perf: reduce CI integration test wall time by ~50%

[Copilot]

Integration tests take 37 min critical path / 106 min aggregate across 4 jobs. Root causes: 10s default docker compose down grace period per test (×237 tests), unbalanced job sizes, and unnecessary job dependencies.

docker compose down -t 1 (P0, ~30 min aggregate saved)

Containers' main processes have already exited by the time stopContainers() runs. The default 10s SIGTERM grace period is pure waste.

// before
await execa('docker', ['compose', 'down', '-v'], { cwd: workDir, ... });
// after
await execa('docker', ['compose', 'down', '-v', '-t', '1'], { cwd: workDir, ... });

Split Domain & Network job (P1, ~17 min off critical path)

test-domain-network (77 tests, 37 min) → two parallel jobs:

• Domain Tests: blocked-domains, dns-servers, empty-domains, wildcard-patterns
• Network Tests: ipv6, localhost-access, network-security

Remove chroot job dependency (P4, ~4 min saved)

test-chroot-package-managers had needs: test-chroot-languages but installs its own runtimes via setup actions. Removed the unnecessary serial dependency.

Add skip-pull tests to CI (P5)

skip-pull.test.ts was not matched by any job's --testPathPatterns and is now included in the Container & Ops Tests job.

Note: Three other previously unmatched test files (ghes-auto-populate, gh-host-injection, workdir-tmpfs-hiding) have pre-existing failures and were not added — they need to be fixed separately before being included in CI.

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	86.11%	86.35%	📈 +0.24%
Statements	86.03%	86.27%	📈 +0.24%
Functions	86.13%	86.41%	📈 +0.28%
Branches	79.31%	79.59%	📈 +0.28%

📁 Per-file Coverage Changes (1 files)

File	Lines (Before → After)	Statements (Before → After)
src/docker-manager.ts	87.7% → 88.5% (+0.88%)	87.0% → 87.9% (+0.90%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	passed	✅ PASS
Node.js	execa	✅	passed	✅ PASS
Node.js	p-limit	✅	passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #1399 · ◷

[Mossaka]

@copilot please fix the test failures from https://github.com/github/gh-aw-firewall/actions/runs/23444805387/job/68214288261?pr=1399 and https://github.com/github/gh-aw-firewall/actions/runs/23444805387/job/68214288292?pr=1399

[Copilot]

@copilot please fix the test failures from https://github.com/github/gh-aw-firewall/actions/runs/23444805387/job/68214288261?pr=1399 and https://github.com/github/gh-aw-firewall/action...

Removed ghes-auto-populate, gh-host-injection, and workdir-tmpfs-hiding from the CI test patterns in 1aa7f15. These 3 test files have pre-existing failures (they were never running in CI before this PR) — e.g. ghes-auto-populate can't find workDir for Squid log assertions, workdir-tmpfs-hiding expects tmpfs overlay behavior not configured in CI, and gh-host-injection has an --env-all propagation issue. The skip-pull tests pass and remain in the Container & Ops job.

[Copilot]

Pull request overview

This PR speeds up the repository’s GitHub Actions integration test suite by reducing per-test Docker Compose teardown time, improving parallelism by splitting a long-running job, and removing an unnecessary job dependency.

Changes:

• Reduce docker compose down grace period to 1s during test cleanup to avoid repeated 10s waits.
• Split the previous Domain & Network integration job into two parallel jobs (Domain Tests / Network Tests).
• Include skip-pull integration tests in CI and remove an unnecessary needs dependency in chroot workflows.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

File	Description
src/docker-manager.ts	Speeds up container teardown by adding docker compose down -t 1.
src/docker-manager.test.ts	Updates the unit test expectation to match the new compose down args.
.github/workflows/test-integration-suite.yml	Splits domain/network tests into two jobs and adds skip-pull to patterns.
.github/workflows/test-chroot.yml	Removes a serial dependency so package manager tests can run in parallel.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

🔮 The oracle records this smoke rite.
PR titles (merged):

• Propagate $GITHUB_PATH into chroot PATH for setup-* action support
• feat: increase default agent memory limit to 6GB and enable swap
  GitHub MCP: ✅ | safeinputs-gh CLI: ❌ | Playwright: ✅ | Tavily: ❌
  File write: ✅ | Bash cat verify: ✅ | Discussion interaction: ❌ | Build (npm ci && npm run build): ✅
  Overall status: FAIL

🔮 The oracle has spoken through Smoke Codex

Warning

⚠️ Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

• ab.chatgpt.com
• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "ab.chatgpt.com"
    - "registry.npmjs.org"

See Network Configuration for more information.