Summary
Enable GitHub merge queue on the main branch to eliminate the manual rebase cascade caused by strict status checks.
Problem
The main branch ruleset enforces strict_required_status_checks_policy: true ("Require branches to be up to date before merging"). This means every PR must have its required checks pass against the latest main. After any merge, all other open PRs become "behind" and must rebase + re-run CI before they can merge.
With N open PRs, merging one triggers a rebase cascade: the remaining N-1 PRs all need manual rebase and full CI re-runs. This is especially costly when GPU tests trigger on rebases (addressed separately in #558).
Current required checks: tests / Test, tests / Lint, tests / CLI E2E, tests / E2E, tests / Security Scan, analyze, malware-scan
Current open PRs affected: 13 open PRs, most showing BEHIND or BLOCKED status.
Proposal
Enable GitHub's merge queue for the main branch. The merge queue automatically rebases and tests PRs before merging, maintaining the strict guarantee without manual overhead.
Implementation
1. Add merge_group: types: [checks_requested] trigger to workflows that produce required checks:
| Check Name |
Source Workflow |
File |
tests / Test, Lint, CLI E2E, E2E, Security Scan |
Qualification (called by on-push) |
.github/workflows/on-push.yaml |
analyze |
CodeQL |
.github/workflows/codeql.yaml |
malware-scan |
Vulnerability Scan |
.github/workflows/vuln-scan.yaml |
Each workflow needs merge_group: types: [checks_requested] added to its on: triggers so checks run when the merge queue tests a PR (GitHub docs).
Note on vuln-scan.yaml: Only the malware-scan job is a required check. The vuln-scan job in the same workflow is not required. Adding merge_group at the workflow level will run both jobs on every queued PR. Either scope the trigger to just the malware-scan job, or accept the extra queue cost as a conscious decision.
2. Enable merge queue in the repo ruleset (admin, GitHub UI):
- Repository Settings → Rules → Rulesets → edit the
main branch ruleset
- Add a "Merge queue" rule
- Configure: merge method = squash, max queue size as appropriate
Trade-offs
| Approach |
Pros |
Cons |
| Current (strict + manual rebase) |
Simple, no new infra |
Rebase cascade, manual toil, wasted CI |
| Merge queue |
Automatic rebase+test, no cascade, correct by construction |
New concept for contributors, slightly longer merge latency (queued) |
| Disable strict mode |
No rebase needed |
Risks merging PRs that pass on stale base but fail on current main |
Acceptance Criteria
- A PR is queueable without manual rebasing when
main advances
- The merge queue automatically rebases, runs required checks, and merges on success
strict_required_status_checks_policy can be relaxed once the merge queue is active (the queue enforces the same guarantee automatically), but this is an implementation decision — the outcome is what matters
Out of Scope
Related
Summary
Enable GitHub merge queue on the
mainbranch to eliminate the manual rebase cascade caused by strict status checks.Problem
The
mainbranch ruleset enforcesstrict_required_status_checks_policy: true("Require branches to be up to date before merging"). This means every PR must have its required checks pass against the latestmain. After any merge, all other open PRs become "behind" and must rebase + re-run CI before they can merge.With N open PRs, merging one triggers a rebase cascade: the remaining N-1 PRs all need manual rebase and full CI re-runs. This is especially costly when GPU tests trigger on rebases (addressed separately in #558).
Current required checks:
tests / Test,tests / Lint,tests / CLI E2E,tests / E2E,tests / Security Scan,analyze,malware-scanCurrent open PRs affected: 13 open PRs, most showing
BEHINDorBLOCKEDstatus.Proposal
Enable GitHub's merge queue for the
mainbranch. The merge queue automatically rebases and tests PRs before merging, maintaining the strict guarantee without manual overhead.Implementation
1. Add
merge_group: types: [checks_requested]trigger to workflows that produce required checks:tests / Test,Lint,CLI E2E,E2E,Security Scan.github/workflows/on-push.yamlanalyze.github/workflows/codeql.yamlmalware-scan.github/workflows/vuln-scan.yamlEach workflow needs
merge_group: types: [checks_requested]added to itson:triggers so checks run when the merge queue tests a PR (GitHub docs).Note on
vuln-scan.yaml: Only themalware-scanjob is a required check. Thevuln-scanjob in the same workflow is not required. Addingmerge_groupat the workflow level will run both jobs on every queued PR. Either scope the trigger to just themalware-scanjob, or accept the extra queue cost as a conscious decision.2. Enable merge queue in the repo ruleset (admin, GitHub UI):
mainbranch rulesetTrade-offs
Acceptance Criteria
mainadvancesstrict_required_status_checks_policycan be relaxed once the merge queue is active (the queue enforces the same guarantee automatically), but this is an implementation decision — the outcome is what mattersOut of Scope
Related