Copilot code review: customize it before rollout

Do not roll out AI code review as a generic reviewer. Make the review contract explicit first: Copilot can comment and suggest fixes, but human reviewers and branch protection still own approval, security-sensitive judgment, and release blocking decisions.

Write The Review Contract First

Use Copilot for early coverage, repeated checks, and review consistency. Keep final approval, security exceptions, architecture tradeoffs, and merge-blocking policy with humans or existing controls.

Put Stable Rules In Instructions

Repository custom instructions are the lightest place for standards, validation commands, framework preferences, and repo-wide review patterns. Use path-specific instructions when only one package, service, or language needs different guidance.

• Good fit: review standards, test commands, validation expectations.
• Good fit: path-specific service or language exceptions.
• Weak fit: secrets, temporary credentials, or rules that contradict branch policy.

Use Skills For Repeated Review Workflows

Agent skills are useful when a recurring review job needs a rubric, checklist, internal workflow, or clearly scoped tool interaction. If the guidance is only one sentence, keep it in instructions instead.

Bound MCP Context Before Connecting It

MCP can bring issue trackers, docs, service catalogs, and incident tooling into review. Start read-only, store credentials in the right GitHub agent secrets or variables, and decide what information should never appear in a PR comment.

Route Review Depth By Risk

Use Low review effort for straightforward repositories and cheaper default coverage. Use Medium for complex logic, security-sensitive changes, cross-service behavior, or high-value repositories where deeper analysis is worth the extra AI credit usage.