refactor: reorganize CI/CD workflows to eliminate functional overlap

Option A: Clear separation of concerns

- build.yml: Only responsible for cross-platform builds and releases
- test.yml: NEW - Responsible for running tests (multi-platform)
- coverage.yml: Responsible for test coverage (single-platform)
- security.yml: Responsible for security verification (multi-platform)
- codeql.yaml: Unchanged - static analysis

Changes:
- Removed test job from build.yml (was running tests 4x)
- Created new test.yml for multi-platform testing
- Standardized cache keys with prefixes (build-, test-, coverage-, security-)
- Removed 'cd keyring-cli' commands (workflows already in project root)
- Removed clippy/format from build.yml (now in test.yml)

Benefits:
- Eliminates duplicate test execution (was: build.yml 3x + coverage.yml)
- Clear separation of concerns
- Better cache utilization
- Faster CI feedback

Co-Authored-By: Claude (glm-4.7) <noreply@anthropic.com>

Author: alphaqiu

.github/workflows/build.yml

@@ -31,19 +31,19 @@ jobs:
         uses: actions/cache@v4
         with:
           path: ~/.cargo/registry
-          key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
+          key: build-${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
 
       - name: Cache cargo index
         uses: actions/cache@v4
         with:
           path: ~/.cargo/git
-          key: ${{ runner.os }}-cargo-index-${{ hashFiles('**/Cargo.lock') }}
+          key: build-${{ runner.os }}-cargo-index-${{ hashFiles('**/Cargo.lock') }}
 
       - name: Cache cargo build
         uses: actions/cache@v4
         with:
           path: target
-          key: ${{ runner.os }}-cargo-build-target-${{ hashFiles('**/Cargo.lock') }}
+          key: build-${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
 
       - name: Build for x86_64
         run: |
@@ -108,7 +108,7 @@ jobs:
             ~/.cargo/registry
             ~/.cargo/git
             target
-          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+          key: build-${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
 
       - name: Build
         run: |
@@ -163,7 +163,7 @@ jobs:
             ~/.cargo/registry
             ~/.cargo/git
             target
-          key: ${{ runner.os }}-cargo-arm64-${{ hashFiles('**/Cargo.lock') }}
+          key: build-${{ runner.os }}-cargo-arm64-${{ hashFiles('**/Cargo.lock') }}
 
       - name: Build
         run: |
@@ -217,7 +217,7 @@ jobs:
             ~/.cargo/registry
             ~/.cargo/git
             target
-          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+          key: build-${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
 
       - name: Build
         run: |
@@ -266,7 +266,7 @@ jobs:
             ~/.cargo/registry
             ~/.cargo/git
             target
-          key: ${{ runner.os }}-cargo-arm64-${{ hashFiles('**/Cargo.lock') }}
+          key: build-${{ runner.os }}-cargo-arm64-${{ hashFiles('**/Cargo.lock') }}
 
       - name: Build
         run: |
@@ -290,47 +290,3 @@ jobs:
           files: ok-windows-aarch64.zip
           generate_release_notes: true
 
-  # Run tests
-  test:
-    name: Run Tests
-    runs-on: ${{ matrix.os }}
-    strategy:
-      matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
-        rust: [stable]
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Install Rust toolchain
-        uses: dtolnay/rust-toolchain@master
-        with:
-          toolchain: ${{ matrix.rust }}
-
-      - name: Install dependencies (Linux)
-        if: runner.os == 'Linux'
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y pkg-config libssl-dev
-
-      - name: Cache cargo
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/.cargo/registry
-            ~/.cargo/git
-            target
-          key: ${{ runner.os }}-test-${{ hashFiles('**/Cargo.lock') }}
-
-      - name: Run tests
-        run: |
-          cargo test --verbose --all-features
-
-      - name: Run clippy
-        run: |
-          cargo clippy -- -D warnings
-
-      - name: Check formatting
-        run: |
-          cargo fmt -- --check

.github/workflows/coverage.yml

@@ -25,23 +25,21 @@ jobs:
             ~/.cargo/registry
             ~/.cargo/git
             target
-          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+          key: coverage-${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
 
       - name: Run tests with coverage
         run: |
           cargo install cargo-tarpaulin
-          cd keyring-cli
           cargo tarpaulin --out Html --output-dir coverage --timeout 300 --verbose
 
       - name: Upload coverage report
         uses: actions/upload-artifact@v4
         with:
           name: coverage-report
-          path: keyring-cli/coverage/
+          path: coverage/
 
       - name: Check coverage threshold
         run: |
-          cd keyring-cli
           COVERAGE=$(cargo tarpaulin --out Json 2>/dev/null | jq '.coverage // 0' || echo "0")
           echo "Coverage: $COVERAGE%"
           if (( $(echo "$COVERAGE < 80" | bc -l) )); then
@@ -53,7 +51,6 @@ jobs:
 
       - name: Add coverage summary
         run: |
-          cd keyring-cli
           COVERAGE=$(cargo tarpaulin --out Json 2>/dev/null | jq '.coverage // 0' || echo "0")
           echo "## Test Coverage" >> $GITHUB_STEP_SUMMARY
           echo "Current coverage: **$COVERAGE%**" >> $GITHUB_STEP_SUMMARY

.github/workflows/security.yml

@@ -38,18 +38,17 @@ jobs:
             ~/.cargo/registry
             ~/.cargo/git
             target
-          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+          key: security-${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
 
       - name: Build release without test-env
         run: |
-          cd keyring-cli
           cargo build --release --no-default-features
 
       - name: Verify test-env NOT in release binary (Linux/macOS)
         if: runner.os != 'Windows'
         run: |
           echo "Checking for test environment variables in release binary..."
-          if grep -r "OK_MASTER_PASSWORD\|OK_CONFIG_DIR\|OK_DATA_DIR" keyring-cli/target/release/keyring-cli 2>/dev/null; then
+          if grep -r "OK_MASTER_PASSWORD\|OK_CONFIG_DIR\|OK_DATA_DIR" target/release/keyring-cli 2>/dev/null; then
             echo "❌ ERROR: Test environment variables leaked to release!"
             exit 1
           fi
@@ -60,7 +59,7 @@ jobs:
         shell: pwsh
         run: |
           Write-Host "Checking for test environment variables in release binary..."
-          $binaryPath = "keyring-cli\target\release\keyring-cli.exe"
+          $binaryPath = "target\release\keyring-cli.exe"
           if (Test-Path $binaryPath) {
             $content = Get-Content $binaryPath -Raw -Encoding ASCII
             if ($content -match "OK_MASTER_PASSWORD|OK_CONFIG_DIR|OK_DATA_DIR") {
@@ -72,19 +71,16 @@ jobs:
 
       - name: Verify test-env feature works
         run: |
-          cd keyring-cli
           cargo build --features test-env
           echo "✅ Build with test-env feature successful"
 
       - name: Run security audit
         run: |
           cargo install cargo-audit
-          cd keyring-cli
           cargo audit || echo "⚠️  Security audit found potential issues"
 
       - name: Check MSRV in Cargo.toml
         run: |
-          cd keyring-cli
           if grep -q "rust-version" Cargo.toml; then
             echo "✅ MSRV declared in Cargo.toml"
             grep "rust-version" Cargo.toml

.github/workflows/test.yml

@@ -0,0 +1,67 @@
+name: Test
+
+on:
+  push:
+    branches: [ master, develop ]
+  pull_request:
+    branches: [ master, develop ]
+  workflow_dispatch:
+
+env:
+  CARGO_TERM_COLOR: always
+  RUST_BACKTRACE: 1
+
+jobs:
+  test:
+    name: Test on ${{ matrix.os }}
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+        rust: [stable]
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          toolchain: ${{ matrix.rust }}
+
+      - name: Install dependencies (Linux)
+        if: runner.os == 'Linux'
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y pkg-config libssl-dev
+
+      - name: Cache cargo
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            target
+          key: test-${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+
+      - name: Run tests
+        run: |
+          cargo test --verbose --all-features
+
+      - name: Run clippy
+        run: |
+          cargo clippy --all-features -- -D warnings
+
+      - name: Check formatting
+        run: |
+          cargo fmt --all -- --check
+
+      - name: Test summary
+        run: |
+          echo "## Test Results" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "✅ Platform: ${{ runner.os }}" >> $GITHUB_STEP_SUMMARY
+          echo "✅ Rust: ${{ matrix.rust }}" >> $GITHUB_STEP_SUMMARY
+          echo "✅ Tests passed" >> $GITHUB_STEP_SUMMARY
+          echo "✅ Clippy checks passed" >> $GITHUB_STEP_SUMMARY
+          echo "✅ Format checks passed" >> $GITHUB_STEP_SUMMARY