Streamline GitHub action runs

Expected impact:
- Website-only PR: 22 min → 2 min (website job only)
- Svelte-only PR: 22 min → 3 min (svelte + e2e)
- Rust-only PR: 22 min → 8 min (rust checks, no slow deps)
- Full-stack PR: 22 min → 8 min (all fast jobs in parallel)

Author: vdavid

.github/workflows/ci.yml

@@ -9,12 +9,53 @@ on:
             - main
 
 jobs:
+    # ===========================================
+    # Determine which jobs to run based on changed files
+    # ===========================================
+    changes:
+        name: Detect changes
+        runs-on: ubuntu-latest
+        outputs:
+            rust: ${{ steps.filter.outputs.rust }}
+            svelte: ${{ steps.filter.outputs.svelte }}
+            desktop: ${{ steps.filter.outputs.desktop }}
+            website: ${{ steps.filter.outputs.website }}
+            license-server: ${{ steps.filter.outputs.license-server }}
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@v4
+
+            - name: Detect file changes
+              uses: dorny/paths-filter@v3
+              id: filter
+              with:
+                  filters: |
+                      rust:
+                        - 'apps/desktop/src-tauri/**'
+                      svelte:
+                        - 'apps/desktop/src/**'
+                        - 'apps/desktop/static/**'
+                        - 'apps/desktop/package.json'
+                        - 'apps/desktop/pnpm-lock.yaml'
+                        - 'apps/desktop/svelte.config.js'
+                        - 'apps/desktop/vite.config.ts'
+                        - 'apps/desktop/tsconfig.json'
+                        - 'apps/desktop/tailwind.config.ts'
+                      desktop:
+                        - 'apps/desktop/**'
+                      website:
+                        - 'apps/website/**'
+                      license-server:
+                        - 'apps/license-server/**'
+
     # ===========================================
     # Desktop app - Rust backend
     # ===========================================
     desktop-rust:
         name: Desktop (Rust)
         runs-on: ubuntu-latest
+        needs: changes
+        if: needs.changes.outputs.rust == 'true' || github.event_name == 'push'
 
         steps:
             - name: Checkout code
@@ -49,18 +90,6 @@ jobs:
             - name: Run clippy
               run: ./scripts/check/check --check clippy --ci
 
-            - name: Run cargo-audit
-              run: ./scripts/check/check --check cargo-audit --ci
-
-            - name: Run cargo-deny
-              run: ./scripts/check/check --check cargo-deny --ci
-
-            - name: Install nightly toolchain (for cargo-udeps)
-              run: rustup toolchain install nightly
-
-            - name: Run cargo-udeps
-              run: ./scripts/check/check --check cargo-udeps --ci
-
             - name: Run Rust tests
               run: ./scripts/check/check --check rust-tests --ci
 
@@ -70,6 +99,8 @@ jobs:
     desktop-svelte:
         name: Desktop (Svelte)
         runs-on: ubuntu-latest
+        needs: changes
+        if: needs.changes.outputs.svelte == 'true' || github.event_name == 'push'
 
         steps:
             - name: Checkout code
@@ -116,6 +147,8 @@ jobs:
     desktop-e2e:
         name: Desktop (E2E)
         runs-on: ubuntu-latest
+        needs: changes
+        if: needs.changes.outputs.desktop == 'true' || github.event_name == 'push'
         timeout-minutes: 30
 
         steps:
@@ -157,6 +190,8 @@ jobs:
     website:
         name: Website
         runs-on: ubuntu-latest
+        needs: changes
+        if: needs.changes.outputs.website == 'true' || github.event_name == 'push'
 
         steps:
             - name: Checkout code
@@ -224,6 +259,8 @@ jobs:
     license-server:
         name: License server
         runs-on: ubuntu-latest
+        needs: changes
+        if: needs.changes.outputs.license-server == 'true' || github.event_name == 'push'
 
         steps:
             - name: Checkout code

.github/workflows/slow-checks.yml

@@ -0,0 +1,53 @@
+name: Slow checks
+
+# Daily security and dependency checks
+# Runs at 4 AM CET (3 AM UTC) to catch newly disclosed vulnerabilities
+# GitHub automatically emails repo admins on failure
+on:
+    schedule:
+        - cron: '0 3 * * *' # 4 AM CET = 3 AM UTC
+    workflow_dispatch: # Allow manual trigger
+
+jobs:
+    dependency-checks:
+        name: Dependency checks
+        runs-on: ubuntu-latest
+
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@v4
+
+            - name: Install mise
+              uses: jdx/mise-action@v2
+
+            - name: Install tools with mise
+              run: mise install
+
+            - name: Cache Cargo
+              uses: actions/cache@v4
+              with:
+                  path: ~/.cargo/registry/cache
+                  key: ${{ runner.os }}-cargo-${{ hashFiles('apps/desktop/src-tauri/Cargo.lock') }}
+                  restore-keys: |
+                      ${{ runner.os }}-cargo-
+
+            - name: Install Tauri dependencies (Linux)
+              run: |
+                  sudo apt-get update
+                  sudo apt-get install -y libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev patchelf
+
+            - name: Build check tool
+              run: go build -o check .
+              working-directory: ./scripts/check
+
+            - name: Run cargo-audit
+              run: ./scripts/check/check --check cargo-audit --ci
+
+            - name: Run cargo-deny
+              run: ./scripts/check/check --check cargo-deny --ci
+
+            - name: Install nightly toolchain (for cargo-udeps)
+              run: rustup toolchain install nightly
+
+            - name: Run cargo-udeps
+              run: ./scripts/check/check --check cargo-udeps --ci