ci: halve the Quality gate (single race+json pass + golangci-lint cache) #567
Merged
…ci-lint

The "Quality + security gates" job ran the full serial DB-bound test suite TWICE: `make test-race` (go test -race -p 1 ./...) and a separate `go test -json -p 1 ./...` for specter ingest. And it rebuilt golangci-lint from source every run (~1-3 min, no cache).

- Collapse the two passes into one `go test -race -json -timeout 600s -p 1 ./...` step that both detects data races AND emits the JSON specter ingests. Coverage is unaffected: the only `//go:build !race` test file holds constants (with a `race` twin), so every test still compiles + runs under -race, and the perf budgets are non-gating (internal/perftest.Budgetf logs unless enforcement is set). No new -race flake exposure either — `make test-race` already gated on -race.
- Cache the from-source golangci-lint binary (skip the build on hit, keyed on lint version + Go toolchain) and its analysis cache.

Together ~23 min -> roughly 12-14 min.

The Makefile `test-race` / `check` targets are unchanged (local dev still has them); only the CI workflow stops invoking `make test-race` separately.

Spec release-ci-gates AC-07/AC-09 + the AC-09 test updated: the workflow race-detection gate is now the `go test -race ... -json` run, not a `make test-race` step.
remyluslosius added a commit that referenced this pull request Jun 16, 2026
Tracks the two larger CI perf wins beyond PR #567's single-pass + golangci cache: per-package DB isolation to drop `-p 1` (P2), and splitting the monolithic gate into parallel jobs (P3, needs a branch-protection required-checks change).
remyluslosius added a commit that referenced this pull request Jun 16, 2026
…563)

* docs(backlog): remove completed tasks; add soft-deleted-host retention sweep

  - Drop both "Recently Completed" sections and every Done/shipped row from the Active tables (the file now tracks only pending work; provenance lives in git history + SESSION_LOG).
  - Fix the stale tree header: active tree is the repo root (app/ promoted 2026-06-05), and the Python backend was archived OUT of the repo, not just frozen.
  - Add P3 "Retention sweep for soft-deleted hosts": today hosts.deleted_at is retained indefinitely (no purge job; a soft-deleted row from 2026-05-25 is still present). Proposes an optional, operator-configurable retention sweep (default disabled).
  - "Email alert notifications" downgraded Planned -> Partial (channel layer shipped; alert-dispatch + per-user prefs remain).

* docs(backlog): add "raise specter gate to 100%" item

  Records the work to lift the specter coverage gate from tier1:100 / tier2:80 / tier3:50 to 100% across all tiers. Gated on backfilling real AC tests for currently-sub-100% specs first; flipping the threshold alone would red-wall every PR.

* docs(backlog): add CI gate-speed follow-ups (DB isolation, job split)

  Tracks the two larger CI perf wins beyond PR #567's single-pass + golangci cache: per-package DB isolation to drop `-p 1` (P2), and splitting the monolithic gate into parallel jobs (P3, needs a branch-protection required-checks change).

* docs(backlog): add the three regression-coverage gaps

  Records the test blind spots surfaced reviewing this session's work: live-host SSH/sudo integration (CI never dials a real box), frontend E2E (zero Playwright today), and negative-path ACs for security gates (the scan kill-switch bug passed all tests because no AC required the disallowed path — the same class AC-07 now guards for the scan).
Problem

The required Quality + security gates job takes ~23 min on every PR. Two causes:

- `make test-race` (`go test -race -p 1 ./...`) and a separate `go test -json -p 1 ./...` for `specter ingest`.
- `golangci-lint` is rebuilt from source every run (~1–3 min, no cache).

Changes (#1 + #2 of the perf plan)

- `go test -race -json -timeout 600s -p 1 ./...` that both detects data races and emits the JSON specter ingests.
- `//go:build !race` test file holds constants (with a `race` twin), so every test still compiles+runs under `-race`; perf budgets are non-gating (`internal/perftest.Budgetf` logs unless an enforce env is set).
- `make test-race` already gated on `-race`, so the `-race` run was always there — this drops the redundant non-race pass, not the race detection.
- `make lint` only re-lints changed packages.

Expected: ~23 min → ~12–14 min.

Spec

- The Makefile `test-race`/`check` targets are unchanged (local dev unaffected).
- `release-ci-gates` AC-07/AC-09 + the AC-09 test updated: the workflow's race-detection gate is now the `go test -race … -json` run rather than a `make test-race` step.

Not in this PR (tracked separately)

The bigger structural wins — per-package DB isolation to drop `-p 1` (parallel test packages), and splitting the monolith into parallel CI jobs (needs a branch-protection required-checks change) — are added to the backlog.

Verification

YAML valid; `gofmt` clean; `specter check` (106 specs) clean; `TestCIGates_*` pass against the new workflow (AC-09 now asserts `go test -race` + `-json` instead of `make test-race`).
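
Added example, not code from this PR or the project: a sketch of the kind of workflow assertion the Verification section describes, where the race gate is a `go test` step carrying both `-race` and `-json` and no separate `make test-race` pass. `CheckRaceGate` and the sample workflow are hypothetical and constructed for illustration; the check also flags the failure mode where a collapsed step keeps `-json` but loses `-race`.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed workflow fragment for illustration; not the project's real file.
const sampleWorkflow = `
      - name: Race + JSON test pass
        run: go test -race -json -timeout 600s -p 1 ./... > test.json
      - name: Lint
        run: make lint
`

// CheckRaceGate (hypothetical name) lists race-gate regressions in workflow text:
// a separate make test-race pass, a -json pass without -race, or no gate at all.
func CheckRaceGate(workflow string) []string {
	var problems []string
	gated := false
	for n, line := range strings.Split(workflow, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 || strings.HasPrefix(f[0], "#") {
			continue // blank line or YAML comment
		}
		// Pad with spaces so only whole tokens match: "-race" must not match "test-race".
		norm := " " + strings.Join(f, " ") + " "
		in := func(s string) bool { return strings.Contains(norm, " "+s+" ") }
		if in("make test-race") {
			problems = append(problems, fmt.Sprintf("line %d: separate make test-race pass", n+1))
		}
		if !in("go test") {
			continue
		}
		switch race, jsonOut := in("-race"), in("-json"); {
		case race && jsonOut:
			gated = true
		case jsonOut:
			problems = append(problems, fmt.Sprintf("line %d: -json pass without -race", n+1))
		}
	}
	if !gated {
		problems = append(problems, "no go test step with both -race and -json")
	}
	return problems
}

func main() { fmt.Println(len(CheckRaceGate(sampleWorkflow)), "problem(s)") }
```
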