AO
PluginsSCMGitLab SCM

GitLab SCM

Merge requests, discussions, and pipelines via the glab CLI.

Slot: scm · Name: gitlab
macOSSupported
LinuxSupported
WindowsSupported

Setup

glab auth login
agent-orchestrator.yaml
scm: gitlab
scmConfig:
  host: gitlab.com       # default; override for self-hosted

Mapping

ConceptGitHub termGitLab term
Review requestPull requestMerge request
ReviewReviewDiscussion / note
CI statusCheck runsPipelines / jobs

AO normalises these internally — the dashboard and lifecycle state machine don't know which you use.

Webhook endpoint

AO's dashboard receives webhook events at:

POST /api/webhooks

The absolute URL is https://<your-ao-host>/api/webhooks. To expose your local dashboard publicly, see Remote access.

GitLab project settings

In your GitLab project go to Settings → Webhooks → Add new webhook:

  • URL: https://<your-ao-host>/api/webhooks
  • Secret token: the value of your secretEnvVar environment variable
  • Trigger events: Merge request events, Pipeline events, Push events, Note events (review comments)

Config

scm: gitlab
projects:
  myproject:
    repo: group/project
    scm:
      webhook:
        secretEnvVar: GITLAB_WEBHOOK_TOKEN    # env var holding the token

Full webhook.* sub-object:

FieldDefaultDescription
enabledtrueEnable or disable webhook processing
path/api/webhooksOverride the receive path
secretEnvVarName of the env var holding the token
signatureHeaderx-gitlab-tokenHeader carrying the secret token
eventHeaderx-gitlab-eventHeader carrying the event type
deliveryHeaderx-gitlab-event-uuidHeader carrying the delivery UUID
maxBodyBytesunlimitedReject payloads larger than this (bytes)

Verification: GitLab sends the configured secret as a literal string in X-Gitlab-Token. AO compares this value directly (no HMAC — unlike GitHub's SHA-256 approach).

Polling is still active as a fallback — webhooks are a latency optimisation, not a hard dependency.

Automated review authors

AO ignores review comments from known bot accounts so they don't block the merge-readiness check. The full list:

Hardcoded bots:

Username
gitlab-bot
ghost
dependabot[bot]
renovate[bot]
sast-bot
codeclimate[bot]
sonarcloud[bot]
snyk-bot

Runtime catch-all: any username matching /^project_\d+_bot/ (GitLab project access tokens) or ending in [bot].

See Review loop — bot detection for how AO uses this list during the review-pending → mergeable transition.

Edit on GitHub

GitHub SCM

PRs, reviews, and CI status via the gh CLI. Optional webhook for real-time events.

Notifiers overview

Who gets pinged when an agent needs you. Six notifiers ship; pick one or stack several.

On this page

Setup
Mapping
Webhook endpoint
GitLab project settings
Config
Automated review authors