Re-add merge queue, but only run sanity checks #7672

Merged: adamsachs merged 4 commits into main from asachs/workflow-updates on Mar 17, 2026

@adamsachs adamsachs commented Mar 16, 2026

Summary

Configures the merge queue to only run lightweight sanity checks instead of the full test suite, drastically reducing queue drain time and flakiness.

  • Removes merge_group trigger from most non-backend workflows (static checks, CLI, Cypress, Chromatic)
  • Keeps merge_group trigger on Frontend Code Checks (typecheck, lint, format, unit tests — ~5-6 min)
  • Skips heavy backend test jobs (Safe-Tests, Misc-Tests, Pytest-Redis-Cluster, Collect-Tests) on merge_group events
  • Removes merge_group from the Pytest-Ctl-External unsafe test condition

The full test suite still runs on pull_request and push to main/release — this only affects what runs inside the merge queue after a PR is already approved and enqueued.


What's changing

On main today, every workflow triggers on merge_group and runs its full suite — the same jobs that run on pull_request. This means every test runs twice: once on the PR, and again in the merge queue. That's the source of the slowness and flakiness.

This PR changes the merge queue to only run a sanity-check subset:

| Workflow | On main (before) | This PR (after) |
| --- | --- | --- |
| Backend Code Checks | Full suite: container startup, migrations, Safe-Tests (8 matrix jobs), Misc-Tests (4 matrix jobs), Redis Cluster, Collect-Tests, Ctl-External | Sanity checks only: container startup + migration checks |
| Frontend Code Checks | Full suite: typecheck, lint, format, unit tests | No change — still runs full suite (~5-6 min) |
| Backend Static Checks | Full suite: ruff, mypy, check_install, pytest(nox) | Skipped (removed merge_group trigger) |
| CLI Checks | Full suite: fides install smoke test | Skipped (removed merge_group trigger) |
| Admin UI Cypress | Full suite: 5 parallel E2E groups | Skipped (removed merge_group trigger) |
| Privacy Center Cypress | Full suite: E2E tests | Skipped (removed merge_group trigger) |
| FidesJS Cypress | Full suite: banner/modal E2E tests | Skipped (removed merge_group trigger) |
| Chromatic | Full suite: visual regression | Skipped (removed merge_group trigger) |

Additionally, Pytest-Ctl-External previously ran on merge_group events (alongside push and the run unsafe ci checks label). This PR removes the merge_group condition so it only runs on push to main or with the label.


CI suite breakdown: what runs when

1. On pull request (must pass to enter merge queue)

| Workflow | Jobs | Notes |
| --- | --- | --- |
| Backend Code Checks | Check-Container-Startup (webserver + Celery worker), Migration-Checks (check_migrations, check_migration_downgrade), Misc-Tests (check_fides_annotations, fides_db_scan, docs_check, minimal_config_startup), Safe-Tests (ctl-not-external, ops-unit-api, ops-unit-non-api, ops-integration, api, lib, misc-unit, misc-integration), Pytest-Redis-Cluster, Collect-Tests | Required: Backend-Checks-Summary |
| Backend Static Code Checks | ruff(check), mypy, check_install, pytest(nox) | Required: Static-Checks-Summary |
| Frontend Code Checks | Typecheck, lint, format, unit tests | Required: Frontend-Checks-Summary |
| CLI Command Checks | fides --version install smoke test | Required: CLI-Checks-Summary |
| Admin UI Cypress | E2E tests (5 parallel groups) | Required: Admin-UI-Cypress-Summary |
| Privacy Center Cypress | E2E tests | Required: Privacy-Center-Cypress-Summary |
| FidesJS Cypress | Banner/modal E2E tests | Required: FidesJS-Cypress-Summary |
| Chromatic | Visual regression (Storybook) | Only if clients/fidesui/** changed |
| Check Changelog Entry | Validates changelog YAML exists and is well-formed | PR-only (not on push or merge queue) |
| Check PR Size | Warns on large PRs | PR-only |
| Unsafe tests (opt-in) | Pytest-Ctl-External, External-Datastores, External-SaaS-Connectors | Only with run unsafe ci checks label |

All workflows are gated by path filters — they skip entirely if no relevant files changed.

2. On merge queue (must pass to merge into main)

Backend Code Checks and Frontend Code Checks trigger on merge_group. All other workflows are skipped.

| Workflow | Jobs | Duration |
| --- | --- | --- |
| Backend Code Checks | Check-Backend-Changes (path filter), Build (Docker image), Check-Container-Startup (webserver + Celery worker), Migration-Checks (check_migrations + check_migration_downgrade), Backend-Checks-Summary | ~10 min |
| Frontend Code Checks | Check-Frontend-Changes (path filter), Clients-Unit (typecheck, lint, format, unit tests), Frontend-Checks-Summary | ~5-6 min |

Skipped on merge queue: Collect-Tests, Safe-Tests, Misc-Tests, Pytest-Redis-Cluster, all unsafe tests, static checks, CLI checks, Cypress tests, Chromatic.

This is the key change — the queue runs in ~10 min instead of 30+, draining faster with less flakiness, while still catching the main risks: migration head conflicts (that can't be detected as merge conflicts) and frontend type/test regressions.

3. On push to main / release branches (post-merge)

Everything from the PR suite runs again, plus the unsafe external tests run unconditionally (no label needed):

| Additional jobs on push | What they test |
| --- | --- |
| Pytest-Ctl-External | External CTL tests (AWS, Okta, Snowflake, Redshift, etc.) |
| External-Datastores | BigQuery, DynamoDB, GCP SQL, RDS, Redshift, Snowflake, S3, MongoDB Atlas |
| External-SaaS-Connectors | SaaS connector integration tests |

These run with max-parallel: 1 to avoid collisions on shared external resources.


To complete rollout

When re-enabling the merge queue in repo settings, the required status checks should be:

  • Backend-Checks-Summary
  • Frontend-Checks-Summary

The other workflow summary checks should not be listed as merge queue requirements since those workflows no longer trigger on merge_group.

Test plan

  • Verify all CI checks still pass on this PR (full suite on pull_request)
  • Re-enable merge queue in repo settings with Backend-Checks-Summary and Frontend-Checks-Summary as required
  • Enqueue a test PR and verify only backend sanity checks + frontend checks run
  • Verify a PR with a migration conflict is caught by the queue

🤖 Generated with Claude Code


Re-add merge_group trigger to frontend_checks.yml so that typecheck,
lint, format, and unit tests run in the merge queue (~5-6 min).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@adamsachs changed the title from "Slim down merge queue to only run sanity checks" to "Re-add merge queue, but only run sanity checks" on Mar 17, 2026

@lucanovera lucanovera left a comment

For frontend we're good with just keeping the frontend_checks.yml that includes lint, typecheck and unit tests. Approved.

@adamsachs adamsachs marked this pull request as ready for review March 17, 2026 14:03

greptile-apps bot commented Mar 17, 2026

Greptile Summary

This PR reconfigures the GitHub Actions merge queue to run only lightweight sanity checks (container startup + migration verification + frontend unit/type checks) instead of the full test suite, reducing queue drain time from 30+ minutes to ~10 minutes and reducing flakiness from redundant test runs.

Key changes:

  • backend_checks.yml: Adds github.event_name != 'merge_group' guards on Collect-Tests, Misc-Tests, Safe-Tests, Pytest-Redis-Cluster, and removes merge_group from Pytest-Ctl-External. The Backend-Checks-Summary job correctly treats skipped jobs as passing (checks only for failure/cancelled), so the required status check will still be reported correctly in the merge queue.
  • Six other workflow files (static_checks.yml, chromatic.yml, cli_checks.yml, cypress_admin-ui.yml, cypress_fides-js.yml, cypress_privacy-center.yml): Remove the merge_group trigger entirely so these workflows do not fire during merge queue events.
  • The PR explicitly notes a required manual follow-up: repo branch protection settings must be updated so only Backend-Checks-Summary and Frontend-Checks-Summary are listed as merge queue required status checks — removing the summary checks for static, CLI, and Cypress workflows that no longer report during queue events.

Confidence Score: 5/5

  • Safe to merge — changes are purely CI configuration with no application code affected.
  • All changes are surgical and internally consistent. The Backend-Checks-Summary logic correctly handles newly-skipped jobs (only fails on failure/cancelled, not skipped), so the required status check continues to work properly in the merge queue. The six workflow files that drop merge_group do so cleanly without side effects. The only remaining action is a repo-settings update (documented in the PR description) to align the required merge-queue status checks with what now actually runs.
  • No files require special attention — all changes are straightforward trigger/condition adjustments.

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/backend_checks.yml | Adds github.event_name != 'merge_group' skip conditions to Collect-Tests, Misc-Tests, Safe-Tests, Pytest-Redis-Cluster, and removes merge_group from Pytest-Ctl-External. The Backend-Checks-Summary job correctly handles skipped jobs by only failing on "failure" or "cancelled" results. Container startup and migration checks continue to run on merge_group events as intended. |
| .github/workflows/static_checks.yml | Removes merge_group trigger — the workflow will no longer run on merge queue events. The corresponding Static-Checks-Summary status check will need to be removed from merge queue requirements in repo settings as part of the rollout noted in the PR description. |
| .github/workflows/chromatic.yml | Removes merge_group trigger so Chromatic visual regression tests no longer run in the merge queue, consistent with the PR strategy of limiting queue checks to lightweight sanity checks. |
| .github/workflows/cli_checks.yml | Removes merge_group trigger — CLI smoke tests will no longer run in the merge queue. |
| .github/workflows/cypress_admin-ui.yml | Removes merge_group trigger — Admin UI Cypress E2E tests (5 parallel groups) will no longer run in the merge queue. |
| .github/workflows/cypress_fides-js.yml | Removes merge_group trigger — FidesJS banner/modal Cypress E2E tests will no longer run in the merge queue. |
| .github/workflows/cypress_privacy-center.yml | Removes merge_group trigger — Privacy Center Cypress E2E tests will no longer run in the merge queue. |

Last reviewed commit: 5e7f9e4
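
The guard-plus-summary pattern described in the review above, as an added sketch that is not taken from the fides repository's workflow files. Job names come from the PR description; the trigger list, runner and every step body are placeholders assumed for illustration.

```yaml
# Added illustration, not the project's backend_checks.yml.
# Job names are from the PR description; step bodies are placeholders.
name: Backend Code Checks (sketch)

on:
  pull_request:
  push:
    branches: [main]
  merge_group:            # workflow still fires inside the merge queue

jobs:
  Check-Container-Startup:
    # No guard: this sanity job must gate the queue.
    runs-on: ubuntu-latest
    steps:
      - run: echo "placeholder - start webserver and worker containers"

  Migration-Checks:
    # No guard: catches migration head conflicts that git cannot see.
    runs-on: ubuntu-latest
    steps:
      - run: echo "placeholder - check_migrations, check_migration_downgrade"

  Safe-Tests:
    # Heavy job that already passed on pull_request; skipped in the queue.
    if: github.event_name != 'merge_group'
    runs-on: ubuntu-latest
    steps:
      - run: echo "placeholder - full pytest matrix"

  Backend-Checks-Summary:
    # always() makes the required check report even when a dependency
    # failed or was skipped; without it this job would be skipped too.
    if: always()
    needs: [Check-Container-Startup, Migration-Checks, Safe-Tests]
    runs-on: ubuntu-latest
    steps:
      - name: Fail only on failure or cancellation
        if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')
        run: exit 1
      - name: Report success (skipped dependencies count as passing)
        run: echo "all required jobs succeeded or were skipped"
```

Because this summary cannot tell a skipped job from a passing one, the jobs that are meant to gate the queue should carry no `if:` guard, and any new guard on them deserves review as a change to what the required check actually enforces.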

adamsachs and others added 2 commits March 17, 2026 11:50
Keep merge_group triggers on all workflows so their summary jobs still
report a status (required by branch protection), but skip the actual
work on merge_group events since those checks already passed on the PR.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@adamsachs adamsachs merged commit aa8f032 into main Mar 17, 2026
63 of 64 checks passed
@adamsachs adamsachs deleted the asachs/workflow-updates branch March 17, 2026 16:30