
🤖 ci: enforce merge queue required CI checks #14

Merged
ThomasK33 merged 3 commits into main from ci-merge-queue-z1rz on Feb 9, 2026

Conversation

@ThomasK33

Member

Summary

This PR makes merge queue runs execute and enforce the same CI checks as pull requests.

Background

The main branch already enforced merge queue, but required status checks were not configured and CI did not run on merge_group events. That allowed queued entries to proceed without guaranteed re-validation in merge-group context.

Implementation

  • Added merge_group (checks_requested) as a trigger in .github/workflows/ci.yaml.
  • Updated lint, test, and lint-actions job conditions to always run on merge_group while preserving path-filtered behavior for PR/push events.
  • Kept Codex Comments PR-only.
  • Updated repository ruleset 12597808 (main) to include required status checks:
    • Detect changed paths
    • lint
    • test
    • Lint GitHub Actions

Validation

  • go run github.com/rhysd/actionlint/cmd/actionlint@v1.7.10
  • make verify-vendor
  • make test
  • make build
  • gh ruleset check main --repo coder/coder-k8s
  • gh api repos/coder/coder-k8s/rulesets/12597808 --jq '.rules[] | select(.type=="required_status_checks")'

Risks

  • Low risk for non-queue workflows. The only behavior change is explicit execution of CI jobs on merge_group events and branch-protection enforcement via required checks.

📋 Implementation Plan

Plan: make merge queue enforce and rerun CI checks correctly

Context / Why

The repository already has a merge queue enabled on main, but queued merges currently are not guaranteed to run the same CI checks that PRs run. To make merge queue behavior match expectations (re-run checks on merge groups and block merges on failures), we need to:

  1. Trigger CI on merge_group events.
  2. Mark the intended CI checks as required in the main ruleset.

This closes the current gap where merge queue entries can proceed without required status-check enforcement.

Evidence

Implementation details

1) Update CI workflow trigger for merge queue events

File: .github/workflows/ci.yaml

Add merge_group trigger (scoped to checks_requested) alongside existing triggers.

on:
  pull_request:
  merge_group:
    types: [checks_requested]
  push:
    branches:
      - main

2) Ensure required jobs run for merge-group builds

File: .github/workflows/ci.yaml

To avoid path-filter edge cases on merge_group, make CI jobs run unconditionally for merge-group events while preserving current selective behavior for PR/push events.

lint:
  needs: changes
  if: github.event_name == 'merge_group' || needs.changes.outputs.go == 'true'
  ...

test:
  needs: changes
  if: github.event_name == 'merge_group' || needs.changes.outputs.go == 'true'
  ...

lint-actions:
  needs: changes
  if: github.event_name == 'merge_group' || needs.changes.outputs.workflows == 'true'
  ...

Keep codex-comments PR-only (do not make it required for merge queue):

codex-comments:
  if: github.event_name == 'pull_request'

3) Add required status checks to the active main ruleset

Scope: GitHub repository settings/ruleset (not stored in repo files)

Update ruleset 12597808 by adding a required_status_checks rule. Recommended contexts:

  • Detect changed paths
  • lint
  • test
  • Lint GitHub Actions

Do not include Codex Comments as a required check (it does not run on merge_group).

Example update flow with gh api:

RULESET_ID=12597808

gh api repos/{owner}/{repo}/rulesets/$RULESET_ID > /tmp/ruleset.json

jq '
  .rules |= (
    map(select(.type != "required_status_checks")) +
    [{
      "type": "required_status_checks",
      "parameters": {
        "required_status_checks": [
          {"context": "Detect changed paths"},
          {"context": "lint"},
          {"context": "test"},
          {"context": "Lint GitHub Actions"}
        ],
        "strict_required_status_checks_policy": false
      }
    }]
  )
  | {name, target, enforcement, conditions, bypass_actors, rules}
' /tmp/ruleset.json > /tmp/ruleset-update.json

gh api \
  --method PUT \
  repos/{owner}/{repo}/rulesets/$RULESET_ID \
  --input /tmp/ruleset-update.json

Why include Detect changed paths as required?

That job always runs and provides a fast, deterministic check context for every PR/merge-group run. Requiring it helps avoid “missing required check” confusion when selective jobs (lint, test, lint-actions) are skipped due to path filters.

4) Validation checklist after implementation

  1. go run github.com/rhysd/actionlint/cmd/actionlint@v1.7.10 (workflow syntax/logic).
  2. gh ruleset check main --repo coder/coder-k8s now shows required_status_checks in effective rules.
  3. gh api repos/{owner}/{repo}/rulesets/12597808 --jq '.rules[] | select(.type=="required_status_checks")' returns configured contexts.
  4. Add a PR to merge queue and confirm a merge_group run is created for workflow CI and reports the required checks.

Constraints / prerequisites

  • Updating the ruleset requires repository-admin permissions and a token with sufficient scopes for ruleset modification.
  • Workflow edits and ruleset updates should land together to avoid transient queue failures/missing-check states.

Generated with mux • Model: openai:gpt-5.3-codex • Thinking: xhigh • Cost: $0.19

Enable CI to run on merge_group events and force lint/test/action lint jobs to execute for merge queue builds.

@ThomasK33

Member Author

@codex review

@chatgpt-codex-connector


Codex Review: Didn't find any major issues. Keep them coming!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@ThomasK33 ThomasK33 added this pull request to the merge queue Feb 9, 2026
@ThomasK33

Member Author

@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Feb 9, 2026
Skip dorny/paths-filter execution during merge_group events and emit explicit default outputs instead, so merge queue runs do not fail while computing a merge base against queue refs.

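Added example (not code from this PR or from the coder/coder-k8s repository): a Python audit that models the `changes`, `lint`, `test`, `lint-actions` and `codex-comments` jobs from the plan above, simulates which check contexts report for a `pull_request` run versus a `merge_group` run (including the skip-paths-filter-and-emit-defaults behaviour the second commit describes), builds the same `required_status_checks` PUT body as the jq filter in the plan, and compares the two. The job table, the ruleset payload, the changed-file lists, the path patterns and the default outputs emitted on `merge_group` (`go=true`, `workflows=true`) are all constructed assumptions; a real run would load `.github/workflows/ci.yaml` and fetch the ruleset with `gh api repos/{owner}/{repo}/rulesets/<id>`.

```python
"""Audit a ruleset's required status checks against a CI workflow model.
Added example; the job table, ruleset and inputs below are constructed."""
import json
import re

# Constructed model of ci.yaml. GitHub reports a job under its `name` if one
# is set, otherwise under the job id; that string is the check context a
# ruleset must reference.
WORKFLOW_JOBS = {
    "changes": {"name": "Detect changed paths"},
    "lint": {"needs": ["changes"],
             "if": "github.event_name == 'merge_group' || needs.changes.outputs.go == 'true'"},
    "test": {"needs": ["changes"],
             "if": "github.event_name == 'merge_group' || needs.changes.outputs.go == 'true'"},
    "lint-actions": {"name": "Lint GitHub Actions", "needs": ["changes"],
                     "if": "github.event_name == 'merge_group' || needs.changes.outputs.workflows == 'true'"},
    "codex-comments": {"name": "Codex Comments", "if": "github.event_name == 'pull_request'"},
}

# Constructed ruleset in the shape `gh api .../rulesets/<id>` returns, before
# any required_status_checks rule exists.
RULESET = {
    "name": "main", "target": "branch", "enforcement": "active",
    "conditions": {"ref_name": {"include": ["~DEFAULT_BRANCH"], "exclude": []}},
    "bypass_actors": [],
    "rules": [{"type": "merge_queue", "parameters": {"merge_method": "SQUASH"}}],
}
REQUIRED_CONTEXTS = ["Detect changed paths", "lint", "test", "Lint GitHub Actions"]
_TERM = re.compile(r"^\s*(\S+)\s*==\s*'([^']*)'\s*$")


def evaluate(cond, event_name, outputs):
    """Evaluate the `x == 'y' || ...` subset of expression syntax used above."""
    if cond is None:
        return True
    for term in cond.split("||"):
        match = _TERM.match(term)
        if not match:
            raise ValueError(f"unsupported expression: {term!r}")
        lhs, want = match.groups()
        if lhs == "github.event_name":
            got = event_name
        elif lhs.startswith("needs."):
            _, job, _, key = lhs.split(".")  # needs.<job>.outputs.<key>
            got = outputs.get(job, {}).get(key, "")
        else:
            raise ValueError(f"unsupported operand: {lhs!r}")
        if got == want:
            return True
    return False


def changes_outputs(event_name, changed_files):
    """Outputs of the `changes` job. On merge_group the paths-filter step is
    skipped (it cannot compute a merge base against queue refs) and fixed
    defaults are emitted; the values "true"/"true" and the path patterns
    are assumptions of this example."""
    if event_name == "merge_group":
        return {"go": "true", "workflows": "true"}
    go = any(f.endswith(".go") or f in ("go.mod", "go.sum") for f in changed_files)
    workflows = any(f.startswith(".github/workflows/") for f in changed_files)
    return {"go": str(go).lower(), "workflows": str(workflows).lower()}


def reporting_contexts(event_name, changed_files=()):
    """Map each check context to "run" or "skipped" for one workflow run.
    A job whose `if` is false still produces a check run (conclusion
    skipped), so every job reports under its context on every run."""
    outputs = {"changes": changes_outputs(event_name, changed_files)}
    report = {}
    for job_id, job in WORKFLOW_JOBS.items():
        ran = evaluate(job.get("if"), event_name, outputs)
        report[job.get("name", job_id)] = "run" if ran else "skipped"
    return report


def set_required_checks(ruleset, contexts, strict=False):
    """Build the PUT body the jq filter in the plan produces: drop any existing
    required_status_checks rule, append a fresh one, keep the other rules."""
    rules = [r for r in ruleset["rules"] if r["type"] != "required_status_checks"]
    rules.append({"type": "required_status_checks", "parameters": {
        "required_status_checks": [{"context": c} for c in contexts],
        "strict_required_status_checks_policy": strict}})
    keep = ("name", "target", "enforcement", "conditions", "bypass_actors")
    return {**{k: ruleset[k] for k in keep}, "rules": rules}


def audit_required_checks(ruleset, event_name, changed_files=()):
    """Return (unknown, skipped): required contexts no job produces (the queue
    waits forever for those) and required contexts whose job is conditioned
    away for this event."""
    required = [c["context"] for r in ruleset["rules"]
                if r["type"] == "required_status_checks"
                for c in r["parameters"]["required_status_checks"]]
    report = reporting_contexts(event_name, changed_files)
    unknown = [c for c in required if c not in report]
    skipped = [c for c in required if report.get(c) == "skipped"]
    return unknown, skipped


if __name__ == "__main__":
    body = set_required_checks(RULESET, REQUIRED_CONTEXTS)
    print(json.dumps(body, indent=2))
    for event, files in (("pull_request", ["docs/README.md"]), ("merge_group", [])):
        print(event, reporting_contexts(event, files), audit_required_checks(body, event, files))
    # Requiring the PR-only job: reports on pull_request, skipped on merge_group.
    print(audit_required_checks(set_required_checks(RULESET, REQUIRED_CONTEXTS + ["Codex Comments"]), "merge_group"))
```

The audit separates two failure modes worth checking whenever a job is renamed or a ruleset is edited: a required context that no job produces (a typo or a renamed job leaves the queue entry waiting for a status that never arrives) and a required context whose job is gated to an event the queue never emits, which is why the plan keeps Codex Comments out of the required list.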
@ThomasK33

Member Author

@codex review

Disable zizmor online audits in CI to avoid transient upstream GitHub API failures during merge_group jobs while keeping offline workflow security linting enabled.

@ThomasK33

Member Author

@codex review

@chatgpt-codex-connector


Codex Review: Didn't find any major issues. More of your lovely PRs please.


@ThomasK33 ThomasK33 added this pull request to the merge queue Feb 9, 2026
Merged via the queue into main with commit 36dcef0 Feb 9, 2026
7 checks passed
@ThomasK33 ThomasK33 deleted the ci-merge-queue-z1rz branch February 9, 2026 17:37
