feat(ci): check only affected Rust packages

[poroh]

Replace full-workspace Rust pre-build checks with an affected-package selection flow. The new xtask maps changed Git paths to workspace packages, expands the selection to transitive workspace dependents, and falls back to the full workspace when a change is global or cannot be mapped safely.

This reduces CI time for package-scoped changes while preserving coverage for shared inputs such as Cargo files, toolchain config, CI config, custom lints, xtask code, and other global build inputs.

The affected check now runs:

• isolated default-feature package builds
• Clippy with all targets/features
• carbide-lints with all targets/features

Also add reviewer guidance for keeping the global-path fallback list up to date.

Related issues

Type of Change

• Add - New feature or capability
• Change - Changes in existing functionality
• Fix - Bug fixes
• Remove - Removed features or deprecated functionality
• Internal - Internal changes (refactoring, tests, docs, etc.)

Breaking Changes

• This PR contains breaking changes

Testing

• Unit tests added/updated
• Integration tests added/updated
• Manual testing performed
• No testing required (docs, internal refactor, etc.)

Additional Notes

[coderabbitai]

Summary by CodeRabbit

• New Features

  • Added a new “affected Rust checks” workflow so CI can run Rust validation only on packages touched by a change.
  • Introduced a new top-level command for checking affected Rust packages, with support for choosing the base revision.

• Bug Fixes

  • Improved package selection to better handle changed paths, renames, and dependency-related impact.
  • Added safer fallback behavior when changes can’t be mapped reliably.

• Documentation

  • Updated build and CI guidance to reflect the new Rust workflow and command entrypoints.

Walkthrough

Introduces a cargo xtask affected-packages subcommand that computes changed workspace packages from a git diff against a base ref, expands selections to transitive reverse dependents, and outputs name@version selectors. A new check-affected cargo-make task consumes these selectors to run isolated builds, clippy, and carbide-lints only for affected packages. The CI lint-police job and top-level Makefile are updated to invoke this pipeline.

Changes

Affected-package CI pipeline

Layer / File(s)	Summary
affected_packages module: types, selection logic, and git parsing crates/xtask/src/affected_packages.rs	New module with WorkspacePackage, Selection, FullWorkspaceReason, and ChangedPaths types; implements merge-base git diff parsing (NUL-terminated, rename-aware), deepest-manifest-root ownership, safe-path validation, global-path detection, transitive reverse-dependency expansion, full-workspace conservative fallback, and comprehensive unit tests.
isolated_package_builds: explicit package selection crates/xtask/src/isolated_package_builds.rs	check() now accepts selected_packages: &[String]; adds WorkspacePackage struct with cargo_selector (name@version), select_packages() helper with name-or-selector validation, BTreeSet deduplication, and full-workspace passthrough on empty input; adds unit tests.
xtask CLI: new subcommand and updated args crates/xtask/src/main.rs	Registers affected_packages module, adds AffectedPackages { base } clap struct defaulting to origin/main, extends IsolatedPackageBuilds with repeatable --package args, updates main() routing, and adds CLI argument tests.
Makefile.toml: check-affected task Makefile.toml	New check-affected cargo-make task: queries cargo xtask affected-packages, builds -p argument array, then sequentially runs isolated-package-builds, clippy, and carbide-lints each with an isolated CARGO_TARGET_DIR subdirectory.
CI job, Makefile entrypoint, and docs .github/workflows/ci.yaml, Makefile, AGENTS.md	lint-police fetches full git history (fetch-depth: 0), configures git safe-directory, and replaces individual lint steps with cargo make check-affected; removes standalone isolated-package-builds step. Adds core/check-affected Makefile target with AFFECTED_BASE variable. Updates AGENTS.md with affected-package CI maintenance guidance.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 43.24% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly captures the main CI change: checking only affected Rust packages.
Description check	✅ Passed	The description is directly aligned with the changeset and explains the affected-package CI flow.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Caution

Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted.

Error details

{}

[coderabbitai]

🧹 Nitpick comments (1)

crates/xtask/src/affected_packages.rs (1)

545-605: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Drive the global-path regression cases from the fallback list.

This test only samples part of GLOBAL_FILES / GLOBAL_DIRECTORIES, so a future addition to is_global_path() can land without matching coverage. Please derive the cases from a single shared table so the safety check and its test stay in sync. As per coding guidelines, crates/xtask/src/affected_packages.rs: Keep is_global_path() ... up to date; as per path instructions, crates/**/*.rs: Prefer findings about behavior ... and missing tests over style-only comments; based on learnings, When writing tests, prefer the table-driven style.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@crates/xtask/src/affected_packages.rs` around lines 545 - 605, The regression
test for global path handling is only covering a hand-written subset of the
fallback globals, so it can drift from is_global_path() as GLOBAL_FILES or
GLOBAL_DIRECTORIES change. Refactor
global_unmapped_unsafe_and_empty_changes_select_all_with_a_reason in
affected_packages.rs to drive its cases from one shared table/source used by
is_global_path(), and iterate that table in the test so new global paths
automatically stay covered. Keep the existing assertions around select_affected
and Selection::All, but make the test table-driven and shared with the
production global-path matcher.

Sources: Coding guidelines, Path instructions, Learnings

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@crates/xtask/src/affected_packages.rs`:
- Around line 545-605: The regression test for global path handling is only
covering a hand-written subset of the fallback globals, so it can drift from
is_global_path() as GLOBAL_FILES or GLOBAL_DIRECTORIES change. Refactor
global_unmapped_unsafe_and_empty_changes_select_all_with_a_reason in
affected_packages.rs to drive its cases from one shared table/source used by
is_global_path(), and iterate that table in the test so new global paths
automatically stay covered. Keep the existing assertions around select_affected
and Selection::All, but make the test table-driven and shared with the
production global-path matcher.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 4f042823-af75-49f5-8e78-97fe6dfa5f74

📥 Commits

Reviewing files that changed from the base of the PR and between 0082abd and f77625f.

📒 Files selected for processing (7)

• .github/workflows/ci.yaml
• AGENTS.md
• Makefile
• Makefile.toml
• crates/xtask/src/affected_packages.rs
• crates/xtask/src/isolated_package_builds.rs
• crates/xtask/src/main.rs

[github-actions]

🔍 Container Scan Summary

Service	Total	Critical	High	Medium	Low	Other
boot-artifacts-aarch64	3	0	0	3	0	0
boot-artifacts-x86_64	3	0	0	3	0	0
forge-admin-cli-x86_64	285	6	25	103	7	144
machine-validation-runner	748	30	189	272	36	221
machine_validation	748	30	189	272	36	221
machine_validation-aarch64	748	30	189	272	36	221
nvmetal-carbide	748	30	189	272	36	221
TOTAL	3283	126	781	1197	151	1028

Per-CVE detail lives in the per-service grype-* artifacts (JSON + SARIF). Severity counts only — no CVE IDs published here.

[poroh]

@coderabbitai full_review

[coderabbitai]

@poroh Re-running a full review of PR #2963 with emphasis on correctness, fallback safety, performance, and maintainability.

✅ Action performed

Full review finished.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@AGENTS.md`:
- Around line 129-137: Clarify the maintenance guidance for is_global_path() in
crates/xtask/src/affected_packages.rs by replacing the vague phrase with
explicit categories of shared paths; spell out which kinds of generated or
configuration directories should be treated as global, and keep the existing
examples of root Cargo files, Cargo.lock, cargo-make files, Rust toolchain
config, .cargo/, CI config, custom lint/xtask code, and include/ aligned with
that list. Make the wording unambiguous so contributors can tell when a newly
introduced shared directory must be added, and preserve the fallback rule that
any path not safely attributable to exactly one workspace package should select
the full workspace.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: fa5e3d37-e6f3-494b-846b-2f824b5f1ca4

📥 Commits

Reviewing files that changed from the base of the PR and between 0082abd and 375e302.

📒 Files selected for processing (7)

• .github/workflows/ci.yaml
• AGENTS.md
• Makefile
• Makefile.toml
• crates/xtask/src/affected_packages.rs
• crates/xtask/src/isolated_package_builds.rs
• crates/xtask/src/main.rs

[coderabbitai]

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Clarify the directory categories in this guidance.

Line 134’s shared generated or configuration directories is ambiguous, so the is_global_path() maintenance rule is easy to misread. Please spell the categories out explicitly.

✏️ Proposed fix

- Rust toolchain configuration, `.cargo/`, CI configuration, custom lint and xtask
- code, and `include/`. Add any newly introduced or repurposed shared generated or
- configuration directories to the predicate.
+ Rust toolchain configuration, `.cargo/`, CI configuration, custom lint and xtask
+ code, and `include/`. Add any newly introduced or repurposed shared
+ generated/configuration directories to the predicate.

As per path instructions, review Markdown for correctness, clarity, spelling, grammar, working links, and whether commands/examples are realistic and safe.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	When reviewing changes that add, remove, rename, or repurpose shared Rust build
	inputs, verify that `is_global_path()` in
	`crates/xtask/src/affected_packages.rs` remains up to date. Currently matched
	shared inputs include the root Cargo files and `Cargo.lock`, cargo-make files,
	Rust toolchain configuration, `.cargo/`, CI configuration, custom lint and xtask
	code, and `include/`. Add any newly introduced or repurposed shared generated or
	configuration directories to the predicate. If a changed path cannot be mapped
	safely to exactly one workspace package, affected-package selection must fall
	back to the full workspace.
	When reviewing changes that add, remove, rename, or repurpose shared Rust build
	inputs, verify that `is_global_path()` in
	`crates/xtask/src/affected_packages.rs` remains up to date. Currently matched
	shared inputs include the root Cargo files and `Cargo.lock`, cargo-make files,
	Rust toolchain configuration, `.cargo/`, CI configuration, custom lint and xtask
	code, and `include/`. Add any newly introduced or repurposed shared
	generated/configuration directories to the predicate. If a changed path cannot be mapped
	safely to exactly one workspace package, affected-package selection must fall
	back to the full workspace.

🧰 Tools

🪛 LanguageTool

[grammar] ~134-~134: Use a hyphen to join words.
Context: ...ny newly introduced or repurposed shared generated or configuration directories t...

(QB_NEW_EN_HYPHEN)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@AGENTS.md` around lines 129 - 137, Clarify the maintenance guidance for
is_global_path() in crates/xtask/src/affected_packages.rs by replacing the vague
phrase with explicit categories of shared paths; spell out which kinds of
generated or configuration directories should be treated as global, and keep the
existing examples of root Cargo files, Cargo.lock, cargo-make files, Rust
toolchain config, .cargo/, CI config, custom lint/xtask code, and include/
aligned with that list. Make the wording unambiguous so contributors can tell
when a newly introduced shared directory must be added, and preserve the
fallback rule that any path not safely attributable to exactly one workspace
package should select the full workspace.

Sources: Path instructions, Linters/SAST tools

[poroh]

We decided not to make things more complex than needed and just remove check isolated packages from lint-police job: #2984