Skip to content

feat: add reviewers to PR metadata#2857

Merged
jiparis merged 5 commits into
chainloop-dev:mainfrom
jiparis:jiparis/pfm-4945-impl
Mar 15, 2026
Merged

feat: add reviewers to PR metadata#2857
jiparis merged 5 commits into
chainloop-dev:mainfrom
jiparis:jiparis/pfm-4945-impl

Conversation

@jiparis

@jiparis jiparis commented Mar 14, 2026

Copy link
Copy Markdown
Member

This is a follow up for #2843. Adding reviewers to PR metadata to look for known bots.

  • Add a reviewers field to PR/MR metadata collected during attestation, enabling detection of AI agent reviewers (e.g., coderabbitai, cubic-dev-ai, devin-ai-integration) in the software supply chain
  • For GitHub, reviewers are parsed from requested_reviewers in the event payload (no API call needed)
  • For GitLab, reviewers are fetched from the MR API using CI_JOB_TOKEN (best-effort, graceful degradation)
  • Introduces pr-info schema v1.1 with the new reviewers field while preserving v1.0 for backward compatibility

Add a reviewers field to PR/MR metadata collected during attestation,
enabling detection of AI agent reviewers in the software supply chain.

For GitHub, reviewers are parsed from the requested_reviewers array in
the event payload. For GitLab, reviewers are fetched from the MR API
using CI_JOB_TOKEN (best-effort, gracefully degrades if unavailable).

Introduces pr-info schema v1.1 with the new reviewers field while
preserving v1.0 for backward compatibility.

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

5 issues found across 12 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="pkg/attestation/crafter/prmetadata_test.go">

<violation number="1" location="pkg/attestation/crafter/prmetadata_test.go:81">
P2: This test locks the new GitLab `reviewers` field to empty instead of covering the integration path that should populate it, so wiring regressions can slip through.

(Based on your team's feedback about adding or updating tests for new paths.) [FEEDBACK_USED]</violation>
</file>

<file name="pkg/attestation/crafter/materials/chainloop_pr_info_test.go">

<violation number="1" location="pkg/attestation/crafter/materials/chainloop_pr_info_test.go:121">
P2: Keep a v1.0 validation assertion here as well. Replacing the old check with v1.1 removes test coverage for the backward-compatible 1.0 schema path.

(Based on your team's feedback about cross-version compatibility.) [FEEDBACK_USED]</violation>
</file>

<file name="pkg/attestation/crafter/prmetadata.go">

<violation number="1" location="pkg/attestation/crafter/prmetadata.go:167">
P2: Use the merge-request project path here; `CI_PROJECT_PATH` will miss reviewers for fork-based GitLab MRs.</violation>
</file>

<file name="internal/prinfo/prinfo.go">

<violation number="1" location="internal/prinfo/prinfo.go:42">
P2: `omitempty` makes reviewer collection failures indistinguishable from a PR/MR that truly has no reviewers, so downstream policy checks can silently miss unavailable reviewer data.

(Based on your team's feedback about preferring explicit states over omission.) [FEEDBACK_USED]</violation>
</file>

<file name="internal/prinfo/prinfo_test.go">

<violation number="1" location="internal/prinfo/prinfo_test.go:178">
P2: Keep a test path for `PRInfoVersion1_0`; this change drops coverage for the backward-compatible schema the PR says is still supported.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

Comment thread pkg/attestation/crafter/prmetadata_test.go
Comment thread pkg/attestation/crafter/materials/chainloop_pr_info_test.go
Comment thread pkg/attestation/crafter/prmetadata.go Outdated
Comment thread internal/prinfo/prinfo.go
Comment thread internal/prinfo/prinfo_test.go
- Use CI_MERGE_REQUEST_PROJECT_PATH for fork-based GitLab MRs,
  falling back to CI_PROJECT_PATH
- Add v1.0 schema backward compatibility tests
- Add integration test for GitLab MR metadata with reviewers via API

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 4 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="pkg/attestation/crafter/prmetadata.go">

<violation number="1" location="pkg/attestation/crafter/prmetadata.go:168">
P2: Use `envVars` here instead of `os.Getenv`, otherwise reviewer collection can fail in runners that supply CI context via `ResolveEnvVars` rather than the process environment.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

Comment thread pkg/attestation/crafter/prmetadata.go Outdated

@migmartri migmartri left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was actually thinking about this today :)

jiparis added 2 commits March 15, 2026 00:23
Use the envVars map from ResolveEnvVars instead of os.Getenv for
CI_SERVER_URL, CI_MERGE_REQUEST_PROJECT_PATH, CI_PROJECT_PATH, and
CI_JOB_TOKEN. This ensures reviewer collection works correctly in
runners that supply CI context via ResolveEnvVars rather than the
process environment.

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
Add CI_PROJECT_PATH, CI_JOB_TOKEN, and CI_MERGE_REQUEST_PROJECT_PATH
to the GitLab runner's ListEnvVars so they are resolved via
ResolveEnvVars and available in the envVars map for reviewer fetching.
Also add them to the Dagger runner for GitLab-in-Dagger contexts.

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2 issues found across 4 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="pkg/attestation/crafter/runners/gitlabpipeline.go">

<violation number="1" location="pkg/attestation/crafter/runners/gitlabpipeline.go:82">
P1: Do not include `CI_JOB_TOKEN` in `ListEnvVars`; it will leak the job token into persisted attestation metadata.</violation>
</file>

<file name="pkg/attestation/crafter/runners/daggerpipeline.go">

<violation number="1" location="pkg/attestation/crafter/runners/daggerpipeline.go:74">
P1: Do not inject `CI_JOB_TOKEN` into attestation metadata; this leaks a live GitLab credential.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

Comment thread pkg/attestation/crafter/runners/gitlabpipeline.go Outdated
Comment thread pkg/attestation/crafter/runners/daggerpipeline.go Outdated
…tions

CI_JOB_TOKEN is sensitive and should not be included in the envVars
map that gets persisted in attestations. Read it directly via
os.Getenv instead, while keeping the other non-sensitive reviewer
env vars (CI_PROJECT_PATH, CI_MERGE_REQUEST_PROJECT_PATH) in
ListEnvVars.

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis jiparis merged commit 3390768 into chainloop-dev:main Mar 15, 2026
15 checks passed
@jiparis jiparis deleted the jiparis/pfm-4945-impl branch March 15, 2026 10:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants