chore: check external types in CI

.github/workflows/ci.yml

@@ -40,7 +40,7 @@ jobs:
       # Go is required for FIPS builds
       - uses: actions/setup-go@v5
         with:
-          go-version: 'stable'
+          go-version: "stable"
       # Prevent feature unification from selecting *ring* as the crypto provider
       - run: RUST_BACKTRACE=1 cargo test --locked --manifest-path noq-proto/Cargo.toml --no-default-features --features rustls,aws-lc-rs
       - run: RUST_BACKTRACE=1 cargo test --locked --manifest-path noq/Cargo.toml --no-default-features --features rustls,aws-lc-rs,runtime-tokio,__rustls-post-quantum-test
@@ -345,6 +345,30 @@ jobs:
         run: |
           cargo +$MSRV check --workspace --exclude fuzz --all-targets
 
+  external_types:
+    runs-on: ubuntu-latest
+    env:
+      RUSTC_WRAPPER: "sccache"
+      SCCACHE_GHA_ENABLED: "on"
+      # Pin to the nightly that the pinned `cargo-check-external-types`
+      # release was last tested against. Update both together.
+      CARGO_CHECK_EXTERNAL_TYPES_VERSION: "0.4.0"
+      TOOLCHAIN: "nightly-2025-10-18"
+    steps:
+      - uses: actions/checkout@v6
+      - uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: ${{ env.TOOLCHAIN }}
+      - name: Install sccache
+        uses: mozilla-actions/sccache-action@v0.0.9
+      - name: Install cargo-binstall
+        uses: cargo-bins/cargo-binstall@v1.18.1
+      - uses: taiki-e/install-action@cargo-make
+      - name: Install cargo-check-external-types
+        run: cargo binstall cargo-check-external-types@${{ env.CARGO_CHECK_EXTERNAL_TYPES_VERSION }} --locked --no-confirm
+      - name: Check external types
+        run: cargo make check-external-types
+
   cargo_deny:
     timeout-minutes: 30
     name: cargo deny
@@ -384,7 +408,7 @@ jobs:
       # Go is required for FIPS builds
       - uses: actions/setup-go@v5
         with:
-          go-version: 'stable'
+          go-version: "stable"
 
       - name: Setup Environment (PR)
         if: ${{ github.event_name == 'pull_request' }}

Makefile.toml

@@ -7,6 +7,11 @@ default_to_workspace = false
 [env]
 RUSTFLAGS = "-Dwarnings"
 RUSTDOCFLAGS = "-Dwarnings"
+CARGO_MAKE_EXTEND_WORKSPACE_MAKEFILE = true
+# Workspace members to exclude when setting `workspace = true` for a task.
+# Must live at global env (not task-level) so it's read before workspace iteration
+# is generated. Only the `check-external-types` task uses this.
+CARGO_MAKE_WORKSPACE_SKIP_MEMBERS = ["bench", "fuzz", "perf", "docs/book"]
 
 [tasks.default]
 alias = "dev-flow"
@@ -96,3 +101,10 @@ env = { "PROPTEST_CASES" = "10000" }
 description = "Run proptests in regression-only mode (runs for <5 seconds)"
 command = "cargo"
 args = ["nextest", "run", "--package=noq-proto", "-P", "proptests", "--no-fail-fast", "${@}"]
+
+[tasks.check-external-types]
+description = "Run cargo check-external-types on workspace crates"
+workspace = true
+toolchain = "${TOOLCHAIN:nightly-2025-10-18}"
+command = "cargo"
+args = ["check-external-types", "--features", "__all_without_fips"]

noq-proto/Cargo.toml

@@ -50,6 +50,7 @@ rustls-aws-lc-rs = ["rustls", "aws-lc-rs"]
 # Don't rely on these whatsoever. They may disappear at any time.
 
 __rustls-post-quantum-test =  []
+__all_without_fips = ["arbitrary", "aws-lc-rs", "rustls", "ring", "platform-verifier", "rustls-log", "qlog", "bench", "bloom", "tracing-log"]
 
 [dependencies]
 aes-gcm = { workspace = true, optional = true }
@@ -107,4 +108,15 @@ workspace = true
 
 [package.metadata.docs.rs]
 # all non-default features except fips (cannot build on docs.rs environment)
-features = ["aws-lc-rs", "rustls", "ring", "platform-verifier", "rustls-log", "qlog", "bench"]
+features = ["__all_without_fips"]
+
+[package.metadata.cargo_check_external_types]
+allowed_external_types = [
+    "arbitrary::Arbitrary", # gated behind `arbitrary` feature
+    "criterion::Criterion", # gated behind `bench` feature
+    "identity_hash::IdentityHashable",
+    "bytes::*",
+    "rustls",
+    "rustls::*",
+    "rustls_pki_types::*",
+]

noq-udp/Cargo.toml

@@ -20,6 +20,11 @@ log = ["dep:log"]
 # Support private Apple APIs to send multiple packets in a single syscall.
 fast-apple-datapath = []
 
+# Internal (PRIVATE!) features used to aid testing.
+# Don't rely on these whatsoever. They may disappear at any time.
+
+__all_without_fips = ["tracing-log", "tracing", "log", "fast-apple-datapath"]
+
 [dependencies]
 libc = "0.2.175"
 log = { workspace = true, optional = true }

noq/Cargo.toml

@@ -57,6 +57,7 @@ rustls-aws-lc-rs = ["rustls", "aws-lc-rs"]
 # Don't rely on these whatsoever. They may disappear at any time.
 
 __rustls-post-quantum-test =  ["rustls/prefer-post-quantum", "rustls", "aws-lc-rs", "proto/__rustls-post-quantum-test"]
+__all_without_fips = ["lock_tracking", "aws-lc-rs", "rustls", "ring", "runtime-tokio", "runtime-smol", "tracing-log", "rustls-log", "bloom", "platform-verifier", "qlog", "fast-apple-datapath"]
 
 [dependencies]
 async-io = { workspace = true, optional = true }
@@ -144,4 +145,16 @@ required-features = ["rustls", "ring"]
 
 [package.metadata.docs.rs]
 # all non-default features except fips (cannot build on docs.rs environment)
-features = ["lock_tracking", "aws-lc-rs", "rustls", "ring", "runtime-tokio", "runtime-smol", "tracing-log", "rustls-log"]
+features = ["__all_without_fips"]
+
+[package.metadata.cargo_check_external_types]
+allowed_external_types = [
+    "noq_proto::*",
+    "noq_udp",
+    "noq_udp::*",
+    "bytes::bytes::Bytes",
+    "futures_core::stream::Stream",
+    "rustls",
+    "tokio::io::async_read::AsyncRead",
+    "tokio::io::async_write::AsyncWrite",
+]