fix(review): address review comments

Author: p0wline

.cargo/audit.toml

@@ -9,10 +9,4 @@ ignore = [
   "RUSTSEC-2025-0009",
   "RUSTSEC-2025-0010",
   "RUSTSEC-2023-0071",
-  # rustls-webpki 0.101.7 via hyper-rustls 0.24 / rustls 0.21 (hyper 0.14 transitive dependency).
-  # KMS does not use CRLs, does not assert URI SANs, and exploiting wildcard name constraints
-  # requires certificate misissuance upstream.
-  "RUSTSEC-2026-0098",
-  "RUSTSEC-2026-0099",
-  "RUSTSEC-2026-0104",
 ]

.github/scripts/nix.sh

@@ -513,24 +513,24 @@ test_command() {
     SCRIPT="$REPO_ROOT/.github/scripts/test/test_secret_vault.sh"
     ;;
   secret_aws)
-    SCRIPT="$REPO_ROOT/.github/scripts/test/test_secret_aws.sh"
     for var in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_REGION; do
       if [ -z "${!var:-}" ]; then
         echo "Error: Required environment variable $var is not set" >&2
         echo "AWS SSM secret backend tests require AWS credentials." >&2
         exit 1
       fi
     done
+    SCRIPT="$REPO_ROOT/.github/scripts/test/test_secret_aws.sh"
     ;;
   secret_azure)
-    SCRIPT="$REPO_ROOT/.github/scripts/test/test_secret_azure.sh"
     for var in AZURE_TENANT_ID AZURE_CLIENT_ID AZURE_CLIENT_SECRET AZURE_KV_NAME; do
       if [ -z "${!var:-}" ]; then
         echo "Error: Required environment variable $var is not set" >&2
         echo "Azure KV secret backend tests require Azure credentials." >&2
         exit 1
       fi
     done
+    SCRIPT="$REPO_ROOT/.github/scripts/test/test_secret_azure.sh"
     ;;
   ui)
     SCRIPT="$REPO_ROOT/.github/scripts/test/test_ui.sh"

.github/workflows/test_all.yml

@@ -36,7 +36,7 @@ jobs:
           - secret_vault
           - secret_aws
           - secret_azure
-        features: [ fips, non-fips ]
+        features: [fips, non-fips]
         exclude:
           # redis is exclusively for non-fips
           - type: redis
@@ -155,8 +155,9 @@ jobs:
     # give it a fixed concurrency group so only one job runs at a time across all PRs.
     # utimaco and softhsm2 use a per-run group so they are never blocked by other PRs.
     concurrency:
-      group: ${{ matrix.hsm-type == 'proteccio' && 'hsm-proteccio' ||
-        format('hsm-{0}-{1}', matrix.hsm-type, github.run_id) }}
+      group:
+        ${{ (matrix.hsm-type == 'proteccio' && 'hsm-proteccio') || (matrix.hsm-type == 'crypt2pay' && 'hsm-crypt2pay') || format('hsm-{0}-{1}', matrix.hsm-type,
+        github.run_id) }}
       cancel-in-progress: false
     strategy:
       fail-fast: false
@@ -166,7 +167,7 @@ jobs:
           - proteccio
           - softhsm2
           - crypt2pay
-        features: [ fips, non-fips ]
+        features: [fips, non-fips]
         exclude:
           # parallel connections on proteccio is not supported
           - hsm-type: proteccio