An intelligent system that automatically detects GitHub Actions CI failures, analyzes root causes using the Nova AI model, proposes code fixes, and applies them via pull requests, all with human-in-the-loop approval.
- Overview
- Architecture
- Features
- Tech Stack
- API Endpoints
- Data Model
- Risk Scoring
- Nova Model Integration
- How It Works
- Frontend Pages
- Security
- Example Scenario
When a CI pipeline fails on GitHub, this system:
- Captures the failure via a GitHub App webhook
- Fetches and analyzes CI logs
- Calls the Nova AI model to identify the root cause and propose a fix
- Computes a risk score for the proposed change
- Displays everything on a dashboard for developer review
- On approval, automatically creates a branch, applies the patch, and opens a PR
- Reruns CI and tracks the result
GitHub → Webhook → Backend → Nova Model → DynamoDB → Dashboard → Approval → PR → CI Rerun

```text
┌──────────────────────┐
│      Developer       │
│    Pushes Commit     │
└──────────┬───────────┘
           │
           ▼
┌──────────────────────┐
│  GitHub Actions CI   │
│      Workflow        │
└──────────┬───────────┘
           │ (Failure Event)
           ▼
┌──────────────────────┐
│     GitHub App       │
│   Webhook Trigger    │
└──────────┬───────────┘
           │
           ▼
┌──────────────────────────────┐
│   API Gateway (HTTP API)     │
└──────────┬───────────────────┘
           │
           ▼
┌──────────────────────────────┐
│       Webhook Lambda         │
│ - Validate signature         │
│ - Generate token             │
│ - Fetch CI logs              │
│ - Extract failure            │
│ - Call Nova model            │
│ - Generate patch proposal    │
│ - Compute risk score         │
│ - Store in DynamoDB          │
└──────────┬───────────────────┘
           │
           ▼
┌──────────────────────────────┐
│          DynamoDB            │
│   Table: ci_failures         │
│   status = pending           │
└──────────┬───────────────────┘
           │
           ▼
┌──────────────────────────────┐
│     Frontend Dashboard       │
│ - Show failure               │
│ - Show root cause            │
│ - Show diff preview          │
│ - Show risk level            │
│ - Approve / Reject           │
└──────────┬───────────────────┘
           │ (User Approval)
           ▼
┌──────────────────────────────┐
│       Approval Lambda        │
│ - Create branch              │
│ - Apply patch                │
│ - Commit changes             │
│ - Create PR                  │
│ - Update DynamoDB            │
└──────────┬───────────────────┘
           │
           ▼
┌──────────────────────────────┐
│    GitHub PR + CI Rerun      │
└──────────┬───────────────────┘
           │ (CI Result)
           ▼
┌──────────────────────────────┐
│     Status Update Lambda     │
│ - Capture PR CI result       │
│ - Update DynamoDB status     │
└──────────────────────────────┘
```
- Automatic failure detection via GitHub App webhooks
- AI-powered root cause analysis using the Nova model
- Minimal patch proposals targeting only the affected files
- Risk scoring before any change is applied
- Diff preview so developers know exactly what will change
- Human-in-the-loop approval: nothing is merged without consent
- Closed-loop CI rerun with automated status tracking
- GitHub OAuth login and webhook signature verification
| Layer | Technology |
|---|---|
| Frontend | React / Next.js |
| Auth | GitHub OAuth |
| Backend | AWS Lambda (Python/Node) |
| API | AWS API Gateway (HTTP API) |
| Database | AWS DynamoDB |
| AI Model | Amazon Nova |
| CI/CD | GitHub Actions |
| GitHub | GitHub App (Webhooks + Installation Tokens) |
| Method | Endpoint | Description |
|---|---|---|
| POST | /github/webhook | Receives CI failure events from GitHub |
| POST | /approve | Triggers branch creation, patch apply, and PR |
| GET | /failures | Returns failure list for the frontend dashboard |

Query parameters for `GET /failures`:

| Parameter | Values | Description |
|---|---|---|
| status | pending, approved, resolved | Filter failures by status |
DynamoDB Table: `ci_failures`

| Attribute | Type | Description |
|---|---|---|
| failure_id | String | Partition Key |
| repo_name | String | GitHub repository name |
| branch | String | Branch where failure occurred |
| commit_sha | String | Commit hash that triggered CI |
| root_cause | String | AI-generated root cause explanation |
| proposed_patch | JSON | Structured patch proposal from Nova |
| risk_score | String | low, medium, or high |
| confidence | Float | Nova model confidence score (0 to 1) |
| status | String | pending / approved / merged / failed |
| pr_url | String | URL of the created pull request |
| timestamp | String | ISO timestamp of when failure was recorded |
Risk is computed before any approval is requested:
| Level | Conditions |
|---|---|
| 🟢 Low | < 10 lines changed, only source file touched |
| 🟡 Medium | Dependency file changed (e.g. requirements.txt) |
| 🔴 High | Workflow file modified (e.g. .github/workflows/) |
Risk level is displayed prominently in the UI before the user approves.
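The risk table above, implemented as a small scoring function. This is an added example, not the project's own code: the threshold for "minimal", the list of files treated as dependency manifests, and the handling of cases the table does not name (an empty proposal, a source-file edit of 10 lines or more) are assumptions.

```python
# Added example (not the project's own code): computes the risk level for a
# Nova proposal according to the README's risk table. The dependency-file
# list and the fallbacks for cases the table does not cover are assumptions.
from typing import Iterable

# Files whose modification counts as "dependency file changed" (assumed list).
DEPENDENCY_FILES = {
    "requirements.txt", "package.json", "package-lock.json",
    "pyproject.toml", "poetry.lock", "go.mod", "go.sum",
}
LOW_RISK_MAX_LINES = 10  # "< 10 lines changed" threshold from the table


def changed_lines(original: str, replacement: str) -> int:
    """Count lines removed plus lines added for one file modification."""
    removed = len(original.splitlines()) if original else 0
    added = len(replacement.splitlines()) if replacement else 0
    return removed + added


def is_workflow_file(path: str) -> bool:
    """True for anything under .github/workflows/ (the High row)."""
    return path.replace("\\", "/").startswith(".github/workflows/")


def is_dependency_file(path: str) -> bool:
    """True when the file name is a known dependency manifest (the Medium row)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1] in DEPENDENCY_FILES


def compute_risk(files_to_modify: Iterable[dict]) -> str:
    """Return 'low', 'medium' or 'high' for a files_to_modify list.

    Rules are evaluated from most to least severe, so a proposal touching a
    workflow file is always high regardless of how small the change is.
    """
    files = list(files_to_modify)
    if not files:
        return "high"  # nothing to apply: never call an empty proposal safe (assumption)
    if any(is_workflow_file(f["file_path"]) for f in files):
        return "high"
    if any(is_dependency_file(f["file_path"]) for f in files):
        return "medium"
    total = sum(changed_lines(f.get("original", ""), f.get("replacement", ""))
                for f in files)
    if len(files) == 1 and total < LOW_RISK_MAX_LINES:
        return "low"
    return "medium"  # several source files or a larger edit: not in the table, assumed medium


if __name__ == "__main__":
    # Constructed proposal matching the README's pandas scenario.
    print(compute_risk([{"file_path": "requirements.txt",
                         "original": "", "replacement": "pandas==2.2.1"}]))
```

Evaluating the severe rules first matters: a proposal that edits one line of a workflow file must still come out as high, because that one line can change what the CI runner executes.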
The Nova model is used for structured multi-step reasoning inside the Webhook Lambda:
Steps:
- Analyze failure logs
- Identify root cause
- Identify affected file(s)
- Propose a minimal modification
Expected output format:

```json
{
  "root_cause": "The module pandas is imported but not listed in requirements.txt.",
  "files_to_modify": [
    {
      "file_path": "requirements.txt",
      "original": "",
      "replacement": "pandas==2.2.1"
    }
  ],
  "confidence": 0.91
}
```

Pre-processing before LLM: Rather than sending entire CI logs, the Webhook Lambda extracts the relevant failure block (e.g. 40 lines around the traceback) to reduce token usage and improve accuracy.
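One way to do the pre-processing step, as an added example rather than the project's own code: strip the per-line timestamps GitHub Actions prepends to job logs, find the first error marker, and cut a 40-line window around it. The marker patterns and the timestamp format are assumptions; the window size is the one the text gives.

```python
# Added example (not the project's own code): pulls the failure block out of a
# raw GitHub Actions job log before it is sent to the model. The 40-line
# window matches the README; marker and timestamp patterns are assumptions.
import re

# Patterns that usually mark the interesting part of a log (assumed).
ERROR_MARKERS = re.compile(
    r"Traceback \(most recent call last\)|"   # Python traceback header
    r"\b[A-Za-z_]*Error\b:|"                  # e.g. ModuleNotFoundError:
    r"\bFAILED\b|"                            # pytest summary lines
    r"##\[error\]"                            # Actions runner error annotation
)
# Actions job logs prefix each line with an ISO timestamp (assumed format).
TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z ")
WINDOW = 40


def strip_timestamps(log: str) -> list:
    """Remove the leading timestamp from every line; it carries no signal for the model."""
    return [TIMESTAMP.sub("", line) for line in log.splitlines()]


def extract_failure_block(log: str, window: int = WINDOW) -> str:
    """Return about `window` lines around the first error marker.

    A quarter of the window is taken before the marker and the rest after it,
    because for a traceback the exception line comes after the header. When no
    marker is found, fall back to the last `window` lines, since the failing
    command's output is normally at the end of the job log.
    """
    lines = strip_timestamps(log)
    for i, line in enumerate(lines):
        if ERROR_MARKERS.search(line):
            start = max(0, i - window // 4)
            return "\n".join(lines[start:start + window])
    return "\n".join(lines[-window:])


# Constructed sample log: 30 lines of install noise, then a traceback.
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:{i:02d}.000Z pip install step line {i}" for i in range(30)]
    + [
        "2024-05-01T10:00:30.000Z Traceback (most recent call last):",
        '2024-05-01T10:00:30.000Z   File "app/main.py", line 1, in <module>',
        "2024-05-01T10:00:30.000Z     import pandas",
        "2024-05-01T10:00:30.000Z ModuleNotFoundError: No module named 'pandas'",
        "2024-05-01T10:00:31.000Z ##[error]Process completed with exit code 1.",
    ]
)

if __name__ == "__main__":
    print(extract_failure_block(SAMPLE_LOG))
```

Whatever the Lambda extracts is still untrusted text from a build log; it goes into the prompt as data, and the model's answer is validated before anything is applied (see the validation step under How It Works).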
- Receive CI failure event from GitHub
- Fetch workflow run logs via GitHub API
- Extract relevant failure block (traceback + error)
- Send structured prompt to Nova with error message, log snippet, and relevant file content
- Receive structured JSON response with `root_cause`, `files_to_modify`, and `confidence`
- Validate: does the file exist? Are the changes minimal?
- Compute risk score
- Store proposal in DynamoDB with `status = pending_approval`
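The validation step ("does the file exist? are the changes minimal?") and the diff preview shown on the dashboard, as an added example that is not the project's own code. The model output is untrusted input, so the check also rejects absolute paths and `..` traversal in `file_path`, requires a non-empty `original` to match exactly once, and caps the total changed lines. The repository snapshot, the line limit and the exact rules are assumptions.

```python
# Added example (not the project's own code): validates a Nova proposal before
# it is stored and renders the unified diff used for the dashboard preview.
# The repo snapshot, MAX_CHANGED_LINES and the validation rules are assumptions.
import difflib
import posixpath
from dataclasses import dataclass, field

MAX_CHANGED_LINES = 20  # assumed ceiling for "minimal" changes


@dataclass
class ValidationResult:
    ok: bool
    errors: list = field(default_factory=list)
    diffs: dict = field(default_factory=dict)   # file_path -> unified diff text


def safe_relative_path(path: str) -> bool:
    """Reject absolute paths, backslashes, drive letters and traversal outside the repo root."""
    if not path or path.startswith(("/", "\\")) or "\\" in path or ":" in path:
        return False
    norm = posixpath.normpath(path)
    return norm == path and not norm.startswith("..") and norm != "."


def apply_modification(content: str, original: str, replacement: str) -> str:
    """Replace `original` once; an empty `original` means append a line (as in the README sample)."""
    if original == "":
        if content and not content.endswith("\n"):
            content += "\n"
        return content + replacement + ("" if replacement.endswith("\n") else "\n")
    return content.replace(original, replacement, 1)


def validate_proposal(proposal: dict, repo_files: dict) -> ValidationResult:
    """Check every entry of files_to_modify against a {path: content} snapshot of the repo."""
    result = ValidationResult(ok=True)
    mods = proposal.get("files_to_modify")
    if not isinstance(mods, list) or not mods:
        return ValidationResult(ok=False, errors=["files_to_modify missing or empty"])
    total_changed = 0
    for mod in mods:
        if not isinstance(mod, dict):
            result.errors.append("files_to_modify entry is not an object")
            continue
        path = mod.get("file_path", "")
        original = mod.get("original", "")
        replacement = mod.get("replacement", "")
        if not safe_relative_path(path):
            result.errors.append(f"{path!r}: unsafe or non-relative path")
            continue
        if path not in repo_files:
            result.errors.append(f"{path!r}: file does not exist in repository")
            continue
        before = repo_files[path]
        if original and before.count(original) != 1:
            result.errors.append(
                f"{path!r}: 'original' must match exactly once (found {before.count(original)})")
            continue
        after = apply_modification(before, original, replacement)
        diff = list(difflib.unified_diff(before.splitlines(), after.splitlines(),
                                         fromfile=f"a/{path}", tofile=f"b/{path}", lineterm=""))
        total_changed += sum(1 for l in diff
                             if l and l[0] in "+-" and not l.startswith(("+++", "---")))
        result.diffs[path] = "\n".join(diff)
    if total_changed > MAX_CHANGED_LINES:
        result.errors.append(f"{total_changed} changed lines exceeds limit of {MAX_CHANGED_LINES}")
    result.ok = not result.errors
    return result


# Constructed repository snapshot and the README's pandas proposal.
REPO_SNAPSHOT = {
    "requirements.txt": "flask==3.0.0\nrequests==2.31.0\n",
    "app/main.py": "import pandas\n\nprint(pandas.__version__)\n",
    ".github/workflows/ci.yml": "name: ci\n",
}
PROPOSAL = {
    "root_cause": "The module pandas is imported but not listed in requirements.txt.",
    "files_to_modify": [
        {"file_path": "requirements.txt", "original": "", "replacement": "pandas==2.2.1"}
    ],
    "confidence": 0.91,
}

if __name__ == "__main__":
    res = validate_proposal(PROPOSAL, REPO_SNAPSHOT)
    print(res.ok, res.errors)
    print(res.diffs.get("requirements.txt", ""))
```

Requiring `original` to match exactly once is what keeps "apply patch" deterministic: if the snippet appears twice, the Lambda cannot know which occurrence the model meant, and the diff the developer approved would not be the diff that gets committed.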
The frontend polls for new failures every 10 to 15 seconds:

```http
GET /failures?status=pending
```
| Page | Description |
|---|---|
| Pending Fixes | Lists all CI failures awaiting approval |
| Failure Detail | Shows root cause, diff preview, risk badge |
| Active PRs | Shows approved fixes with open PRs in progress |
| Resolved History | Shows completed and merged fixes |
- Failure list with status badges
- Diff viewer (before/after patch)
- Risk badge (🟢 / 🟡 / 🔴)
- Approve / Reject buttons
- PR status view
- GitHub OAuth login
| Concern | Approach |
|---|---|
| Webhook authenticity | Verify GitHub webhook signature (X-Hub-Signature-256) |
| GitHub API access | Use short-lived App Installation Tokens |
| User authorization | Approval endpoint requires authenticated GitHub user |
| Branch safety | All patches applied to a new branch, never directly to main |
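The webhook authenticity check from the table, as an added example that is not the project's own code. It verifies `X-Hub-Signature-256` over the raw request body with a constant-time comparison, treats a missing or malformed header as a rejection rather than an exception, and only queues `workflow_run` events whose conclusion is `failure`. The secret, headers and payload are constructed values; the API Gateway request shape is simplified.

```python
# Added example (not the project's own code): verifies the X-Hub-Signature-256
# header on an incoming GitHub webhook and filters for failed workflow runs.
# Secret, headers and payload below are constructed test values.
import hashlib
import hmac
import json
from typing import Optional, Tuple


def compute_signature(secret: bytes, body: bytes) -> str:
    """GitHub signs the raw request body with HMAC-SHA256 and prefixes 'sha256='."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Constant-time comparison; a missing or malformed header is simply a failure."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    return hmac.compare_digest(compute_signature(secret, body), header_value)


def is_actionable_event(event_name: str, payload: dict) -> bool:
    """Only a completed workflow_run with conclusion 'failure' should start the pipeline."""
    return (
        event_name == "workflow_run"
        and payload.get("action") == "completed"
        and payload.get("workflow_run", {}).get("conclusion") == "failure"
    )


def handle_webhook(secret: bytes, headers: dict, raw_body: bytes) -> Tuple[int, str]:
    """Return (HTTP status, message). Header names are assumed lower-cased by the gateway."""
    sig = headers.get("x-hub-signature-256")
    if not verify_signature(secret, raw_body, sig):
        return 401, "invalid signature"          # reject before parsing anything
    try:
        payload = json.loads(raw_body)
    except json.JSONDecodeError:
        return 400, "malformed JSON"
    event = headers.get("x-github-event", "")
    if not is_actionable_event(event, payload):
        return 202, f"ignored {event}"           # acknowledged, nothing to do
    run = payload["workflow_run"]
    repo = payload.get("repository", {}).get("full_name")
    return 200, f"queued run {run.get('id')} for {repo}"


# Constructed values for a stand-alone run.
WEBHOOK_SECRET = b"constructed-secret-for-example"
SAMPLE_PAYLOAD = {
    "action": "completed",
    "workflow_run": {"id": 12345, "conclusion": "failure",
                     "head_branch": "main", "head_sha": "0" * 40},
    "repository": {"full_name": "example-org/example-repo"},
}
SAMPLE_BODY = json.dumps(SAMPLE_PAYLOAD).encode()
SAMPLE_HEADERS = {
    "x-hub-signature-256": compute_signature(WEBHOOK_SECRET, SAMPLE_BODY),
    "x-github-event": "workflow_run",
}

if __name__ == "__main__":
    print(handle_webhook(WEBHOOK_SECRET, SAMPLE_HEADERS, SAMPLE_BODY))
```

Two details matter in a Lambda behind API Gateway: the HMAC must be computed over the exact bytes GitHub sent (decode the body if the gateway base64-encoded it, and never re-serialize the parsed JSON first), and the signature check must run before any other processing so that an unauthenticated caller cannot make the function fetch logs or call the model.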
Situation: A developer pushes code that imports pandas, but pandas is not in requirements.txt.

CI Failure:

```text
ModuleNotFoundError: No module named 'pandas'
```
System Response:
| Step | Actor | Action |
|---|---|---|
| 1 | Developer | Pushes commit to GitHub |
| 2 | GitHub Actions | CI workflow runs and fails |
| 3 | GitHub App | Sends webhook to API Gateway |
| 4 | API Gateway | Routes to Webhook Lambda |
| 5 | Webhook Lambda | Verifies signature, fetches logs |
| 6 | Webhook Lambda | Extracts failure block (pre-processing) |
| 7 | Nova Model | Identifies root cause, proposes patch |
| 8 | Webhook Lambda | Computes risk: 🟡 Medium (dependency file) |
| 9 | DynamoDB | Stores proposal with status = pending |
| 10 | Frontend | Polls and displays the pending fix |
| 11 | Developer | Reviews diff, clicks Approve |
| 12 | Approval Lambda | Creates branch ai-fix/run-12345, applies patch, opens PR |
| 13 | GitHub Actions | Reruns CI on the new PR branch |
| 14 | CI Passes | Webhook Lambda updates status to resolved |
Nova Proposal:

```json
{
  "root_cause": "The module pandas is imported but not listed in requirements.txt.",
  "files_to_modify": [
    {
      "file_path": "requirements.txt",
      "original": "",
      "replacement": "pandas==2.2.1"
    }
  ],
  "confidence": 0.91
}
```

PR commit message:

```text
fix(ci): add missing pandas dependency
```
Built with ❤️ using AWS Lambda, DynamoDB, Amazon Nova, and GitHub Apps.