feat(ci): bifurcate CI into hosted and self-hosted jobs

.github/workflows/ci.yml

@@ -101,7 +101,7 @@ jobs:
         run: bash scripts/ci/setup-whisper-cache.sh
 
   # Security scanning for vulnerabilities and license compliance
-  security_audit:
+  security:
     name: Security Audit
     runs-on: ubuntu-latest
     steps:
@@ -123,108 +123,36 @@ jobs:
       - name: Run cargo deny
         run: cargo deny check
 
-  # Build, check, and test with multiple Rust versions
-  unit_tests_hosted:
-    name: Unit Tests & Golden Master (Hosted)
+  lint:
+    name: Lint (fmt + clippy)
     runs-on: ubuntu-latest
-    needs: [setup-whisper-dependencies]
-    strategy:
-      matrix:
-        rust-version: [stable] # Use stable only
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0
-
-      - name: Install system dependencies
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y xdotool wget unzip gcc g++ make xvfb openbox dbus-x11 wl-clipboard xclip ydotool x11-utils wmctrl pkg-config pulseaudio libasound2-dev libgtk-3-dev libatspi2.0-dev libxtst-dev python3-pip python3-venv
-
       - name: Set up Rust toolchain
         uses: actions-rust-lang/setup-rust-toolchain@v1
         with:
-          toolchain: ${{ matrix.rust-version }}
+          toolchain: stable
           components: rustfmt, clippy
-          override: true
-
-      # Only run formatting and linting on stable
-      - name: Check formatting (advisory)
-        if: matrix.rust-version == 'stable'
-        run: |
-          set +e
-          cargo fmt --all -- --check
-          status=$?
-          if [ "$status" -ne 0 ]; then
-            echo "::warning::cargo fmt detected formatting differences. Please run 'cargo fmt --all' locally before committing."
-          fi
-          exit 0
-
+      - name: Check formatting
+        run: cargo fmt --all -- --check
       - name: Run clippy
-        if: matrix.rust-version == 'stable'
         run: cargo clippy --all-targets --locked
 
-      - name: Type check
-        run: cargo check --workspace --all-targets --locked
-
-      - name: Build
-        run: cargo build --workspace --locked
-
-      # Only build docs and run tests on stable
+  docs:
+    name: Documentation
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0
+      - name: Set up Rust toolchain
+        uses: actions-rust-lang/setup-rust-toolchain@v1
+        with:
+          toolchain: stable
       - name: Build documentation
-        if: matrix.rust-version == 'stable'
         run: cargo doc --workspace --no-deps --locked
 
-      - name: Run unit and integration tests (skip E2E)
-        if: matrix.rust-version == 'stable'
-        env:
-          WHISPER_MODEL_PATH: ${{ needs.setup-whisper-dependencies.outputs.model_path }}
-          WHISPER_MODEL_SIZE: ${{ needs.setup-whisper-dependencies.outputs.model_size }}
-        run: |
-          echo "=== Environment Validation ==="
-          echo "WHISPER_MODEL_PATH: $WHISPER_MODEL_PATH"
-          echo "WHISPER_MODEL_SIZE: $WHISPER_MODEL_SIZE"
-          echo "Model directory contents:"
-          ls -la "$WHISPER_MODEL_PATH" || echo "Model directory not accessible"
-          echo "=== Running Tests ==="
-          cargo test --workspace --locked --
-
-      - name: Run Golden Master pipeline test
-        if: matrix.rust-version == 'stable'
-        env:
-          WHISPER_MODEL_PATH: ${{ needs.setup-whisper-dependencies.outputs.model_path }}
-          WHISPER_MODEL_SIZE: ${{ needs.setup-whisper-dependencies.outputs.model_size }}
-        run: |
-          echo "=== Running Golden Master Test ==="
-          # Install Python dependencies for Golden Master
-          pip install faster-whisper
-          export PYTHONPATH=$(python3 -c "import site; print(site.getsitepackages()[0])")
-          cargo test -p coldvox-app --test golden_master -- --nocapture
-
-      # Moonshine E2E skipped on GitHub-hosted: PyTorch+CUDA deps (4GB+) exceed disk space
-      # These tests run on self-hosted via moonshine_check job instead
-      - name: Skip Moonshine E2E Tests (runs on self-hosted)
-        if: matrix.rust-version == 'stable'
-        run: |
-          echo "::notice::Moonshine E2E tests skipped on GitHub-hosted (disk space). See moonshine_check job."
-
-      # GUI groundwork check integrated here
-      - name: Detect and test Qt 6 GUI
-        if: matrix.rust-version == 'stable'
-        run: |
-          # Qt6 might not be easily available on ubuntu-latest without extra actions, skipping for now or adding if needed
-          echo "Skipping Qt6 check on hosted runner"
-
-      - name: Upload test artifacts on failure
-        if: failure()
-        uses: actions/upload-artifact@v6
-        with:
-          name: test-artifacts-build-${{ matrix.rust-version }}
-          path: |
-            target/debug/deps/
-            target/debug/build/
-          retention-days: 7
-
-  text_injection_tests:
-    name: Hardware Integration Tests (Self-Hosted)
+  # Main build and test job on self-hosted runner
+  build_and_test:
+    name: Build & Test (Self-Hosted)
     runs-on: [self-hosted, Linux, X64, fedora, nobara]
     needs: [setup-whisper-dependencies]
     timeout-minutes: 30
@@ -239,6 +167,8 @@ jobs:
       # Build optimizations
       CARGO_INCREMENTAL: "1"
       RUSTFLAGS: "-C link-arg=-fuse-ld=mold"
+      WHISPER_MODEL_PATH: ${{ needs.setup-whisper-dependencies.outputs.model_path }}
+      WHISPER_MODEL_SIZE: ${{ needs.setup-whisper-dependencies.outputs.model_size }}
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.0
       - uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1
@@ -338,6 +268,11 @@ jobs:
           command -v alsa-info >/dev/null && echo "  - ALSA: available" || echo "  - ALSA: not found"
           echo "=== Validation Complete ==="
 
+      - name: Run Workspace Unit Tests
+        run: |
+          echo "=== Running Workspace Unit Tests ==="
+          cargo test --workspace --locked
+
       - name: Test with real-injection-tests feature
         run: |
           dbus-run-session -- bash -lc '
@@ -383,7 +318,7 @@ jobs:
         if: failure()
         uses: actions/upload-artifact@v6
         with:
-          name: test-artifacts-text-injection
+          name: test-artifacts-build-and-test
           path: |
             target/debug/deps/
             target/debug/build/
@@ -441,9 +376,10 @@ jobs:
     needs:
       - validate-workflows
       - setup-whisper-dependencies
-      - security_audit
-      - unit_tests_hosted
-      - text_injection_tests
+      - lint
+      - security
+      - docs
+      - build_and_test
       - moonshine_check
     if: always()
     steps:
@@ -453,15 +389,19 @@ jobs:
           echo "## CI Report" > report.md
           echo "- validate-workflows:            ${{ needs.validate-workflows.result }}" >> report.md
           echo "- setup-whisper-dependencies:    ${{ needs.setup-whisper-dependencies.result }}" >> report.md
-          echo "- security_audit:                ${{ needs.security_audit.result }}" >> report.md
-          echo "- unit_tests_hosted:             ${{ needs.unit_tests_hosted.result }}" >> report.md
-          echo "- text_injection_tests:          ${{ needs.text_injection_tests.result }}" >> report.md
+          echo "- lint:                          ${{ needs.lint.result }}" >> report.md
+          echo "- security:                      ${{ needs.security.result }}" >> report.md
+          echo "- docs:                          ${{ needs.docs.result }}" >> report.md
+          echo "- build_and_test:                ${{ needs.build_and_test.result }}" >> report.md
           echo "- moonshine_check:               ${{ needs.moonshine_check.result }} (optional)" >> report.md
+
           if [[ "${{ needs.setup-whisper-dependencies.result }}" != "success" ]]; then echo "::error::Setup Whisper dependencies failed."; exit 1; fi
-          if [[ "${{ needs.security_audit.result }}" != "success" ]]; then echo "::warning::Security audit failed - check for vulnerabilities."; fi
-          if [[ "${{ needs.unit_tests_hosted.result }}" != "success" ]]; then echo "::error::Build and check failed."; exit 1; fi
-          if [[ "${{ needs.text_injection_tests.result }}" != "success" ]]; then echo "::error::Text injection tests failed."; exit 1; fi
+          if [[ "${{ needs.lint.result }}" != "success" ]]; then echo "::error::Lint checks failed."; exit 1; fi
+          if [[ "${{ needs.security.result }}" != "success" ]]; then echo "::warning::Security audit failed - check for vulnerabilities."; fi
+          if [[ "${{ needs.docs.result }}" != "success" ]]; then echo "::warning::Documentation build failed."; fi
+          if [[ "${{ needs.build_and_test.result }}" != "success" ]]; then echo "::error::Build and Test failed."; exit 1; fi
           if [[ "${{ needs.moonshine_check.result }}" != "success" ]]; then echo "::warning::Moonshine check failed (optional)."; fi
+
           echo "All critical stages passed successfully."
       - name: Upload CI Report
         uses: actions/upload-artifact@v6