ci: run Test Workspace only on main, not on pull requests (#212)

The full workspace + failpoints suite was the slowest PR gate (~15min
warm, up to the 75min cold ceiling) and dominated PR turnaround. Gate the
`test` job with `if: github.event_name != 'pull_request'` so it runs only
on push to `main` (post-merge), on `v*` tags, and on manual
`workflow_dispatch`. `RustFS S3 Integration` needs `test`, so it becomes
push-/dispatch-only by the same cascade.

Drop `Test Workspace` from the required-check list in
branch-protection.json: a required context that never reports on PRs (the
job no longer runs there) would leave every PR permanently pending — the
job-never-reports trap the policy already documents.

Trade-off accepted deliberately (chosen by the maintainer): a regression
the suite would catch now lands on `main` and reddens the post-merge run
instead of being blocked pre-merge, so `main` can briefly break. Mitigations
documented in ci.md: run `cargo test --workspace --locked` locally before
merging non-trivial changes (or trigger the workflow on your branch via
workflow_dispatch), and regenerate openapi.json locally for server/API
changes (the auto-regen step lived in the now-PR-skipped test job).

The fast PR gates remain: Classify Changes, Check AGENTS.md Links, the
AWS-feature build/test, and the two CODEOWNERS checks.

NOTE: an admin must run ./scripts/apply-branch-protection.sh after this
merges, or GitHub keeps requiring the now-unreported Test Workspace context.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Andrew Altshuler 2026-06-13 19:23:41 +03:00 committed by GitHub
parent 7bfe9c6d69
commit 81b66f9427
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 24 additions and 2 deletions


@ -128,6 +128,23 @@ jobs:
test:
name: Test Workspace
needs: classify_changes
# PR latency: the full workspace + failpoints build/test is the slowest
# gate (~15min warm, up to the 75min ceiling cold) and dominated PR
# turnaround. It now runs only on push to `main` (post-merge), on tags,
# and on manual `workflow_dispatch` — NOT on pull_request. Trade-off
# accepted deliberately: a regression is caught on the `main` run after
# merge rather than before it, so `main` can briefly go red. Mitigations:
# (1) `Test Workspace` is removed from required PR checks in
# `.github/branch-protection.json` (a required check that never
# reports would leave every PR permanently pending);
# (2) run the full suite locally before merging risky changes
# (`cargo test --workspace --locked`), or trigger this workflow via
# the Actions "Run workflow" button (workflow_dispatch) on your branch;
# (3) openapi.json is no longer auto-regenerated on PRs (that step lived
# here) — regenerate it locally for server/API changes
# (`OMNIGRAPH_UPDATE_OPENAPI=1 cargo test -p omnigraph-server --test openapi`)
# or the strict drift check fails the post-merge `main` run.
if: github.event_name != 'pull_request'
runs-on: ubuntu-latest
# 75, not 45: a cold rust-cache (every Cargo.lock change) costs a full
# workspace + failpoints-feature build on a 2-core runner, which now
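Review bot: the guard on the `test` job, `if: github.event_name != 'pull_request'`, is a deny-list of a single event, so the job still runs on every other event the workflow's `on:` block has or later gains (for example `pull_request_target` or `merge_group`). The comment above it states the intent as push to `main`, tags and `workflow_dispatch` only, so an allow-list would match that intent and fail closed: `if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'`. The comment block also narrates the change itself ("It now runs only", "is removed from"), which belongs in the commit message; the in-file comment could be trimmed to the current rule and the three mitigations.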
@ -274,6 +291,9 @@ jobs:
rustfs_integration:
name: RustFS S3 Integration
# `needs: test` means this is push-/dispatch-only too: on pull_request the
# `test` job is skipped, so this dependent is skipped with it. S3
# integration runs post-merge on `main`, alongside the workspace suite.
needs:
- classify_changes
- test
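Review bot: on `rustfs_integration` the pull-request skip is only implicit, through `needs: test` being skipped; nothing on this job itself enforces it. If an `if:` using `always()` or `!cancelled()` is later added here, or `test` is dropped from `needs:`, the S3 integration job would start running on pull requests again without anyone touching the gate on `test`. Putting the same explicit `if:` condition on this job keeps the rule local and visible. It is also worth confirming that `RustFS S3 Integration` is not listed as a required context in branch-protection.json, since by this comment it never reports on PRs either.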