Kiro CI Recipes

Copy only the AI-in-CI workflows you want: PR review, security gates, test gap review, docs drift checks, issue promotion, artifact-only experiments, and opt-in fix branches.

./install.sh pr-review security-gate test-gap-finder

Use Cases

| Use case | Authority | What it does | Install |
| --- | --- | --- | --- |
| Advisory PR Review | pull-request-comment | Posts normalized Kiro findings as a non-blocking PR review. | ./install.sh pr-review |
| Security Gate | read-only-blocking | Runs strict security review and fails on critical normalized findings. | ./install.sh security-gate |
| Test Gap Finder | pull-request-comment | Flags changed behavior that lacks direct regression coverage. | ./install.sh test-gap-finder |
| Docs Drift Check | pull-request-comment | Flags code/API/CLI changes that should update documentation. | ./install.sh docs-drift |
| Manual Artifact Review | read-only-artifact | Runs from workflow_dispatch and uploads markdown/JSON artifacts. | ./install.sh artifact-review |
| Issue Promotion | issue-write | Turns /open-issue <n> into a tracked GitHub issue. | ./install.sh issue-promotion |
| Auto-Fix Branch | branch-write | Creates an opt-in branch for /kiro-fix <n>. | ./install.sh auto-fix-branch |

Kiro Headless Setup

Kiro CLI headless mode uses the KIRO_API_KEY environment variable instead of browser login. Generate an API key from Kiro, add it to GitHub Actions as a repository secret named KIRO_API_KEY, then install the recipes you want.

export KIRO_API_KEY=...
kiro-cli chat --no-interactive --trust-tools=read,grep "Summarize this repository"

Official docs: Kiro headless mode and Kiro CLI authentication.

Shift Left Locally

Most packs install scripts that can run before CI. Use them to review your current diff, normalize Kiro output, and test gates locally.

export KIRO_API_KEY=...
./scripts/run-local-review.sh
node scripts/fail-on-critical.mjs review-findings.json

Safety Model

Read-only workflows run Kiro with --trust-tools=read,grep. Branch-writing workflows are opt-in and should be installed only after review-only workflows are proven. PR workflows run trusted action code and agent configs from the base checkout while reviewing PR code in a separate workspace.

Design Lessons

The recipes favor structured review data, permission-checked slash commands, and small auditable agents. Avoid success checks that rely on stale PR comments, broad shell tools for PR review agents, and direct shell interpolation of comment bodies, paths, PR titles, or workflow inputs.
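As an added example (not one of the project's own scripts), this is how a permission-checked handler for the /open-issue <n> and /kiro-fix <n> commands can be written so that the comment body never reaches a shell: the command is matched with an anchored pattern, the author's association is checked against an allowlist, and the index is bounds-checked against the stored findings. The findings layout (a JSON array of objects) and the function names are assumptions.

```javascript
// Added example, not code from the Kiro CI Recipes project. Authorizes a
// "/open-issue <n>" or "/kiro-fix <n>" comment before any issue- or
// branch-writing step runs. Findings layout ({ id, title }) is assumed.
const ALLOWED_ASSOCIATIONS = new Set(["OWNER", "MEMBER", "COLLABORATOR"]);

// Anchored: the whole comment must be the command and a small positive
// integer, so trailing text or metacharacters never match.
const COMMAND_RE = /^\/(open-issue|kiro-fix)\s+([1-9]\d{0,3})\s*$/;

function parseSlashCommand(body) {
  const m = COMMAND_RE.exec(String(body ?? "").trim());
  return m ? { command: m[1], index: Number(m[2]) } : null;
}

// Returns { ok: true, command, finding } or { ok: false, reason }.
// Fails closed: unknown command, unlisted author, or out-of-range index.
function authorizeCommand({ body, authorAssociation, findings }) {
  const cmd = parseSlashCommand(body);
  if (!cmd) return { ok: false, reason: "not a recognized slash command" };
  if (!ALLOWED_ASSOCIATIONS.has(authorAssociation)) {
    return { ok: false, reason: `author association ${authorAssociation} not allowed` };
  }
  if (!Array.isArray(findings) || cmd.index > findings.length) {
    return { ok: false, reason: `no finding #${cmd.index}` };
  }
  // The comment uses a 1-based index into the stored normalized findings.
  return { ok: true, command: cmd.command, finding: findings[cmd.index - 1] };
}

// In a workflow, take the comment from the parsed event payload (the file
// named by GITHUB_EVENT_PATH) instead of interpolating it into a run: line.
function authorizeFromEvent(event, findings) {
  return authorizeCommand({
    body: event?.comment?.body,
    authorAssociation: event?.comment?.author_association,
    findings,
  });
}

// Constructed sample data standing in for a real issue_comment event.
function demo() {
  const findings = [{ id: "F-1", title: "Unvalidated index" }, { id: "F-2", title: "Shell interpolation" }];
  const event = { comment: { body: "/kiro-fix 2", author_association: "MEMBER" } };
  return authorizeFromEvent(event, findings); // ok: true, finding F-2
}
```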

Project Docs