
Use mergify to merge PRs for stream to lake sync #127

Merged
sutaakar merged 1 commit into opendatahub-io:main from sutaakar:mergify
Mar 31, 2026
Conversation

Collaborator

@sutaakar sutaakar commented Mar 30, 2026

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, in Fixes #<issue number>, #<issue number>, ... format, will close the issue(s) when PR gets merged):
Fixes #

Checklist:

  • Docs included if any changes are user facing

Summary by CodeRabbit

  • Chores
    • Removed an old GitHub Actions workflow that auto-synced labeled "lake-gate" PRs into the stable branch.
    • Added new Mergify automation: matching "lake-gate" PRs targeting stable will be auto-approved and auto-merged via fast-forward when CI checks pass and required approvals are present.


coderabbitai Bot commented Mar 30, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 902158d6-0d84-489f-a2d8-ada3a82d79ec

📥 Commits

Reviewing files that changed from the base of the PR and between 478b84e and 57fe179.

📒 Files selected for processing (2)
  • .github/workflows/auto-merge-lake-gate.yml
  • .mergify.yml
💤 Files with no reviewable changes (1)
  • .github/workflows/auto-merge-lake-gate.yml
✅ Files skipped from review due to trivial changes (1)
  • .mergify.yml

📝 Walkthrough


The GitHub Actions workflow .github/workflows/auto-merge-lake-gate.yml was removed. .mergify.yml was updated to add two pull request rules that auto-approve and fast-forward-merge PRs targeting stable with the lake-gate label authored by github-actions[bot], conditioned on a passing check matching ^Red Hat Konflux.*. The removed workflow’s runtime validations (fork rejection, waiting for all checks, exact SHA and ancestry verification, comment notifications, PR closing, and cleanup of lake-gate- branches) were not migrated.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Security findings

  1. Missing explicit fork rejection — The original workflow rejected forked PRs; new Mergify rules do not. Action: add a rule/condition to disallow merges from forked repositories or confirm repository-level enforcement. Relevant: CWE-863 (Incorrect Authorization).

  2. Reduced CI verification surface — The workflow waited for all checks; Mergify only requires ^Red Hat Konflux.*. Action: require all mandatory checks in Mergify or enforce branch protection for all required statuses. Relevant: CWE-287 (Improper Authentication) / CWE-755 (Improper Neutralization of Input During Sanitization).

  3. Loss of exact SHA and ancestry checks — The workflow validated commit SHAs and that stable is ancestor of main before fast-forwarding. Action: implement pre-merge verification (e.g., a gating job) or confirm Mergify’s fast-forward mode provides equivalent guarantees. Relevant: CWE-295 (Improper Certificate/Validation).

  4. No automated post-merge cleanup or notifications — Branch deletion and PR-closing notifications were removed. Action: add post-merge automation to delete lake-gate- branches and post status/comments or integrate notification steps. Relevant: CWE-346 (Origin Validation Error).

Only actionable issues are reported.

🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: replacing a custom GitHub Actions workflow with Mergify automation rules for stream-to-lake synchronization. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Comment @coderabbitai help to get the list of available commands and usage tips.
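
An added example (not part of this PR, the removed workflow, or CodeRabbit's review): a minimal shell gate covering the fork-rejection, exact-SHA and ancestry checks that the walkthrough above says were not migrated to Mergify. The function names, return codes, repository names and the sample history are assumptions made for illustration; the removed workflow's own code does not appear on this page.

```shell
#!/bin/sh
# Added example. Function names, return codes and repo names are hypothetical.

# verify_ff_gate REPO_DIR BASE_REF HEAD_REF EXPECTED_SHA BASE_REPO HEAD_REPO
# Returns 0 only when fast-forwarding BASE_REF to HEAD_REF is safe.
verify_ff_gate() {
    repo=$1 base_ref=$2 head_ref=$3 expected=$4 base_repo=$5 head_repo=$6

    # 1. Fork rejection: the PR head must live in the base repository.
    if [ "$head_repo" != "$base_repo" ]; then
        echo "reject: head repository $head_repo is not $base_repo"; return 10
    fi
    # 2. Exact SHA: the ref must still point at the commit that was tested.
    actual=$(git -C "$repo" rev-parse --verify --quiet "$head_ref^{commit}") || {
        echo "reject: cannot resolve $head_ref"; return 11; }
    if [ "$actual" != "$expected" ]; then
        echo "reject: $head_ref is $actual, expected $expected"; return 12
    fi
    # 3. Ancestry: a fast-forward exists only if base is an ancestor of head.
    if ! git -C "$repo" merge-base --is-ancestor "$base_ref" "$actual"; then
        echo "reject: $base_ref is not an ancestor of $actual"; return 13
    fi
    echo "ok: $base_ref can fast-forward to $actual"
}

# Constructed sample history: stable=base, main=base+feature, moved=base+hotfix.
make_demo_repo() {
    d=$(mktemp -d) || return 1
    g() { git -C "$d" -c user.name=demo -c user.email=demo@example.invalid \
              -c commit.gpgsign=false "$@"; }
    g init -q
    g symbolic-ref HEAD refs/heads/stable
    g commit -q --allow-empty -m base
    g checkout -q -b main
    g commit -q --allow-empty -m feature
    g checkout -q -b moved stable
    g commit -q --allow-empty -m hotfix
    echo "$d"
}

demo=$(make_demo_repo)
verify_ff_gate "$demo" stable main "$(git -C "$demo" rev-parse main)" \
    example-org/example-repo example-org/example-repo
rm -rf "$demo"
```

Run as a required status check, a gate like this makes the three properties visible to branch protection, so the merge bot's own conditions are not the only place they are enforced.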


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
.mergify.yml (1)

9-11: Add fallback merge method to handle fast-forward failures.

The rule uses method: fast-forward without a fallback strategy. While Mergify will attempt to rebase the PR onto stable first (default behavior), if rebase conflicts occur, the merge fails without an alternative. Consider adding always_create_merge_commit: true or another fallback method to allow merges to proceed when fast-forward is no longer possible after rebase.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.mergify.yml around lines 9 - 11, The current mergify rule sets actions:
merge with method: fast-forward which will fail if a rebase produces conflicts;
update the merge action to include a fallback by adding a field such as
always_create_merge_commit: true (or another fallback merge method) under the
same actions: merge block so that when method: fast-forward cannot complete the
bot will create a merge commit instead and allow the PR to be merged.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.mergify.yml:
- Line 8: Update the check-success pattern in .mergify.yml to remove the literal
double-quote characters so the regex can match actual GitHub check names;
specifically edit the entry named check-success~=^"Red Hat Konflux".* and change
it to a pattern without the literal quotes (e.g., check-success~=^Red Hat
Konflux.*) so the Konflux check name can be recognized by the rule.
- Around line 3-7: Replace the invalid literal-quote regex in the conditions
(the entry using check-success~=^"Red Hat Konflux".*) with an unquoted pattern
like check-success~=^Red Hat Konflux so the check name matches correctly, and
add the two additional safety conditions to the conditions list: require the
automation author (author=github-actions[bot]) and require at least one explicit
approval ("#approved-reviews-by>=1"); update the conditions block in
.mergify.yml accordingly.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: ab70188d-e94f-4ed4-81e7-3e08e17bb1fd

📥 Commits

Reviewing files that changed from the base of the PR and between d9f1c23 and e0cd903.

📒 Files selected for processing (2)
  • .github/workflows/auto-merge-lake-gate.yml
  • .mergify.yml
💤 Files with no reviewable changes (1)
  • .github/workflows/auto-merge-lake-gate.yml

@sutaakar sutaakar force-pushed the mergify branch 3 times, most recently from b402578 to 478b84e Compare March 30, 2026 16:15
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Collaborator

@ChughShilpa ChughShilpa left a comment

/lgtm

@sutaakar sutaakar merged commit a85096e into opendatahub-io:main Mar 31, 2026
9 checks passed
@sutaakar sutaakar deleted the mergify branch March 31, 2026 06:49