Skip to content

ci: add merge_group trigger to required-check workflows#64

Merged
williaby merged 3 commits into
mainfrom
chore/merge-queue-triggers
Jun 29, 2026
Merged

ci: add merge_group trigger to required-check workflows#64
williaby merged 3 commits into
mainfrom
chore/merge-queue-triggers

Conversation

@williaby

Copy link
Copy Markdown
Contributor

Summary

  • Add merge_group: to workflows emitting required status checks so they fire in the merge queue
  • Patch REUSE.toml to cover files added by the compliance rollout that were missing from annotations

GitHub merge queues fire a merge_group event, not pull_request. Without the trigger,
required checks never report and the queue stalls indefinitely waiting for them.

Test plan

  • Confirm all required checks pass on this PR
  • Add to merge queue and confirm it processes without stalling

Generated with Claude Code

@coderabbitai

coderabbitai Bot commented Jun 28, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@williaby, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 30 minutes

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable usage-based reviews in Billing to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please see our Fair Usage Limits Policy for further information, and refer to the rate limits docs for additional details.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a53cd993-fca6-4931-86ec-835c83e5d480

📥 Commits

Reviewing files that changed from the base of the PR and between 5024679 and 1ab320b.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (5)
  • .github/workflows/pr-validation.yml
  • .github/workflows/reuse.yml
  • .github/workflows/security-analysis.yml
  • .github/workflows/sonarcloud.yml
  • pyproject.toml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/merge-queue-triggers

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@socket-security

socket-security Bot commented Jun 29, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatedpytest@​8.4.2 ⏵ 9.1.187 -3100 +2100100100
Addedpip-audit@​2.10.197100100100100

View full report

williaby and others added 3 commits June 28, 2026 22:18
The merge queue (ALLGREEN) requires four status checks to report on
merge_group events: Dependency & Standards Validation, Check REUSE
Compliance, Security Gate Validation, and SonarCloud Code Analysis. Only
ci.yml triggered on merge_group, so the queue stalled waiting for statuses
that never reported, blocking every PR.

- pr-validation.yml: tidy the merge_group trigger and concurrency block
- reuse.yml: correct the now-inaccurate "PR-only" comment
- security-analysis.yml: add merge_group trigger so Security Gate Validation
  reports in the queue (the reusable scan runs event-agnostically)
- sonarcloud.yml: add merge_group trigger; SonarCloud's App does not report
  on merge_group refs, so the real scan stays PR/push-only and a lightweight
  job named exactly "SonarCloud Code Analysis" satisfies the required context
  (the ruleset pins no integration_id to it)
- pyproject.toml, uv.lock: add pip-audit so the repurposed Dependency &
  Standards Validation check can spawn `uv run --frozen pip-audit`, and bump
  pytest to >=9.0.3 to fix CVE-2025-71176 surfaced once the scan is wired in

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@williaby williaby force-pushed the chore/merge-queue-triggers branch from 57ca8cf to 1ab320b Compare June 29, 2026 05:19
@sonarqubecloud

Copy link
Copy Markdown

@williaby williaby added this pull request to the merge queue Jun 29, 2026
Merged via the queue into main with commit ee14789 Jun 29, 2026
25 checks passed
@williaby williaby deleted the chore/merge-queue-triggers branch June 29, 2026 14:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant