
Remove pr-add-reviewers.yml (auto-add of compromised cx-plugins-releases account) (AST-154939, CISO-1134) #1492

Merged
cx-noam-brendel merged 1 commit into Checkmarx:main from cx-noam-brendel:remove-compromised-reviewer-cx-plugins-releases on May 10, 2026

Conversation

@cx-noam-brendel
Collaborator

Why

The workflow's only step hard-codes cx-plugins-releases as a PR reviewer:

run: gh pr edit $PRNUM --add-reviewer cx-plugins-releases

The cx-plugins-releases account ("AST Sypher", astsypher@checkmarx.com) appears to be compromised by the Mini Shai-Hulud supply-chain worm:

  • On 2026-05-09 it created 11 public Dune-themed repos under github.com/cx-plugins-releases/* (fedaykin-laza-800, fremen-navigator-45, mentat-navigator-388, …), each described as "A Mini Shai-Hulud has Appeared" and containing a results/ directory with exfiltrated data dumps (one repo holds ~52 MB of split JSON).
  • The same day, a rogue version 2026.5.09 of checkmarx-ast-scanner was uploaded to repo.jenkins-ci.org/releases/... outside the plugin's release pipeline (no git tag, no release, no workflow run produced it).
  • ~1,930 victim repos org-wide on GitHub match the same campaign.

Auto-adding this account as reviewer across Checkmarx PRs embeds a now-untrusted principal into our PR flow. Removing the static reference until Security/IR completes credential rotation and a clean replacement reviewer is decided.

What this PR does

Deletes .github/workflows/pr-add-reviewers.yml outright. The workflow had no other purpose; once the compromised user is removed, the file becomes a no-op. Easier to re-introduce a clean version later than to leave dead code.

Related

cc @AlexMarviCx (please tag the right Security/IR contacts)

The workflow's only step hard-coded `cx-plugins-releases` as a PR
reviewer. That account ("AST Sypher", astsypher@checkmarx.com) appears
compromised by the Mini Shai-Hulud supply-chain worm: on 2026-05-09 it
created 11 public Dune-themed repos containing exfiltrated secrets in
results/ directories (one ~52 MB), and the same day a rogue version
2026.5.09 of the checkmarx-ast-scanner Jenkins plugin was published
outside the release pipeline.

Removing the static reference until Security/IR completes the rotation
and a clean replacement reviewer is decided.
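The static reviewer reference this PR removes is the kind of thing worth checking for across all workflow files, not just the one known file. The following scanner is an added example written for this page, not code from the PR or from the Checkmarx project: it walks GitHub Actions workflow text for `gh pr edit ... --add-reviewer` invocations, extracts every literally written reviewer, and flags any that appear on a block-list of accounts currently considered untrusted. The sample workflow contents, the `nightly-triage.yml` and `manual.yml` file names, and the `example-team/maintainers` and `example-bot` reviewers are constructed for illustration; only the `pr-add-reviewers.yml` step and the `cx-plugins-releases` login come from the PR text.

```python
"""Added example: find reviewers hard-coded into `gh pr edit --add-reviewer`
steps across GitHub Actions workflow files and flag untrusted accounts.
Sample workflows and file names below are constructed for illustration."""
import re
from pathlib import Path
from typing import Dict, List, Tuple

# gh accepts `--add-reviewer NAME`, `--add-reviewer=NAME` and comma-separated lists.
# The character class only matches literal logins/team slugs, so a value taken
# from an expression such as `${{ inputs.reviewer }}` is not reported as static.
ADD_REVIEWER_RE = re.compile(r"--add-reviewer(?:=|\s+)([A-Za-z0-9_./,-]+)")

Finding = Tuple[str, int, str]  # (workflow file name, line number, reviewer)


def find_hardcoded_reviewers(workflows: Dict[str, str]) -> List[Finding]:
    """Return every reviewer literally written into an --add-reviewer flag.

    `workflows` maps a workflow file name to its YAML text.
    """
    findings: List[Finding] = []
    for name, text in workflows.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for match in ADD_REVIEWER_RE.finditer(line):
                for reviewer in match.group(1).split(","):
                    reviewer = reviewer.strip()
                    if reviewer:
                        findings.append((name, lineno, reviewer))
    return findings


def untrusted_reviewer_findings(findings: List[Finding], blocklist: List[str]) -> List[Finding]:
    """Keep only findings whose reviewer is on the block-list.

    GitHub logins are case-insensitive, so the comparison is too.
    """
    blocked = {b.lower() for b in blocklist}
    return [f for f in findings if f[2].lower() in blocked]


def scan_workflow_dir(root: Path) -> List[Finding]:
    """Read every .yml/.yaml file in a .github/workflows directory and scan it."""
    workflows = {
        p.name: p.read_text(encoding="utf-8") for p in sorted(root.glob("*.y*ml"))
    }
    return find_hardcoded_reviewers(workflows)


# Constructed sample workflows. The first mirrors the single step the PR deletes;
# the other two files and their reviewer names are hypothetical.
SAMPLE_WORKFLOWS = {
    "pr-add-reviewers.yml": """\
name: Add reviewers
on:
  pull_request:
    types: [opened]
jobs:
  add:
    runs-on: ubuntu-latest
    steps:
      - env:
          PRNUM: ${{ github.event.pull_request.number }}
          GH_TOKEN: ${{ github.token }}
        run: gh pr edit $PRNUM --add-reviewer cx-plugins-releases
""",
    "nightly-triage.yml": """\
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - run: gh pr edit $PRNUM --add-reviewer=example-team/maintainers,example-bot
""",
    "manual.yml": """\
jobs:
  manual:
    runs-on: ubuntu-latest
    steps:
      - run: gh pr edit $PRNUM --add-reviewer ${{ inputs.reviewer }}
""",
}

# Constructed block-list; the login itself is the one named in the PR.
UNTRUSTED_ACCOUNTS = ["cx-plugins-releases"]


def report() -> List[Finding]:
    """Scan the sample workflows and return the findings that hit the block-list."""
    findings = find_hardcoded_reviewers(SAMPLE_WORKFLOWS)
    flagged = untrusted_reviewer_findings(findings, UNTRUSTED_ACCOUNTS)
    for name, lineno, reviewer in flagged:
        print(f"{name}:{lineno}: hard-coded untrusted reviewer {reviewer!r}")
    return flagged


if __name__ == "__main__":
    report()
```

Running the block prints `pr-add-reviewers.yml:12: hard-coded untrusted reviewer 'cx-plugins-releases'`; the team slug and bot in the constructed triage workflow are still returned by `find_hardcoded_reviewers` so that a reviewer can decide whether those references are intended, while the expression-driven reviewer in `manual.yml` is not a static reference and is not reported at all. `scan_workflow_dir(Path(".github/workflows"))` applies the same logic to a checked-out repository.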
@cx-eli-shalnev cx-eli-shalnev disabled auto-merge on May 10, 2026 09:22
@cx-noam-brendel cx-noam-brendel enabled auto-merge (squash) on May 10, 2026 09:23
@cx-noam-brendel cx-noam-brendel changed the title from "Remove pr-add-reviewers.yml (auto-add of compromised cx-plugins-releases account)" to "Remove pr-add-reviewers.yml (auto-add of compromised cx-plugins-releases account) (CISO-1134)" on May 10, 2026
@cx-noam-brendel
Collaborator Author

@Checkmarx/sg-app-github-owners-local — please review and bypass-merge.

Context: active Mini Shai-Hulud supply-chain worm response. Tracked under CISO-1134 (parent epic CISO-815). The cx-plugins-releases ("AST Sypher", astsypher@checkmarx.com) GitHub account that this workflow auto-adds as reviewer appears compromised:

  • 11 public Dune-themed exfil repos created on its account on 2026-05-09 (one ~52 MB), each described as "A Mini Shai-Hulud has Appeared".
  • Same day, a rogue version 2026.5.09 of checkmarx-ast-scanner was uploaded to repo.jenkins-ci.org outside the release pipeline — already yanked via jenkins-infra/update-center2#914 (merged) and warning entry pending in #916.

This PR removes the static reference. While it's open, every PR opened in this repo continues to auto-assign the compromised account as reviewer. Forensic write-up: ~/Downloads/forensic-report-checkmarx-ast-scanner-2026.5.09.md (Noam Brendel).

The Checkmarx One Scan and lint failures are policy/secrets-related (fork PR can't run the Checkmarx scan; lint requires Jira ID — now (CISO-1134) is in the title). Please bypass-merge under the org ruleset.

@cx-noam-brendel cx-noam-brendel changed the title from "Remove pr-add-reviewers.yml (auto-add of compromised cx-plugins-releases account) (CISO-1134)" to "Remove pr-add-reviewers.yml (auto-add of compromised cx-plugins-releases account) (AST-154939, CISO-1134)" on May 10, 2026
@cx-noam-brendel
Collaborator Author

Update for the bypass team — title now contains the required (AST-154939) plus (CISO-1134) for the parent CISO incident ticket.

The three failing required checks (Checkmarx One Scan, integration-tests, scan Docker Image with Trivy) are fork-PR secret failures, not real test failures. Excerpt from the integration-tests log:

err: assertion failed: error is not nil:
     Error validating scan types: Failed to authenticate - please provide an access key ID

GitHub does not pass repository secrets to workflows triggered by pull_request from a fork (standard supply-chain protection). This PR is from cx-noam-brendel/ast-cli-fork, so the runs spawn but die at the auth step. The change itself is one deletion: .github/workflows/pr-add-reviewers.yml.

Please admin-merge despite the failing checks. The bleeding (auto-adding the compromised cx-plugins-releases account to every new PR) keeps happening until this lands.

@cx-noam-brendel cx-noam-brendel merged commit 2899d9e into Checkmarx:main May 10, 2026
6 of 12 checks passed