Add manual race detector CI policy#179
Conversation
📝 WalkthroughWalkthroughThis PR implements a policy decision on race-detector CI testing and documents it for developers. A new ChangesRace Detector CI Policy
Estimated code review effort🎯 2 (Simple) | ⏱️ ~12 minutes Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 2fa1bc9183
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| description: "Build ARM64 image" | ||
| type: boolean | ||
| default: false | ||
| run_race: |
There was a problem hiding this comment.
Prevent race-only dispatches from publishing images
When a reviewer follows the new manual path and runs the CI workflow with run_race=true, the existing build_amd64 dispatch input still defaults to true, so the docker-amd64 job also runs on workflow_dispatch and pushes the latest GHCR image. That makes a race-detector check unexpectedly publish an image from the selected main workflow run; either gate the Docker job out when run_race is set or make the documented race run require build_amd64=false.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/ci.yml:
- Line 118: The if conditional that gates the arm64 publish currently allows
manual dispatch from any branch; update the condition on the publish job to also
require the workflow is running on the main branch by adding a branch check
(e.g. include && github.ref == 'refs/heads/main' to the existing condition that
contains github.event_name, inputs.build_arm64 and !inputs.run_race). Locate the
existing if: line (the expression starting with ${{ github.event_name ==
'workflow_dispatch' && inputs.build_arm64 && !inputs.run_race }}) and extend it
to require the main branch so arm64 image pushes are only allowed from main.
- Around line 58-68: The CI race job currently uses unpinned actions and leaves
the GITHUB_TOKEN writable; update the race job to harden credentials by (1)
pinning both actions/checkout@v5 and actions/setup-go@v6 to specific commit SHAs
or full refs instead of the major tag, (2) add a minimal permissions block
(e.g., permissions: contents: read) at the race job level to avoid default broad
token scopes, and (3) set persist-credentials: false on the actions/checkout
step to prevent writing the token into git config; target the job named "race"
and the steps referencing actions/checkout and actions/setup-go when making
these changes.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 8ec32db3-3bce-4bdf-81fb-c02b77800e5a
📒 Files selected for processing (3)
.github/workflows/ci.ymlCONTRIBUTING.mddocs/ai-plans/2026-06-06-issue-152-ci-race-detector-branch-protection-policy.html
Summary
Verification
Closes #152