
fix(ci): wire required checks for the merge queue #88

Open
williaby wants to merge 1 commit into main from claude/merge-queue-merge-group-0

Conversation

@williaby

Contributor

Summary

Adds a bare Security Gate Validation aggregator job to security-analysis.yml (which already triggers on merge_group). The reusable security workflow only emitted Security Analysis / Security Gate Validation (caller/callee form), which never matched the bare required context, so that check was unsatisfiable on every PR, not just in the queue. The other three required checks were already wired correctly.

Files changed

  • .github/workflows/security-analysis.yml

Why

GitHub merge queues dispatch a merge_group event, not pull_request. A required status check whose workflow does not trigger on merge_group never reports on the queued commit, so the entry waits the full timeout and fails. Required checks produced by reusable workflows surface as caller-job / callee-job, which cannot match a bare ruleset context; the org pattern is an in-line aggregator job named exactly the bare context.

Landing this PR (deadlock)

For merge_group events GitHub uses the workflow definition from the default
branch, so this fix does not take effect in the queue until it is on main.
This repo's merge-queue ruleset has no bypass actor, so an admin must break the
deadlock once: temporarily set the merge-queue ruleset to Evaluate (or
Disabled), squash-merge this PR, then re-enable. Subsequent PRs drain normally.

Validation

actionlint and yamllint (repo config) pass on the changed files; no new
findings introduced. Generated as part of an org-wide read-only audit.

Adds a bare `Security Gate Validation` aggregator job to `security-analysis.yml` (which already triggers on `merge_group`). The reusable security workflow only emitted `Security Analysis / Security Gate Validation` (caller/callee form), which never matched the bare required context, so that check was unsatisfiable on every PR, not just in the queue. The other three required checks were already wired correctly.

Part of the org-wide merge-queue stall remediation. A required merge queue
stalls when required-check workflows do not trigger on the merge_group event;
the queue dispatches merge_group, waits for checks that never report, and times
out. See reference-library PR #64 for the reference fix.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
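The caller/callee naming problem and the aggregator pattern the description refers to, shown side by side as an added example. This is not the PR's diff and not the repository's actual security-analysis.yml (which is not reproduced on this page): the job ids `security-analysis` and `security-gate-validation`, the reusable workflow path and the `needs` wiring are assumptions; the two job names are the check contexts the description names.

```yaml
# Added example, not the repo's own security-analysis.yml. Job ids, the
# reusable workflow path and the needs list are assumptions; the job names
# are the check contexts described in the PR.
name: Security Analysis

on:
  pull_request:
  merge_group:   # without this trigger the queued commit never receives a check

permissions:
  contents: read

jobs:
  # Calls the reusable workflow. Every job inside it reports as
  # "Security Analysis / <callee job name>", for example
  # "Security Analysis / Security Gate Validation". That context can never
  # satisfy a ruleset that requires the bare "Security Gate Validation".
  security-analysis:
    name: Security Analysis
    uses: ./.github/workflows/reusable-security.yml   # assumed path
    secrets: inherit

  # In-line aggregator named exactly as the required context. Because it lives
  # in this workflow it runs on both pull_request and merge_group, and its
  # conclusion mirrors the reusable workflow's result instead of being skipped.
  security-gate-validation:
    name: Security Gate Validation
    runs-on: ubuntu-latest
    needs: [security-analysis]
    if: always()   # run even when the needed job failed, so a failure is reported
    steps:
      - name: Fail unless the reusable security workflow succeeded
        env:
          RESULT: ${{ needs.security-analysis.result }}
        run: |
          echo "security-analysis result: $RESULT"
          test "$RESULT" = "success"
```

The `if: always()` plus the explicit `test` on `needs.<job>.result` matters: without it, a failed or cancelled upstream job leaves the aggregator skipped rather than failed, and the bare context would then not carry the gate's actual verdict. With it, the required context is green only when the underlying reusable workflow succeeded.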
@coderabbitai

coderabbitai Bot commented Jun 29, 2026


Warning

Review limit reached

@williaby, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 27 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer to the docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 8d826f6b-728c-405b-8fdd-757582a5cbae

📥 Commits

Reviewing files that changed from the base of the PR and between a06abe3 and d797f81.

📒 Files selected for processing (1)
  • .github/workflows/security-analysis.yml

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.


Comment @coderabbitai help to get the list of available commands.

@github-actions


⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

| Package | Version | Score |
| --- | --- | --- |
| actions/step-security/harden-runner | 9af89fc71515a100421586dfdb3dc9c984fbf411 | 🟢 7.9 |

Details

| Check | Score | Reason |
| --- | --- | --- |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Branch-Protection | 🟢 8 | branch protection is not maximal on development and all release branches |
| CI-Tests | 🟢 10 | 16 out of 16 merged PRs checked by a CI test -- score normalized to 10 |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Code-Review | 🟢 10 | all changesets reviewed |
| Contributors | 🟢 6 | project has 2 contributing companies or organizations -- score normalized to 6 |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Dependency-Update-Tool | 🟢 10 | update tool detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| License | 🟢 10 | license file detected |
| Maintained | 🟢 10 | 14 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Pinned-Dependencies | 🟢 6 | dependency not pinned by hash detected -- score normalized to 6 |
| SAST | 🟢 10 | SAST tool is run on all commits |
| Security-Policy | 🟢 10 | security policy file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Token-Permissions | 🟢 10 | GitHub workflow tokens follow principle of least privilege |
| Vulnerabilities | ⚠️ 0 | 16 existing vulnerabilities detected |

Scanned Files

  • .github/workflows/security-analysis.yml

