How Attercop works

One job: notice when a pull request has waited too long for review, and send the reviewer a polite Slack nudge. Here's exactly how โ€” and exactly what it touches.

The flow

  1. 1

    Connect Slack and GitHub

    Authorize Slack, then install the GitHub app on the repos you choose. We only ever read pull requests and post Slack messages.

  2. 2

    Choose repos and a threshold

    Pick which repositories to watch and how long a PR may sit awaiting review before a nudge โ€” 24 hours by default, adjustable per repo.

  3. 3

    A scheduled check does the watching

    Staleness is the absence of activity, so a webhook can't catch it. Every 30 minutes Attercop scans your watched repos' open PRs and compares each one's last activity to your threshold.

  4. 4

    The reviewer gets one nudge

    When a PR crosses the line, the pending reviewer gets a single Slack message โ€” not a repeat every tick. A new round of activity resets the clock.

AttercopApp10:42 AM

๐Ÿ‘€ Heads up โ€” acme/web #214 Add rate limiting to the API gateway has been waiting on your review for about 26h.

What we access, and why

We ask for the narrowest set of permissions the job needs, and use them for nothing else.

GitHubPull requests: Read ยท Metadata: Read

Attercop is a GitHub App with exactly two read-only permissions โ€” Pull requests and Metadata โ€” and you choose which repositories it's installed on. It reads PRs and nothing else: no access to your code, no write access, no other repos. There is no broad repo scope, and no long-lived token is stored โ€” each run mints a short-lived installation token from the app key.

Slackchat:write, users:read, users:read.email

chat:write posts the nudge; users:read.email lets us match a reviewer's GitHub email to their Slack account so the DM reaches the right person.

How a nudge reaches the right person

We try to DM the reviewer directly by matching their public GitHub email to a Slack account. Be aware: GitHub usually hides that email, so when we can't match it, the nudge is posted to a fallback Slack channel you configure (invite the bot to it). In real teams the fallback channel does most of the work โ€” setting one is part of onboarding, and there's a one-click test to confirm it's wired up.

Your data and security

  • Your Slack bot token is stored server-side and never exposed to the browser. GitHub access uses a short-lived token minted from the app key at run time โ€” nothing long-lived is stored.
  • Access is owner-scoped with Postgres row-level security โ€” your workspace can only ever read its own data.
  • Billing runs through Stripe Checkout and the Customer Portal โ€” we never see or store your card details.
  • Disconnect Slack or GitHub at any time, or email support@attercop.dev to delete your account and data.