feat: add reviewers to PR metadata#2857
Merged
Merged
Conversation
Add a reviewers field to PR/MR metadata collected during attestation, enabling detection of AI agent reviewers in the software supply chain. For GitHub, reviewers are parsed from the requested_reviewers array in the event payload. For GitLab, reviewers are fetched from the MR API using CI_JOB_TOKEN (best-effort, gracefully degrades if unavailable). Introduces pr-info schema v1.1 with the new reviewers field while preserving v1.0 for backward compatibility. Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
There was a problem hiding this comment.
5 issues found across 12 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="pkg/attestation/crafter/prmetadata_test.go">
<violation number="1" location="pkg/attestation/crafter/prmetadata_test.go:81">
P2: This test locks the new GitLab `reviewers` field to empty instead of covering the integration path that should populate it, so wiring regressions can slip through.
(Based on your team's feedback about adding or updating tests for new paths.) [FEEDBACK_USED]</violation>
</file>
<file name="pkg/attestation/crafter/materials/chainloop_pr_info_test.go">
<violation number="1" location="pkg/attestation/crafter/materials/chainloop_pr_info_test.go:121">
P2: Keep a v1.0 validation assertion here as well. Replacing the old check with v1.1 removes test coverage for the backward-compatible 1.0 schema path.
(Based on your team's feedback about cross-version compatibility.) [FEEDBACK_USED]</violation>
</file>
<file name="pkg/attestation/crafter/prmetadata.go">
<violation number="1" location="pkg/attestation/crafter/prmetadata.go:167">
P2: Use the merge-request project path here; `CI_PROJECT_PATH` will miss reviewers for fork-based GitLab MRs.</violation>
</file>
<file name="internal/prinfo/prinfo.go">
<violation number="1" location="internal/prinfo/prinfo.go:42">
P2: `omitempty` makes reviewer collection failures indistinguishable from a PR/MR that truly has no reviewers, so downstream policy checks can silently miss unavailable reviewer data.
(Based on your team's feedback about preferring explicit states over omission.) [FEEDBACK_USED]</violation>
</file>
<file name="internal/prinfo/prinfo_test.go">
<violation number="1" location="internal/prinfo/prinfo_test.go:178">
P2: Keep a test path for `PRInfoVersion1_0`; this change drops coverage for the backward-compatible schema the PR says is still supported.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
- Use CI_MERGE_REQUEST_PROJECT_PATH for fork-based GitLab MRs, falling back to CI_PROJECT_PATH - Add v1.0 schema backward compatibility tests - Add integration test for GitLab MR metadata with reviewers via API Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
There was a problem hiding this comment.
1 issue found across 4 files (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="pkg/attestation/crafter/prmetadata.go">
<violation number="1" location="pkg/attestation/crafter/prmetadata.go:168">
P2: Use `envVars` here instead of `os.Getenv`, otherwise reviewer collection can fail in runners that supply CI context via `ResolveEnvVars` rather than the process environment.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
migmartri
approved these changes
Mar 14, 2026
migmartri
left a comment
Member
There was a problem hiding this comment.
I was actually thinking about this today :)
Use the envVars map from ResolveEnvVars instead of os.Getenv for CI_SERVER_URL, CI_MERGE_REQUEST_PROJECT_PATH, CI_PROJECT_PATH, and CI_JOB_TOKEN. This ensures reviewer collection works correctly in runners that supply CI context via ResolveEnvVars rather than the process environment. Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
Add CI_PROJECT_PATH, CI_JOB_TOKEN, and CI_MERGE_REQUEST_PROJECT_PATH to the GitLab runner's ListEnvVars so they are resolved via ResolveEnvVars and available in the envVars map for reviewer fetching. Also add them to the Dagger runner for GitLab-in-Dagger contexts. Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
There was a problem hiding this comment.
2 issues found across 4 files (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="pkg/attestation/crafter/runners/gitlabpipeline.go">
<violation number="1" location="pkg/attestation/crafter/runners/gitlabpipeline.go:82">
P1: Do not include `CI_JOB_TOKEN` in `ListEnvVars`; it will leak the job token into persisted attestation metadata.</violation>
</file>
<file name="pkg/attestation/crafter/runners/daggerpipeline.go">
<violation number="1" location="pkg/attestation/crafter/runners/daggerpipeline.go:74">
P1: Do not inject `CI_JOB_TOKEN` into attestation metadata; this leaks a live GitLab credential.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
…tions CI_JOB_TOKEN is sensitive and should not be included in the envVars map that gets persisted in attestations. Read it directly via os.Getenv instead, while keeping the other non-sensitive reviewer env vars (CI_PROJECT_PATH, CI_MERGE_REQUEST_PROJECT_PATH) in ListEnvVars. Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
migmartri
approved these changes
Mar 15, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is a follow up for #2843. Adding reviewers to PR metadata to look for known bots.
reviewersfield to PR/MR metadata collected during attestation, enabling detection of AI agent reviewers (e.g., coderabbitai, cubic-dev-ai, devin-ai-integration) in the software supply chainrequested_reviewersin the event payload (no API call needed)CI_JOB_TOKEN(best-effort, graceful degradation)reviewersfield while preserving v1.0 for backward compatibility