From f932c64c4243f90a617745f5e29782f961272bcb Mon Sep 17 00:00:00 2001
From: UncleSp1d3r
Date: Sun, 15 Feb 2026 17:34:33 -0500
Subject: [PATCH 1/2] ci: add Mergify merge queue and simplify CI workflow

- Add merge queue (squash method) with CI check requirements
- Auto-queue release-plz and dependabot PRs
- Queue regular PRs on approval (>= 1 review)
- Remove changes job and path-filter conditionals so all CI checks always run, eliminating skipped-check complexity
- Simplify merge_protections now that checks never skip
- Keep merge_protections as safety net against queue bypass

Signed-off-by: UncleSp1d3r
---
 .github/workflows/ci.yml | 44 ++-------------------------
 .mergify.yml             | 66 ++++++++++++++++++++++++++++------------
 2 files changed, 49 insertions(+), 61 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index bc1edd3c..ff278bf6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -21,38 +21,8 @@ env:
   GITHUB_ACTIONS: true
 jobs:
-  # Detect if Rust code has changed
-  changes:
-    runs-on: ubuntu-latest
-    outputs:
-      rust: ${{ steps.filter.outputs.rust }}
-      docs: ${{ steps.filter.outputs.docs }}
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
-        id: filter
-        with:
-          filters: |
-            rust:
-              - '**/*.rs'
-              - '**/Cargo.toml'
-              - '**/Cargo.lock'
-              - '**/build.rs'
-              - 'justfile'
-              - 'rust-toolchain.toml'
-              - 'deny.toml'
-            docs:
-              - 'docs/**'
-              - '*.md'
-              - '.kiro/**'
-              - 'spec/**'
-
-  # Code quality checks - always run
   quality:
     runs-on: ubuntu-latest
-    needs: changes
-    if: needs.changes.outputs.rust == 'true'
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - uses: dtolnay/rust-toolchain@0dd4a6d07aedb0ef7f65e79f3e229a6c102ae2e0 # 1.91.0
@@ -69,8 +39,6 @@ jobs:
   test:
     runs-on: ubuntu-latest
-    needs: changes
-    if: needs.changes.outputs.rust == 'true'
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - uses: jdx/mise-action@6d1e696aa24c1aa1bcc1adea0212707c71ab78a8 # v3.6.1
@@ -85,26 +53,21 @@ jobs:
       - name: Build release
         run: cargo build --release --all-features
-  # Test cross-platform - only run when Rust code changes
   test-cross-platform:
     strategy:
       matrix:
         include:
-          # Primary Support - Linux
           - os: ubuntu-latest
             platform: "Linux"
           - os: ubuntu-22.04
             platform: "Linux"
-          # Primary Support - macOS (using available runners)
           - os: macos-latest
             platform: "macOS"
-          # Primary Support - Windows
           - os: windows-latest
             platform: "Windows"
     runs-on: ${{ matrix.os }}
-    needs: [changes, test]
-    if: needs.changes.outputs.rust == 'true'
+    needs: test
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - uses: jdx/mise-action@6d1e696aa24c1aa1bcc1adea0212707c71ab78a8 # v3.6.1
@@ -113,15 +76,12 @@ jobs:
         cache: true
         github_token: ${{ secrets.GITHUB_TOKEN }}
-      # Run tests and build the release binary
       - run: cargo nextest run --all-features
       - run: cargo build --release --all-features
-  # Generate coverage for TLS-enabled builds - only run when Rust code changes
   coverage:
     runs-on: ubuntu-latest
-    needs: [changes, test]
-    if: needs.changes.outputs.rust == 'true'
+    needs: test
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - uses: jdx/mise-action@6d1e696aa24c1aa1bcc1adea0212707c71ab78a8 # v3.6.1
diff --git a/.mergify.yml b/.mergify.yml
index e1360c07..8a04dbef 100644
--- a/.mergify.yml
+++ b/.mergify.yml
@@ -1,28 +1,56 @@
+queue_rules:
+  - name: default
+    merge_method: squash
+    merge_conditions:
+      - check-success = quality
+      - check-success = test
+      - "check-success = test-cross-platform (ubuntu-latest, Linux)"
+      - "check-success = test-cross-platform (ubuntu-22.04, Linux)"
+      - "check-success = test-cross-platform (macos-latest, macOS)"
+      - "check-success = test-cross-platform (windows-latest, Windows)"
+      - check-success = coverage
+
+pull_request_rules:
+  - name: Queue PRs when approved
+    conditions:
+      - base = main
+      - "#approved-reviews-by >= 1"
+      - label != do-not-merge
+    actions:
+      queue:
+        name: default
+
+  - name: Auto-queue release-plz PRs
+    conditions:
+      - base = main
+      - "head ~= ^release-plz-"
+    actions:
+      queue:
+        name: default
+
+  - name: Auto-queue dependabot PRs
+    conditions:
+      - base = main
+      - author = dependabot[bot]
+    actions:
+      queue:
+        name: default
+
 merge_protections:
   - name: CI must pass
     description: >-
-      All CI checks must pass or be legitimately skipped (path filtering).
-      Matrix job names differ between running and skipped states, so the
-      test-cross-platform rule uses an and/or pattern to handle both.
+      All CI checks must pass. This protection prevents manual merges
+      that bypass the merge queue.
     if:
       - base = main
     success_conditions:
-      - or:
-          - check-success = quality
-          - check-skipped = quality
-      - or:
-          - check-success = test
-          - check-skipped = test
-      - or:
-          - and:
-              - "check-success = test-cross-platform (ubuntu-latest, Linux)"
-              - "check-success = test-cross-platform (ubuntu-22.04, Linux)"
-              - "check-success = test-cross-platform (macos-latest, macOS)"
-              - "check-success = test-cross-platform (windows-latest, Windows)"
-          - check-skipped = test-cross-platform
-      - or:
-          - check-success = coverage
-          - check-skipped = coverage
+      - check-success = quality
+      - check-success = test
+      - "check-success = test-cross-platform (ubuntu-latest, Linux)"
+      - "check-success = test-cross-platform (ubuntu-22.04, Linux)"
+      - "check-success = test-cross-platform (macos-latest, macOS)"
+      - "check-success = test-cross-platform (windows-latest, Windows)"
+      - check-success = coverage
   - name: Do not merge outdated PRs
     description: Make sure PRs are within 10 commits of the base branch before merging

From a20b42113de6c3d21c01fcb8582104670c67ed7c Mon Sep 17 00:00:00 2001
From: UncleSp1d3r
Date: Sun, 15 Feb 2026 17:40:45 -0500
Subject: [PATCH 2/2] ci: fix cargo deny config path and remove advanced CodeQL workflow

- Fix security workflow: use deny.toml (deny.ci.toml never existed, causing all license checks to fail with default deny-all config)
- Remove advanced CodeQL workflow in favor of standard GitHub default code scanning setup (configured via repo settings)

Signed-off-by: UncleSp1d3r
---
 .github/workflows/codeql.yml   | 35 ----------------------------------
 .github/workflows/security.yml |  2 +-
 2 files changed, 1 insertion(+), 36 deletions(-)
 delete mode 100644 .github/workflows/codeql.yml

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
deleted file mode 100644
index 3dabbf10..00000000
--- a/.github/workflows/codeql.yml
+++ /dev/null
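Review bot: The "Auto-queue release-plz PRs" rule enqueues a pull request on branch name alone (`head ~= ^release-plz-`) with no review and no author check, so any PR whose head branch starts with `release-plz-` would be squash-merged as soon as the listed checks pass; it should pin the opening identity the way the dependabot rule does with `author = dependabot[bot]`, e.g. `- author = <release-plz bot account>` (placeholder, use whatever account release-plz opens PRs under), and, if your Mergify version provides one, a head-repository condition as well. Both auto-queue rules also omit the `- label != do-not-merge` guard that "Queue PRs when approved" has, which leaves maintainers no label-based way to hold a bot PR out of the queue; add that line to each. The `merge_conditions` list repeats the `merge_protections` check names verbatim, so a matrix label change in ci.yml has to be mirrored in both places or the queue will stall (fail-closed, but worth a comment above `queue_rules` saying so).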
@@ -1,35 +0,0 @@
-name: CodeQL
-
-on:
-  push:
-    branches: [main]
-  pull_request:
-    branches: [main]
-  schedule:
-    - cron: "43 22 * * 1"
-  workflow_dispatch:
-
-permissions:
-  contents: read
-  actions: read
-  security-events: write
-
-jobs:
-  analyze:
-    name: CodeQL Analyze
-    runs-on: ubuntu-22.04
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: jdx/mise-action@6d1e696aa24c1aa1bcc1adea0212707c71ab78a8 # v3.6.1
-        with:
-          install: true
-          cache: true
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-      - uses: github/codeql-action/init@f5c2471be782132e47a6e6f9c725e56730d6e9a3 # v3.32.3
-        with:
-          languages: rust
-      - uses: github/codeql-action/autobuild@f5c2471be782132e47a6e6f9c725e56730d6e9a3 # v3.32.3
-      - uses: github/codeql-action/analyze@f5c2471be782132e47a6e6f9c725e56730d6e9a3 # v3.32.3
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 5d1a36ee..b418a10a 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -32,7 +32,7 @@ jobs:
         github_token: ${{ secrets.GITHUB_TOKEN }}
       - name: Run cargo deny check
-        run: cargo deny check --config deny.ci.toml
+        run: cargo deny check
       - name: Run cargo outdated
         run: cargo outdated --depth=1 --exit-code=1
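Review bot: Dropping `--config` in the security.yml hunk makes cargo-deny look for `deny.toml` in the working directory, and if that file is ever missing or renamed the tool appears to continue with its built-in defaults rather than fail, which is the same quiet policy drift this commit is repairing. Naming the file explicitly, `run: cargo deny check --config deny.toml`, turns an absent config into a hard error; the path filter removed from ci.yml in the previous patch listed `deny.toml`, which suggests the file does exist at the repo root, though that is inferred rather than visible here. The enclosing job definition starts outside the hunk.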