[ci] split verify into 3 parallel jobs + aggregator (~7m -> ~2:45m)

.github/workflows/ci.yml

@@ -9,18 +9,54 @@ permissions:
   contents: read
 
 jobs:
-  verify:
-    # Each step name mirrors a Makefile target so a failing gate is
-    # identifiable at a glance in the GitHub UI without scrolling
-    # through one undifferentiated bash step. Sequential + fail-fast
-    # matches `make ci`'s local-run semantics.
-    #
-    # We previously ran a 2-arm matrix (go.mod + stable) for early
-    # warning of Go-toolchain regressions; dropped because the second
-    # arm added two visible check rows per PR for ~no actionable
-    # signal at the cadence we ship. If we ever need that signal
-    # back, add it as a separate scheduled job, not a matrix.
-    name: verify
+  # `verify` is split into three parallel jobs (verify-test, verify-lint,
+  # verify-static) that feed an aggregator named `verify`. Wall time drops
+  # from ~7m to ~2:45m without touching branch protection — the aggregator
+  # inherits failure from any sub-job via `needs:` short-circuit, so the
+  # existing required-check `verify` stays accurate. `make ci` is still
+  # sequential locally; only CI parallelizes.
+  #
+  # Partition rationale: keep the longest single step (`coverage-check`,
+  # ~125s) on its own job so it bounds wall time. Pair `vet` + `lint`
+  # because they share golangci-lint setup. Everything else lands in
+  # verify-static — a grab-bag bounded by `build` (~55s) + `fuzz` (~40s).
+  # When adding a new gate: default to verify-static. Promote it to its
+  # own job only when it pushes verify-static past the verify-lint pole.
+  #
+  # We previously ran a 2-arm matrix (go.mod + stable) for early warning
+  # of Go-toolchain regressions; dropped because the second arm added
+  # two visible check rows per PR for ~no actionable signal at the
+  # cadence we ship. If we ever need that signal back, add it as a
+  # separate scheduled job, not a matrix.
+
+  verify-test:
+    name: verify-test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c  # v6.4.0
+        with:
+          go-version-file: go.mod
+          cache: true
+      - name: test (race) + coverage-check
+        run: make coverage-check
+
+  verify-lint:
+    name: verify-lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c  # v6.4.0
+        with:
+          go-version-file: go.mod
+          cache: true
+      - name: vet
+        run: make vet
+      - name: lint
+        run: make lint
+
+  verify-static:
+    name: verify-static
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
@@ -32,14 +68,10 @@ jobs:
         run: make license-check
       - name: generate-check
         run: make generate-check
-      - name: vet
-        run: make vet
       - name: build-tags
         run: make build-tags
       - name: tidy-check
         run: make tidy-check
-      - name: lint
-        run: make lint
       - name: nccl_fr RCE gate
         run: make nccl-fr-rce-gate
       - name: register-lint
@@ -52,8 +84,6 @@ jobs:
           echo "$HOME/.local/bin" >> "$GITHUB_PATH"
       - name: zizmor
         run: make zizmor
-      - name: test (race) + coverage-check
-        run: make coverage-check
       - name: 30s fuzz (nccl_fr parser)
         run: make ci-fuzz-nccl-fr
       - name: govulncheck
@@ -63,6 +93,14 @@ jobs:
       - name: build
         run: make build
 
+  verify:
+    name: verify
+    runs-on: ubuntu-latest
+    needs: [verify-test, verify-lint, verify-static]
+    steps:
+      - name: aggregator
+        run: echo "all verify-* gates passed"
+
   build:
     # Cross-compiles release-candidate binaries for the platforms we ship.
     # One job, two arches: one Go-toolchain setup instead of two.