
merge queue: embarking main (e387cbb) and #1447 together #1483

Closed
mergify[bot] wants to merge 3 commits into main from mergify/merge-queue/41c8d11449

@mergify mergify Bot commented May 29, 2026

🎉 This pull request has been checked successfully and will be merged soon. 🎉

Branch main (e387cbb) and #1447 are embarked together for merge.

This pull request has been created by Mergify to speculatively check the mergeability of #1447.
You don't need to do anything. Mergify will close this pull request automatically when it is complete.

Required conditions of queue rule default for merge:

Required conditions to stay in the queue:

---
checking_base_sha: e387cbbf7bd28b4680c01c046c5ebe9e2ab27ce6
previous_failed_batches: []
pull_requests:
  - number: 1447
    scopes: []
scopes: []
...

jd and others added 3 commits May 29, 2026 08:33
`ci queue-info::write_github_output` formatted a unique
`ghadelimiter_<uuid-v4>` to guard against a metadata payload that
happens to contain its own heredoc delimiter. The actual contract
is "32 unpredictable hex chars", not "a UUID per RFC 4122" — the
delimiter is never parsed by anyone, only matched as a string.

Pull 16 random bytes straight from `getrandom::fill` and hex-encode
them. Drops `uuid` from the direct deps (it stays unreferenced and
disappears from `Cargo.lock`), with `getrandom` taking its place —
which `uuid` was already pulling in transitively, so the net add
is zero new code shipped to the binary.

The local helper is six lines. Same blast radius for a
maintainer-attack story, smaller surface to read.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Change-Id: Ib6599e9b6fca49281186b726a63e4641fa32596e
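
The delimiter guard described in the commit message above, as an added example that is not code from this pull request or from Mergify: it shows why a guessable heredoc delimiter lets a payload split one `$GITHUB_OUTPUT` entry into two, and how 32 random hex characters keep it in one. All function names are hypothetical, the `/dev/urandom` read is a std-only stand-in for `getrandom::fill`, `parse_outputs` is a simplified model of the reader, and the payload is constructed.

```rust
use std::{fs::File, io::Read};

/// 16 bytes -> `ghadelimiter_` + 32 hex chars (the shape the commit describes).
fn hex_delimiter(bytes: &[u8; 16]) -> String {
    let hex: String = bytes.iter().map(|b| format!("{b:02x}")).collect();
    format!("ghadelimiter_{hex}")
}

/// Assumption: std-only stand-in for `getrandom::fill`; Unix-like hosts only.
fn random_delimiter() -> std::io::Result<String> {
    let mut buf = [0u8; 16];
    File::open("/dev/urandom")?.read_exact(&mut buf)?;
    Ok(hex_delimiter(&buf))
}

/// Render one entry as `name<<DELIM`, value, `DELIM` for the $GITHUB_OUTPUT file.
/// Refuses a value that contains the delimiter rather than writing a split entry.
fn render_output(name: &str, value: &str, delim: &str) -> Result<String, String> {
    if value.contains(delim) {
        return Err(format!("value for {name} contains the delimiter"));
    }
    Ok(format!("{name}<<{delim}\n{value}\n{delim}\n"))
}

/// Simplified model (an assumption) of how a reader splits the file into outputs.
fn parse_outputs(file: &str) -> Vec<(String, String)> {
    let mut out = Vec::new();
    let mut lines = file.lines();
    while let Some(line) = lines.next() {
        if let Some((name, delim)) = line.split_once("<<") {
            let body: Vec<&str> = lines.by_ref().take_while(|l| *l != delim).collect();
            out.push((name.to_string(), body.join("\n")));
        } else if let Some((name, value)) = line.split_once('=') {
            out.push((name.to_string(), value.to_string()));
        }
    }
    out
}

fn main() -> std::io::Result<()> {
    // Constructed payload that carries the fixed delimiter on a line of its own.
    let payload = "title: x\nEOF\napproved=true";
    let weak = format!("metadata<<EOF\n{payload}\nEOF\n");
    println!("fixed delimiter:  {:?}", parse_outputs(&weak)); // two outputs
    let delim = random_delimiter()?;
    let safe = render_output("metadata", payload, &delim).expect("no collision");
    println!("random delimiter: {:?}", parse_outputs(&safe)); // one output
    Ok(())
}
```
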
… parsing

The workspace had two YAML parsers — both forks of the archived
`dtolnay/serde-yaml`. `mergify-config` used `serde_norway` for
`.mergify.yml`; `mergify-ci` used `serde_yaml_ng` for merge-queue
metadata in PR bodies and git notes. Same job, two crates, two
transitive `unsafe-libyaml*` trees in Cargo.lock.

Standardize on `serde_yaml_ng` for both. The decision is grounded
in concrete signal, not vibe:

  Metric                     serde_norway   serde_yaml_ng
  ─────────────────────────  ─────────────  ─────────────
  Reverse-deps on lib.rs     229 (78 dir.)  618 (349 dir.)
  GitHub stars               53             109
  Last commit                2025-08-04     2025-09-14
  Bus factor (recent prs)    1 (solo)       merges externals
  Maintainer statement       v0.9.40 title  README: explicit
                             "I'm gonna       upstream-compat
                              maintain this"  intent
  unsafe-libyaml backend     forked ("…-    canonical
                             norway")
  Open since                 2024-06-10     2024-05-03
  License                    Apache-2.0     MIT (= upstream)

`serde_yaml_ng` wins on every axis that matters for the "will this
still be alive in two years" question: three times the ecosystem
adoption, more recent activity, accepts third-party PRs, declares
the maintenance commitment in writing, and uses the canonical
`unsafe-libyaml` rather than a parallel-fork backend.

Functional surface is identical for both of our use shapes —
`from_str` to a typed struct for ci, `from_str` to `Value`
then convert to `serde_json::Value` for config validation.
Migration is purely a rename at the one call site.

Cargo.lock drops `serde_norway` and `unsafe-libyaml-norway`.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Change-Id: If5d28d2c4259127181bace5bafb0ac02c78d8f7b
@mergify mergify Bot deployed to Mergify Merge Protections May 29, 2026 07:22 Active
@mergify mergify Bot temporarily deployed to func-tests-live May 29, 2026 07:22 Inactive
@mergify mergify Bot closed this May 29, 2026
@mergify mergify Bot deleted the mergify/merge-queue/41c8d11449 branch May 29, 2026 07:38