diff --git a/.gitea/workflows/secrets.yml b/.gitea/workflows/secrets.yml index 7e37d04..b8eb019 100644 --- a/.gitea/workflows/secrets.yml +++ b/.gitea/workflows/secrets.yml @@ -10,6 +10,13 @@ on: # systemd / 部署模板变更也应跑构建(产物无变时可快速跳过 check) - 'deploy/**' - '.gitea/workflows/**' + workflow_dispatch: + inputs: + release_build: + description: "同时执行版本发布、打 tag 与部署" + required: false + type: boolean + default: false concurrency: group: ${{ github.workflow }}-${{ github.ref }} 
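Review bot: The new `release_build` input has no comment saying what it does to the selected ref, and its description only says it releases, tags and deploys. From the `changes` job further down, dispatching with `release_build: true` makes `version` tag and create a Release from whatever ref was chosen, while the deploy is still gated on the branch list in `deploy-mcp`; that difference is worth stating next to the input so operators do not expect a tag-only run on a feature branch to stay local. I would add above `release_build:` the comment `# true: version job tags + creates a Release from the selected ref; deploy still only for the branches listed in deploy-mcp`. The `on:` block starts before this hunk.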
@@ -27,8 +34,66 @@ env: RUST_BACKTRACE: short jobs: + changes: + name: 检测变更范围 + runs-on: debian + outputs: + build_required: ${{ steps.scope.outputs.build_required }} + release_required: ${{ steps.scope.outputs.release_required }} + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: 计算构建 / 发版范围 + id: scope + shell: bash + run: | + set -euo pipefail + + build_required=false + release_required=false + + if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then + build_required=true + release_required="${{ inputs.release_build }}" + else + before="${{ github.event.before }}" + if [ -z "$before" ] || [ "$before" = "0000000000000000000000000000000000000000" ]; then + before=$(git rev-parse HEAD^ 2>/dev/null || true) + fi + + if [ -n "$before" ]; then + changed_files=$(git diff --name-only "$before" "${{ github.sha }}") + else + changed_files=$(git show --pretty='' --name-only "${{ github.sha }}") + fi + + echo "changed files:" + printf '%s\n' "$changed_files" + + while IFS= read -r file; do + [ -z "$file" ] && continue + case "$file" in + crates/*|Cargo.toml|Cargo.lock) + release_required=true + build_required=true + ;; + deploy/*|.gitea/workflows/*) + build_required=true + ;; + esac + done <<< "$changed_files" + fi + + echo "build_required=${build_required}" >> "$GITHUB_OUTPUT" + echo "release_required=${release_required}" >> "$GITHUB_OUTPUT" + echo "build_required=${build_required}, release_required=${release_required}" + version: name: 版本 & Release + needs: [changes] + if: needs.changes.outputs.release_required == 'true' runs-on: debian outputs: version: ${{ steps.ver.outputs.version }} @@ -140,7 +205,10 @@ jobs: check: name: 质量检查 (fmt / clippy / test) - needs: [version] + needs: [changes, version] + if: | + needs.changes.outputs.build_required == 'true' && + (needs.changes.outputs.release_required != 'true' || needs.version.result == 'success') runs-on: debian timeout-minutes: 15 steps: 
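Review bot: `git diff --name-only "$before" "${{ github.sha }}"` in the `changes` job fails under `set -euo pipefail` whenever `github.event.before` is a real SHA that is no longer in the repository, which is the normal case after a force-push, so the whole run aborts before any job is gated instead of falling back to the single-commit `git show` branch that already exists. The fallback should be taken whenever `before` cannot be resolved, e.g. right after the zero-SHA check: `if [ -n "$before" ] && ! git cat-file -e "${before}^{commit}" 2>/dev/null; then before=""; fi`. With that, an unresolvable `before` still classifies the head commit rather than failing the run, and a run that cannot be classified never silently sets `release_required=true`.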
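Review bot: The new `if:` on `check` is evaluated with the implicit `success()` status check, so when `version` is skipped (the build-only path where `release_required != 'true'`) `check` is skipped too, and the `(needs.changes.outputs.release_required != 'true' || ...)` branch can never let it run; under GitHub-style `needs` semantics, which act_runner follows as far as I can tell, a skipped dependency propagates unless the condition contains a status function. Prefix the condition with `!cancelled()` rather than `always()` so cancellation still stops the job: `!cancelled() && needs.changes.outputs.build_required == 'true' && (needs.changes.outputs.release_required != 'true' || needs.version.result == 'success')`, keeping it inside the `|` block scalar so the leading `!` is not parsed as a YAML tag. The same prefix is needed on the `build-linux` condition in the next hunk, otherwise the `tag="build-only"` fallback added to the notify steps is unreachable. The `check` job's steps continue outside this hunk.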
@@ -176,7 +244,11 @@ jobs: build-linux: name: Build Linux (secrets-mcp, musl) - needs: [version, check] + needs: [changes, version, check] + if: | + needs.changes.outputs.build_required == 'true' && + needs.check.result == 'success' && + (needs.changes.outputs.release_required != 'true' || needs.version.result == 'success') runs-on: debian timeout-minutes: 25 steps: @@ -239,6 +311,7 @@ jobs: [ -z "$WEBHOOK_URL" ] && exit 0 command -v jq >/dev/null 2>&1 || (sudo apt-get update -qq && sudo apt-get install -y -qq jq) tag="${{ needs.version.outputs.tag }}" + [ -z "$tag" ] && tag="build-only" commit=$(git log -1 --pretty=format:"%s" 2>/dev/null || echo "N/A") url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_number }}" result="${{ job.status }}" @@ -253,13 +326,13 @@ jobs: deploy-mcp: name: 部署 secrets-mcp - needs: [version, build-linux] + needs: [changes, version, build-linux] # 部署目标由仓库 Actions 配置:vars.DEPLOY_HOST / vars.DEPLOY_USER;私钥 secrets.DEPLOY_SSH_KEY(PEM 原文,勿 base64) # (可用 scripts/setup-gitea-actions.sh 或 Gitea API 写入,勿写进本文件) # Google OAuth / SERVER_MASTER_KEY / SECRETS_DATABASE_URL 等勿写入 CI,请在 ECS 上 # /opt/secrets-mcp/.env 配置(见 deploy/.env.example)。 # 若仓库 main 仍为纯 CLI、仅 feat/mcp 含本 workflow,请去掉条件里的 main,避免误部署。 - if: needs.build-linux.result == 'success' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/feat/mcp' || github.ref == 'refs/heads/mcp') + if: needs.changes.outputs.release_required == 'true' && needs.build-linux.result == 'success' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/feat/mcp' || github.ref == 'refs/heads/mcp') runs-on: debian timeout-minutes: 10 steps: 
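Review bot: The `deploy-mcp` gate now turns on `needs.changes.outputs.release_required`, which for `workflow_dispatch` is copied straight from the `release_build` checkbox, so anyone with dispatch permission can push a deployment to `vars.DEPLOY_HOST` from `feat/mcp` or `mcp` with one click, with no path change and no review behind it; on push events the same gate at least requires a `crates/**`/Cargo change. If manual deploys are only meant for the release branch, tighten the ref clause to `(github.ref == 'refs/heads/main' || (github.event_name != 'workflow_dispatch' && (github.ref == 'refs/heads/feat/mcp' || github.ref == 'refs/heads/mcp')))`, or drop the feature branches as the existing comment already suggests. Note also that a change limited to `deploy/**` (systemd units, env template) now builds but never deploys, which may be intended but should be stated in the comment block above the `if:`. The job's steps continue outside this hunk.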
@@ -333,6 +406,7 @@ jobs: [ -z "$WEBHOOK_URL" ] && exit 0 command -v jq >/dev/null 2>&1 || (sudo apt-get update -qq && sudo apt-get install -y -qq jq) tag="${{ needs.version.outputs.tag }}" + [ -z "$tag" ] && tag="build-only" commit=$(git log -1 --pretty=format:"%s" 2>/dev/null || echo "N/A") url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_number }}" result="${{ job.status }}" @@ -347,8 +421,8 @@ jobs: publish-release: name: 发布草稿 Release - needs: [version, build-linux] - if: always() && needs.version.outputs.release_id != '' + needs: [changes, version, build-linux] + if: needs.changes.outputs.release_required == 'true' && always() && needs.version.outputs.release_id != '' runs-on: debian timeout-minutes: 5 steps:
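Review bot: `publish-release` keeps `always()` in the middle of its condition, so a cancelled run still publishes the draft Release as long as `version` got far enough to produce a `release_id`; `!cancelled()` gives the intended "run even if a dependency failed" behaviour without that, i.e. `if: needs.changes.outputs.release_required == 'true' && !cancelled() && needs.version.outputs.release_id != ''`. The condition also never looks at `needs.build-linux.result`, so if the steps below attach the Linux artifact (they are outside this hunk, so I cannot confirm), a failed build still yields a draft with a missing or stale asset; adding `&& needs.build-linux.result == 'success'` would make the draft reflect a complete build. The job's steps continue outside this hunk.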