From fe1404b8030cec1dc55eafd1d23dda304bfefa68 Mon Sep 17 00:00:00 2001
From: Wolfgang Walther <walther@technowledgy.de>
Date: Tue, 5 Aug 2025 12:53:12 +0200
Subject: [PATCH] workflows/merge-group: init

Introduces a basic merge queue workflow to initially only run lints.
This will avoid accidentally merging changes which break nixfmt after
its recent update to 1.0.0.

(cherry picked from commit 04c039f993175056ec96a409f7ac6987ddbd4f71)
---
 .github/workflows/README.md       | 14 ++++++++++++++
 .github/workflows/merge-group.yml | 31 +++++++++++++++++++++++++++++++
 2 files changed, 45 insertions(+)
 create mode 100644 .github/workflows/merge-group.yml

diff --git a/.github/workflows/README.md b/.github/workflows/README.md
index c2a16827ebd4..10b0276be144 100644
--- a/.github/workflows/README.md
+++ b/.github/workflows/README.md
@@ -61,3 +61,17 @@ This results in a key with the following semantics:
 ```
 <running-workflow>-<triggering-workflow>-<triggered-event>-<pull-request/fallback>
 ```
+
+## Required Status Checks
+
+The "Required Status Checks" branch ruleset is implemented in two top-level workflows: `pr.yml` and `merge-group.yml`.
+
+The PR workflow defines all checks that need to succeed to add a Pull Request to the Merge Queue.
+If no Merge Queue is set up for a branch, the PR workflow defines the checks required to merge into the target branch.
+
+The Merge Group workflow defines all checks that are run as part of the Merge Queue.
+Only when these pass, a Pull Request is finally merged into the target branch.
+They don't apply when no Merge Queue is set up.
+
+Both workflows work with the same `no PR failures` status check.
+This name can never be changed, because it's used in the branch ruleset for these rules.
diff --git a/.github/workflows/merge-group.yml b/.github/workflows/merge-group.yml
new file mode 100644
index 000000000000..72b8deeb2dbc
--- /dev/null
+++ b/.github/workflows/merge-group.yml
@@ -0,0 +1,31 @@
+name: Merge Group
+
+on:
+  merge_group:
+
+permissions: {}
+
+jobs:
+  lint:
+    name: Lint
+    uses: ./.github/workflows/lint.yml
+    with:
+      mergedSha: ${{ github.event.merge_group.head_sha }}
+      targetSha: ${{ github.event.merge_group.base_sha }}
+
+  # This job's only purpose is to serve as a target for the "Required Status Checks" branch ruleset.
+  # It "needs" all the jobs that should block the Merge Queue.
+  # If they pass, it is skipped — which counts as "success" for purposes of the branch ruleset.
+  # However, if any of them fail, this job will also fail — thus blocking the branch ruleset.
+  no-pr-failures:
+    # Modify this list to add or remove jobs from required status checks.
+    needs:
+      - lint
+    # WARNING:
+    # Do NOT change the name of this job, otherwise the rule will not catch it anymore.
+    # This would prevent all PRs from passing the merge queue.
+    name: no PR failures
+    if: ${{ failure() }}
+    runs-on: ubuntu-24.04-arm
+    steps:
+      - run: exit 1