ci: overhaul CI

This is a general CI overhaul.

### Summary

  - Add `cargo-deny` security audit for vulnerability and license checking
  - Add MSRV (1.89) verification job
  - Add documentation build check
  - Add Windows to tests and pre-commit
  - Rewrite test workflow with grouped multi-platform matrix (Linux x86/ARM, macOS, Windows)
  - Add `verify-coverage` job that fails if any crate isn't assigned to a test group
  - Drop the complex segfault detection logic in the SPV part which was actually hiding test failures
  - Add x86_64 runner to fuzz workflow alongside ARM for cross-architecture coverage
  - Add enable concurrency control in `pre-commit.yml` to cancel redundant runs

  ### Test Groups
  Tests are now organized in `.github/ci-groups.yml`. CI fails if a new crate is added without being assigned to a group.

  ### Jobs: 4 → ~25 (parallel)
  - 20 test jobs (5 groups (core, spv, wallet, rpc, tools) × 4 platforms (ubuntu arm, ubuntu x86_64, macos, windows))
  - security, msrv, docs build, verify-coverage

Author: xdustinface

.github/ci-groups.yml

@@ -0,0 +1,31 @@
+# Test group configuration for CI
+# CI will fail if any workspace crate is not assigned to a group or excluded
+
+groups:
+  core:
+    - dashcore
+    - dashcore_hashes
+    - dashcore-private
+    - dash-network
+    - dash-network-ffi
+
+  spv:
+    - dash-spv
+    - dash-spv-ffi
+
+  wallet:
+    - key-wallet
+    - key-wallet-ffi
+    - key-wallet-manager
+
+  rpc:
+    - dashcore-rpc
+    - dashcore-rpc-json
+
+  tools:
+    - dashcore-test-utils
+    - dash-fuzz
+
+# Crates intentionally not tested (with reason)
+excluded:
+  - integration_test  # Requires live Dash node

.github/ci-no-std.yml

@@ -0,0 +1,16 @@
+# No-std build checks
+#
+# Lists crates that support no-std and their test configurations.
+# Each entry runs: cargo check --no-default-features --features <entry>
+
+dashcore_hashes:
+  - bare              # --no-default-features only
+  - alloc
+  - alloc serde       # multiple features
+
+dashcore-private:
+  - bare
+  - alloc
+
+dash-network:
+  - no-std

.github/scripts/ci_config.py

@@ -0,0 +1,224 @@
+#!/usr/bin/env python3
+"""CI configuration management script.
+
+Used by GitHub Actions workflows for test management.
+
+Subcommands:
+    verify-groups    Check all workspace crates are assigned to test groups
+    run-group        Run tests for all crates in a group
+    run-no-std       Run no-std build checks
+"""
+
+import argparse
+import json
+import subprocess
+import sys
+from pathlib import Path
+
+import yaml
+
+
+def get_workspace_metadata():
+    """Get workspace metadata from cargo."""
+    result = subprocess.run(
+        ["cargo", "metadata", "--no-deps", "--format-version", "1"],
+        capture_output=True,
+        text=True,
+        check=True,
+    )
+    return json.loads(result.stdout)
+
+
+def load_yaml(path: Path):
+    """Load YAML file."""
+    with open(path) as f:
+        return yaml.safe_load(f)
+
+
+def github_error(msg: str):
+    """Print GitHub Actions error annotation."""
+    print(f"::error::{msg}")
+
+
+def github_notice(msg: str):
+    """Print GitHub Actions notice annotation."""
+    print(f"::notice::{msg}")
+
+
+def github_group_start(name: str):
+    """Start a GitHub Actions log group."""
+    print(f"::group::{name}")
+
+
+def github_group_end():
+    """End a GitHub Actions log group."""
+    print("::endgroup::")
+
+
+def verify_groups(args):
+    """Verify all workspace crates are assigned to test groups."""
+    metadata = get_workspace_metadata()
+    workspace_crates = {pkg["name"] for pkg in metadata["packages"]}
+
+    config = load_yaml(args.groups_file)
+
+    assigned = set()
+    for group_crates in config.get("groups", {}).values():
+        if group_crates:
+            assigned.update(group_crates)
+    assigned.update(config.get("excluded", []) or [])
+
+    unassigned = workspace_crates - assigned
+    if unassigned:
+        github_error(
+            f"Crates not assigned to any test group: {', '.join(sorted(unassigned))}"
+        )
+        print("\nPlease add them to a group or 'excluded' section in ci-groups.yml")
+        return 1
+
+    print(f"All {len(workspace_crates)} workspace crates are assigned to test groups")
+    return 0
+
+
+def run_no_std(args):
+    """Run no-std build checks from ci-no-std.yml.
+
+    Format: crate_name: [list of configs]
+    Each config runs: cargo check -p crate --no-default-features --features <config>
+    Special: 'bare' means just --no-default-features (no features)
+    """
+    config = load_yaml(args.no_std_file) or {}
+
+    failed = []
+
+    for crate_name, entries in config.items():
+        if not entries:
+            continue
+
+        for entry in entries:
+            if not isinstance(entry, str) or not entry.strip():
+                continue
+
+            entry_clean = entry.strip()
+
+            # Build cargo flags
+            if entry_clean == "bare":
+                flags = ["--no-default-features"]
+                display_name = "bare"
+            elif entry_clean == "no-std":
+                flags = ["--no-default-features", "--features", "no-std"]
+                display_name = "no-std"
+            elif " " in entry_clean:
+                # Multiple features (space-separated)
+                features = entry_clean.replace(" ", ",")
+                flags = ["--no-default-features", "--features", features]
+                display_name = entry_clean.replace(" ", "+")
+            else:
+                # Single feature
+                flags = ["--no-default-features", "--features", entry_clean]
+                display_name = entry_clean
+
+            github_group_start(f"{crate_name} ({display_name})")
+
+            cmd = ["cargo", "check", "-p", crate_name] + flags
+            result = subprocess.run(cmd)
+
+            github_group_end()
+
+            if result.returncode != 0:
+                failed.append(f"{crate_name} ({display_name})")
+                github_error(f"No-std check failed: {crate_name} with {' '.join(flags)}")
+
+    if failed:
+        print("\n" + "=" * 40)
+        print("FAILED NO-STD CHECKS:")
+        for f in failed:
+            print(f"  - {f}")
+        print("=" * 40)
+        return 1
+
+    return 0
+
+
+def run_group_tests(args):
+    """Run tests for all crates in a group."""
+    config = load_yaml(args.groups_file)
+    groups = config.get("groups", {})
+
+    if args.group not in groups:
+        github_error(f"Unknown group: {args.group}")
+        return 1
+
+    crates = groups[args.group] or []
+    failed = []
+
+    for crate in crates:
+        # Skip dash-fuzz on Windows
+        if args.os == "windows-latest" and crate == "dash-fuzz":
+            github_notice(f"Skipping {crate} on Windows (honggfuzz not supported)")
+            continue
+
+        github_group_start(f"Testing {crate}")
+
+        # On Windows, skip --all-features to avoid x11 feature
+        if args.os == "windows-latest":
+            cmd = ["cargo", "test", "-p", crate]
+        else:
+            cmd = ["cargo", "test", "-p", crate, "--all-features"]
+
+        result = subprocess.run(cmd)
+
+        github_group_end()
+
+        if result.returncode != 0:
+            failed.append(crate)
+            github_error(f"Test failed for {crate} on {args.os}")
+
+    if failed:
+        print("\n" + "=" * 40)
+        print(f"FAILED TESTS ({args.group} on {args.os}):")
+        for f in failed:
+            print(f"  - {f}")
+        print("=" * 40)
+        return 1
+
+    return 0
+
+
+def main():
+    parser = argparse.ArgumentParser(description="CI configuration management")
+    parser.add_argument(
+        "--groups-file",
+        type=Path,
+        default=Path(".github/ci-groups.yml"),
+        help="Path to ci-groups.yml",
+    )
+    parser.add_argument(
+        "--no-std-file",
+        type=Path,
+        default=Path(".github/ci-no-std.yml"),
+        help="Path to ci-no-std.yml",
+    )
+
+    subparsers = parser.add_subparsers(dest="command", required=True)
+
+    subparsers.add_parser("verify-groups", help="Verify all crates assigned to groups")
+    subparsers.add_parser("run-no-std", help="Run no-std checks")
+
+    run_group_parser = subparsers.add_parser("run-group", help="Run tests for a group")
+    run_group_parser.add_argument("group", help="Group name")
+    run_group_parser.add_argument("--os", default="ubuntu-latest", help="OS name")
+
+    args = parser.parse_args()
+
+    commands = {
+        "verify-groups": verify_groups,
+        "run-no-std": run_no_std,
+        "run-group": run_group_tests,
+    }
+
+    return commands[args.command](args)
+
+
+if __name__ == "__main__":
+    sys.exit(main())

.github/scripts/requirements.txt

@@ -0,0 +1 @@
+pyyaml

.github/workflows/fuzz.yml

@@ -18,10 +18,11 @@ concurrency:
 jobs:
   fuzz:
     if: ${{ !github.event.act }}
-    runs-on: ubuntu-22.04-arm
+    runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
       matrix:
+        os: [ubuntu-latest, ubuntu-22.04-arm]
         fuzz_target: [
           dash_outpoint_string,
           dash_deserialize_amount,
@@ -46,7 +47,7 @@ jobs:
     steps:
       - name: Install test dependencies
         run: sudo apt-get update -y && sudo apt-get install -y binutils-dev libunwind8-dev libcurl4-openssl-dev libelf-dev libdw-dev cmake gcc libiberty-dev
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: Setup Rust toolchain
         uses: dtolnay/rust-toolchain@stable
         with:
@@ -57,20 +58,23 @@ jobs:
           workspaces: "fuzz -> target"
       - name: fuzz
         run: cd fuzz && ./fuzz.sh "${{ matrix.fuzz_target }}"
-      - run: echo "${{ matrix.fuzz_target }}" >executed_${{ matrix.fuzz_target }}
-      - uses: actions/upload-artifact@v4
+      - run: echo "${{ matrix.fuzz_target }}" >executed_${{ matrix.fuzz_target }}_${{ matrix.os }}
+      - uses: actions/upload-artifact@v6
         with:
-          name: executed_${{ matrix.fuzz_target }}
-          path: executed_${{ matrix.fuzz_target }}
+          name: executed_${{ matrix.fuzz_target }}_${{ matrix.os }}
+          path: executed_${{ matrix.fuzz_target }}_${{ matrix.os }}
 
   verify-execution:
     if: ${{ !github.event.act }}
     needs: fuzz
-    runs-on: ubuntu-22.04-arm
+    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/download-artifact@v4
+      - uses: actions/checkout@v6
+      - uses: actions/download-artifact@v6
       - name: Display structure of downloaded files
         run: ls -R
-      - run: find executed_* -type f -exec cat {} + | sort > executed
-      - run: source ./fuzz/fuzz-util.sh && listTargetNames | sort | diff - executed
+      - name: Verify all fuzz targets were executed
+        run: |
+          # Each target runs on multiple platforms, so deduplicate
+          find executed_* -type f -exec cat {} + | sort -u > executed
+          source ./fuzz/fuzz-util.sh && listTargetNames | sort | diff - executed

.github/workflows/pre-commit.yml

@@ -7,18 +7,21 @@ on:
       - 'v**-dev'
   pull_request:
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   pre-commit:
     name: Pre-commit (${{ matrix.os }})
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
       matrix:
-        # TODO: Windows excluded - rs-x11-hash requires POSIX headers (unistd.h)
-        os: [ubuntu-latest, macos-latest]
+        os: [ubuntu-latest, macos-latest, windows-latest]
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Set up Python
         uses: actions/setup-python@v6