ci: surface parser dependency updates in release changelog#178
Conversation
Parser/grammar bumps (oxc, tree-sitter, ANTLR runtime, pulldown-cmark,
mago, ruff, sqruff, ra_ap_syntax) were invisible in the release-please
changelog, along with every other dependency update. Make the parser
family visible while keeping the rest of the dependency noise out.
Two coordinated fixes:
* release-please-config.json: the section overrides lived under the key
`changelog-types`, but the schema property is `changelog-sections`.
Since the config schema is additionalProperties:false, the misspelled
key was silently ignored and release-please fell back to its defaults
(only feat/fix/perf/revert shown) — which is why no dependency updates
ever reached the changelog. Rename the key, add a custom `deps` section
("Parser & Grammar Updates"), and hide build/chore/ci/docs/style/
refactor/test. Custom sections replace the defaults wholesale, so
feat/fix/perf/revert are re-listed explicitly.
* dependabot-auto-merge.yml: release-please matches on commit TYPE only
(there is no scope filter), so `build(deps): bump oxc` and
`build(deps): bump serde_json` are indistinguishable to it. Dependabot
cannot set per-group commit prefixes, so the discrimination is applied
at squash-merge time: a dependabot/fetch-metadata step reads the crate
names, and parser-family PRs are relabeled from `build(deps)` to the
shown `deps:` type. All other bumps keep `build(deps)` and stay hidden.
Matching on crate name (not PR title) classifies grouped PRs correctly.
|
Warning Review limit reached
Next review available in: 30 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (1)
WalkthroughThe Dependabot workflow now retrieves dependency metadata and uses dependency-name matching to choose whether to add a custom subject during automatic squash merges. The release configuration now uses changelog sections, exposes dependency updates under “Parser & Grammar Updates,” and hides documentation, style, chore, refactor, test, build, and CI categories. Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Code Review
This pull request updates the release-please-config.json configuration by renaming changelog-types to changelog-sections, adding a new deps section, and setting several other commit types to hidden. The reviewer noted that explicitly listing these hidden types is redundant because unlisted types are automatically ignored when changelog-sections is defined, and suggested removing them to simplify the configuration.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
Binary Size ReportMeasured artifact: release Linux
Size historyxychart-beta
title "Binary size (bytes)"
x-axis ["build(deps): bump log from 0.4", "build(deps): bump the ruff gro", "build(deps): bump the mago gro", "build: sync workspace crate ve", "build(deps): bump the oxc grou", "build(deps): bump tree-sitter ", "build(deps): bump camino from ", "feat: add Java analyzer and up", "build(deps): bump sqruff-lib-d", "build(deps): bump the mago gro", "build(deps): bump ra_ap_syntax", "build(deps): bump the oxc grou", "build(deps): bump mago-syntax-", "chore(main): release 1.3.0 (#1", "docs: surface SQL + ANTLR acro", "refactor(markdown): replace tr", "docs: post-classical metrics r", "feat(metrics): explain SQL cha", "This PR"]
y-axis "Bytes"
bar [29184128, 29154616, 29184664, 29184664, 29194704, 29194696, 29194704, 30767472, 30833880, 30833888, 30834016, 30811952, 30811944, 30811984, 31135680, 31113224, 31113224, 31143608, 31143608]
|
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/dependabot-auto-merge.yml:
- Around line 21-23: Pin the dependabot/fetch-metadata action used by the “Fetch
Dependabot metadata” step to a full commit SHA instead of the mutable v3 tag;
also pin actions/create-github-app-token in the same workflow to a commit SHA to
satisfy the zizmor policy.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 3972af31-0d94-4c37-85b3-6e15253acaa5
📒 Files selected for processing (2)
.github/workflows/dependabot-auto-merge.ymlrelease-please-config.json
Remove the seven redundant `hidden: true` changelog-sections entries (docs/style/chore/refactor/test/build/ci). Verified against conventional-changelog-conventionalcommits@^6 (the preset release-please uses): writer-opts discards a commit when its type entry is either undefined OR hidden — `if (discard && (entry === undefined || entry.hidden)) return` — so an absent type and a hidden type yield identical output. Listing only the shown types (feat/fix/perf/deps/revert) is equivalent and simpler. Addresses: #178 (comment)
Goal
Make parser/grammar dependency updates (oxc, tree-sitter, ANTLR runtime,
pulldown-cmark, mago, ruff, sqruff,ra_ap_syntax) visible in the release-please changelog, while keeping every other dependency bump out of the release notes.Root cause (a latent bug)
No dependency updates appear in the changelog today — not even the parser ones — even though
release-please-config.jsonlooks like it enables a "Dependencies" section.The section overrides lived under the key
changelog-types, but the schema property ischangelog-sections. The config schema isadditionalProperties: false, so at runtime the misspelled key is silently ignored and release-please falls back to its built-in defaults (onlyfeat/fix/perf/revertshown, everything else hidden).Empirical confirmation: the
v1.2.0..v1.3.0range contained ~9build(deps)commits, and none appear in the 1.3.0 changelog — pure default behavior.Why config alone can't do this
release-please matches on commit type only — there is no
scopefilter in the schema (required: ["type", "section"], plus optionalhidden). Sobuild(deps): bump oxcandbuild(deps): bump serde_jsonare indistinguishable to it: any single rule shows both or hides both.Dependabot can't disambiguate either —
commit-message.prefixis per-ecosystem (not per-group), and twocargo+/update entries are forbidden (unique ecosystem+directory+branch required).The only lever both tools agree on is the squash-merge subject, which is what release-please actually parses.
Changes
release-please-config.jsonchangelog-types→changelog-sections(the real key).deps→ "Parser & Grammar Updates" section (shown).build,chore,ci,docs,style,refactor,test.feat/fix/perf/revert(custom sections replace defaults, not merge)..github/workflows/dependabot-auto-merge.ymldependabot/fetch-metadata@v3step.tree-sitter,oxc_*,mago-*,ruff_*,sqruff-*,pulldown-cmark,ra_ap_*,antlr-rust-runtime), relabel the squash subject frombuild(deps): …todeps: … (#NN). Otherwise it staysbuild(deps): …and remains hidden.Release policy
Parser updates use the custom
deps:type, which does not bump the version — they accumulate silently and surface in the changelog of the nextfeat/fix-triggered release (the "ride along" choice). No dependency batch cuts a release on its own.Verification
additionalProperties: falsepackage object; shown types =[feat, fix, perf, deps, revert].actionlintclean.deps:; all 4 noise PRs (serde_json, camino, log, gix) → hiddenbuild(deps).Notes for reviewers
deps:manually to route into the same section. Heads-up: commitlint (webiny/action-conventional-commits) uses the default type-enum, which does not includedeps— so a hand-writtendeps:commit on a PR branch would fail that check. Dependabot's relabel is safe because it happens at squash time onmain, which commitlint doesn't gate. Happy to add a commitlint config allowingdepsin a follow-up if wanted.