Description
Unleash the power of AI in your development lifecycle! This extension integrates the Flow Code Reviewer directly into your Azure DevOps pipelines, transforming your pull request reviews with intelligent, CI&T Flow-driven insights.
Features
- AI-Powered Code Review: Leverages CI&T Flow to provide insightful code review comments.
- Azure DevOps Integration: Seamlessly integrates into Azure DevOps pull request workflows.
- Customizable Prompts: Allows for custom prompts to tailor the AI's review focus.
- Flexible Model Selection: Supports various AI models (GPT-o3 mini, GPT-5, Gemini 1.5 Flash, Gemini 3.0 Pro, Claude 3.7 Sonnet, etc.).
- File Exclusion: Ability to ignore specific files or patterns from the review process.
Installation
- Install the extension from the Azure DevOps Marketplace.
- Add the FlowCodeReviewerTask (version 0.x) to your Azure DevOps pipelines.
- Configure the task with your Flow API credentials (Client ID, Client Secret, Tenant).
- Ensure the Build Service user has the necessary permissions on the repositories:
  - Contribute
  - Contribute to pull requests
How to Get Flow API Credentials
- Access the Flow platform.
- Log in with your credentials.
- Click on your username at the bottom left of the screen.
- Go to Settings.
- Navigate to Your Profile > API Keys.
- Enter a name for the API key, select the llm-api under apps, and click Create.
- Copy the Client ID, Client Secret, and Tenant values.
Pipeline Task Definition
steps:
- task: FlowCodeReviewerTask@0
  inputs:
    clientId: 'YOUR_CLIENT_ID'
    clientSecret: 'YOUR_CLIENT_SECRET' # Placeholder: pass a secret pipeline variable such as $(FLOW_CLIENT_SECRET), not a literal value
    tenant: 'YOUR_TENANT'
    model: 'gpt-5' # Or your preferred model
    ignoreFiles: '**/package-lock.json,**/dist/**' # Optional: files to ignore
    customPrompt: 'Your custom review instructions here' # Optional: custom prompt
    useAdr: 'true' # Enable ADR context
    adrPath: 'downloaded-adrs' # Optional: Only if using downloaded artifacts
SSH Fetch Configuration
If your environment requires SSH to fetch the repository files instead of HTTPS, you must configure the pipeline agent with your SSH keys before running the reviewer task. Specify useSsh: true to trigger the SSH clone behavior.
Example Pipeline with SSH Config:
steps:
- task: InstallSSHKey@0
  inputs:
    hostName: vs-ssh.visualstudio.com
    sshPublicKey: $(ssh_public_key)
    sshKeySecureFile: mobile_platform_ssh
- script: |
    # ssh-keyscan records whatever key the network returns; compare it with the fingerprint your Git host publishes
    ssh-keyscan -t rsa vs-ssh.visualstudio.com >> ~/.ssh/known_hosts
  displayName: 'Config Known Hosts'
- task: FlowCodeReviewerTask@0
  inputs:
    clientId: 'YOUR_CLIENT_ID'
    clientSecret: 'YOUR_CLIENT_SECRET'
    tenant: 'YOUR_TENANT'
    useSsh: true
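The 'Config Known Hosts' step above appends whatever key ssh-keyscan returns. The following added example (not part of the extension or its documentation) filters ssh-keyscan output against a pinned SHA256 fingerprint before anything is written to known_hosts. The function names and the key material are constructed for illustration; a real pinned value is the fingerprint your Git host publishes.

```python
import base64
import hashlib


def fingerprint(known_hosts_line):
    """OpenSSH-style SHA256 fingerprint of one '<host> <type> <base64 key>' line."""
    fields = known_hosts_line.split()
    if len(fields) < 3:
        raise ValueError("expected '<host> <keytype> <base64-key>'")
    blob = base64.b64decode(fields[2], validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verified_entries(keyscan_output, host, pinned):
    """Keep only the lines for `host` whose fingerprint is in `pinned`.

    Raises ValueError when no scanned key matches, so the pipeline step fails
    instead of trusting an unexpected host key.
    """
    accepted = []
    for line in keyscan_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue  # blank, malformed, or ssh-keyscan comment line
        if host in fields[0].split(",") and fingerprint(line) in pinned:
            accepted.append(line.strip())
    if not accepted:
        raise ValueError(f"no scanned key for {host} matches a pinned fingerprint")
    return accepted


# Constructed sample data: the key blobs are placeholder bytes, not real host keys.
HOST = "vs-ssh.visualstudio.com"
EXPECTED_LINE = f"{HOST} ssh-rsa " + base64.b64encode(b"constructed-expected-key").decode()
UNEXPECTED_LINE = f"{HOST} ssh-rsa " + base64.b64encode(b"constructed-unexpected-key").decode()
# In a real pipeline PINNED holds the fingerprint published by your Git host,
# kept as a pipeline variable; here it is derived from the constructed key.
PINNED = {fingerprint(EXPECTED_LINE)}

if __name__ == "__main__":
    scan = "# constructed ssh-keyscan output\n" + UNEXPECTED_LINE + "\n" + EXPECTED_LINE + "\n"
    for entry in verified_entries(scan, HOST, PINNED):
        print(entry)  # only matching lines would be appended to ~/.ssh/known_hosts
```
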
The FlowCodeReviewerTask accepts the following inputs:
- clientId (required): The Client ID of the Flow application.
- clientSecret (required): The Client Secret of the Flow application.
- tenant (required): The Tenant of the Flow application.
- model (optional, default: gpt-5): AI Model to be used for completions.
  - Supported values: gpt-4o-mini, gpt-4o, gpt-5, gpt-5.1, gpt-5.2, o3-mini, gemini-1.5-flash, gemini-3-flash-preview, gemini-2.5-pro, gemini-3.0-pro, anthropic.claude-35-sonnet, anthropic.claude-37-sonnet, anthropic.claude-4-sonnet, anthropic.claude-4-5-haiku, anthropic.claude-4-5-sonnet.
  - Disclaimer: Not all models may be available for some tenants.
- ignoreFiles (optional): Comma-separated glob expressions for files to be ignored (e.g., **/package-lock.json,**/dist/**).
- customPrompt (optional): Custom prompt to be used for AI review. This adds to the default prompt.
- useAdr (optional, default: 'false'): Controls whether ADRs are loaded and used as review context.
  - 'true': The task searches the repository for ADRs and passes their content to the AI reviewer.
  - 'false': ADR retrieval is skipped; the reviewer does not use ADRs and will not comment based on ADR rules.
- adrPath (optional): Local path to a directory containing ADR files. Used when ADRs are downloaded from an artifact or located in a custom local folder.
- useSsh (optional, default: 'false'): Fetch the repository using SSH instead of HTTPS. If enabled, the agent must have the appropriate SSH keys configured.
Architecture Decision Records (ADR) Integration
The extension can read your architectural rules (ADRs) to provide context-aware feedback. There are two ways to provide these files:
Scenario A: In-Repository ADRs (Default)
If you keep your ADRs inside the same repository as your code, simply enable useAdr: 'true'. The task will automatically search for them using the standard directory structure.
Discovery Logic:
- Looks for a top-level directory named docs, doc, or documentation.
- Inside it, looks for a subfolder named adr.
- Expected path: /docs/adr (or /doc/adr).
- Only .md files in this path are processed.
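Because every file matched by this discovery logic is passed to the AI reviewer, it helps to list the matches before setting useAdr: 'true'. The following added example (not the extension's own code) re-implements the documented rules to preview that list. Case-sensitive matching, no recursion below adr/, and skipping symlinks are assumptions the README does not state; the sample repository layout is constructed.

```python
import tempfile
from pathlib import Path

DOC_DIRS = ("docs", "doc", "documentation")  # top-level names the README lists


def discover_adrs(repo_root):
    """List the .md files in <repo_root>/<docs|doc|documentation>/adr.

    Assumptions (the README does not specify them): names are matched
    case-sensitively, only files directly inside adr/ count, and a
    symlinked adr directory or file is skipped.
    """
    root = Path(repo_root)
    found = []
    for name in DOC_DIRS:
        adr_dir = root / name / "adr"
        if adr_dir.is_symlink() or not adr_dir.is_dir():
            continue
        for entry in sorted(adr_dir.iterdir()):
            if entry.is_file() and not entry.is_symlink() and entry.suffix == ".md":
                found.append(entry.relative_to(root).as_posix())
    return found


def demo():
    """Build a constructed sample repository and return what would be picked up."""
    layout = {
        "docs/adr/001-no-console-log.md": "# Decision\nNo console.log in production code.\n",
        "docs/adr/diagram.png": "placeholder",             # not .md: skipped
        "docs/README.md": "outside adr/",                   # skipped
        "src/docs/adr/002-nested.md": "not top-level",      # skipped
        "documentation/adr/003-rfc7807.md": "# Decision\nErrors follow RFC 7807.\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in layout.items():
            path = Path(tmp) / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text)
        return discover_adrs(tmp)


if __name__ == "__main__":
    for adr in demo():
        print(adr)
```

Run discover_adrs against a checkout of your repository and review the listed files for content you do not want leaving the repository.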
Scenario B: Centralized / Shared ADRs (Artifacts)
If you manage your ADRs in a separate "Architecture" repository and want to enforce them across multiple projects, you can download them as a pipeline artifact and point the reviewer to that location.
- Use the DownloadPipelineArtifact task to fetch the ADRs into the working directory.
- Set adrPath in the FlowCodeReviewerTask to match the folder name.
Example Pipeline:
steps:
# 1. Download ADRs from your central architecture project
- task: DownloadPipelineArtifact@2
  displayName: 'Download Centralized ADRs'
  inputs:
    buildType: 'specific'
    project: 'ArchitectureProject' # Name of the project hosting the ADRs
    definition: 'Global-ADR-Pipeline' # Definition ID or Name of the pipeline publishing the artifact
    buildVersionToDownload: 'latest'
    artifactName: 'GlobalADRs'
    targetPath: '$(System.DefaultWorkingDirectory)/downloaded-adrs'
# 2. Run the Reviewer using the downloaded files
- task: FlowCodeReviewerTask@0
  inputs:
    clientId: '$(FLOW_CLIENT_ID)'
    clientSecret: '$(FLOW_CLIENT_SECRET)'
    tenant: 'wenco'
    model: 'gpt-5'
    useAdr: 'true'
    # Point to the local folder where artifacts were downloaded
    adrPath: '$(System.DefaultWorkingDirectory)/downloaded-adrs'
Tips for writing effective ADRs for AI
The clearer the ADR, the better the AI can leverage it.
- Filename: 001-no-console-log.md
- Content: clearly state the Decision and Consequences.
- Example Rule: "Must use Node 18+", "Forbidden to execute curl|bash from unverified domains", "All API responses must follow RFC 7807".