
chore(deps): Update dependencies and CI config#59

Merged
unclesp1d3r merged 11 commits into main from update_deps_and_ci on Mar 1, 2026

Conversation

@unclesp1d3r
Member

This pull request primarily updates various tools and dependency versions across the project to keep the development environment and dependencies current. It also refines the Mergify configuration to improve automation and clarify PR queueing rules for trusted bots, maintainers, and external contributors. Additionally, a new justfile command is introduced to streamline dependency updates.

Dependency and Toolchain Updates:

  • Updated Rust dependencies in Cargo.toml, including chrono, quick-xml, toml, tree-sitter, and tempfile, to their latest patch versions for bug fixes and compatibility improvements.
  • Updated pre-commit hooks in .pre-commit-config.yaml: actionlint to v1.7.11 and commitizen to v4.13.9 for improved linting and commit message checks.
  • Updated toolchain version files: .bun-version to 1.3.10 and .python-version to 3.14.3 for environment consistency.

Developer Workflow Improvements:

  • Added a new update-deps command to the justfile to automate updating Rust dependencies and pre-commit hooks, making it easier to keep dependencies up to date.

CI/CD and PR Automation Enhancements:

  • Refactored .mergify.yml to:
    • Auto-approve and queue Dependabot PRs immediately, excluding workflow changes.
    • Clearly separate rules for trusted bots, maintainers, and external contributors.
    • Ensure only maintainers can self-queue with the lgtm label, addressing the sole-maintainer self-merge scenario.
    • Require explicit maintainer approval for external PRs.

Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
…ions

Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
…mmit hooks

Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
@unclesp1d3r unclesp1d3r self-assigned this Mar 1, 2026
Copilot AI review requested due to automatic review settings March 1, 2026 02:19
@coderabbitai (coderabbitai bot) commented Mar 1, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

📝 Walkthrough

Walkthrough

Add static runtime/version files, bump dev tooling and Rust dependency versions, rework Mergify PR automation tiers to auto-approve and queue dependabot PRs and reorder maintainer tiers, add a Justfile update-deps target, and add CI-specific mise config plus CI env var. No public API or application logic changes.

Changes

Cohort (files): summary

Version indicators (./.bun-version, ./.python-version)
  Add static runtime/version files with 1.3.10 (Bun) and 3.14.3 (Python).

PR automation (./.mergify.yml)
  Rework tier rules: auto-approve and queue Dependabot PRs (author=dependabot[bot], exclude drafts and workflow-only file changes), reorganize maintainer/release tiers, and adjust approval/queue conditions.

Pre-commit & mise config (./.pre-commit-config.yaml, ./mise.toml, ./mise.ci.toml)
  Bump hooks (actionlint, commitizen), change act entry to structured table with OS targets, add pipx:pre-commit, and add CI-specific mise.ci.toml to disable dev-only tools when MISE_ENV=ci.

Rust dependency updates (./Cargo.toml)
  Bumped dependencies: chrono 0.4.43→0.4.44, quick-xml 0.39.1→0.39.2, toml 0.9.8→1.0.3, tree-sitter 0.26.5→0.26.6, tempfile 3.25.0→3.26.0.

Build/dev automation (./justfile)
  Add update-deps target (runs cargo update, pre-commit autoupdate, cargo outdated --depth=1 --exit-code=1) and make update alias it.

CI workflow (./.github/workflows/ci.yml)
  Add MISE_ENV=ci to workflow env to enable CI-specific mise configuration.

Sequence Diagram(s)

sequenceDiagram
    participant Dependabot as Dependabot
    participant Mergify as Mergify
    participant Repo as Repository
    participant Maintainers as Maintainers

    Note over Dependabot,Mergify: Dependabot opens PR
    Dependabot->>Mergify: open PR (author=dependabot[bot])
    Mergify->>Mergify: evaluate rules (not draft, files not release workflow)
    alt Matches Dependabot Tier
        Mergify->>Mergify: post APPROVE review
        Mergify->>Repo: queue PR for merge
    else Other tiers
        Mergify->>Maintainers: require maintainer approval / apply tier rules
        Maintainers->>Mergify: approve (label or review)
        Mergify->>Repo: queue PR when conditions met
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

Pins and flows rearranged with care,
Bots nod, CI reads the air.
Versions set and targets spun,
A Justfile task, deps updated, done.
Small changes, tidy fare.

🚥 Pre-merge checks | ✅ 6 | ❌ 1

❌ Failed checks (1 warning)

Feature Gates: ⚠️ Warning
  Explanation: Feature flags xai, groq, gemini are defined in Cargo.toml but lack implementations; no modules in src/llm/providers/mod.rs, missing #[cfg] gates in create_llm_client, and no tokenizer support. all-providers includes undefined features, causing cargo check --all-features to fail.
  Resolution: Remove undefined provider features and all-providers from Cargo.toml, or implement complete provider modules with proper #[cfg] gating and tokenizer support. Verify cargo check --all-features passes.

✅ Passed checks (6 passed)

Title check: ✅ Passed
  The PR title follows Conventional Commits format with type 'chore' and scope 'deps', accurately describing the main focus on dependency updates and CI configuration changes.
Description check: ✅ Passed
  The description comprehensively covers the changes made, including specific dependency updates, workflow improvements, and CI/CD enhancements. However, it lacks completion of the provided template structure and required checklist items.
Docstring Coverage: ✅ Passed
  No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Error Handling: ✅ Passed
  PR modifies only configuration files, metadata, and dependency versions with no changes to Rust source code or error handling implementations.
Async Safety: ✅ Passed
  PR modifies only configuration and manifest files; no async/await code, trait definitions, or async-related dependencies were changed.
Configuration Precedence: ✅ Passed
  PR modifies only development tooling and CI/CD configurations without introducing new Ruley application configuration options.


@mergify (mergify bot) commented Mar 1, 2026

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 📃 Configuration Change Requirements

Wonderful, this rule succeeded.

Mergify configuration change

  • check-success = Configuration changed

🟢 Enforce conventional commit

Wonderful, this rule succeeded.

Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/

  • title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert)(?:\(.+\))?:

🟢 CI must pass

Wonderful, this rule succeeded.

All CI checks must pass. This protection prevents manual merges that bypass the merge queue.

  • check-success = coverage
  • check-success = msrv
  • check-success = quality
  • check-success = test
  • check-success = test-cross-platform (macos-latest, macOS)
  • check-success = test-cross-platform (ubuntu-latest, Linux)
  • check-success = test-cross-platform (windows-latest, Windows)

🟢 Do not merge outdated PRs

Wonderful, this rule succeeded.

Make sure PRs are within 10 commits of the base branch before merging

  • #commits-behind <= 10

@coderabbitai coderabbitai bot added the enhancement New feature or request label Mar 1, 2026
@mergify (mergify bot) commented Mar 1, 2026

🧪 CI Insights

Here's what we observed from your CI run for 2069561.

🟢 All jobs passed!

But CI Insights is watching 👀

Copilot AI left a comment

Pull request overview

This PR updates project dependencies/tooling and refines automation rules so dependency updates and PR queueing/approval behavior stay current and more clearly segmented by actor (bots vs maintainers vs external contributors).

Changes:

  • Bumped several Rust crate versions (plus regenerated Cargo.lock) and updated pre-commit hook revisions.
  • Added just update-deps to streamline dependency/hook update workflow.
  • Refactored .mergify.yml rules to auto-handle trusted bots and tighten external-contributor queueing requirements.

Reviewed changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated no comments.

Summary per file:
  justfile: Adds an update-deps recipe that runs cargo update/outdated and pre-commit autoupdate.
  Cargo.toml: Updates select Rust dependency versions (incl. toml, tree-sitter, etc.).
  Cargo.lock: Lockfile refresh reflecting dependency updates/transitive changes.
  .python-version: Adds a pinned Python version file for local/CI tool consistency.
  .bun-version: Adds a pinned Bun version file for local/CI tool consistency.
  .pre-commit-config.yaml: Updates hook revisions for actionlint and commitizen.
  .mergify.yml: Reorders/clarifies PR automation tiers and Dependabot/release-plz handling.
Comments suppressed due to low confidence (3)

justfile:27

  • update-deps runs cargo outdated --exit-code=1 before pre-commit autoupdate. Because the justfile shell uses -e, if any dependency is reported as outdated this recipe will exit early and skip updating pre-commit hooks, undermining the purpose of the command. Consider either moving pre-commit autoupdate before the cargo outdated check, or making the outdated check non-fatal (e.g., remove --exit-code=1 / allow failure) and keep it as informational.
update-deps:
    @{{ mise_exec }} cargo update
    @{{ mise_exec }} cargo outdated --depth=1 --exit-code=1
    @{{ mise_exec }} pre-commit autoupdate

Cargo.toml:193

  • The PR description says dependency updates are to the “latest patch versions”, but toml is being bumped from 0.9.8 to 1.0.3 (a major version change under semver). Either update the PR description to reflect this, or call out/justify the major bump explicitly (and ensure any API/behavior changes are accounted for).
toml  = "1.0.3"

.mergify.yml:21

  • The PR description says Dependabot PRs are auto-approved/queued “excluding workflow changes”, but this rule only excludes changes to .github/workflows/release.yml. If the intent is to exclude any workflow modifications, broaden the condition to exclude .github/workflows/ (or update the description to match the narrower exclusion).
      - base = main
      - author = dependabot[bot]
      - -draft
      - label != do-not-merge
      - -files~=\.github/workflows/release\.yml


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.mergify.yml:
- Around line 14-22: The Auto-approve and queue dependabot PRs rule currently
only excludes `.github/workflows/release.yml` (condition shown as `-
-files~=\.github/workflows/release\.yml`), which lets other workflow file
changes slip through; update the condition in that rule (the "Auto-approve and
queue dependabot PRs" block) to exclude all workflow files under
`.github/workflows/` (e.g., use a regex that matches `.github/workflows/.*` or
`.github/workflows/.*\.yml`) so any changes to workflow files prevent
auto-approval and queuing.

In `@justfile`:
- Around line 24-27: The recipe update-deps can abort before running pre-commit
autoupdate because cargo outdated is invoked with --exit-code=1; move the
pre-commit autoupdate invocation to run before the cargo outdated check so that
pre-commit hooks are always updated regardless of cargo outdated exit status;
update the update-deps recipe to execute "@{{ mise_exec }} pre-commit
autoupdate" prior to "@{{ mise_exec }} cargo outdated --depth=1 --exit-code=1"
while keeping the cargo update step first.

ℹ️ Review info

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 2824483 and 28a2fc0.

⛔ Files ignored due to path filters (1)
  • Cargo.lock is excluded by !**/*.lock, !**/Cargo.lock
📒 Files selected for processing (6)
  • .bun-version
  • .mergify.yml
  • .pre-commit-config.yaml
  • .python-version
  • Cargo.toml
  • justfile

Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
… for review

Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
Copilot AI review requested due to automatic review settings March 1, 2026 04:10
Copilot AI left a comment

Pull request overview

Copilot reviewed 6 out of 7 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (2)

Cargo.toml:194

  • PR description says dependencies were updated to the latest patch versions, but toml is being bumped from 0.9.x to 1.0.3 (a major version change). If this is intentional, please update the PR description accordingly; otherwise, consider staying on 0.9.x for a patch-only update.
# Async runtime
tokio = { version = "1.49.0", features = [ "full" ] }
toml  = "1.0.3"

.bun-version:1

  • Since mise is configured to enable idiomatic version files for bun (see mise.toml settings) and lockfile+pin are enabled, adding/updating .bun-version typically also requires updating mise.lock so the bun version is recorded and reproducible across environments.
1.3.10


…dependencies

Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
…o prevent pipeline breaks

Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
Copilot AI review requested due to automatic review settings March 1, 2026 06:48
Copilot AI left a comment

Pull request overview

Copilot reviewed 9 out of 11 changed files in this pull request and generated no new comments.

Comments suppressed due to low confidence (4)

justfile:239

  • update used to only run cargo update, but is now an alias for update-deps (which also runs pre-commit autoupdate and can fail via cargo outdated --exit-code=1). If just update is expected to remain a simple, non-failing “update lockfiles” command, consider keeping the previous behavior and adding update-deps as an opt-in extended command instead.
# Update dependencies (alias for update-deps)
update: update-deps

.mergify.yml:24

  • The PR description says Dependabot PRs are excluded when they include workflow changes, but this rule only blocks changes to .github/workflows/release.yml. If the goal is to prevent auto-approval/auto-queue for any workflow edits, broaden the files exclusion (e.g., all .github/workflows/**) or adjust the description to match the actual policy.
      # release.yml is autogenerated by cargo-dist -- dependabot updates to
      # pinned actions in it will break the release pipeline. Dependabot has no
      # way to ignore specific workflow files, so we block it here instead.
      - -files~=\.github/workflows/release\.yml

Cargo.toml:193

  • The PR description says Rust dependencies were updated to the latest patch versions, but toml is being bumped from 0.9.x to 1.0.3 (a major version change). If the intent is patch-only updates, keep toml on 0.9.x; otherwise please call out the breaking-version bump explicitly and confirm the codebase/build is compatible with toml 1.0.
toml  = "1.0.3"

justfile:28

  • update-deps runs cargo outdated --exit-code=1 after updating, which will commonly exit non-zero even when cargo update succeeded (because outdated will still report newer semver-incompatible releases). That makes this recipe (and anything that depends on it) fail by default; consider splitting the “update” and “check for outdated” steps, or make the outdated check non-fatal/optional.
update-deps:
    @{{ mise_exec }} cargo update
    @{{ mise_exec }} pre-commit autoupdate
    @{{ mise_exec }} cargo outdated --depth=1 --exit-code=1



@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.mergify.yml:
- Around line 32-37: Update the "Auto-queue release-plz PRs" mergify rule to
restrict authors so only the bot that creates release PRs can trigger
auto-queueing: add an author condition (e.g., author = github-actions[bot])
alongside the existing head ~= ^release-plz- condition so the rule targets
branches named release-plz-* AND is authored by the expected automation account;
modify the rule that contains the "Auto-queue release-plz PRs" name to include
this new author constraint.

ℹ️ Review info

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 066e35e and 60a63db.

📒 Files selected for processing (1)
  • .mergify.yml

Comment on lines 32 to 37
  - name: Auto-queue release-plz PRs
    conditions:
      - base = main
      - "head ~= ^release-plz-"
      - -draft
      - label != do-not-merge

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

git ls-files | grep -E '\.mergify|mergify'

Repository: EvilBit-Labs/ruley

Length of output: 74


🏁 Script executed:

cat -n .mergify.yml | head -50

Repository: EvilBit-Labs/ruley

Length of output: 2009


🌐 Web query:

release-plz GitHub Action bot author

💡 Result:

The release-plz GitHub Action/bot is created and maintained by Marco Ieni (GitHub: marcoieni). [1], [2]


🏁 Script executed:

find .github -type f -name "*.yml" -o -name "*.yaml" 2>/dev/null | head -20

Repository: EvilBit-Labs/ruley

Length of output: 369


🏁 Script executed:

cat -n .github/workflows/*.yml 2>/dev/null | grep -A 10 -B 2 "release-plz"

Repository: EvilBit-Labs/ruley

Length of output: 2813


🏁 Script executed:

rg "release-plz" --type yaml -A 5 -B 5

Repository: EvilBit-Labs/ruley

Length of output: 1001


Add author constraint to release-plz auto-queue rule.

Line 35 trusts only branch naming (head ~= ^release-plz-). Any contributor can fork the repo, create a release-plz-* branch, open a PR to main, and auto-queue it without author verification. The workflow uses GITHUB_TOKEN from GitHub Actions, which creates PRs as github-actions[bot].

Proposed fix
  - name: Auto-queue release-plz PRs
    conditions:
      - base = main
+     - author = github-actions[bot]
      - "head ~= ^release-plz-"
      - -draft
      - label != do-not-merge
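Review bot: the added `author = github-actions[bot]` condition is the right fix for the branch-name-only match, but note that this author identity is shared by every workflow in the repository that opens pull requests with GITHUB_TOKEN, so it is not unique to release-plz on its own; the `head ~= ^release-plz-` condition still has to stay in the rule to do the disambiguating, and the two conditions are only meaningful together. Worth a one-line comment above the rule saying so, so that a later cleanup does not drop either half.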
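The two review findings on the .mergify.yml rules (Copilot's point that only release.yml is excluded from the Dependabot auto-approve rule, and CodeRabbit's point that the release-plz rule trusts the branch name alone) both come down to what a Mergify condition list actually matches. The Python below is an added example, not code from this PR and not Mergify's implementation: it is a toy evaluator for the subset of condition syntax the rules on this page use (`=`, `!=`, `~=`, a bare boolean attribute, and a leading `-` for negation), run against constructed pull requests. The pull request objects, branch names, authors and file lists are made up for the example, and the list-attribute semantics are an approximation of Mergify's documented behaviour rather than a copy of it.

```python
"""Toy evaluator for the Mergify-style conditions used on this page (added example)."""
import re
from dataclasses import dataclass, field

# optional "-" negation, attribute name, optional operator, operand
_CONDITION = re.compile(r"^(-?)(\w+)\s*(!=|~=|=)?\s*(.*)$")


@dataclass
class PullRequest:
    """Constructed stand-in for the PR attributes a Mergify rule sees."""
    base: str
    head: str          # head branch name; for a fork PR this is the fork's branch name
    author: str
    draft: bool = False
    labels: set = field(default_factory=set)
    files: list = field(default_factory=list)


def _attribute(pr, name):
    # Mergify exposes the label list under the singular name "label".
    return pr.labels if name == "label" else getattr(pr, name)


def _compare(actual, op, expected):
    if op == "=":
        return actual == expected
    if op == "!=":
        return actual != expected
    if op == "~=":
        return re.search(expected, actual) is not None
    raise ValueError(f"unsupported operator {op!r}")


def matches(pr, condition):
    """Evaluate one condition string such as 'author = dependabot[bot]'."""
    m = _CONDITION.match(condition.strip().strip('"'))
    if m is None:
        raise ValueError(f"unparseable condition: {condition!r}")
    negate, name, op, expected = m.groups()
    actual = _attribute(pr, name)
    if op is None:                          # bare boolean attribute, e.g. "draft"
        result = bool(actual)
    elif isinstance(actual, (list, set)):
        # list attributes: "!=" holds when no element equals the operand,
        # "=" and "~=" hold when some element matches it
        if op == "!=":
            result = all(item != expected for item in actual)
        else:
            result = any(_compare(item, op, expected) for item in actual)
    else:
        result = _compare(actual, op, expected)
    return (not result) if negate == "-" else result


def rule_matches(pr, conditions):
    """A rule fires only when every one of its conditions holds."""
    return all(matches(pr, c) for c in conditions)


# Rules as quoted on this page: the release-plz rule before and after the suggested author line,
# and the Dependabot rule with the release.yml-only exclusion beside the broader all-workflows one.
RELEASE_PLZ_RULE = ["base = main", '"head ~= ^release-plz-"', "-draft", "label != do-not-merge"]
RELEASE_PLZ_RULE_WITH_AUTHOR = RELEASE_PLZ_RULE[:1] + ["author = github-actions[bot]"] + RELEASE_PLZ_RULE[1:]
DEPENDABOT_RULE = [
    "base = main", "author = dependabot[bot]", "-draft", "label != do-not-merge",
    r"-files~=\.github/workflows/release\.yml",
]
DEPENDABOT_RULE_ALL_WORKFLOWS = DEPENDABOT_RULE[:-1] + [r"-files~=\.github/workflows/"]

# Constructed pull requests (branch names, authors and file lists are made up for the example).
GENUINE_RELEASE_PR = PullRequest("main", "release-plz-2026-03-01", "github-actions[bot]",
                                 files=["Cargo.toml", "CHANGELOG.md"])
FORGED_RELEASE_PR = PullRequest("main", "release-plz-2026-03-01", "some-fork-user",
                                files=["src/main.rs"])
DEPENDABOT_CI_PR = PullRequest("main", "dependabot/github_actions/actions/checkout-5",
                               "dependabot[bot]", files=[".github/workflows/ci.yml"])
DEPENDABOT_RELEASE_PR = PullRequest("main", "dependabot/github_actions/actions/checkout-5",
                                    "dependabot[bot]", files=[".github/workflows/release.yml"])


if __name__ == "__main__":
    cases = [
        ("forged release branch from a fork, head-only rule", FORGED_RELEASE_PR, RELEASE_PLZ_RULE),
        ("forged release branch from a fork, with author check", FORGED_RELEASE_PR, RELEASE_PLZ_RULE_WITH_AUTHOR),
        ("genuine release PR, with author check", GENUINE_RELEASE_PR, RELEASE_PLZ_RULE_WITH_AUTHOR),
        ("dependabot edits ci.yml, release.yml-only exclusion", DEPENDABOT_CI_PR, DEPENDABOT_RULE),
        ("dependabot edits ci.yml, all-workflows exclusion", DEPENDABOT_CI_PR, DEPENDABOT_RULE_ALL_WORKFLOWS),
        ("dependabot edits release.yml, release.yml-only exclusion", DEPENDABOT_RELEASE_PR, DEPENDABOT_RULE),
    ]
    for label, pr, rule in cases:
        print(f"{label}: {'AUTO-QUEUED' if rule_matches(pr, rule) else 'held for review'}")
```

Run as a script it prints one line per case; the forged release branch is auto-queued under the head-only rule and held once the author condition is present, and the Dependabot change to ci.yml passes the release.yml-only exclusion but is held by the all-workflows one. The point for a maintainer writing rules like these is that every condition is a conjunction over attacker-influenced attributes (branch name, file list) unless one of them pins an identity the contributor cannot choose, which is what the author condition supplies.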

…or external contributors

Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
Copilot AI review requested due to automatic review settings March 1, 2026 07:01
Copilot AI left a comment

Pull request overview

Copilot reviewed 10 out of 12 changed files in this pull request and generated no new comments.

Comments suppressed due to low confidence (2)

Cargo.toml:193

  • The PR description says the Rust dependency updates are to the “latest patch versions”, but toml is being bumped from 0.9.8 to 1.0.3 (a major version change). Either update the description to reflect the major bump or constrain toml to a 0.9.x patch update if you want to avoid potential breaking changes.
toml  = "1.0.3"

.mergify.yml:24

  • The PR description mentions Dependabot PRs are auto-approved/queued “excluding workflow changes”, but the Mergify rule only blocks changes to .github/workflows/release.yml. If the intent is to exclude all workflow changes from auto-approval, broaden the file exclusion to the entire workflows directory; otherwise update the PR description to match the narrower exclusion.
      # release.yml is autogenerated by cargo-dist -- dependabot updates to
      # pinned actions in it will break the release pipeline. Dependabot has no
      # way to ignore specific workflow files, so we block it here instead.
      - -files~=\.github/workflows/release\.yml


@unclesp1d3r unclesp1d3r merged commit 9d1e7be into main Mar 1, 2026
31 checks passed
@unclesp1d3r unclesp1d3r deleted the update_deps_and_ci branch March 1, 2026 07:25