Require additional approvals for merge requests with AI-authored commits

Proposal

The Problem

Organizations using AI tools to create branches and merge requests need enhanced oversight for AI-generated code changes. Current approval policies apply uniformly to all merge requests regardless of authorship. When AI agents submit code, there is no native way to require additional human review beyond the standard approval requirements. This creates a governance gap where AI-generated changes could be merged with the same level of scrutiny as human-authored changes, despite the need for extra validation of automated code contributions.

Use Case

The customer has a standard policy requiring 1 non-author approval for all merge requests. They are implementing AI tooling that will autonomously create branches and submit merge requests. To maintain appropriate oversight, they want to require 2 human approvals specifically for merge requests containing commits authored by AI service accounts, while maintaining the existing 1-approval requirement for human-authored changes. This ensures AI-generated code receives enhanced scrutiny before reaching production.

Proposed Solution

Introduce conditional approval rules based on commit authorship. Allow administrators to configure approval policies that detect when a merge request contains commits authored by specific users (such as AI service accounts or bots) and automatically require additional approvals. This could be implemented as:

  • A new approval rule type that triggers based on commit author identity
  • Configuration option to specify which users/service accounts should trigger enhanced approval requirements
  • Ability to set different minimum approval counts based on whether AI-authored commits are present
  • Clear visibility in the merge request UI indicating when enhanced approval requirements are active due to AI authorship

@phikai - This feature request is coming from an Ultimate customer who is looking at solutions to ensure their AI-submitted MRs are compliant. Would love to hear your thoughts on this!
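
The rule described under "Proposed Solution", sketched as an added example that is not part of the original proposal or any GitLab code. The `ApprovalPolicy` and `MergeRequest` shapes, their field names and the usernames are hypothetical, and the sketch assumes commit authors have already been resolved to platform accounts and that approvals from the MR author or from flagged accounts do not count.

```python
from dataclasses import dataclass, field

# Hypothetical policy shape for illustration; these names are not GitLab settings.
@dataclass(frozen=True)
class ApprovalPolicy:
    flagged_accounts: frozenset      # AI service accounts / bots (lowercase usernames)
    baseline_approvals: int = 1      # standard rule from the use case
    enhanced_approvals: int = 2      # rule when a flagged account authored a commit

@dataclass
class MergeRequest:
    author: str                      # account that opened the merge request
    commit_authors: list             # one username per commit, already resolved
    approvers: list = field(default_factory=list)

def _norm(username: str) -> str:
    return username.strip().lower()

def evaluate(policy: ApprovalPolicy, mr: MergeRequest) -> dict:
    """Decide how many approvals an MR needs and whether it has them."""
    flagged_in_mr = sorted({_norm(a) for a in mr.commit_authors} & policy.flagged_accounts)
    required = policy.enhanced_approvals if flagged_in_mr else policy.baseline_approvals
    # Count each approver once; the MR author and flagged accounts never count,
    # so an agent cannot satisfy the human-review requirement for its own change.
    excluded = policy.flagged_accounts | {_norm(mr.author)}
    valid = sorted({_norm(a) for a in mr.approvers} - excluded)
    return {
        "enhanced": bool(flagged_in_mr),   # drives the UI indicator
        "triggered_by": flagged_in_mr,
        "required": required,
        "valid_approvers": valid,
        "mergeable": len(valid) >= required,
    }

# Constructed sample data (usernames are made up).
POLICY = ApprovalPolicy(flagged_accounts=frozenset({"ai-agent"}))
SAMPLES = {
    "human MR": MergeRequest("alice", ["alice"], ["bob"]),
    "AI MR, one reviewer": MergeRequest("ai-agent", ["ai-agent"], ["bob", "ai-agent"]),
    "mixed MR, author approves": MergeRequest("alice", ["alice", "AI-Agent"], ["alice", "bob"]),
    "AI MR, two reviewers": MergeRequest("ai-agent", ["ai-agent"], ["bob", "carol", "bob"]),
}

if __name__ == "__main__":
    for name, mr in SAMPLES.items():
        r = evaluate(POLICY, mr)
        print(f"{name}: need {r['required']}, have {r['valid_approvers']}, mergeable={r['mergeable']}")
```

The mixed case shows why the rule keys on commit authorship rather than on who opened the merge request: a human-opened MR that carries one flagged commit still moves to the 2-approval requirement.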