ci: skip irrelevant jobs on Dependabot bumps; un-block EOL Laravel 11#185

Open: Vusys wants to merge 2 commits into master from ci/skip-irrelevant-jobs-on-dependabot-bumps


Vusys (Owner) commented Jun 5, 2026

Why

The three open github-actions Dependabot PRs (#172, #173, #174) are all red, for two reasons — neither caused by the bump itself:

  1. The 12 Tests failures are the Laravel 11.0 matrix cells, dying at composer update (not in a test). Laravel 11.x is EOL and now carries five security advisories; the workflow's ignore-list only covered one (PKSA-mdq4-51ck-6kdq), so Composer's resolver blocked install. This reddens every PR and master right now, not just Dependabot.
  2. Bencher fails because Dependabot PRs run against the Dependabot secret store, not the repo's Actions secrets — BENCHER_API_KEY is empty and the comparison step exits 2. Guaranteed red on every Dependabot PR regardless of what it bumps.

A github-actions bump (an action SHA) changes zero PHP, so running the full 36-cell matrix + Bencher + PR mutation testing is wasteful as well as misleading.

What

  • tests.yml
    • PHP matrix now skips dependabot/github_actions/* branches. Composer bumps (the composer-dev-tools group) still run the full matrix.
    • Added a small SHA-pinned actionlint job (runs on every PR) so action bumps get a meaningful green check rather than just skipping everything.
    • Extended the EOL Laravel 11 advisory ignore-list with the four new IDs so the 11.x cells install again.
  • bencher.yml — skip Bencher on all Dependabot PRs; the master-push baseline still runs with real secrets.
  • infection.yml — PR diff-mutation job skips github-actions bumps.

Performance needs no change — it's gated on the run-perf label and never fired on these PRs.

Notes

  • The repo ruleset only blocks deletion/force-push — no required status checks — so skipped jobs won't leave checks stuck "waiting" or block merge.
  • Verified: all three workflows parse; composer config policy.advisories.ignore-id A B C produces the expected JSON array.
  • After merge, the open Dependabot PRs need a rebase/re-run to pick up the new logic.

Summary by CodeRabbit

  • Chores
    • Prevent CI jobs from running for Dependabot dependency bump PRs to avoid unnecessary work.
    • Added automated linting for workflow files to catch config issues early.
    • Adjusted test/run behaviour to better handle advisory exclusions for end-of-life deps.
  • Tests
    • Tuned mutation-testing and test job conditions and execution settings for more efficient CI runs.

github-actions Dependabot PRs (action SHA bumps) change zero PHP, yet
ran the full 36-cell PHP matrix, Bencher, and PR mutation testing — all
irrelevant and the matrix/Bencher were failing for reasons unrelated to
the bump:

- The Laravel 11.0 cells die at `composer update`: 11.x is EOL and now
  carries five security advisories, but the ignore-list only covered
  one, so the resolver blocked install. This reddened every PR and
  master, not just Dependabot. Extend the ignore-list with the four new
  IDs.
- Bencher PRs run against the Dependabot secret store, so
  BENCHER_API_KEY is empty and the comparison step always exits 2.

Changes:
- tests.yml: PHP matrix skips `dependabot/github_actions/*`; add a small
  actionlint job so action bumps still get a meaningful check; extend
  the EOL Laravel 11 advisory ignore-list.
- bencher.yml: skip Bencher on all Dependabot PRs (master baseline still
  runs with real secrets).
- infection.yml: PR diff-mutation skips github-actions bumps.
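
The gating described above, condensed into one workflow file as an added illustration (this is not the repository's own workflow code). The workflow name, the `FULL_COMMIT_SHA` and `PLACEHOLDER-ADVISORY-ID-2` values, the `./scripts/bench.sh` step, and the extra PR-author check on the `tests` job are assumptions made for the example; the `composer config policy.advisories.ignore-id` command and the one advisory ID are taken from the description.

```yaml
# Added illustration: three jobs condensed into one file; not the repository's workflows.
name: ci-gating-sketch            # hypothetical name
on:
  pull_request:
  push:
    branches: [master]

permissions:
  contents: read                  # least privilege for jobs that only read the tree

jobs:
  tests:
    # Skip only when Dependabot authored the PR AND the branch is an action bump.
    # The author check is an assumption added here: a branch name alone is chosen
    # by whoever opens the PR, so it should not be the only thing that skips tests.
    if: >-
      github.event.pull_request.user.login != 'dependabot[bot]'
      || !startsWith(github.head_ref, 'dependabot/github_actions/')
    runs-on: ubuntu-latest
    strategy:
      matrix:
        laravel: ['11.0', '12.0', '13.0']
    steps:
      - uses: actions/checkout@FULL_COMMIT_SHA          # placeholder: pin to a full SHA
      - name: Ignore known advisories on the EOL 11.x cells only
        if: matrix.laravel == '11.0'
        # Scoped to one matrix value so supported versions still fail on advisories.
        run: |
          composer config policy.advisories.ignore-id \
            PKSA-mdq4-51ck-6kdq \
            PLACEHOLDER-ADVISORY-ID-2

  actionlint:
    # Always runs on PRs, so an action bump still gets a real check.
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@FULL_COMMIT_SHA          # placeholder
      - uses: raven-actions/actionlint@FULL_COMMIT_SHA  # placeholder

  bencher:
    # Dependabot PR runs read the Dependabot secret store, so this key is empty there.
    if: github.event.pull_request.user.login != 'dependabot[bot]'
    runs-on: ubuntu-latest
    env:
      BENCHER_API_KEY: ${{ secrets.BENCHER_API_KEY }}
    steps:
      - uses: actions/checkout@FULL_COMMIT_SHA          # placeholder
      - run: ./scripts/bench.sh                         # hypothetical benchmark entry point
```

On `push` events `github.event.pull_request` is empty and `github.head_ref` is an empty string, so both `if:` conditions evaluate to true and the master baseline still runs.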

coderabbitai Bot commented Jun 5, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 684fe049-ed70-49ac-ac90-9333399baa49

📥 Commits

Reviewing files that changed from the base of the PR and between 47a2463 and f9be503.

📒 Files selected for processing (1)
  • .github/workflows/infection.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/infection.yml

Walkthrough

Three GitHub Actions workflows are updated to avoid running unnecessary jobs on Dependabot PRs; Laravel 11 advisory ignores are expanded, an actionlint job is added, and the Infection --threads argument is quoted.

Changes

Workflow CI Optimizations and Linting

| Layer / File(s) | Summary |
| --- | --- |
| Dependabot conditional gates: .github/workflows/bencher.yml, .github/workflows/infection.yml, .github/workflows/tests.yml | Bencher, Infection (pr job), and test workflows now include job-level if: conditions to skip execution for Dependabot pull requests or Dependabot GitHub Actions update PRs. |
| Laravel 11 EOL advisory configuration: .github/workflows/tests.yml | Replaces the single advisory ignore with a multiline composer config policy.advisories.ignore-id command listing multiple PKSA advisory IDs when matrix.laravel == '11.0'. |
| Workflow linting via actionlint: .github/workflows/tests.yml | Adds a new actionlint job using a pinned raven-actions/actionlint version to lint workflow files on every PR. |
| Infection threads quoting change: .github/workflows/infection.yml | Changes the --threads flag in the Infection full job to --threads="$(nproc)" (quoted shell substitution). |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Pre-merge checks: 5 passed

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarises the two main objectives: skipping CI jobs for Dependabot bumps and unblocking Laravel 11 with extended advisory IDs. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |



github-actions Bot commented Jun 5, 2026

🐰 Bencher Report

Branch: ci/skip-irrelevant-jobs-on-dependabot-bumps
Testbed: ubuntu-latest

⚠️ WARNING: Truncated view!

The full continuous benchmarking report exceeds the maximum length allowed on this platform.

⚠️ WARNING: No Threshold found!

Without a Threshold, no Alerts will ever be generated.


@coderabbitai coderabbitai Bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/tests.yml (1)

30-32: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Align the test matrix with the documented 24-cell CI contract.

php: ['8.3', '8.4', '8.5'] expands this workflow to 36 matrix cells, but the workflow guideline defines a 24-cell matrix (PHP 8.3/8.4 × Laravel 11/12/13 × sqlite/mysql/mariadb/pgsql).

Suggested change
-        php: ['8.3', '8.4', '8.5']
+        php: ['8.3', '8.4']
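
Review bot: removing '8.5' on the php: line drops a third of the tested combinations to satisfy a guideline sentence, while the PR description itself refers to "the full 36-cell matrix", so the 36-cell layout appears intentional. If it is, the better change is to update the guideline text that says 24 cells rather than narrow test coverage in a PR whose scope is Dependabot gating and the advisory ignore-list.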

As per coding guidelines: "Tests run a 24-cell matrix (PHP 8.3/8.4 × Laravel 11/12/13 × sqlite/mysql/mariadb/pgsql)."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/tests.yml around lines 30 - 32, The CI matrix currently
lists php: ['8.3', '8.4', '8.5'] which expands to 36 cells; update the workflow
matrix (the php, laravel and db entries in the tests.yml job) to match the
documented 24-cell contract by removing PHP 8.5 so php becomes ['8.3','8.4']
while keeping laravel: ['11.0','12.0','13.0'] and db: [sqlite, mysql, mariadb,
pgsql]; ensure no other matrix permutations are added so the total stays 24
cells.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 46bbcc9f-9cd5-437e-8b23-6adb19fad852

📥 Commits

Reviewing files that changed from the base of the PR and between d0b308f and 47a2463.

📒 Files selected for processing (3)
  • .github/workflows/bencher.yml
  • .github/workflows/infection.yml
  • .github/workflows/tests.yml


codecov-commenter commented Jun 5, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.82%. Comparing base (d0b308f) to head (f9be503).

Additional details and impacted files
@@            Coverage Diff            @@
##             master     #185   +/-   ##
=========================================
  Coverage     93.82%   93.82%           
  Complexity     3779     3779           
=========================================
  Files           134      134           
  Lines         11847    11847           
=========================================
  Hits          11116    11116           
  Misses          731      731           

| Flag | Coverage Δ |
| --- | --- |
| mariadb | 92.81% <ø> (ø) |
| mysql | 92.41% <ø> (ø) |
| pgsql | 92.16% <ø> (ø) |
| sqlite | 92.52% <ø> (ø) |

Flags with carried forward coverage won't be shown.
