HolyNit — Train Your Code Review Skills

Best Practices

How to Review a PR

Code review is a craft. This guide covers what separates a useful review from noise — from spotting real issues to the tone that keeps teams moving.

01preview

Scan before you comment

Read the entire diff before writing a single comment. You need the full picture to know what matters. A change that looks suspicious in one file might be intentional given what happens in another.

arrow_rightRead the PR description and linked issue first
arrow_rightSkim all changed files to understand the shape of the change
arrow_rightLook for patterns across files — inconsistency is often a signal
arrow_rightNote anything confusing to revisit; don't react line by line

02bug_report

Identify real issues

Not all observations are worth a comment. Focus on things that actually matter: bugs, security holes, logic errors, missing edge cases, misleading names, and violations of patterns the codebase already establishes.

emergency_home

Correctness

Will this code do what the author thinks it does?

lock

Security

Does this open an injection vector, leak data, or skip auth?

speed

Performance

N+1 queries, unbounded loops, unnecessary allocations

integration_instructions

API / contract

Breaking changes, bad error handling, undocumented behaviour

text_fields

Naming & clarity

Names that mislead, dead code left in, missing context

03edit_note

Be clear and precise

A vague comment forces the author to guess what you mean and come back with follow-up questions. State what the problem is, why it matters, and what to do about it.

Weak

"This doesn't look right."

Strong

This will panic on an empty slice — the loop starts at index 1 but doesn't guard against len(items) == 0. Add a length check before the loop.

checkName the exact line or variable you're talking about
checkExplain the consequence, not just the observation
checkMake the required action unambiguous

04signal_cellular_alt

Signal severity clearly

If the author has to read between the lines to know whether your comment blocks the merge, you've made their job harder. Label every comment so they can triage at a glance.

BlockerMust be resolved before merge. Bugs, security issues, broken contracts.

"This bypasses the auth middleware — ship this and anyone can hit the admin endpoint."

MajorSerious but not necessarily a hard blocker. Warrants a fix or discussion.

"Fetching inside a loop will cause N+1 queries on every page load. Worth batching."

NitMinor style, naming, or polish. Author can take it or leave it.

"nit: `getUserById` → `findUser` is closer to the naming convention in this file."

05compress

Say more with less

More words do not mean more clarity. Long comments that over-explain bury the actual point. Aim for the fewest words that make your meaning impossible to misread.

Over-explained

"So I was looking at this and thinking about it and I'm not entirely sure but it seems like maybe there could potentially be an issue here with the error handling, though I could be wrong, just thought it might be worth looking into?"

To the point

The error from db.Query() is swallowed here — if the query fails, the caller gets nil data with no indication of why.

checkCut hedging language — own your observation
checkSkip preambles like 'I was thinking...' or 'Not sure but...'
checkOne comment, one issue — don't pile multiple concerns together

06auto_fix_high

Suggest the fix

When the fix is obvious and short, write it out. Pointing at a problem without showing the solution adds friction. Showing the fix closes the loop in one round-trip.

arrow_rightInline code snippets make intent unambiguous
arrow_rightA suggested diff is faster to apply than re-implementing from a description
arrow_rightIf multiple valid approaches exist, name them — don't just pick one without acknowledging the trade-off
arrow_rightFor complex changes, link to a reference or prior art in the codebase

07select_all

Use multi-line selection

Anchoring a comment to a single line works for single-line issues. But when the problem spans a function, a block, or a whole section — select the whole range. It gives the author the right context immediately.

When to use single-line

Typo in a variable name, off-by-one on a single expression, a missing null check on one return value.

When to use multi-line

The entire function has the wrong approach, a transaction isn't closed properly across several lines, or the issue only makes sense when you see the setup and teardown together.

08gavel

Give an overall verdict

Inline comments are details. The verdict is the bottom line. Always close a review with a PR-level summary that tells the author where things stand — don't make them count up blockers to figure it out.

check_circle

Approve

The code is good to merge. Inline nits are optional — call them out so the author knows they're not blockers.

change_circle

Request changes

There are one or more issues that should be addressed before merge. List them clearly at the top of your summary.

help

Comment (no verdict)

You have questions or thoughts but aren't blocking. Make that explicit — 'not blocking, just curious about the approach here.'

09tune

Context matters

Good review judgement is situational. The same nit that's worth raising in a calm sprint might not be worth raising when a hotfix needs to be live in 20 minutes.

Hotfix / urgent—Only blockers matter. Nits and majors can be follow-up tickets. Don't slow down a production incident over style.
New feature—Hold a higher standard. This code will be maintained and built on. Majors are worth discussing.
Refactor / cleanup—Verify the refactor doesn't change behaviour. Check edge cases. Test coverage matters here.
New contributor—Be more explanatory. A brief 'why' alongside the 'what' is worth it. Don't bury them in nits.

10handshake

Tone and collaboration

You and the author are on the same team. The code is the thing under review — not the person. A review that feels like an attack makes people defensive, and defensive people don't absorb feedback.

Combative

"Why would you do it this way? This is clearly wrong. You should have known better."

Collaborative

"This will silently return stale data when the cache expires — we ran into this in the users service last quarter. Adding a TTL check here should fix it."

checkComment on the code, not the author — 'this function' not 'you'
checkDon't treat every review as a chance to show off what you know
checkAcknowledge when something is done well — balance builds trust
checkLeave your ego at the door — being right matters less than the code shipping correctly
checkIf you're frustrated, wait. Review when you can be constructive

The best reviewers make their team better over time — not just this PR, but the next one too. People improve faster when feedback feels safe to receive.

Ready to put this into practice?

rate_reviewBrowse Challenges