diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cfb8d1a0e..4468053c3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -40,7 +40,7 @@ jobs: # Go is required for FIPS builds - uses: actions/setup-go@v5 with: - go-version: 'stable' + go-version: "stable" # Prevent feature unification from selecting *ring* as the crypto provider - run: RUST_BACKTRACE=1 cargo test --locked --manifest-path noq-proto/Cargo.toml --no-default-features --features rustls,aws-lc-rs - run: RUST_BACKTRACE=1 cargo test --locked --manifest-path noq/Cargo.toml --no-default-features --features rustls,aws-lc-rs,runtime-tokio,__rustls-post-quantum-test @@ -345,6 +345,30 @@ jobs: run: | cargo +$MSRV check --workspace --exclude fuzz --all-targets + external_types: + runs-on: ubuntu-latest + env: + RUSTC_WRAPPER: "sccache" + SCCACHE_GHA_ENABLED: "on" + # Pin to the nightly that the pinned `cargo-check-external-types` + # release was last tested against. Update both together. + CARGO_CHECK_EXTERNAL_TYPES_VERSION: "0.4.0" + TOOLCHAIN: "nightly-2025-10-18" + steps: + - uses: actions/checkout@v6 + - uses: dtolnay/rust-toolchain@master + with: + toolchain: ${{ env.TOOLCHAIN }} + - name: Install sccache + uses: mozilla-actions/sccache-action@v0.0.9 + - name: Install cargo-binstall + uses: cargo-bins/cargo-binstall@v1.18.1 + - uses: taiki-e/install-action@cargo-make + - name: Install cargo-check-external-types + run: cargo binstall cargo-check-external-types@${{ env.CARGO_CHECK_EXTERNAL_TYPES_VERSION }} --locked --no-confirm + - name: Check external types + run: cargo make check-external-types + cargo_deny: timeout-minutes: 30 name: cargo deny @@ -384,7 +408,7 @@ jobs: # Go is required for FIPS builds - uses: actions/setup-go@v5 with: - go-version: 'stable' + go-version: "stable" - name: Setup Environment (PR) if: ${{ github.event_name == 'pull_request' }} diff --git a/Makefile.toml b/Makefile.toml index 2b5d89aac..0fafae6f5 100644 --- a/Makefile.toml 
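Review bot: The `uses:` lines of the new `external_types` job reference every action by a mutable ref, so the code that installs the toolchain, sccache and cargo-binstall can change without any change to this file, even though the job pins `TOOLCHAIN` and `CARGO_CHECK_EXTERNAL_TYPES_VERSION`. `dtolnay/rust-toolchain@master` and `taiki-e/install-action@cargo-make` are named refs rather than versions, and the other three are version tags. Pinning each to a full commit SHA with the ref kept as a trailing comment, e.g. `- uses: dtolnay/rust-toolchain@<full-commit-sha> # master`, would keep the job reproducible and make action updates reviewable. The job also has no `timeout-minutes`, unlike `cargo_deny` directly below it (`timeout-minutes: 30`), so a hung install or nightly build is bounded only by the runner default. Whether a restrictive `permissions:` block applies is not visible in this hunk; if none is set at workflow level, this job appears to need no more than `contents: read`.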
+++ b/Makefile.toml @@ -7,6 +7,11 @@ default_to_workspace = false [env] RUSTFLAGS = "-Dwarnings" RUSTDOCFLAGS = "-Dwarnings" +CARGO_MAKE_EXTEND_WORKSPACE_MAKEFILE = true +# Workspace members to exclude when setting `workspace = true` for a task. +# Must live at global env (not task-level) so it's read before workspace iteration +# is generated. Only the `check-external-types` task uses this. +CARGO_MAKE_WORKSPACE_SKIP_MEMBERS = ["bench", "fuzz", "perf", "docs/book"] [tasks.default] alias = "dev-flow" @@ -96,3 +101,10 @@ env = { "PROPTEST_CASES" = "10000" } description = "Run proptests in regression-only mode (runs for <5 seconds)" command = "cargo" args = ["nextest", "run", "--package=noq-proto", "-P", "proptests", "--no-fail-fast", "${@}"] + +[tasks.check-external-types] +description = "Run cargo check-external-types on workspace crates" +workspace = true +toolchain = "${TOOLCHAIN:nightly-2025-10-18}" +command = "cargo" +args = ["check-external-types", "--features", "__all_without_fips"] diff --git a/noq-proto/Cargo.toml b/noq-proto/Cargo.toml index 8e253a013..a6e674466 100644 --- a/noq-proto/Cargo.toml +++ b/noq-proto/Cargo.toml @@ -50,6 +50,7 @@ rustls-aws-lc-rs = ["rustls", "aws-lc-rs"] # Don't rely on these whatsoever. They may disappear at any time. __rustls-post-quantum-test = [] +__all_without_fips = ["arbitrary", "aws-lc-rs", "rustls", "ring", "platform-verifier", "rustls-log", "qlog", "bench", "bloom", "tracing-log"] [dependencies] aes-gcm = { workspace = true, optional = true } 
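Review bot: The fallback in `toolchain = "${TOOLCHAIN:nightly-2025-10-18}"` under `[tasks.check-external-types]` is a second copy of the nightly pinned as `TOOLCHAIN` in the `external_types` job of `.github/workflows/ci.yml`, and the "Update both together" comment there only covers the two values in that file. A local `cargo make check-external-types` run without `TOOLCHAIN` set would keep using the old date after CI is bumped. I would add `# Keep in sync with TOOLCHAIN in .github/workflows/ci.yml (external_types job).` above the `toolchain` line. Separately, `args` passes `--features __all_without_fips` to every workspace member not listed in `CARGO_MAKE_WORKSPACE_SKIP_MEMBERS`, so each such member has to define that feature. This diff adds it to noq-proto, noq-udp and noq; whether other members exist cannot be seen from here.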
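Review bot: `__all_without_fips` in noq-proto/Cargo.toml is a hand-maintained list with nothing keeping it aligned with the rest of `[features]`. The docs.rs list it replaces later in this file appears to have already fallen behind, since it lacked `arbitrary`, `bloom` and `tracing-log`. A feature left out of this list is now skipped by both docs.rs and `check-external-types`, so public types gated behind it would go unchecked. A comment above the line would state the contract, e.g. `# Must list every feature except fips: docs.rs and check-external-types only build what is listed here.` The same applies to the `__all_without_fips` lists added in noq-udp/Cargo.toml and noq/Cargo.toml; the `[features]` table itself begins outside this hunk.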
@@ -107,4 +108,15 @@ workspace = true [package.metadata.docs.rs] # all non-default features except fips (cannot build on docs.rs environment) -features = ["aws-lc-rs", "rustls", "ring", "platform-verifier", "rustls-log", "qlog", "bench"] +features = ["__all_without_fips"] + +[package.metadata.cargo_check_external_types] +allowed_external_types = [ + "arbitrary::Arbitrary", # gated behind `arbitrary` feature + "criterion::Criterion", # gated behind `bench` feature + "identity_hash::IdentityHashable", + "bytes::*", + "rustls", + "rustls::*", + "rustls_pki_types::*", +] diff --git a/noq-udp/Cargo.toml b/noq-udp/Cargo.toml index 306322cd2..6d6165793 100644 --- a/noq-udp/Cargo.toml +++ b/noq-udp/Cargo.toml @@ -20,6 +20,11 @@ log = ["dep:log"] # Support private Apple APIs to send multiple packets in a single syscall. fast-apple-datapath = [] +# Internal (PRIVATE!) features used to aid testing. +# Don't rely on these whatsoever. They may disappear at any time. + +__all_without_fips = ["tracing-log", "tracing", "log", "fast-apple-datapath"] + [dependencies] libc = "0.2.175" log = { workspace = true, optional = true } diff --git a/noq/Cargo.toml b/noq/Cargo.toml index e7de61bf6..56bfa6d17 100644 --- a/noq/Cargo.toml +++ b/noq/Cargo.toml @@ -57,6 +57,7 @@ rustls-aws-lc-rs = ["rustls", "aws-lc-rs"] # Don't rely on these whatsoever. They may disappear at any time. __rustls-post-quantum-test = ["rustls/prefer-post-quantum", "rustls", "aws-lc-rs", "proto/__rustls-post-quantum-test"] +__all_without_fips = ["lock_tracking", "aws-lc-rs", "rustls", "ring", "runtime-tokio", "runtime-smol", "tracing-log", "rustls-log", "bloom", "platform-verifier", "qlog", "fast-apple-datapath"] [dependencies] async-io = { workspace = true, optional = true } 
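Review bot: The wildcard entries `"bytes::*"`, `"rustls::*"` and `"rustls_pki_types::*"` in noq-proto's `allowed_external_types` accept any item from those crates, so a new public signature that exposes a further type from one of them will pass the check unnoticed. The list added for noq in noq/Cargo.toml names individual items instead, e.g. `"bytes::bytes::Bytes"`. If the wildcards are intended, a comment on each saying why would help; otherwise the entries could name the types that are actually exposed. Only the `arbitrary` and `criterion` entries record which feature gates them. The rustls entries here and every entry in the noq list carry no such trailing comment, and one should be added wherever the type is only reachable behind a feature.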
@@ -144,4 +145,16 @@ required-features = ["rustls", "ring"] [package.metadata.docs.rs] # all non-default features except fips (cannot build on docs.rs environment) -features = ["lock_tracking", "aws-lc-rs", "rustls", "ring", "runtime-tokio", "runtime-smol", "tracing-log", "rustls-log"] +features = ["__all_without_fips"] + +[package.metadata.cargo_check_external_types] +allowed_external_types = [ + "noq_proto::*", + "noq_udp", + "noq_udp::*", + "bytes::bytes::Bytes", + "futures_core::stream::Stream", + "rustls", + "tokio::io::async_read::AsyncRead", + "tokio::io::async_write::AsyncWrite", +]