Auto assign reviewers as the author
What does this MR do and why?
Auto-assign reviewers (MergeRequests::AutoAssignReviewersWorker) now runs as the merge request author and excludes service accounts from CODEOWNERS-based reviewer selection. It means that if the author doesn't have right to assign reviewers to merge requests, this feature will silently be skipped.
The worker previously passed automation_bot as current_user into MergeRequests::UpdateReviewersService, which gates on current_user.can?(:set_merge_request_metadata, mr). The bot is not a project member by default and had no policy grant for that ability, AssignService then returned error('Failed to assign reviewers'), and the worker discarded the result. Every auto-assign attempt silently no-op'd in production while specs passed.
The existing spec masked this by promoting the bot to project Maintainer via project.add_maintainer(automation_bot), which is unrealistic as the bot is never a member in production.
Changes
- Run auto code owners assignment as the author to avoid allowing users who doesn't have right to perform this action
- Exclude service accounts from the reviews list as
UpdateReviewersService#new_user_idschecks the read_merge_request permission which makes the whole thing fail - Log
Gitlab::AppLogger.warnfrom theerror()so future silent-failure classes are visible. - remove
project.add_maintainer(automation_bot)so the spec exercises the bot's real(non-member) permission profile.
References
Screenshots or screen recordings
| Before | After |
|---|---|
How to set up and validate locally
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.