ci: Mergify merge queue, dependabot integration, and CI simplification#79
Summary by CodeRabbit
Walkthrough: Renames and restructures Mergify queue rules (including auto-approve for dependabot), adds a keep-up-to-date update rule, adds label-based exclusions, disables Dependabot rebase for some ecosystems, enables DCO remediation commits, and updates README/AGENTS docs and badges.
Sequence Diagram(s)
```mermaid
sequenceDiagram
    participant Author as PR Author
    participant GitHub as GitHub
    participant Mergify as Mergify
    participant Repo as Repository
    Author->>GitHub: Open or update PR
    GitHub->>Mergify: PR event
    Mergify->>Mergify: Evaluate rules (author, labels, base, draft, conflicts, workflows)
    alt matches dependabot auto-approve and queue
        Mergify->>GitHub: Submit APPROVE review (automated)
        Mergify->>Repo: Add PR to merge queue
    end
    alt matches "Keep PRs up to date with main"
        Mergify->>Repo: Perform update (rebase/merge from main)
        Repo->>GitHub: Update PR branch
    end
```
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~25 minutes
Merge Protections: Your pull request matches the following merge protections and will not be merged until they are valid.
- 🟢 📃 Configuration Change Requirements: Wonderful, this rule succeeded. Mergify configuration change
- 🟢 CI must pass: Wonderful, this rule succeeded. All CI checks must pass. This protection prevents manual merges that bypass the merge queue.
- 🟢 Do not merge outdated PRs: Wonderful, this rule succeeded. Make sure PRs are within 10 commits of the base branch before merging
Pull request overview
This pull request appears to be merging changes from PR #78 (adding Mergify merge queue and simplifying CI) along with the addition of label != do-not-merge exclusions to auto-queue rules. While the PR description focuses only on adding the label exclusion, the actual changes include: introducing Mergify queue rules with squash merging, removing CI path filtering logic so all jobs run unconditionally, deleting the CodeQL workflow, and fixing the cargo deny configuration.
Changes:
- Add `label != do-not-merge` condition to all three Mergify auto-queue rules (approved PRs, release-plz, and dependabot)
- Introduce complete Mergify queue configuration with required CI checks and simplify merge protections
- Remove CI workflow path filtering (`changes` job), making all CI jobs run unconditionally
- Delete CodeQL workflow file (security scanning now via scorecard and security.yml only)
- Fix cargo deny command to use default `deny.toml` instead of non-existent `deny.ci.toml`
Reviewed changes
Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .mergify.yml | Adds complete queue_rules section and label exclusions to auto-queue rules; simplifies merge_protections |
| .github/workflows/security.yml | Fixes cargo deny to use default config file instead of non-existent deny.ci.toml |
| .github/workflows/codeql.yml | Deletes entire CodeQL security analysis workflow |
| .github/workflows/ci.yml | Removes path filtering logic; all CI jobs now run unconditionally; simplifies job dependencies |
Codecov Report: ✅ All modified and coverable lines are covered by tests.
🧹 Nitpick comments (1)
.mergify.yml (1)
44-52: Add `label != do-not-merge` condition for consistency with other rules. All three other pull_request rules (lines 14, 23, 32) exclude PRs labeled `do-not-merge`, but the auto-update rule (line 44) does not. Adding this condition ensures that explicitly blocked PRs are not auto-rebased, avoiding unnecessary CI runs or confusion.
Note: The `update` action uses merge-based updates by default (merging the base branch into the PR branch), not rebase. If rebase behavior is intended, use the separate `rebase` action instead.
💡 Optional: add label exclusion
- name: Keep PRs up to date with main conditions: - base = main - -conflict - -draft - -author = dependabot[bot] + - label != do-not-merge actions: update:
Merge Queue Status
Rule:
This pull request spent 55 seconds in the queue, with no time running CI.
Required conditions to merge
Reason: The pull request #79 has been manually updated
Hint: If you want to requeue this pull request, you can post a
The `-` negation prefix must be inside YAML quotes, not outside.
Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
| [dist.github-action-commits] | ||
| "actions/checkout" = "v6" | ||
| "actions/checkout" = "v6.0.2" | ||
| "actions/download-artifact" = "v7" | ||
| "actions/attest-build-provenance" = "v3" | ||
| "actions/upload-artifact" = "v6" | ||
| "actions/upload-artifact" = "v6.0.0" |
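Review bot: this hunk shows `"actions/checkout"` twice (`"v6"` and `"v6.0.2"`) and `"actions/upload-artifact"` twice (`"v6"` and `"v6.0.0"`) with the added/removed markers lost in rendering; if both keys actually survive in the TOML, `[dist.github-action-commits]` is an invalid duplicate-key table, and whichever line remains still names a mutable tag that cargo-dist will copy verbatim into the generated release.yml. Confirm only one entry per action remains, and pin it to the same full commit SHA the hand-written workflows use, as the comment below also suggests.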
[dist.github-action-commits] is still using version tags (e.g. v6.0.2, v6.0.0). In this repo, GitHub Actions are generally pinned to full commit SHAs for supply-chain security (e.g. .github/workflows/ci.yml uses actions/checkout@de0fac…). Consider switching these entries to the same commit SHAs so the cargo-dist generated release.yml also stays SHA-pinned instead of floating tags.
| - name: Auto-approve and queue dependabot PRs | ||
| conditions: | ||
| - base = main | ||
| - author = dependabot[bot] | ||
| - label != do-not-merge | ||
| - -files~=\.github/workflows/release\.yml | ||
| actions: | ||
| review: | ||
| type: APPROVE | ||
| message: Automatically approved by Mergify | ||
| queue: | ||
| name: default | ||
|
|
||
| # Tier 3: All other PRs (external contributors, copilot) -- require maintainer approval | ||
| - name: Queue external PRs when approved by maintainer | ||
| conditions: | ||
| - base = main | ||
| - "-author=@maintainers" | ||
| - author != dependabot[bot] | ||
| - "-head ~= ^release-plz-" | ||
| - "approved-reviews-by=@maintainers" | ||
| - label != do-not-merge |
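Review bot: the `Auto-approve and queue dependabot PRs` rule conditions on `base`, `author`, `label` and the `files` exclusion only, so the `review: type: APPROVE` action fires the moment the PR opens, for every update type (major bumps included) and before any check has reported; from then on the queue's required checks are the only gate between a compromised upstream dependency and `main`. Consider adding a `check-success=` condition for the CI job to this rule, or limiting auto-approval to patch/minor bumps so a maintainer still reviews major version changes.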
The dependabot rule explicitly excludes PRs that touch .github/workflows/release.yml (-files~=...), but the other queueing rules also exclude author = dependabot[bot]. That combination means dependabot PRs that modify release.yml won’t be queued by Mergify at all (even after maintainer approval/label), which may strand those PRs outside the merge queue. Consider adding a separate rule to allow those PRs to be queued when a maintainer approves or applies lgtm (without auto-approving them).
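The coverage gap described in the comment above can be checked mechanically rather than by reading the YAML. The Python below is an added example written for this page, not code from the repository or from Mergify: it re-implements the two queue rules visible in the hunk (`Auto-approve and queue dependabot PRs` and the Tier 3 external rule) as plain predicates, adds an assumed maintainer-author rule that the hunk does not show, and adds the hypothetical extra rule the comment proposes (queue, but never auto-approve, dependabot PRs touching release.yml once a maintainer approves or applies `lgtm`). It then evaluates constructed PRs against both rule sets; the maintainer handles, file paths and PR numbers are made up for the example.

```python
"""Toy evaluator for the Mergify queue rules discussed in this PR (added example)."""
import re
from dataclasses import dataclass, field, replace

# Constructed stand-ins for the @maintainers team; the real members live in GitHub.
MAINTAINERS = {"maintainer-a", "maintainer-b"}
BOT = "dependabot[bot]"
RELEASE_WORKFLOW = re.compile(r"\.github/workflows/release\.yml")  # from `-files~=` in the hunk
RELEASE_PLZ_HEAD = re.compile(r"^release-plz-")                     # from `-head ~=` in the hunk


@dataclass
class PullRequest:
    """Only the PR attributes the rules inspect (constructed model, not Mergify's)."""
    number: int
    author: str
    base: str = "main"
    head: str = "feature"
    labels: set = field(default_factory=set)
    files: list = field(default_factory=list)
    approved_by: set = field(default_factory=set)


def is_blocked(pr):
    """The `label != do-not-merge` exclusion this PR adds to every queue rule."""
    return "do-not-merge" in pr.labels


def touches_release_workflow(pr):
    return any(RELEASE_WORKFLOW.search(path) for path in pr.files)


def rule_dependabot(pr):
    """'Auto-approve and queue dependabot PRs', as in the hunk."""
    return (pr.base == "main" and pr.author == BOT
            and not is_blocked(pr) and not touches_release_workflow(pr))


def rule_maintainer(pr):
    """Assumed shape of the maintainer-author rule, which the hunk does not show."""
    return pr.base == "main" and pr.author in MAINTAINERS and not is_blocked(pr)


def rule_external(pr):
    """'Queue external PRs when approved by maintainer' (Tier 3), as in the hunk."""
    return (pr.base == "main" and pr.author not in MAINTAINERS and pr.author != BOT
            and not RELEASE_PLZ_HEAD.search(pr.head)
            and bool(pr.approved_by & MAINTAINERS) and not is_blocked(pr))


def rule_dependabot_release_workflow(pr):
    """Hypothetical extra rule from the review comment: queue, but never auto-approve,
    dependabot PRs that touch release.yml once a maintainer approves or adds `lgtm`."""
    return (pr.base == "main" and pr.author == BOT and touches_release_workflow(pr)
            and not is_blocked(pr)
            and (bool(pr.approved_by & MAINTAINERS) or "lgtm" in pr.labels))


RULES = {"dependabot": rule_dependabot, "maintainer": rule_maintainer, "external": rule_external}
RULES_WITH_FIX = {**RULES, "dependabot-release-workflow": rule_dependabot_release_workflow}


def matching_rules(pr, rules=RULES):
    """Names of the rules whose conditions the PR satisfies right now."""
    return [name for name, cond in rules.items() if cond(pr)]


def stranded(pr, rules=RULES):
    """True if no rule can ever queue the PR: even a maintainer approval plus an
    `lgtm` label (the most help a human can give) leaves every rule unmatched."""
    helped = replace(pr, approved_by=pr.approved_by | MAINTAINERS, labels=pr.labels | {"lgtm"})
    return not matching_rules(helped, rules)


if __name__ == "__main__":
    samples = [  # constructed PRs
        PullRequest(1, BOT, files=["Cargo.lock"]),
        PullRequest(2, BOT, files=[".github/workflows/release.yml"]),
        PullRequest(3, "outside-contributor", approved_by={"maintainer-a"}),
    ]
    for pr in samples:
        print(f"#{pr.number} {pr.author:<20} now={matching_rules(pr)} "
              f"stranded={stranded(pr)} stranded_with_fix={stranded(pr, RULES_WITH_FIX)}")
```

Running it shows the second constructed PR (a dependabot change to release.yml) matching no rule under the current set even after simulated approval, while the extra rule lets it queue only once a maintainer has approved; the `stranded` check is the useful part to keep around whenever a new author or file exclusion is added to `.mergify.yml`.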
⚠️ Outside diff range comments (1)
AGENTS.md (1)
402-436: ⚠️ Potential issue | 🟡 Minor: Clarify that auto-rebase applies only to eligible PRs.
The "Keep PRs up to date with main" rule in .mergify.yml excludes drafts, conflicted PRs, and dependabot PRs, so "Mergify rebases against main" is inaccurate as written. Update to reflect the actual conditions:
Suggested wording
-Mergify rebases against main, runs CI, and squash-merges on success. +Mergify rebases eligible PRs against main (non-draft, no conflicts, excluding dependabot), runs CI, and squash-merges on success.
🧹 Nitpick comments (1)
README.md (1)
19-24: Verify the version/metrics block is current (and consider de-staling). The fixed version number and test/coverage counts can drift quickly. Please confirm these are accurate and consider replacing with badges or CI-derived values to avoid staleness.
## 🤖 New release
* `libmagic-rs`: 0.1.1 -> 0.2.0 (⚠ API breaking changes)
### ⚠ `libmagic-rs` breaking changes
```text
--- failure enum_unit_variant_changed_kind: An enum unit variant changed kind ---
Description:
A public enum's exhaustive unit variant has changed to a different kind of enum variant, breaking possible instantiations and patterns.
ref: https://doc.rust-lang.org/reference/items/enumerations.html
impl: https://github.com/obi1kenobi/cargo-semver-checks/tree/v0.46.0/src/lints/enum_unit_variant_changed_kind.ron
Failed in:
variant TypeKind::Byte in /tmp/.tmpchbzmC/libmagic-rs/src/parser/ast.rs:84
variant TypeKind::Byte in /tmp/.tmpchbzmC/libmagic-rs/src/parser/ast.rs:84
variant TypeKind::Byte in /tmp/.tmpchbzmC/libmagic-rs/src/parser/ast.rs:84
--- failure enum_variant_added: enum variant added on exhaustive enum ---
Description:
A publicly-visible enum without #[non_exhaustive] has a new variant.
ref: https://doc.rust-lang.org/cargo/reference/semver.html#enum-variant-new
impl: https://github.com/obi1kenobi/cargo-semver-checks/tree/v0.46.0/src/lints/enum_variant_added.ron
Failed in:
variant Operator:LessThan in /tmp/.tmpchbzmC/libmagic-rs/src/parser/ast.rs:144
variant Operator:GreaterThan in /tmp/.tmpchbzmC/libmagic-rs/src/parser/ast.rs:155
variant Operator:LessEqual in /tmp/.tmpchbzmC/libmagic-rs/src/parser/ast.rs:166
variant Operator:GreaterEqual in /tmp/.tmpchbzmC/libmagic-rs/src/parser/ast.rs:177
variant Operator:LessThan in /tmp/.tmpchbzmC/libmagic-rs/src/parser/ast.rs:144
variant Operator:GreaterThan in /tmp/.tmpchbzmC/libmagic-rs/src/parser/ast.rs:155
variant Operator:LessEqual in /tmp/.tmpchbzmC/libmagic-rs/src/parser/ast.rs:166
variant Operator:GreaterEqual in /tmp/.tmpchbzmC/libmagic-rs/src/parser/ast.rs:177
variant Operator:LessThan in /tmp/.tmpchbzmC/libmagic-rs/src/parser/ast.rs:144
variant Operator:GreaterThan in /tmp/.tmpchbzmC/libmagic-rs/src/parser/ast.rs:155
variant Operator:LessEqual in /tmp/.tmpchbzmC/libmagic-rs/src/parser/ast.rs:166
variant Operator:GreaterEqual in /tmp/.tmpchbzmC/libmagic-rs/src/parser/ast.rs:177
--- failure function_parameter_count_changed: pub fn parameter count changed ---
Description:
A publicly-visible function now takes a different number of parameters.
ref: https://doc.rust-lang.org/cargo/reference/semver.html#fn-change-arity
impl: https://github.com/obi1kenobi/cargo-semver-checks/tree/v0.46.0/src/lints/function_parameter_count_changed.ron
Failed in:
libmagic_rs::evaluator::types::read_byte now takes 3 parameters instead of 2, in /tmp/.tmpchbzmC/libmagic-rs/src/evaluator/types.rs:79
```
<details><summary><i><b>Changelog</b></i></summary><p>
<blockquote>
## [0.2.0] - 2026-03-01
### Features
- **parser**: Implement comparison operators
([#104](#104))
### Miscellaneous Tasks
- **Mergify**: Add outdated PR protection
([#75](#75))
- Add Mergify merge queue and simplify CI
([#78](#78))
- Mergify merge queue, dependabot integration, and CI simplification
([#79](#79))
- **release**: Add regex for version bumping based on commit types
<!-- generated by git-cliff -->
</blockquote>
</p></details>
---
This PR was generated with
[release-plz](https://github.com/release-plz/release-plz/).
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Summary
- Remove `changes` job and all path-filter conditionals from CI -- all jobs run unconditionally
- Fix `cargo deny check` to use default config (was referencing non-existent `deny.ci.toml`)
- Add `label != do-not-merge` exclusion to all auto-queue rules
Note: The diff appears larger than expected because PR #78 was merged and the branch was deleted before additional commits were pushed to the same branch name.
Post-merge steps
- Set `Mergify Merge Protections` as a required status check in branch protection
Test plan