Implementation Plan: Issue #152 CI Race Detector and Branch Protection Policy
+Approved and implemented
+ +Task Summary
+Record a clear policy for race-detector CI and branch protection, then implement only the parts that are justified now.
+Current Behavior
+-
+
.github/workflows/ci.ymlhas one required-looking build job namedBuild, Vet & Test.
+ - The job runs
CGO_ENABLED=0 go build,go vet, andgo test.
+ - The workflow comment explicitly says
-raceis skipped because it requiresCGO=1and the current test set is mostly pure math-kernel code.
+ - The repo contains concurrency-sensitive code and tests, for example
internal/storage/recompute.goandinternal/tenants/manager.go.
+ - Branch protection state is a GitHub repository setting, not represented in the working tree. +
Desired Behavior
+-
+
- A documented policy says when
go test -raceis required, optional, or deferred.
+ - If race CI is added, it is a separate job with clear CGO expectations and does not slow the default pure test loop unnecessarily. +
- Branch protection decision is explicit: either require the existing CI check, or document why it remains manual for now. +
- This issue stays separate from product guardrail tests and no-vendor migration. +
Assumptions And Unknowns
+-
+
- Assumption: the default fast CI job should remain pure and easy to understand. +
- Assumption: race detector is most valuable for PRs touching scheduler, tenant manager, async AI generation, recompute, webhook dispatch, or notification goroutines. +
- Unknown: whether GitHub branch protection is already configured outside the repository. +
- Unknown: whether the user wants enforcement now or just a recorded revisit policy. +
Files Likely To Change
+-
+
.github/workflows/ci.yml- add an optional/manual or path-scoped race job only if approved.
+ CONTRIBUTING.md- document localgo test -race ./...guidance and CI policy.
+ README.mdordocs/ARCHITECTURE.md- only if branch protection policy belongs in operator docs.
+ - GitHub repository settings - if branch protection is approved, apply through
gh apiafter confirming exact required check names.
+
Implementation Steps
+-
+
- Inspect current branch protection via GitHub API before changing settings. +
- Choose one of three race-detector policies: defer with revisit criteria, manual workflow-only job, or PR job for all branches. +
- If implementing race CI, add a separate
Race Detectorjob usingCGO_ENABLED=1 go test -race ./....
+ - Keep the existing
Build, Vet & Testjob name stable unless branch protection is updated at the same time.
+ - Document local developer guidance and revisit criteria. +
- If branch protection is approved, update GitHub settings and verify required status checks match actual workflow job names. +
Impact
+-
+
- CI: possible extra job duration if race detector is enabled. +
- Repository process: branch protection could block direct merges/pushes when CI fails. +
- Runtime: no production code changes expected. +
- Permissions: branch protection changes require GitHub admin capability and explicit user approval. +
Test Plan
+-
+
go test ./...
+ go vet ./...
+ - If race job is added:
CGO_ENABLED=1 go test -race ./...locally or in CI.
+ - If branch protection is changed: verify via
gh api repos/Dzarlax-AI/health_dashboard/branches/main/protection.
+ - After PR: confirm workflow job names match any required status checks. +
Risks And Edge Cases
+-
+
- Race detector can be slow and may need CGO toolchain behavior that differs from the production
CGO_ENABLED=0build.
+ - Branch protection misconfiguration can block urgent fixes or require admin intervention. +
- Changing CI policy at the same time as no-vendor migration can make failures harder to attribute; coordinate with issue #170. +
Rollback Plan
+Remove the race job or switch it back to manual-only. For branch protection, restore the previous protection JSON or remove the newly required check after confirming with the user.
+Open Questions
+-
+
- Should race detector be required on every PR, manual-only, or deferred with explicit triggers? +
- Do we want branch protection on
mainnow?
+ - If issue #170 is approved, should this policy be implemented after no-vendor CI settles? +
Approval Gate
+Approved by the user on 2026-06-06. Branch protection settings were inspected but not changed, because settings mutation requires additional explicit approval.
+Implementation Result
+-
+
- Kept the default
Build, Vet & Testjob name stable.
+ - Added a manual-only
Race Detectorjob behindworkflow_dispatchinputrun_race=true.
+ - Race detector job runs
CGO_ENABLED=1 go test -race ./...and is not required on normal PR or push runs.
+ - Guarded Docker publish jobs so race-only dispatches do not push images when
run_race=true, and so arm64 image publishing is limited tomain.
+ - Hardened the manual race job with
permissions: contents: read,persist-credentials: false, and SHA-pinned checkout/setup-go actions.
+ - Documented local and CI race-detector guidance in
CONTRIBUTING.md.
+ - Recorded current branch protection state: GitHub API returned
Branch not protectedformainon 2026-06-06.
+
Verification Run
+-
+
go test ./...
+ go vet ./...
+ CGO_ENABLED=1 go test -race ./...on Windows was blocked before tests by missinggccinPATH; the manual GitHub Actions job is the Ubuntu validation path.
+ - Manual GitHub Actions run
27062004434passed withrun_race=true, including theRace Detectorjob on Ubuntu.
+ - Manual GitHub Actions run
27062164558passed withbuild_amd64=true,build_arm64=true, andrun_race=true; race detector passed and both Docker publish jobs were skipped.
+ gh api repos/Dzarlax-AI/health_dashboard/branches/main/protectionreturned404 Branch not protected.
+
Known Limitations
+-
+
- Race detector is intentionally manual-only; it will not block PRs unless branch protection and workflow policy are changed later. +
- Local race-detector runs require a working CGO C compiler. This Windows workspace did not have
gccavailable.
+ - Branch protection remains unchanged to avoid silently imposing repository-admin policy from a code PR. +