Auto assign reviewers as the author

Sincheol (David) Kimrequested to merge
grant-automation-bot-permission-to-change-mr-medatada into master

What does this MR do and why?

Auto-assign reviewers (MergeRequests::AutoAssignReviewersWorker) now runs as the merge request author and excludes service accounts from CODEOWNERS-based reviewer selection. It means that if the author doesn't have right to assign reviewers to merge requests, this feature will silently be skipped.

The worker previously passed automation_bot as current_user into MergeRequests::UpdateReviewersService, which gates on current_user.can?(:set_merge_request_metadata, mr). The bot is not a project member by default and had no policy grant for that ability, AssignService then returned error('Failed to assign reviewers'), and the worker discarded the result. Every auto-assign attempt silently no-op'd in production while specs passed.

The existing spec masked this by promoting the bot to project Maintainer via project.add_maintainer(automation_bot), which is unrealistic as the bot is never a member in production.

Changes

  • Run auto code owners assignment as the author to avoid allowing users who doesn't have right to perform this action
  • Exclude service accounts from the reviews list as UpdateReviewersService#new_user_ids checks the read_merge_request permission which makes the whole thing fail
  • Log Gitlab::AppLogger.warn from the error() so future silent-failure classes are visible.
  • remove project.add_maintainer(automation_bot) so the spec exercises the bot's real(non-member) permission profile.

References

#590879 (comment 3316414856)

Screenshots or screen recordings

Before After

How to set up and validate locally

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Sincheol (David) Kim

Merge request reports