When a PR is opened, it needs to be reviewed by the right person. Most teams solve this with CODEOWNERS, which matches file paths to reviewers. But path based matching doesn't account for risk. A safe refactor touching 50 files gets the same review requirements as a three line change to a critical path.
This caused two problems:
Low risk PRs sat in queues, blocking engineers who needed to ship
High risk PRs didn't get enough review, because reviewers had too many PRs to look at
What we built
We built an internal system that reads each PR and estimates risk.
Very low and low risk PRs get auto approved.
Higher risk PRs get routed to the right reviewer.
We can also use Git history to assign PRs to the most relevant reviewer where the person who has recently worked on the area being changed. This increases the chance of catching issues!
It's built on Cloud Agents, which can be triggered by events like a new PR and act autonomously. Here's an excerpt from the prompt:
The full version includes detailed examples for each risk level.
Here's what an approved PR looks like:
Break glass merges
Sometimes you need to merge outside the default workflow, e.g if the PR is urgent, or the agent's routing is wrong.
We treat these as explicit exceptions and require a short reason, so we can audit what happened and calibrate the system. Internally, we use a Slack command like this:
We're working on making it easy for any team to build workflows like this!
Explore Further
This has a linked resource worth reading, a tool worth trying, or an idea worth prototyping
Quick Insight
This is about using AI agents to automatically assess PR risk instead of relying on simple CODEOWNERS file path matching. The system auto-approves low-risk PRs and routes high-risk ones to appropriate reviewers, reducing bottlenecks while improving code quality. For Brian's fintech work where code quality is critical but speed matters, this could solve the classic "too many PR reviews blocking deployment" problem.
Actionable Takeaway
Build a simple PR risk assessment bot for his side projects using webhook integrations (which he already knows) + AI prompting to categorize PRs by risk level. Start with GitHub webhooks → Claude/GPT API → auto-label PRs as low/medium/high risk.
Related to Your Work
Direct application to his fintech platform's webhook integrations and credit-card processing where code changes have varying risk levels. A payment flow change needs heavy review, but updating copy or analytics dashboards could auto-approve. His webhook expertise makes this a natural fit.
Source Worth Reading
The linked article is worth reading - it includes actual prompt examples and implementation details for the risk assessment system, plus the "break glass" merge workflow with Slack commands. Concrete enough to implement.
