ci: add Mergify merge queue and simplify CI

[unclesp1d3r]

Summary

• Add Mergify merge queue with squash merge method and CI check requirements
• Auto-queue release-plz and dependabot PRs; queue regular PRs on approval
• Remove changes job and all path-filter conditionals from CI -- all checks always run now, eliminating the skipped-check name mismatch complexity
• Simplify merge_protections to straight check-success (no more check-skipped fallbacks)

After merging

• Set "Mergify Merge Protections" as the required status check in branch protection (replacing "CI" if it was set)
• PRs will auto-enter the merge queue when approved
• Dependabot and release-plz PRs auto-queue without manual approval

Test plan

• CI passes on this PR (all jobs run unconditionally)
• Mergify validates the config (check the "Configuration Change Requirements" status)
• After merge, verify a dependabot PR auto-enters the queue

🤖 Generated with Claude Code

[coderabbitai]

Summary by CodeRabbit

• Chores
  • Simplified CI by removing change-based gating so quality, tests (including cross-platform) and coverage run consistently.
  • Removed the separate CodeQL analysis workflow.
  • Adjusted security checks to use the default policy configuration.
  • Added queue-based PR merge rules with explicit CI success requirements and automated routing for release and dependency PRs.

Walkthrough

Removes path-based change detection and gating from CI, making quality, test, test-cross-platform, and coverage jobs run unconditionally (or depend only on their direct predecessor). Adds explicit Mergify queue rules and flattens CI success_conditions. Deletes the CodeQL workflow and tweaks cargo-deny invocation to use the default config.

Changes

Cohort / File(s)	Summary
CI workflow (gating removed) .github/workflows/ci.yml	Deletes the change-detection job and path-filter gating; removes outputs/if conditions and makes quality, test, test-cross-platform, and coverage run unconditionally or only depend on preceding jobs.
Mergify queue & protections .mergify.yml	Adds queue_rules with a default squash-merge queue and three pull_request_rules (approved, release-plz, dependabot). Replaces nested/or-and success_conditions with a flat list of explicit CI checks; updates merge_protections description accordingly.
CodeQL workflow removed .github/workflows/codeql.yml	Removes the entire CodeQL analysis workflow (triggers, permissions, and analysis job).
Security check tweak .github/workflows/security.yml	Changes cargo deny invocation to use the default configuration by removing the explicit --config deny.ci.toml flag.

Sequence Diagram(s)

(omitted)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• ci: add release-plz for crates.io publishing #69 — Also modifies CI gating/ci-pass aggregation; related to removal of change-based gating.
• ci(Mergify): add outdated PR protection #75 — Adjusts Mergify merge_protections and success_conditions similarly; directly related to mergify.yml changes.
• Create CodeQL workflow for Rust analysis #3 — Adds/removes CodeQL workflow; directly related to the deletion of the CodeQL workflow file.

Poem

🐰 I hopped through workflows, trimmed each gate,
Now jobs run steady — no more wait.
Queues lined up, checks set straight,
Code cleaned, CI light and great.
Hoppity hop, merge on fate!

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main changes: adding Mergify merge queue and simplifying CI by removing path-filter conditionals and the changes job.
Description check	✅ Passed	The description is comprehensive and directly related to the changeset, covering the Mergify queue addition, removal of path-filter conditionals, CI simplification, and post-merge instructions.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Merge Conflict Detection	✅ Passed	✅ No merge conflicts detected when merging into main

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/mergify-merge-queue

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[mergify]

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 📃 Configuration Change Requirements

Wonderful, this rule succeeded.

Mergify configuration change

• check-success = Configuration changed

🟢 CI must pass

Wonderful, this rule succeeded.

All CI checks must pass or be legitimately skipped (path filtering). Matrix job names differ between running and skipped states, so the test-cross-platform rule uses an and/or pattern to handle both.

• any of:
  • check-success = quality
  • check-skipped = quality
• any of:
  • check-success = test
  • check-skipped = test
• any of:
  • all of:
    • check-success = test-cross-platform (macos-latest, macOS)
    • check-success = test-cross-platform (ubuntu-22.04, Linux)
    • check-success = test-cross-platform (ubuntu-latest, Linux)
    • check-success = test-cross-platform (windows-latest, Windows)
  • check-skipped = test-cross-platform
• any of:
  • check-success = coverage
  • check-skipped = coverage

🟢 Do not merge outdated PRs

Wonderful, this rule succeeded.

Make sure PRs are within 10 commits of the base branch before merging

• #commits-behind <= 10

[Copilot]

Pull request overview

This PR modernizes the CI/CD pipeline by introducing a Mergify merge queue and removing path-based conditional execution. The changes eliminate the complexity of handling skipped vs. running checks by ensuring all CI jobs run unconditionally, making the Mergify configuration simpler and more reliable.

Changes:

• Added Mergify merge queue with automatic queueing for approved PRs, release-plz PRs, and dependabot PRs
• Removed the changes job and all path-filter conditionals from CI workflow
• Simplified merge_protections to require straightforward check success without fallback logic for skipped checks

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
.mergify.yml	Added queue_rules for merge queue configuration and pull_request_rules for auto-queueing; simplified merge_protections to remove check-skipped fallback logic
.github/workflows/ci.yml	Removed changes job and all conditional execution based on path filters; updated job dependencies to only depend on test where needed

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[mergify]

🧪 CI Insights

Here's what we observed from your CI run for a20b421.

🟢 All jobs passed!

But CI Insights is watching 👀

[coderabbitai]

🧹 Nitpick comments (1)

.mergify.yml (1)

23-37: Consider adding do-not-merge label exclusion to auto-queue rules.

The "Queue PRs when approved" rule (line 18) includes label != do-not-merge, but the release-plz and dependabot auto-queue rules don't. If someone adds a do-not-merge label to a dependabot/release-plz PR to temporarily block it, the PR would still enter the queue.

This may be intentional (automated PRs typically don't need manual blocking), but for consistency you could add the label check.

💡 Optional: Add do-not-merge exclusion

   - name: Auto-queue release-plz PRs
     conditions:
       - base = main
       - "head ~= ^release-plz-"
+      - label != do-not-merge
     actions:
       queue:
         name: default

   - name: Auto-queue dependabot PRs
     conditions:
       - base = main
       - author = dependabot[bot]
+      - label != do-not-merge
     actions:
       queue:
         name: default