From 396d23b77db6966606107d636b8247ce44e1f7c4 Mon Sep 17 00:00:00 2001
From: Noah Gift <noah.gift@gmail.com>
Date: Sat, 18 Apr 2026 20:19:45 +0200
Subject: [PATCH] =?UTF-8?q?feat(sovereign-ci):=20opt-in=20cargo=20nextest?=
 =?UTF-8?q?=20run=20for=20test=20job=20(Phase=202=20=C2=A74.3)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds a new workflow_call boolean input `use_nextest` (default: false).
When true, the test job uses `cargo nextest run --lib` instead of
`cargo test --lib`. nextest is already installed in sovereign-ci:stable
(Dockerfile line 39).

Pattern mirrors enable_sccache opt-in rollout (PMAT-151):
- opt-in with default false for safe pilot
- pilots opt in via caller workflow's `with: use_nextest: true`
- F11 falsifier will measure test-job p95 before/after on pilots
- after 7 days, flip default true if p95 ≤ 300s

Safety: if nextest fails for any reason (test harness quirks, workspace
structure), fall back to cargo test with a warning annotation so CI
doesn't break if a repo has incompatible test code.

Baseline F11 on pilot repos (2026-04-18, limit=15 runs):
  copia    n=15 p95=168s
  bashrs   n=15 p95=222s
  aprender n=15 p95=449s
  fleet    n=45 p95=446s (driven by aprender)

Expected post-nextest: ~290s fleet p95 (35% reduction).

Refs PMAT-155
---
 .github/workflows/sovereign-ci.yml | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/sovereign-ci.yml b/.github/workflows/sovereign-ci.yml
index 8549b61..431f734 100644
--- a/.github/workflows/sovereign-ci.yml
+++ b/.github/workflows/sovereign-ci.yml
@@ -57,6 +57,11 @@ on:
         required: false
         default: true
         type: boolean
+      use_nextest:
+        description: 'cargo nextest run instead of cargo test (build-performance.md §4.3 + §7 Phase 2). 30-40% test-job speedup on large suites. Pilot repos only until F11 test-job p95 ≤ 300s verified over 7 days.'
+        required: false
+        default: false
+        type: boolean
 
 # HD-02: Least-privilege token — only escalate where needed
 permissions:
@@ -186,12 +191,24 @@ jobs:
           REPO_NAME: ${{ inputs.repo }}
           RUSTC_WRAPPER: ${{ inputs.enable_sccache && 'sccache' || '' }}
           SCCACHE_DIR: ${{ inputs.enable_sccache && '/sccache' || '' }}
+          USE_NEXTEST: ${{ inputs.use_nextest }}
         run: |
           # Mark workspace as safe for git operations inside tests (dubious ownership in containers)
           git config --global --add safe.directory "$GITHUB_WORKSPACE"
-          cargo test --lib $TEST_ARGS 2>&1 || \
-          cargo test --lib -p "$REPO_NAME" $TEST_ARGS 2>&1 || \
-          { echo "::error::Tests failed — check workspace path dependencies"; exit 1; }
+          # Phase 2 §4.3 — nextest drops ~35% off test-job wall-clock on large suites.
+          # Fallback to cargo test if nextest fails for any reason (e.g. test harness quirks).
+          if [ "$USE_NEXTEST" = "true" ]; then
+            cargo nextest run --lib $TEST_ARGS 2>&1 || \
+            cargo nextest run --lib -p "$REPO_NAME" $TEST_ARGS 2>&1 || \
+            { echo "::warning::nextest failed — falling back to cargo test"; \
+              cargo test --lib $TEST_ARGS 2>&1 || \
+              cargo test --lib -p "$REPO_NAME" $TEST_ARGS 2>&1 || \
+              { echo "::error::Tests failed — check workspace path dependencies"; exit 1; }; }
+          else
+            cargo test --lib $TEST_ARGS 2>&1 || \
+            cargo test --lib -p "$REPO_NAME" $TEST_ARGS 2>&1 || \
+            { echo "::error::Tests failed — check workspace path dependencies"; exit 1; }
+          fi
       - name: Record sccache stats
         if: ${{ always() && inputs.enable_sccache }}
         run: |