1 change: 1 addition & 0 deletions .bun-version
@@ -0,0 +1 @@
1.3.10
6 changes: 6 additions & 0 deletions .github/dependabot.yml
Expand Up @@ -5,15 +5,21 @@ updates:
schedule:
interval: "weekly"
rebase-strategy: "disabled"
commit-message:
prefix: "chore(deps)"

- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
rebase-strategy: "disabled"
commit-message:
prefix: "chore(deps)"

- package-ecosystem: "devcontainers"
directory: "/"
schedule:
interval: "weekly"
rebase-strategy: "disabled"
commit-message:
prefix: "chore(deps)"
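Review bot: the new `github-actions` ecosystem entry will also open PRs that bump the pinned actions in `.github/workflows/release.yml`, which the `.mergify.yml` comment in this same PR says is autogenerated by cargo-dist and breaks when those pins change; the Mergify guard only stops such PRs from being auto-queued, it does not stop Dependabot from opening them. Either add a short comment here stating that release.yml PRs are to be closed and the file regenerated with cargo-dist, or use an `ignore:` block with `dependency-name` entries for the actions release.yml pins, so the noise is cut off at the source rather than at merge time.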
1 change: 1 addition & 0 deletions .github/workflows/ci.yml
Expand Up @@ -22,6 +22,7 @@ env:
CARGO_TERM_COLOR: always
CI: true
GITHUB_ACTIONS: true
MISE_ENV: ci

jobs:
quality:
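Review bot: `MISE_ENV: ci` selects a mise configuration profile that is not part of this diff, so a reviewer cannot see what differs between local and CI tool setup; a one-line comment above `MISE_ENV: ci` naming the settings that profile changes would document the intent and make a future rename of the profile easy to catch.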
46 changes: 34 additions & 12 deletions .mergify.yml
Expand Up @@ -11,47 +11,69 @@ queue_rules:
- check-success = coverage

pull_request_rules:
# Tier 1: Maintainer PRs -- queue when maintainer adds 'lgtm' label
- name: Queue maintainer PRs with lgtm label
# Tier 1: Trusted bot PRs -- auto-approve and queue immediately
- name: Auto-approve and queue dependabot PRs
conditions:
- base = main
- "author=@maintainers"
- label = lgtm
- author = dependabot[bot]
- -draft
- label != do-not-merge
# release.yml is autogenerated by cargo-dist -- dependabot updates to
# pinned actions in it will break the release pipeline. Dependabot has no
# way to ignore specific workflow files, so we block it here instead.
- -files~=\.github/workflows/release\.yml
actions:
review:
type: APPROVE
message: Automatically approved by Mergify
queue:
name: default

- name: Auto-approve and queue dosu PRs
conditions:
- base = main
- author = dosubot[bot]
- -draft
- label != do-not-merge
actions:
review:
type: APPROVE
message: Automatically approved by Mergify
queue:
name: default

# Tier 2: Trusted bot PRs -- auto-queue when checks pass
- name: Auto-queue release-plz PRs
conditions:
- base = main
- "head ~= ^release-plz-"
- -draft
- label != do-not-merge
Comment on lines 45 to 50
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

git ls-files | grep -E '\.mergify|mergify'

Repository: EvilBit-Labs/ruley

Length of output: 74


🏁 Script executed:

cat -n .mergify.yml | head -50

Repository: EvilBit-Labs/ruley

Length of output: 2009


🌐 Web query:

release-plz GitHub Action bot author

💡 Result:

The release-plz GitHub Action/bot is created and maintained by Marco Ieni (GitHub: marcoieni). [1], [2]


🏁 Script executed:

find .github -type f -name "*.yml" -o -name "*.yaml" 2>/dev/null | head -20

Repository: EvilBit-Labs/ruley

Length of output: 369


🏁 Script executed:

cat -n .github/workflows/*.yml 2>/dev/null | grep -A 10 -B 2 "release-plz"

Repository: EvilBit-Labs/ruley

Length of output: 2813


🏁 Script executed:

rg "release-plz" --type yaml -A 5 -B 5

Repository: EvilBit-Labs/ruley

Length of output: 1001


Add author constraint to release-plz auto-queue rule.

Line 35 trusts only branch naming (head ~= ^release-plz-). Any contributor can fork the repo, create a release-plz-* branch, open a PR to main, and auto-queue it without author verification. The workflow uses GITHUB_TOKEN from GitHub Actions, which creates PRs as github-actions[bot].

Proposed fix
  - name: Auto-queue release-plz PRs
    conditions:
      - base = main
+     - author = github-actions[bot]
      - "head ~= ^release-plz-"
      - -draft
      - label != do-not-merge
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Auto-queue release-plz PRs
conditions:
- base = main
- "head ~= ^release-plz-"
- -draft
- label != do-not-merge
- name: Auto-queue release-plz PRs
conditions:
- base = main
- author = github-actions[bot]
- "head ~= ^release-plz-"
- -draft
- label != do-not-merge
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.mergify.yml around lines 32 - 37, Update the "Auto-queue release-plz PRs"
mergify rule to restrict authors so only the bot that creates release PRs can
trigger auto-queueing: add an author condition (e.g., author =
github-actions[bot]) alongside the existing head ~= ^release-plz- condition so
the rule targets branches named release-plz-* AND is authored by the expected
automation account; modify the rule that contains the "Auto-queue release-plz
PRs" name to include this new author constraint.

actions:
queue:
name: default

- name: Auto-approve and queue dependabot PRs
# Tier 2: Maintainer PRs -- queue when maintainer self-labels 'lgtm'
# (no approval required; solves the sole-maintainer self-merge problem)
- name: Queue maintainer PRs with lgtm label
conditions:
- base = main
- author = dependabot[bot]
- "author=@maintainers"
- -draft
- label = lgtm
- label != do-not-merge
- -files~=\.github/workflows/release\.yml
actions:
review:
type: APPROVE
message: Automatically approved by Mergify
queue:
name: default

# Tier 3: All other PRs (external contributors, copilot) -- require maintainer approval
# Tier 3: External contributor PRs -- require maintainer approval
- name: Queue external PRs when approved by maintainer
conditions:
- base = main
- "-author=@maintainers"
- author != dependabot[bot]
- author != dosubot[bot]
- "-head ~= ^release-plz-"
- -draft
- "approved-reviews-by=@maintainers"
- label != do-not-merge
actions:
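Review bot: the file guard is applied unevenly across the Tier 1 bot rules: the dependabot rule carries `- -files~=\.github/workflows/release\.yml`, but the new dosubot rule directly above it auto-approves and queues with no file condition at all, so a dosu PR that touched release.yml would be merged with no human in the loop even though the comment in this hunk explains why that file must not be changed by bots. Apply the same `-files~=` condition to the dosubot rule (or factor it into a shared condition if Mergify's config supports that in this repo). Separately, the inline comment on the release-plz rule is worth acting on before merge: with Tier 3 now excluding `- "-head ~= ^release-plz-"` branches from the approval requirement and Tier 2 checking only the branch prefix, a fork PR named `release-plz-*` matches neither the author check nor the approval gate, so adding `- author = github-actions[bot]` to the Tier 2 rule closes that gap.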
4 changes: 2 additions & 2 deletions .pre-commit-config.yaml
Expand Up @@ -29,7 +29,7 @@ repos:

# 🧪 GitHub Actions validation
- repo: https://github.com/rhysd/actionlint
rev: v1.7.7
rev: v1.7.11
hooks:
- id: actionlint
files: ".github/workflows/"
Expand All @@ -44,7 +44,7 @@ repos:

# 📝 Commit message linting (commit-msg only, not blocking push)
- repo: https://github.com/commitizen-tools/commitizen
rev: v4.9.1
rev: v4.13.9
hooks:
- id: commitizen
stages: [commit-msg]
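Review bot: `rev: v1.7.11` and `rev: v4.13.9` are tag references, and a tag can be moved by whoever controls the upstream repository; pre-commit accepts a full commit SHA in `rev`, so pinning each hook to the SHA (with the tag kept in a trailing `# v1.7.11` comment for readability) makes the hook versions immutable, which is the same pinned-actions concern this PR already records in the `.mergify.yml` comment about release.yml.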
1 change: 1 addition & 0 deletions .python-version
@@ -0,0 +1 @@
3.14.3