
T8782: Add opt-in auto-update rule for stale PRs (label=auto-update)#8

Merged: andamasov merged 1 commit into production from yuriy/auto-update-on-stale-base on May 15, 2026

andamasov (Member) commented May 14, 2026

Summary

Add a pull_request_rules entry that auto-refreshes a PR with its base branch when the PR carries the auto-update label and has at least one commit behind base. Uses the update action (merges base into PR via merge commit), not rebase.

Mirrors VyOS-Networks/mergify (separate PR).

Behavior

```yaml
- name: Auto-update PR when behind base (opt-in via label)
  conditions:
    - label=auto-update
    - '#commits-behind>0'
    - '-draft'
    - '-closed'
    - '-merged'
    - '-conflict'
    - '-label=backport-conflict'
  actions:
    update: {}
```

Result: one new merge commit on the PR branch carrying the latest base. SHAs of prior commits are preserved.

Why update and not rebase

| Concern | rebase | update (this PR) |
|---|---|---|
| Fork PRs | Loses support 2026-07-01 per Mergify docs | Works indefinitely |
| Mirror pipeline (gen-1, vyos → VyOS-Networks) | Force-pushed rebase rewrites SHAs → mirror noise or broken consumer PRs | SHAs preserved |
| Force-push impact on reviewers | Re-shuffles SHAs, can orphan inline review threads | None |
| CI cache | Every SHA changes → full re-run | One new merge commit → one re-run, prior layers cached |
| History style | Linear | Merge commit accumulates in PR; squashed away if base squash-merges |

Forks matter for vyos/vyos-1x and vyos/vyos-documentation (community contributions). The mirror pipeline is the biggest tilt: gen-1 mirroring copies refs by SHA; a force-pushed rebase on the vyos side creates SHAs the VyOS-Networks mirror has never seen.

Why opt-in via label

Central config inherits to every extends: mergify consumer (~40 repos active, ~144 in scope post-T8852). A fleet-wide auto-update default is a behavior change everyone gets at once. Label-gating keeps adoption controlled:

  • Repos that want it apply auto-update to relevant PRs (per-PR or via per-repo default-label automation).
  • Repos that don't, ignore. The rule fires only when the label is present.
  • Per-contributor opt-out: remove the label.

Why the carveouts

  • -draft — drafts are pre-review; updates are noise.
  • -conflict — already-conflicted PRs need human attention (the existing Label conflicting pull requests rule labels them).
  • -label=backport-conflict — defense-in-depth against fighting the conflict workspace shipped in vyos/mergify#7.
  • -closed, -merged — terminal states.

Inheritance

Same as other pull_request_rules entries: per-repo configs can override by defining a same-named rule locally (Auto-update PR when behind base (opt-in via label)). The descriptive rule name makes accidental collisions unlikely.

Related

🤖 Generated by robots

When a PR carries the `auto-update` label and has at least one commit
behind its base branch, merge the base into the PR via the `update`
action. Skipped on drafts, conflicts, closed/merged, and
`backport-conflict` so the rule doesn't interfere with the conflict
workspace.

Why `update` and not `rebase`:

  1. Fork-safe — `rebase` loses fork support 2026-07-01 per Mergify
     docs; `update` works on fork PRs indefinitely. Important for
     vyos/vyos-1x and vyos/vyos-documentation community contributions.

  2. Mirror-pipeline-safe — gen-1 cross-org mirroring (vyos → VyOS-
     Networks) copies refs by SHA. Rebase rewrites SHAs and would
     create mirror noise or break consumer PRs. `update` preserves
     SHAs.

  3. CI-cache-friendly — one new merge commit triggers one re-run;
     rebase changes every SHA and re-runs the entire PR.

Opt-in via label so this isn't a fleet-wide behavior change. Repos
that want it apply the `auto-update` label to PRs (per-PR or via
per-repo default-label automation); repos that don't, ignore the
rule.
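
The SHA-preservation argument above can be checked locally with plain git. This is an added example, not part of the PR: local `git merge` stands in for Mergify's `update` action and `git rebase` for the rebase alternative, and the throwaway repository, the branch names `base` and `pr`, and the helper names are constructed for the illustration.

```shell
#!/usr/bin/env bash
# Added illustration (not from the PR): do a PR's original commit SHAs
# survive a base refresh? Repo, branch names and helpers are constructed.
set -eu
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# Run git inside the throwaway repo, ignoring any global signing config.
g() { git -C "$repo" -c commit.gpgsign=false "$@"; }

# One new file per commit, so neither refresh method can hit a conflict.
commit() {
  echo "$1" > "$repo/$1.txt"
  g add "$1.txt"
  g commit -q -m "$1"
}

# refresh_result <merge|rebase>
# Prints "preserved" if every pre-refresh PR commit is still an ancestor
# of the PR branch after the refresh, otherwise "rewritten".
refresh_result() {
  repo="$(mktemp -d)"
  g init -q
  g symbolic-ref HEAD refs/heads/base
  commit base-1
  g checkout -q -b pr
  commit pr-1
  commit pr-2
  g checkout -q base
  commit base-2                       # the PR is now one commit behind base
  before="$(g rev-list base..pr)"     # SHAs of the PR's own commits
  g checkout -q pr
  case "$1" in
    merge)  g merge -q --no-edit base >/dev/null 2>&1 ;;  # stand-in for `update`
    rebase) g rebase -q base >/dev/null 2>&1 ;;
  esac
  result=preserved
  for sha in $before; do
    g merge-base --is-ancestor "$sha" pr || result=rewritten
  done
  rm -rf "$repo"
  echo "$result"
}

echo "merge-based update: $(refresh_result merge)"
echo "rebase:             $(refresh_result rebase)"
```

A consumer that tracks refs by SHA, such as the mirror pipeline described in the PR, still finds every commit it has already seen in the first case and none of them in the second.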

coderabbitai Bot commented May 14, 2026

📝 Walkthrough

Adds an opt-in Mergify rule (lines 132–175) that auto-updates PRs labeled auto-update when behind the base; adds a .githooks/pre-push hook that runs coderabbit review --base origin/production and blocks pushes on findings/errors; expands README with docs and hook setup (see README.md changes).

Changes

Auto-update PR Rule

| Layer / File(s) | Summary |
|---|---|
| Auto-update rule configuration (.mergify.yml) | New pull_request_rules entry (lines 132–175) that runs actions.update when label=auto-update and #commits-behind>0, excluding drafts, closed/merged PRs, merge conflicts, and PRs labeled backport-conflict. |

Pre-push CodeRabbit review and docs

| Layer / File(s) | Summary |
|---|---|
| Pre-push hook implementation (.githooks/pre-push) | Adds pre-push script (lines 1–57) that skips deletes and pushes to production, runs coderabbit review --base origin/production, logs errors/output, and gates the push on non-zero findings or command failure. |
| Hook documentation and setup (README.md) | Replaces minimal README with documentation (lines 1–54) describing central Mergify config, the pre-push review flow, requirements (CLI on PATH, non-blocking when missing), one-time setup, bypass via git push --no-verify, and Phase 0 notes. |

Possibly Related PRs

  • vyos/mergify#1: Also modifies .mergify.yml's pull_request_rules baseline; related by central Mergify config changes.
  • vyos/mergify#7: Changes handling around the backport-conflict label which this new auto-update rule explicitly excludes.

🚥 Pre-merge checks: ✅ 5 passed

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately summarizes the main change: adding an opt-in auto-update rule via label. It directly reflects the core addition in .mergify.yml. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Description check | ✅ Passed | The PR description is directly related to the changeset, detailing the new Mergify auto-update rule, rationale for using update over rebase, and design decisions around opt-in labeling and carveouts. |


andamasov (Member, Author) commented

@copilot review

Copilot AI commented May 14, 2026

> @copilot review

Reviewed current PR state and CI workflow runs; there are no failing jobs attributable to this change, and no additional code changes are needed at this time. Current commit: 83adbe3.

andamasov marked this pull request as ready for review May 14, 2026 22:16

coderabbitai Bot left a comment

🧹 Nitpick comments (1)
.githooks/pre-push (1)

36-37: ⚡ Quick win

Add a preflight check for origin/production before running CodeRabbit.

If origin/production is missing locally (common in fresh/fork clones), the hook fails late with a less actionable CLI error.

Proposed fix
 echo "pre-push: running coderabbit review against origin/production..." >&2
+if ! git rev-parse --verify --quiet origin/production >/dev/null; then
+  echo "pre-push: base ref origin/production not found locally." >&2
+  echo "run: git fetch origin production" >&2
+  echo "to bypass: git push --no-verify" >&2
+  exit 1
+fi
 if ! output="$(coderabbit review --base origin/production --agent 2>&1)"; then
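
Review bot: In the added `if ! git rev-parse --verify --quiet origin/production` line, the short name `origin/production` goes through git's usual ref lookup, so a local tag or branch that happens to carry that name would pass the check even when the remote-tracking ref is absent. Checking `refs/remotes/origin/production` instead pins the test to the remote-tracking ref; the agent prompt that accompanies this suggestion already spells it that way.
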
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.githooks/pre-push around lines 36 - 37, The hook currently calls
"coderabbit review --base origin/production" without ensuring the remote ref
exists, causing a confusing failure in fresh/fork clones; add a preflight check
before the call to verify the presence of origin/production (e.g., run a git
command like "git rev-parse --verify --quiet refs/remotes/origin/production" or
"git ls-remote --exit-code origin production") and if the check fails print a
clear actionable message and exit non‑zero; update the logic around the existing
lines that run coderabbit review (the if ! output="$(coderabbit review --base
origin/production --agent 2>&1)"; then ...) so the check runs first and
short-circuits with a helpful error when origin/production is missing.

📥 Commits

Reviewing files that changed from the base of the PR and between 83adbe3 and 64e700f.

📒 Files selected for processing (2)
  • .githooks/pre-push
  • README.md
📜 Review details
🧰 Additional context used
🔍 Remote MCP Context7

Additional factual context for reviewing the PR (concise)

  • Mergify supports an update action for pull_request_rules that updates a PR by merging the base branch into the PR (example usage matches the PR's pattern, including filtering out drafts with -draft).
  • The update behavior can be controlled with update_method which accepts merge or rebase. If unspecified (null) it defaults to merge (unless merge_method: fast-forward is set, which defaults update_method to rebase) — so the PR’s use of update will default to merge semantics (preserving original commit SHAs) unless a repo-level queue/merge_method overrides it.
  • Rebase-based updates rewrite commit SHAs (creates new commits) and are explicitly documented as the behavior when update_method: rebase is used; this supports the PR rationale that using merge preserves SHAs, reviewer threads, fork support, and avoids force-push semantics that can break SHA-based mirroring.
  • Example from Mergify docs shows the same opt-in-by-label pattern (label + -draft) used in this PR’s rule (docs use update: under actions) — the PR’s condition syntax and negation usage (-draft, -closed, etc.) aligns with documented examples.
  • Source resolved for these docs: the official Mergify documentation (Context7 library: /websites/mergify).

Sources used

  • Context7 resolve call that returned the Mergify library entry.
  • Context7 query to Mergify docs for update action, update_method behavior, rebase vs merge implications, and example rule patterns.
🔇 Additional comments (2)
README.md (1)

1-55: LGTM!

.githooks/pre-push (1)

26-26: ⚡ Quick win

No changes needed. The current loop guard does not trigger an unbound variable error under set -u with empty stdin. Testing confirms the unguarded [[ -n "$local_ref" ]] pattern succeeds on empty input, contradicting the original concern. The code is correct as written.

> Likely an incorrect or invalid review comment.

andamasov force-pushed the yuriy/auto-update-on-stale-base branch from 64e700f to 83adbe3 on May 14, 2026 22:37
andamasov merged commit bec48f5 into production on May 15, 2026
3 checks passed