Support request for changes and approvals with Duo Code Review
Release notes
GitLab Duo Code Review can now request changes and approve merge requests. Organizations can configure whether Duo's approval is required before merging, making it a more powerful component of the code review workflow. Reviewers can also provide feedback when AI suggestions are incorrect, helping to improve future code reviews.
Problem to solve
As Duo Code Review becomes a more trusted and integrated piece of Code Review, its feedback needs to be properly incorporated into the review workflow. Currently, Duo Code Review just provides feedback, but users are able to resolve those threads and ignore the feedback from the review without any way to verify if issues were addressed.
As a developer using Duo Code Review, I want it to be able to request specific changes and verify those changes have been made, so I can ensure code quality standards are maintained and receive proper approval from the AI reviewer.
User experience goal
The user should be able to configure Duo Code Review to request changes on merge requests, receive verification that those changes were properly addressed, and receive approval from Duo, with the ability to override AI suggestions that may be incorrect.
Proposal
Enhance GitLab Duo Code Review to support a complete review workflow by implementing:
- Change request and approval capabilities:
  - Allow Duo to formally "request changes" on merge requests when it finds issues
  - Enable Duo to "approve" merge requests when all identified issues are resolved
  - Support re-review of changes to verify fixes
- Focused follow-up reviews:
  - On subsequent reviews, Duo should primarily verify that prior identified issues have been addressed
  - Also check any new/modified code introduced during fixes
  - Always use a focused approach to avoid creating an "infinite loop" of new issues with each review
- Override and feedback mechanism:
  - Allow users with appropriate permissions to override or dismiss Duo's change requests when they're inappropriate
  - Provide a simple way to indicate when AI suggestions are incorrect
- Configurable approval requirements:
  - Allow organizations to configure whether Duo's approval can:
    - Count as a valid approver for merge
    - Be required in addition to human reviewers
    - Only serve as advisory without blocking merges
- Review status visibility:
  - Clearly indicate Duo's review status in the merge request UI:
    - Approved: "Nice work!" when no issues found
    - Commented: When suggestions are made but not blocking
    - Changes Requested: When critical issues need addressing
User journey
- Initial merge request creation:
  - Developer creates a merge request and assigns @GitLabDuo as a reviewer
  - Duo analyzes the code and provides feedback, potentially "requesting changes"
  - The MR is returned to the developer with clear indications of what needs to be fixed
- Addressing feedback:
  - Developer addresses the requested changes in their code
  - Developer requests a re-review from Duo
  - Duo verifies the previously identified issues are fixed and checks any new code
- Approval flow:
  - If all critical issues are addressed, Duo approves the merge request
  - If configured as a valid approver, this approval contributes to meeting merge requirements
  - The MR can then proceed according to the project's approval workflow
- Handling incorrect suggestions:
  - If Duo makes incorrect suggestions, the developer can mark them as incorrect
  - Developer can provide context about why the suggestion is not applicable
  - MR can still proceed if Duo's approval is not strictly required or is overridden
Further details
Integration with existing approval workflows:
- Duo's approval should work seamlessly with existing approval rules
- Projects can configure whether Duo counts toward approval requirements
- Teams with compliance requirements can ensure human approval is still required
Configuration approach considerations:
- Duo Code Review settings:
  - Create configuration options within Duo settings to enable/disable the "request changes" workflow
  - Include settings for override permissions and behavior-specific options
  - Add a setting to control whether Duo's approvals "count" toward general approval requirements
  - These settings define Duo's behavior as a reviewer and the weight of its approvals
- Approval rules integration:
  - Integrate Duo's approval capabilities with existing approval rules interface
  - Allow Duo to be explicitly selected as an approval source in specific rules when needed
  - Respect the global "Duo approvals count" setting for generic rules like "Any approver"
  - These settings define how Duo's approval affects merge permissions in specific contexts
This separation allows behavioral configuration to live with other Duo settings while keeping approval consequences within the familiar approval rules system. The global "Duo approvals count" setting ensures organizations can control whether AI approvals satisfy generic approval requirements without needing to modify each rule.
Override mechanism for incorrect suggestions:
- Allow users to indicate when suggestions are not applicable
- Support appropriate permissions for overriding Duo's change requests
- Maintain audit trail of override decisions for transparency
Resolving requested changes:
- When Duo has requested changes, it must verify those changes before the MR can proceed
- After verification, Duo should provide a standard approval to the MR
- This approval will:
  - Clear the "changes requested" status from Duo
  - Count toward approval requirements based on:
    - The global "Duo approvals count" setting for generic rules
    - Explicit inclusion of Duo in specific approval rules
  - Allow the MR to proceed even if Duo is not counted toward required approvers
- This approach maintains the blocking nature of requested changes while integrating smoothly with the existing approval system
- Even if Duo's approval doesn't count toward approval requirements, its approval is still required to resolve its own "changes requested" status
UI mockups: See the accompanying settings UI mockup that illustrates:
- Toggle for enabling the "request changes" workflow
- Option to control whether Duo approvals count in generic approval rules
- Dropdown for configuring which roles can override Duo change requests
This mockup provides a visual guide for implementing the key configuration settings described in this feature.
Compliance considerations:
- For regulated environments, configure Duo as an advisory reviewer only
- Ensure human reviews are still required for compliance purposes
- Provide audit trail of which suggestions were implemented vs. overridden
Feature Usage Metrics
We will track:
- Engagement metrics:
  - Number of merge requests with Duo as reviewer
  - Percentage of MRs where Duo requested changes
  - Percentage of MRs approved by Duo
  - Average number of review cycles before approval
- Quality metrics:
  - Number of Duo suggestions implemented vs. dismissed
  - User override frequency and patterns
  - Types of issues most commonly identified by Duo
- Workflow impact:
  - Time to resolution for Duo-reviewed MRs vs. human-only reviews
  - Reduction in human reviewer comments after Duo adoption
  - Percentage of projects configuring Duo as required approver
What does success look like, and how can we measure that?
Success for this feature means:
- Increased usage and trust:
  - Increase in Duo Code Review usage after release
  - More projects using Duo as part of their approval workflow
  - High retention rate of projects using Duo as reviewer
- Workflow improvements:
  - Reduction in time to merge for MRs reviewed by Duo
  - Reduction in number of review cycles needed before approval
  - Positive user feedback on the approval workflow
- Code quality impact:
  - Reduction in post-merge issues for code reviewed by Duo
  - More consistent code quality across projects
We will measure this through a combination of usage data, user surveys, and analyzing the correlation between Duo reviews and issue/bug reports.
What is the competitive advantage or differentiation for this feature?
This feature differentiates GitLab's AI code review capabilities by:
- Complete integration with approval workflows: Unlike standalone AI code review tools, Duo is fully integrated into GitLab's merge request approval system.
- Configurability for different compliance needs: Organizations can configure how Duo's approvals integrate with their requirements, supporting both highly automated and compliance-focused workflows.
- Focused re-reviews: Smart handling of subsequent reviews prevents the "infinite loop" problem that plagues many AI code reviewers, focusing on verifying fixes rather than continuously finding new issues.
- Override capabilities: The ability for users with appropriate permissions to override incorrect AI suggestions provides necessary flexibility while maintaining review integrity.
By creating a true AI reviewer that can participate in the approval workflow while respecting the need for human oversight, GitLab provides a more complete and practical AI code review solution than competitors.
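
The gating rules under "Resolving requested changes" and "Override mechanism for incorrect suggestions", modelled as an added Ruby sketch; it is not part of the proposal and not GitLab code. `Rule`, `Settings`, `evaluate_merge`, the role name and the approver names are all hypothetical.

```ruby
# Added illustration: every name here is hypothetical, not GitLab's API.
require "set"

DUO = "duo"
# eligible: nil means a generic "Any approver" rule; otherwise a Set of names.
Rule = Struct.new(:name, :required, :eligible, keyword_init: true)
Settings = Struct.new(:duo_approvals_count, :override_roles, keyword_init: true)

# Returns [mergeable, blocking_reasons, audit_entries].
def evaluate_merge(rules:, approvals:, duo_status:, settings:, override: nil)
  reasons = []
  audit = []

  # Duo's own "changes requested" blocks until Duo approves or a user in a
  # permitted role overrides it; every accepted override is recorded for audit.
  if duo_status == :changes_requested
    if override && settings.override_roles.include?(override[:role])
      audit << "#{override[:user]} (#{override[:role]}) overrode Duo: #{override[:reason]}"
    else
      reasons << "Duo requested changes"
    end
  end

  rules.each do |rule|
    counted = approvals.uniq.select do |who|
      if rule.eligible
        rule.eligible.include?(who) # Duo counts only if explicitly listed
      else
        who != DUO || settings.duo_approvals_count # global setting, generic rules
      end
    end
    if counted.size < rule.required
      reasons << "#{rule.name}: #{counted.size}/#{rule.required} approvals"
    end
  end

  [reasons.empty?, reasons, audit]
end

# Constructed sample: advisory-only Duo plus a human-only compliance rule.
SETTINGS = Settings.new(duo_approvals_count: false, override_roles: Set["maintainer"])
RULES = [
  Rule.new(name: "Any approver", required: 1, eligible: nil),
  Rule.new(name: "Compliance", required: 1, eligible: Set["alice", "bob"])
]
p evaluate_merge(rules: RULES, approvals: ["duo"], duo_status: :approved, settings: SETTINGS)
```

With the sample settings, a Duo approval alone satisfies neither rule, and a human approval cannot clear Duo's "changes requested" status without an override from a permitted role.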