As a deployed, given a list of commits about to be deployed I would like to be able to see who approved those commits, so that I can have confidence that the code has had sufficient code review.

I currently achieve this with a script that does the following:

• Identify merge commits with a message matching "Merge pull request #(\d+)"
• For each, hit the stash API to get the list of commits in the PR and approvers.
• Identify commits that do not have a matching PR - assume they have not been reviewed.

This is not ideal for a few reasons:
1. I have to have the git repository checked out locally to get the right set of commits and check for merge commits.
2. It misses any PRs that are merged with a custom description.
3. It prevents use of fast-forward merges. These are often preferable since they don't require a rebuild of master through CI.

A couple of potential solutions (just some ideas, may be a better way to solve this):

• Expose an API that given a commit, tells me what PRs (if any) it was in.
• Have Stash add a signed note to each commit including the approvers. (hrmm ... could maybe do this in a plugin?) (Note: can't use in-built git commit signing because it requires amending the commit, which breaks #3 above)