From 413f7821766164b64f653a76bf107999bd6f9c7f Mon Sep 17 00:00:00 2001
From: Sergei Zimmerman <sergei@zimmerman.foo>
Date: Mon, 28 Jul 2025 23:07:59 +0300
Subject: [PATCH] ci: Run sanitizer tests in a separate job

This should speed up the CI somewhat by parallelizing
the work across the matrix of configurations.
---
 .github/workflows/ci.yml                      | 21 ++++++++++++++--
 {scripts => ci/gha/tests}/build-checks        |  0
 .../prepare-installer-for-github-actions      |  0
 flake.nix                                     | 24 ++++---------------
 4 files changed, 24 insertions(+), 21 deletions(-)
 rename {scripts => ci/gha/tests}/build-checks (100%)
 rename {scripts => ci/gha/tests}/prepare-installer-for-github-actions (100%)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f1faeb505..c7e2782d8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -29,9 +29,18 @@ jobs:
           - scenario: on ubuntu
             runs-on: ubuntu-24.04
             os: linux
+            sanitizers: false
+            primary: true
           - scenario: on macos
             runs-on: macos-14
             os: darwin
+            sanitizers: false
+            primary: true
+          - scenario: on ubuntu (with sanitizers)
+            runs-on: ubuntu-24.04
+            os: linux
+            sanitizers: true
+            primary: false
     name: tests ${{ matrix.scenario }}
     runs-on: ${{ matrix.runs-on }}
     timeout-minutes: 60
@@ -52,13 +61,21 @@ jobs:
     # https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
     - run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
       if: matrix.os == 'linux'
-    - run: scripts/build-checks
-    - run: scripts/prepare-installer-for-github-actions
+    - name: Run component tests
+      run: |
+        nix build --file ci/gha/tests componentTests -L \
+          --arg withSanitizers ${{ matrix.sanitizers }}
+    - name: Run flake checks and prepare the installer tarball
+      run: |
+        ci/gha/tests/build-checks
+        ci/gha/tests/prepare-installer-for-github-actions
+      if: ${{ matrix.primary }}
     - name: Upload installer tarball
       uses: actions/upload-artifact@v4
       with:
         name: installer-${{matrix.os}}
         path: out/*
+      if: ${{ matrix.primary }}
 
   installer_test:
     needs: [tests]
diff --git a/scripts/build-checks b/ci/gha/tests/build-checks
similarity index 100%
rename from scripts/build-checks
rename to ci/gha/tests/build-checks
diff --git a/scripts/prepare-installer-for-github-actions b/ci/gha/tests/prepare-installer-for-github-actions
similarity index 100%
rename from scripts/prepare-installer-for-github-actions
rename to ci/gha/tests/prepare-installer-for-github-actions
diff --git a/flake.nix b/flake.nix
index 03d77e055..6a6f2cfd8 100644
--- a/flake.nix
+++ b/flake.nix
@@ -337,25 +337,11 @@
         # Add "passthru" tests
         //
           flatMapAttrs
-            (
-              {
-                "" = {
-                  pkgs = nixpkgsFor.${system}.native;
-                };
-              }
-              // lib.optionalAttrs (!nixpkgsFor.${system}.native.stdenv.hostPlatform.isDarwin) {
-                # TODO: enable static builds for darwin, blocked on:
-                #       https://github.com/NixOS/nixpkgs/issues/320448
-                # TODO: disabled to speed up GHA CI.
-                # "static-" = {
-                #   pkgs = nixpkgsFor.${system}.native.pkgsStatic;
-                # };
-                "sanitized-" = {
-                  pkgs = nixpkgsFor.${system}.native;
-                  withSanitizers = true;
-                };
-              }
-            )
+            {
+              "" = {
+                pkgs = nixpkgsFor.${system}.native;
+              };
+            }
             (
               nixpkgsPrefix: args:
               (import ./ci/gha/tests (