Skip to content

Add manual race detector CI policy#179

Merged
dzarlax merged 3 commits into
mainfrom
codex/ci-race-policy
Jun 6, 2026
Merged

Add manual race detector CI policy#179
dzarlax merged 3 commits into
mainfrom
codex/ci-race-policy

Conversation

@dzarlax

@dzarlax dzarlax commented Jun 6, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • add a manual Race Detector workflow job behind workflow_dispatch run_race=true
  • keep the default Build, Vet & Test job name stable for future branch protection
  • prevent race-only dispatches from publishing Docker images when run_race=true
  • limit manual arm64 image publishing to main
  • harden the manual race job with read-only permissions, no checkout credential persistence, and SHA-pinned actions
  • document local/CI race-detector policy and current branch protection state

Verification

  • go test ./...
  • go vet ./...
  • CGO_ENABLED=1 go test -race ./... could not run locally because gcc is not installed on this Windows PATH
  • manual GitHub Actions run 27062004434 passed, including Race Detector on Ubuntu
  • manual GitHub Actions run 27062164558 passed with build_amd64=true, build_arm64=true, run_race=true; Race Detector passed and both Docker publish jobs were skipped
  • manual GitHub Actions run 27062284291 passed with pinned race actions and both Docker publish jobs skipped
  • manual GitHub Actions run 27062284960 passed with build_arm64=true, run_race=false on the feature branch; arm64 publish was skipped off main
  • gh api repos/Dzarlax-AI/health_dashboard/branches/main/protection returned 404 Branch not protected

Closes #152

@coderabbitai

coderabbitai Bot commented Jun 6, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

This PR implements a policy decision on race-detector CI testing and documents it for developers. A new workflow_dispatch parameter enables optional, manual-only race testing with CGO_ENABLED=1, while Docker builds are gated to skip during race-only runs. The policy, implementation steps, and decision record are documented in CONTRIBUTING.md and a comprehensive HTML implementation plan.

Changes

Race Detector CI Policy

Layer / File(s) Summary
Workflow race detector implementation
.github/workflows/ci.yml
Adds run_race workflow dispatch input, creates a conditional race job running go test -race with CGO_ENABLED=1 only when manually triggered, and updates docker-amd64 and docker-arm64 job conditions to exclude race-only dispatches.
Policy and decision documentation
CONTRIBUTING.md, docs/ai-plans/2026-06-06-issue-152-ci-race-detector-branch-protection-policy.html
CONTRIBUTING.md documents the stable required CI job name, CGO_ENABLED=0 default for PRs/pushes, manual race triggering syntax, Docker publishing constraints, and local -race testing guidance. The HTML plan records the full decision-making process, current/desired behavior, assumptions, implementation steps, test plan, risks, rollback, open questions, approval status, and verification results showing a successful manual run and API confirmation that main is not branch-protected.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A race to the finish, with checks in a row,
Manual dispatch makes the detectors go,
Docker gates closed when the -race flag flies,
Docs and decisions documented wise.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The PR description adequately covers the changes and verification but does not follow the repository's required template structure. Reorganize the description to match the template: include Summary, Linked Issue, Privacy/Data Impact checklist, Evidence Boundary, Test Plan checklist, Methodology/Documentation checklist, and Deployment Notes sections.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the main change: adding a manual race detector CI policy. It is concise, specific, and clearly conveys the primary objective of the PR.
Linked Issues check ✅ Passed The PR successfully addresses Issue #152 objectives: it adds a manual race-detector CI job (gated by workflow_dispatch), keeps the job name stable for branch protection, and documents the policy and current branch protection state.
Out of Scope Changes check ✅ Passed All changes are directly related to Issue #152 objectives: workflow automation changes for race detector, documentation of CI policy, and branch protection state recording. No unrelated changes detected.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/ci-race-policy

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2fa1bc9183

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/ci.yml
description: "Build ARM64 image"
type: boolean
default: false
run_race:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Prevent race-only dispatches from publishing images

When a reviewer follows the new manual path and runs the CI workflow with run_race=true, the existing build_amd64 dispatch input still defaults to true, so the docker-amd64 job also runs on workflow_dispatch and pushes the latest GHCR image. That makes a race-detector check unexpectedly publish an image from the selected main workflow run; either gate the Docker job out when run_race is set or make the documented race run require build_amd64=false.

Useful? React with 👍 / 👎.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Line 118: The if conditional that gates the arm64 publish currently allows
manual dispatch from any branch; update the condition on the publish job to also
require the workflow is running on the main branch by adding a branch check
(e.g. include && github.ref == 'refs/heads/main' to the existing condition that
contains github.event_name, inputs.build_arm64 and !inputs.run_race). Locate the
existing if: line (the expression starting with ${{ github.event_name ==
'workflow_dispatch' && inputs.build_arm64 && !inputs.run_race }}) and extend it
to require the main branch so arm64 image pushes are only allowed from main.
- Around line 58-68: The CI race job currently uses unpinned actions and leaves
the GITHUB_TOKEN writable; update the race job to harden credentials by (1)
pinning both actions/checkout@v5 and actions/setup-go@v6 to specific commit SHAs
or full refs instead of the major tag, (2) add a minimal permissions block
(e.g., permissions: contents: read) at the race job level to avoid default broad
token scopes, and (3) set persist-credentials: false on the actions/checkout
step to prevent writing the token into git config; target the job named "race"
and the steps referencing actions/checkout and actions/setup-go when making
these changes.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 8ec32db3-3bce-4bdf-81fb-c02b77800e5a

📥 Commits

Reviewing files that changed from the base of the PR and between 5fafdee and 6d761d5.

📒 Files selected for processing (3)
  • .github/workflows/ci.yml
  • CONTRIBUTING.md
  • docs/ai-plans/2026-06-06-issue-152-ci-race-detector-branch-protection-policy.html

Comment thread .github/workflows/ci.yml
Comment thread .github/workflows/ci.yml Outdated
@dzarlax dzarlax merged commit f08303c into main Jun 6, 2026
13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Decide CI policy for race detector and branch protection

1 participant