T8531: add Mergify config with commands restrictions#23

Merged: dmbaturin merged 1 commit into current from T8531-restrict-mergify-commands on Apr 29, 2026

@andamasov
Member

Summary

Add .github/mergify.yml with conflict-label rule and commands_restrictions block, restricting the 10 Mergify slash commands (backport, copy, dequeue, queue, rebase, refresh, requeue, squash, unqueue, update) to members of the @vyos/maintainers team, plus the vyosbot automation account.

Test plan

  • Non-maintainer comments @Mergifyio backport sagitta on a PR → Mergify refuses
  • Maintainer comments the same → backport PR created
  • Conflict-labeling rule fires on conflicting PRs

References

🤖 Generated by robots

@coderabbitai

coderabbitai Bot commented Apr 26, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: e0511046-975f-4253-8180-e44c6ca2ae71

📥 Commits

Reviewing files that changed from the base of the PR and between d751342 and 6897a5c.

📒 Files selected for processing (1)
  • .github/mergify.yml
📜 Recent review details
🧰 Additional context used
🔍 Remote MCP Context7

Additional Context for PR Review

Mergify Configuration Features

Based on the Mergify documentation, here are the key features relevant to this PR:

Command Restrictions:
The PR correctly implements command restrictions using Mergify's built-in mechanism. According to the documentation, "With command restrictions, you can leverage conditions to define the valid context that are authorized to run a specific command. This could be a list of allowed users or teams, or even attributes related to the pull request itself." The syntax `sender = @team` is the standard approach for restricting commands to specific GitHub teams.

Conflict Labeling Rule:
The conflict-labeling implementation aligns with documented best practices. The documentation states: "When browsing the list of pull request, GitHub does not give any indication on which pull requests might be in conflict. Mergify allows to do this easily by adding a label." The toggle action is the standard method for automatically managing conflict labels. An example from the documentation shows:

pull_request_rules:
  - name: warn on conflicts
    conditions:
      - conflict
    actions:
      label:
        toggle:
          - conflict

YAML Reusability Pattern:
The PR's approach of defining a reusable &allowed condition anchor using YAML anchors is a documented best practice. The Mergify documentation demonstrates this exact pattern with both anchors (&) and aliases (*), stating: "YAML anchors and aliases are supported in the configuration file. These allow you to reuse configuration sections." This approach reduces duplication across multiple command restrictions.

Commands Subject to Restrictions:
All nine commands specified in the PR (backport, copy, dequeue, queue, rebase, refresh, requeue, squash, unqueue, update) are standard Mergify slash commands that support the commands_restrictions configuration.

🔇 Additional comments (2)
.github/mergify.yml (2)

1-11: Conflict-label rule is correctly scoped and actionable.

The conditions and toggle action are set up properly to manage the conflicts label for open PRs with merge conflicts.


12-26: Command restrictions are cleanly centralized and correctly reused.

Using &allowed and *allowed keeps all listed commands behind the same sender guard without duplication, matching the PR objective.


📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Updated pull request automation to automatically label pull requests with merge conflicts for better visibility.
    • Enhanced security controls by restricting certain pull request operations to authorized maintainers.

Walkthrough

Updates .github/mergify.yml to automatically label pull requests with merge conflicts and restricts Mergify command execution (copy, dequeue, queue, rebase, refresh, requeue, squash, unqueue, update) to authorized users and the VyOS maintainers group via a centralized sender-based condition.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Mergify Configuration: .github/mergify.yml | Added automatic conflict labeling rule and centralized &allowed condition to restrict Mergify command execution to authorized maintainers and bot accounts. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Conflicts now wear their warning signs,
While gatekeepers guard the merge lines,
Only maintainers' paws may command,
A warren's workflow, orderly and planned! 🔐

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title directly references the main change: adding Mergify configuration with command restrictions, which matches the core purpose of the PR. |
| Description check | ✅ Passed | The description clearly relates to the changeset, detailing the Mergify configuration being added, the commands being restricted, who can use them, and providing a test plan. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


Comment @coderabbitai help to get the list of available commands and usage tips.
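
A check a reviewer could run against a config of the kind this PR describes, as an added example that is not the PR's own code: it parses a Mergify config, resolves the YAML anchor and aliases, and reports any of the ten slash commands that has no `commands_restrictions` entry or whose conditions never test the sender. The actual `.github/mergify.yml` is not shown on this page, so the sample below is constructed from the PR summary with two deliberate gaps; its `or:` grouping and the exact `sender=` spellings are assumptions.

```ruby
require "yaml"

# The ten slash commands named in the PR summary.
COMMANDS = %w[backport copy dequeue queue rebase refresh requeue squash unqueue update].freeze

# Constructed sample (not the repository's file), with two deliberate gaps.
SAMPLE = <<~YAML
  commands_restrictions:
    backport:
      conditions: &allowed
        - or:
            - sender=@vyos/maintainers
            - sender=vyosbot
    copy: { conditions: *allowed }
    dequeue: { conditions: *allowed }
    queue: { conditions: *allowed }
    rebase: { conditions: *allowed }
    refresh: { conditions: *allowed }
    requeue: { conditions: *allowed }
    squash: { conditions: [base=current] }  # gap: sender not checked
    unqueue: { conditions: *allowed }
    # gap: no entry for update
YAML

# Flatten nested and/or/not condition trees into their leaf strings.
def leaves(node)
  case node
  when String then [node]
  when Array then node.flat_map { |n| leaves(n) }
  when Hash then node.values.flat_map { |n| leaves(n) }
  else []
  end
end

# Return {command => problem} for each command that is not sender-gated.
def audit(yaml_text)
  restrictions = (YAML.safe_load(yaml_text, aliases: true) || {})["commands_restrictions"] || {}
  COMMANDS.each_with_object({}) do |cmd, findings|
    entry = restrictions[cmd]
    conds = entry.is_a?(Hash) ? leaves(entry["conditions"]) : []
    if conds.empty?
      findings[cmd] = "no restriction"
    elsif conds.none? { |c| c.start_with?("sender") }
      findings[cmd] = "conditions do not constrain the sender"
    end
  end
end

puts audit(SAMPLE)
```

The check is structural: it confirms that a sender condition exists for each command, not that the team or account it names is the intended one.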

@github-actions

👍
No issues in PR Title / Commit Title

@andamasov andamasov requested a review from dmbaturin April 26, 2026 16:19
@andamasov andamasov marked this pull request as ready for review April 26, 2026 16:24

@asklymenko asklymenko left a comment

Configure Mergify restrictions, looks good.

@dmbaturin dmbaturin merged commit 1a254cb into current Apr 29, 2026
6 of 7 checks passed
@vyosbot added the mirror-initiated (This PR initiated for mirror sync workflow) and mirror-completed (This PR has been mirrored successfully) labels and removed the mirror-initiated label on Apr 29, 2026
Labels

current mirror-completed This PR has been mirrored successfully

4 participants