Skip to content

ci: surface parser dependency updates in release changelog#178

Merged
tinovyatkin merged 2 commits into
mainfrom
ci/surface-parser-deps-in-changelog
Jul 10, 2026
Merged

ci: surface parser dependency updates in release changelog#178
tinovyatkin merged 2 commits into
mainfrom
ci/surface-parser-deps-in-changelog

Conversation

@tinovyatkin

Copy link
Copy Markdown
Contributor

Goal

Make parser/grammar dependency updates (oxc, tree-sitter, ANTLR runtime, pulldown-cmark, mago, ruff, sqruff, ra_ap_syntax) visible in the release-please changelog, while keeping every other dependency bump out of the release notes.

Root cause (a latent bug)

No dependency updates appear in the changelog today — not even the parser ones — even though release-please-config.json looks like it enables a "Dependencies" section.

The section overrides lived under the key changelog-types, but the schema property is changelog-sections. The config schema is additionalProperties: false, so at runtime the misspelled key is silently ignored and release-please falls back to its built-in defaults (only feat/fix/perf/revert shown, everything else hidden).

Empirical confirmation: the v1.2.0..v1.3.0 range contained ~9 build(deps) commits, and none appear in the 1.3.0 changelog — pure default behavior.

Why config alone can't do this

release-please matches on commit type only — there is no scope filter in the schema (required: ["type", "section"], plus optional hidden). So build(deps): bump oxc and build(deps): bump serde_json are indistinguishable to it: any single rule shows both or hides both.

Dependabot can't disambiguate either — commit-message.prefix is per-ecosystem (not per-group), and two cargo + / update entries are forbidden (unique ecosystem+directory+branch required).

The only lever both tools agree on is the squash-merge subject, which is what release-please actually parses.

Changes

release-please-config.json

  • Rename changelog-typeschangelog-sections (the real key).
  • Add custom deps → "Parser & Grammar Updates" section (shown).
  • Hide build, chore, ci, docs, style, refactor, test.
  • Re-list feat/fix/perf/revert (custom sections replace defaults, not merge).

.github/workflows/dependabot-auto-merge.yml

  • Add a dependabot/fetch-metadata@v3 step.
  • If the PR touches a parser/grammar crate (tree-sitter, oxc_*, mago-*, ruff_*, sqruff-*, pulldown-cmark, ra_ap_*, antlr-rust-runtime), relabel the squash subject from build(deps): … to deps: … (#NN). Otherwise it stays build(deps): … and remains hidden.
  • Matches on crate name, not PR title, so grouped PRs ("bump the oxc group") are classified correctly.

Release policy

Parser updates use the custom deps: type, which does not bump the version — they accumulate silently and surface in the changelog of the next feat/fix-triggered release (the "ride along" choice). No dependency batch cuts a release on its own.

Verification

  • Config: valid JSON, no unknown keys under the additionalProperties: false package object; shown types = [feat, fix, perf, deps, revert].
  • Workflow: valid YAML + actionlint clean.
  • Relabel logic simulated against 12 real historical PRs: all 8 parser PRs → shown deps:; all 4 noise PRs (serde_json, camino, log, gix) → hidden build(deps).

Notes for reviewers

  • Only affects Dependabot PRs merged after this lands; no retroactive changelog rewrite.
  • Hand-written parser bumps should be typed deps: manually to route into the same section. Heads-up: commitlint (webiny/action-conventional-commits) uses the default type-enum, which does not include deps — so a hand-written deps: commit on a PR branch would fail that check. Dependabot's relabel is safe because it happens at squash time on main, which commitlint doesn't gate. Happy to add a commitlint config allowing deps in a follow-up if wanted.

Parser/grammar bumps (oxc, tree-sitter, ANTLR runtime, pulldown-cmark,
mago, ruff, sqruff, ra_ap_syntax) were invisible in the release-please
changelog, along with every other dependency update. Make the parser
family visible while keeping the rest of the dependency noise out.

Two coordinated fixes:

* release-please-config.json: the section overrides lived under the key
  `changelog-types`, but the schema property is `changelog-sections`.
  Since the config schema is additionalProperties:false, the misspelled
  key was silently ignored and release-please fell back to its defaults
  (only feat/fix/perf/revert shown) — which is why no dependency updates
  ever reached the changelog. Rename the key, add a custom `deps` section
  ("Parser & Grammar Updates"), and hide build/chore/ci/docs/style/
  refactor/test. Custom sections replace the defaults wholesale, so
  feat/fix/perf/revert are re-listed explicitly.

* dependabot-auto-merge.yml: release-please matches on commit TYPE only
  (there is no scope filter), so `build(deps): bump oxc` and
  `build(deps): bump serde_json` are indistinguishable to it. Dependabot
  cannot set per-group commit prefixes, so the discrimination is applied
  at squash-merge time: a dependabot/fetch-metadata step reads the crate
  names, and parser-family PRs are relabeled from `build(deps)` to the
  shown `deps:` type. All other bumps keep `build(deps)` and stay hidden.
  Matching on crate name (not PR title) classifies grouped PRs correctly.
@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@tinovyatkin, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 30 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6ecb9ea1-830d-4b1f-8e68-8a8df110a4d6

📥 Commits

Reviewing files that changed from the base of the PR and between c6710b5 and ae6efc2.

📒 Files selected for processing (1)
  • release-please-config.json

Walkthrough

The Dependabot workflow now retrieves dependency metadata and uses dependency-name matching to choose whether to add a custom subject during automatic squash merges. The release configuration now uses changelog sections, exposes dependency updates under “Parser & Grammar Updates,” and hides documentation, style, chore, refactor, test, build, and CI categories.

Poem

I’m a rabbit hopping through the merge queue,
Sorting parser carrots by name as I do.
Grammar gets a banner, bright and new,
Quiet chores hide from the changelog view.
Hop, squash, release—แล้ว! 🐇

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: surfacing parser dependency updates in the release changelog.
Description check ✅ Passed The description is detailed and directly matches the workflow and release-please config changes in the pull request.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the release-please-config.json configuration by renaming changelog-types to changelog-sections, adding a new deps section, and setting several other commit types to hidden. The reviewer noted that explicitly listing these hidden types is redundant because unlisted types are automatically ignored when changelog-sections is defined, and suggested removing them to simplify the configuration.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread release-please-config.json Outdated
@github-actions

Copy link
Copy Markdown
Contributor

Binary Size Report

Measured artifact: release Linux mehen binary built from this workflow.

Size
main 30MiB
This PR 30MiB
Delta +0B (+0.00%)
Size history
xychart-beta
  title "Binary size (bytes)"
  x-axis ["build(deps): bump log from 0.4", "build(deps): bump the ruff gro", "build(deps): bump the mago gro", "build: sync workspace crate ve", "build(deps): bump the oxc grou", "build(deps): bump tree-sitter ", "build(deps): bump camino from ", "feat: add Java analyzer and up", "build(deps): bump sqruff-lib-d", "build(deps): bump the mago gro", "build(deps): bump ra_ap_syntax", "build(deps): bump the oxc grou", "build(deps): bump mago-syntax-", "chore(main): release 1.3.0 (#1", "docs: surface SQL + ANTLR acro", "refactor(markdown): replace tr", "docs: post-classical metrics r", "feat(metrics): explain SQL cha", "This PR"]
  y-axis "Bytes"
  bar [29184128, 29154616, 29184664, 29184664, 29194704, 29194696, 29194704, 30767472, 30833880, 30833888, 30834016, 30811952, 30811944, 30811984, 31135680, 31113224, 31113224, 31143608, 31143608]
Loading

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/dependabot-auto-merge.yml:
- Around line 21-23: Pin the dependabot/fetch-metadata action used by the “Fetch
Dependabot metadata” step to a full commit SHA instead of the mutable v3 tag;
also pin actions/create-github-app-token in the same workflow to a commit SHA to
satisfy the zizmor policy.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3972af31-0d94-4c37-85b3-6e15253acaa5

📥 Commits

Reviewing files that changed from the base of the PR and between e67f380 and c6710b5.

📒 Files selected for processing (2)
  • .github/workflows/dependabot-auto-merge.yml
  • release-please-config.json

Comment thread .github/workflows/dependabot-auto-merge.yml
Remove the seven redundant `hidden: true` changelog-sections entries
(docs/style/chore/refactor/test/build/ci). Verified against
conventional-changelog-conventionalcommits@^6 (the preset release-please
uses): writer-opts discards a commit when its type entry is either
undefined OR hidden — `if (discard && (entry === undefined ||
entry.hidden)) return` — so an absent type and a hidden type yield
identical output. Listing only the shown types (feat/fix/perf/deps/revert)
is equivalent and simpler.

Addresses: #178 (comment)
@tinovyatkin tinovyatkin merged commit 15f4e6d into main Jul 10, 2026
10 checks passed
@tinovyatkin tinovyatkin deleted the ci/surface-parser-deps-in-changelog branch July 10, 2026 20:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant