From 5f3508fef0227bd8e7fb290bb2d0f3330b55c5f5 Mon Sep 17 00:00:00 2001
From: rabbitblood
Date: Thu, 23 Apr 2026 21:24:53 -0700
Subject: [PATCH] ci: add merge_group trigger to ci + codeql
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Pre-work for enabling GitHub merge queue on the staging branch (#TBD follow-up issue). Without these triggers, the queue's pre-merge CI run on the speculative `gh-readonly-queue/...` ref would never fire, every queued PR would show false-green for the required checks, and queue would merge things that don't actually pass on the rebased commit.

Adding the trigger now is **a no-op** — the `merge_group` event only fires once the queue is enabled on a branch, which is a separate UI/API toggle. So this PR is safe to land in isolation; merge-queue enablement is the next step and reversible at the branch-protection level.

Why these two workflows:
- `ci.yml` provides 5 of the 8 required staging checks (Detect changes, Platform Go, Canvas Next.js, Python Lint & Test, Shellcheck E2E)
- `codeql.yml` provides the other 3 (Analyze go / js-ts / python)

Other workflows (e2e-staging-*, canary-*, publish-*) are not required status checks and don't need the trigger to keep the queue working.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/ci.yml     | 10 +++++++++-
 .github/workflows/codeql.yml |  6 ++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f1f9cdbb..2ee5fe5b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,9 +5,17 @@ on:
     branches: [main, staging]
   pull_request:
     branches: [main, staging]
+  # GitHub merge queue fires `merge_group` for the queue's pre-merge CI run.
+  # Required so the queue gets a real check result instead of a false-green
+  # from the absence of a triggered workflow. Safe to add unconditionally —
+  # the event simply doesn't fire until the queue is enabled on the branch.
+  merge_group:
+    types: [checks_requested]
 
 # Cancel in-progress CI runs when a new commit arrives on the same ref.
-# This prevents stale runs from queuing behind each other.
+# This prevents stale runs from queuing behind each other. The merge_group
+# refs (refs/heads/gh-readonly-queue/...) get their own concurrency group
+# automatically because github.ref differs from the PR ref.
 concurrency:
   group: ci-${{ github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index e1661304..22d095b4 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -18,6 +18,12 @@ on:
     branches: [main, staging]
   pull_request:
     branches: [main, staging]
+  # GitHub merge queue fires `merge_group` for the queue's pre-merge CI run.
+  # Required so CodeQL Analyze checks get a real result on the queued
+  # commit instead of a false-green. Event only fires once merge queue is
+  # enabled on the target branch — safe to add unconditionally.
+  merge_group:
+    types: [checks_requested]
   schedule:
     # Weekly run picks up findings in code that hasn't been touched.
     - cron: '30 1 * * 0'
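Review bot: The added comment under `merge_group:` says a missing trigger yields a "false-green", but a required check that never reports leaves the queue entry pending until the merge queue's status-check timeout evicts it; the actual false-green path is a job that runs on `pull_request` but is skipped on `merge_group` (an `if: github.event_name == 'pull_request'`, or a change-detection step that reads `github.event.pull_request.base.ref`, which is empty on this event), because a job skipped by a conditional reports success and satisfies a required check. The five jobs this file provides are outside the hunk, so each job's `if:` and the Detect changes base ref (use `github.event.merge_group.base_sha` here) should be verified before the queue is enabled on staging. I'd reword the comment to `# Required so the queue's speculative merge commit is actually tested; without it the required checks never report and the entry times out.` The `on:` block this hunk edits begins above the hunk.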
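Review bot: For the queue to consume these runs, the check names the CodeQL matrix produces under `merge_group` must be identical to the three required "Analyze" checks listed in branch protection; if the job `name` or matrix labels incorporate anything event-specific, the queue entry stalls until the status-check timeout rather than failing visibly. The jobs are not in this hunk, so the names should be compared against the required-checks list before the queue is turned on. `checks_requested` is the only activity type `merge_group` emits, so `types: [checks_requested]` is redundant — if it is kept for explicitness, say so in the comment, e.g. `# checks_requested is the only merge_group activity type; listed for clarity.` The `on:` block this hunk edits starts before the hunk.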