Skip to content

OSAC-2333: Enable merge queues on core repos#134

Open
omer-vishlitzky wants to merge 4 commits into
osac-project:mainfrom
omer-vishlitzky:OSAC-2333-enable-merge-queues
Open

OSAC-2333: Enable merge queues on core repos#134
omer-vishlitzky wants to merge 4 commits into
osac-project:mainfrom
omer-vishlitzky:OSAC-2333-enable-merge-queues

Conversation

@omer-vishlitzky

@omer-vishlitzky omer-vishlitzky commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Adds a merge_queue variable to the common_repository module that creates a github_repository_ruleset with merge queue configuration
  • Enables merge queues on 5 core repos: fulfillment-service, osac-operator, osac-aap, osac-installer, osac-test-infra
  • Disables strict status checks on those repos since the merge queue handles testing against latest main automatically

Prerequisites — merge these first

The E2E workflows in each repo need the merge_group trigger before this PR is applied, otherwise the merge queue will time out (no workflow responds to merge group events) and block all merges.

Do NOT merge this PR until all 5 above are merged.

Why merge queues

This is the GitHub Actions equivalent of Prow's strict: true — but better. Instead of requiring authors to manually rebase when main moves ahead, the merge queue automatically creates a temporary merge ref on top of latest main, runs CI against it, and merges if it passes. No author action needed.

Merge queue defaults

Setting Value Why
merge_method SQUASH Clean linear history
min_entries_to_merge 1 No batching required to start
max_entries_to_merge 5 Allow batching when queue is busy
check_response_timeout_minutes 90 E2E tests take ~60-90 min
grouping_strategy ALLGREEN All entries in a batch must pass

Test plan

  • tofu plan shows 5 new github_repository_ruleset resources and 5 updated github_branch_protection resources (strict: true → false)
  • After apply, verify merge queue is available on one repo by enqueuing a test PR

🤖 Generated with Claude Code

omer-vishlitzky and others added 2 commits July 15, 2026 17:37
Adds a `merge_queue` variable to the common_repository module and
enables it on fulfillment-service, osac-operator, osac-aap,
osac-installer, and osac-test-infra.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The merge queue automatically tests PRs against the latest main,
making strict (require branch to be up-to-date) redundant and
adding unnecessary rebase friction.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@omer-vishlitzky, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 11 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Repository: osac-project/coderabbit/.coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 942e76c7-74bd-413d-8ebb-644715b0aef2

📥 Commits

Reviewing files that changed from the base of the PR and between 3055467 and daea683.

📒 Files selected for processing (4)
  • modules/common_repository/README.md
  • modules/common_repository/main.tf
  • modules/common_repository/variables.tf
  • repositories.tf

Walkthrough

The repository module now supports configurable strict status checks and optional GitHub merge queue rulesets. Five repository configurations enable merge queues and set strict status checks to false.

Changes

Repository merge queue configuration

Layer / File(s) Summary
Module input contracts
modules/common_repository/variables.tf
Adds strict_status_checks and optional merge_queue inputs with defaults for merge behavior, queue sizing, timeouts, and grouping.
Repository protection and merge queue resources
modules/common_repository/main.tf
Uses the strictness input for branch protection and conditionally creates an active merge queue ruleset targeting the default branch.
Repository module configuration
repositories.tf
Enables merge queues and disables strict status checks for five repository modules.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Sequence Diagram(s)

sequenceDiagram
  participant RepositoryModule
  participant GitHubRepository
  participant GitHubRuleset
  RepositoryModule->>GitHubRepository: Create repository
  RepositoryModule->>GitHubRuleset: Create active merge_queue ruleset
  GitHubRuleset->>GitHubRepository: Target default branch
Loading

Possibly related PRs

  • osac-project/github-config#131: Migrates required status check enforcement into repository rulesets, related to this module’s merge queue and status check changes.

Suggested reviewers: larsks, eliorerz

🚥 Pre-merge checks | ✅ 10 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Ai-Attribution ⚠️ Warning The two PR commits use Co-Authored-By: Claude... and I found no Assisted-by or Generated-by Red Hat trailers. Replace the AI Co-Authored-By trailers with Red Hat Assisted-by: or Generated-by: trailers on the PR commits.
✅ Passed checks (10 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
No-Hardcoded-Secrets ✅ Passed No hardcoded secrets, credentials, embedded-auth URLs, or suspicious base64 literals were added in the touched Terraform files.
No-Weak-Crypto ✅ Passed Touched Terraform only configures GitHub merge queues/branch protection; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB or secret comparisons appear.
No-Injection-Vectors ✅ Passed Touched Terraform only adds GitHub ruleset/vars; no SQL/shell/eval/pickle/yaml/os.system/dangerouslySetInnerHTML patterns in the changed files.
Container-Privileges ✅ Passed Diff is Terraform-only; no container/K8s manifests or privilege flags (privileged, hostPID/Network/IPC, allowPrivilegeEscalation, SYS_ADMIN, root) were introduced.
No-Sensitive-Data-In-Logs ✅ Passed No logging, print, or secret/PII-handling code was added; the touched Terraform files only define resources and variables.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately reflects the main change: enabling merge queues across the core repositories.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@modules/common_repository/main.tf`:
- Around line 101-103: Update the strict status-check assignment in the branch
protection configuration to force false whenever var.merge_queue is configured,
while preserving var.strict_status_checks when no merge queue is provided. Keep
the existing required status-check contexts unchanged.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: osac-project/coderabbit/.coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 57e38b3c-fee0-491b-b311-3005496be379

📥 Commits

Reviewing files that changed from the base of the PR and between 5971b35 and 3055467.

📒 Files selected for processing (3)
  • modules/common_repository/main.tf
  • modules/common_repository/variables.tf
  • repositories.tf

Comment on lines +101 to 103
strict = var.strict_status_checks
contexts = var.required_status_checks
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Automatically disable strict status checks when a merge queue is configured.

GitHub does not allow requiring branches to be up to date before merging when a merge queue is active. To prevent API errors and reduce the configuration burden on module consumers, consider automatically enforcing strict = false when var.merge_queue is provided.

♻️ Proposed refactor
   required_status_checks {
-    strict   = var.strict_status_checks
+    strict   = var.merge_queue != null ? false : var.strict_status_checks
     contexts = var.required_status_checks
   }
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
strict = var.strict_status_checks
contexts = var.required_status_checks
}
required_status_checks {
strict = var.merge_queue != null ? false : var.strict_status_checks
contexts = var.required_status_checks
}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@modules/common_repository/main.tf` around lines 101 - 103, Update the strict
status-check assignment in the branch protection configuration to force false
whenever var.merge_queue is configured, while preserving
var.strict_status_checks when no merge queue is provided. Keep the existing
required status-check contexts unchanged.

omer-vishlitzky and others added 2 commits July 15, 2026 17:54
- Validate merge_method (MERGE/SQUASH/REBASE) and grouping_strategy
  (ALLGREEN/HEADGREEN) at plan time instead of failing at apply
- Regenerate README.md with terraform-docs to include new variables
  and resources

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ns/wg-infra

ci/prow/unit and ci/prow/temp were never removed from required_status_checks
when Prow was decommissioned for these repos; they haven't posted a status on
any recent PR. Left as required checks, they would make every merge-queue
entry on fulfillment-service/osac-operator/osac-aap time out and get evicted,
since nothing produces that check on the merge-group ref.

The new merge_queue ruleset also had no bypass_actors, unlike the classic
branch protection beside it (enforce_admins = false) - rulesets don't inherit
that exemption, so there was no way for org-admins or wg-infra to merge
around a stuck queue. Added a Team-scoped bypass for both, resolved via
data "github_team" since the ruleset API needs numeric team IDs, not slugs.

Also ran tofu fmt, which fixes the currently-failing pre-commit check
(required_approvals alignment drifted in the osac_installer/osac_test_infra
blocks after the PR's new fields were added).
Comment on lines +122 to +130
rules {
merge_queue {
merge_method = var.merge_queue.merge_method
min_entries_to_merge = var.merge_queue.min_entries_to_merge
max_entries_to_merge = var.merge_queue.max_entries_to_merge
check_response_timeout_minutes = var.merge_queue.check_response_timeout_minutes
grouping_strategy = var.merge_queue.grouping_strategy
}
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know that if var.merge_queue == null the count will be zero. But, will TF also skip trying to make these assignments?

Suggested change
rules {
merge_queue {
merge_method = var.merge_queue.merge_method
min_entries_to_merge = var.merge_queue.min_entries_to_merge
max_entries_to_merge = var.merge_queue.max_entries_to_merge
check_response_timeout_minutes = var.merge_queue.check_response_timeout_minutes
grouping_strategy = var.merge_queue.grouping_strategy
}
}
rules {
# Use a dynamic block to only generate the merge_queue configuration
# if var.merge_queue is not null.
dynamic "merge_queue" {
for_each = var.merge_queue != null ? [var.merge_queue] : []
content {
merge_method = merge_queue.value.merge_method
min_entries_to_merge = merge_queue.value.min_entries_to_merge
max_entries_to_merge = merge_queue.value.max_entries_to_merge
check_response_timeout_minutes = merge_queue.value.check_response_timeout_minutes
grouping_strategy = merge_queue.value.grouping_strategy
}
}
}

@omer-vishlitzky

Copy link
Copy Markdown
Contributor Author

/hold

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants