Introduce cargo-ox-check: unified Rust build/CI scaffolding

.delta.toml

@@ -81,3 +81,14 @@ assume_patterns = [
 # The remote branch to compare against for determining changed files
 # If not specified, uses the default branch detection
 remote_branch = "origin/main"
+
+# >>> ox-check-managed: ox-check-delta
+[delta]
+# Include the workspace root files that should invalidate every member's
+# impact analysis when changed (lockfile, root manifest, toolchain).
+root-files = [
+    "Cargo.lock",
+    "Cargo.toml",
+    "rust-toolchain.toml",
+]
+# <<< ox-check-managed: ox-check-delta

.github/actions/ox-check-impact/action.yml

@@ -0,0 +1,89 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+# Owned by cargo-ox-check; edit via `cargo ox-check update`.
+name: ox-check-impact
+description: |
+  Compute the cargo-delta impact set for this PR and emit per-tier
+  include lists.
+
+  Outputs:
+    include_modified - "--package X --package Y" string for crates whose
+                       source files changed in the diff, or "--skip" if
+                       the modified set is empty.
+    include_affected - same shape, for crates in the affected set
+                       (modified ∪ rev-deps).
+    include_required - same shape, for crates in the required set
+                       (affected ∪ workspace-internal transitive deps).
+
+  Recipes in checks.just interpret each variable per their tier:
+  modified-tier recipes (fmt, license-headers, spellcheck, ...) short-
+  circuit on "--skip"; affected-tier recipes (clippy, tests, ...) and
+  required-tier recipes (doc, cargo-hack, udeps) splice their include
+  list into the cargo invocation, defaulting to --workspace when unset
+  (local runs without impact wiring).
+
+  Unscoped recipes (deny, audit, aprz, pr-title) ignore all three
+  variables and always run unconditionally.
+outputs:
+  include_modified:
+    description: Pre-formatted --package args for the modified tier.
+    value: ${{ steps.compute.outputs.include_modified }}
+  include_affected:
+    description: Pre-formatted --package args for the affected tier.
+    value: ${{ steps.compute.outputs.include_affected }}
+  include_required:
+    description: Pre-formatted --package args for the required tier.
+    value: ${{ steps.compute.outputs.include_required }}
+runs:
+  using: composite
+  steps:
+    - name: Install cargo-delta
+      shell: bash
+      run: cargo install --locked cargo-delta
+    - id: compute
+      name: Compute impact
+      shell: bash
+      run: |
+        set -euo pipefail
+        # GITHUB_BASE_REF is the target-branch name on a PR event
+        # (e.g. "main"); we resolve it to origin/<name>. Adopters can
+        # override via the BASE_REF env var.
+        base="${BASE_REF:-origin/${GITHUB_BASE_REF:-main}}"
+        # cargo delta has no --base flag; the flow is two snapshots
+        # (baseline at the merge target + current at HEAD) compared by
+        # `cargo delta impact`. We use a temporary worktree to snapshot
+        # the baseline without disturbing the checked-out tree.
+        cargo delta snapshot > "$RUNNER_TEMP/ox-check-current.json"
+        git worktree add --detach "$RUNNER_TEMP/ox-check-baseline" "$base"
+        ( cd "$RUNNER_TEMP/ox-check-baseline" && cargo delta snapshot ) \
+            > "$RUNNER_TEMP/ox-check-baseline.json"
+        git worktree remove --force "$RUNNER_TEMP/ox-check-baseline"
+        result="$(cargo delta impact \
+            --baseline "$RUNNER_TEMP/ox-check-baseline.json" \
+            --current  "$RUNNER_TEMP/ox-check-current.json" \
+            --format json)"
+        # cargo-delta emits TitleCase keys (Modified / Affected /
+        # Required), not lowercase. Format each tier into the
+        # `--package X --package Y` shape recipes expect, or the
+        # literal "--skip" sentinel when the tier is empty.
+        format_set() {
+            local field="$1"
+            local pkgs
+            pkgs=$(printf '%s' "$result" | jq -r --arg f "$field" '(.[$f] // []) | .[]' 2>/dev/null || true)
+            if [ -z "$pkgs" ] ; then
+                printf '%s' "--skip"
+            else
+                local out=""
+                while IFS= read -r pkg ; do
+                    [ -z "$pkg" ] && continue
+                    out="$out --package $pkg"
+                done <<EOF
+        $pkgs
+        EOF
+                # shellcheck disable=SC2001
+                printf '%s' "${out# }"
+            fi
+        }
+        echo "include_modified=$(format_set Modified)" >> "$GITHUB_OUTPUT"
+        echo "include_affected=$(format_set Affected)" >> "$GITHUB_OUTPUT"
+        echo "include_required=$(format_set Required)" >> "$GITHUB_OUTPUT"

.github/actions/ox-check-nightly-advisories/action.yml

@@ -0,0 +1,39 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+# Owned by cargo-ox-check; edit via `cargo ox-check update`.
+# The token nightly-advisories is substituted by cargo-ox-check at emit time with
+# the concrete check-group name (pr-fast, pr-test, nightly-runtime, ...).
+name: ox-check-nightly-advisories
+description: Run the nightly-advisories check group.
+inputs:
+  include_modified:
+    description: |
+      Pre-formatted --package args (e.g. "--package alpha --package beta")
+      for the modified tier, or the sentinel "--skip" when nothing
+      modified. Local invocations leave it unset; recipes default to
+      --workspace.
+    default: ""
+    required: false
+  include_affected:
+    description: |
+      Same shape as include_modified, but for the affected tier
+      (modified ∪ rev-deps).
+    default: ""
+    required: false
+  include_required:
+    description: |
+      Same shape as include_modified, but for the required tier
+      (affected ∪ workspace-internal transitive deps).
+    default: ""
+    required: false
+runs:
+  using: composite
+  steps:
+    - uses: ./.github/actions/ox-check-setup
+    - name: Run just ox-check-nightly-advisories
+      shell: bash
+      env:
+        OX_CHECK_INCLUDE_MODIFIED: ${{ inputs.include_modified }}
+        OX_CHECK_INCLUDE_AFFECTED: ${{ inputs.include_affected }}
+        OX_CHECK_INCLUDE_REQUIRED: ${{ inputs.include_required }}
+      run: just ox-check-nightly-advisories

.github/actions/ox-check-nightly-exhaustive/action.yml

@@ -0,0 +1,39 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+# Owned by cargo-ox-check; edit via `cargo ox-check update`.
+# The token nightly-exhaustive is substituted by cargo-ox-check at emit time with
+# the concrete check-group name (pr-fast, pr-test, nightly-runtime, ...).
+name: ox-check-nightly-exhaustive
+description: Run the nightly-exhaustive check group.
+inputs:
+  include_modified:
+    description: |
+      Pre-formatted --package args (e.g. "--package alpha --package beta")
+      for the modified tier, or the sentinel "--skip" when nothing
+      modified. Local invocations leave it unset; recipes default to
+      --workspace.
+    default: ""
+    required: false
+  include_affected:
+    description: |
+      Same shape as include_modified, but for the affected tier
+      (modified ∪ rev-deps).
+    default: ""
+    required: false
+  include_required:
+    description: |
+      Same shape as include_modified, but for the required tier
+      (affected ∪ workspace-internal transitive deps).
+    default: ""
+    required: false
+runs:
+  using: composite
+  steps:
+    - uses: ./.github/actions/ox-check-setup
+    - name: Run just ox-check-nightly-exhaustive
+      shell: bash
+      env:
+        OX_CHECK_INCLUDE_MODIFIED: ${{ inputs.include_modified }}
+        OX_CHECK_INCLUDE_AFFECTED: ${{ inputs.include_affected }}
+        OX_CHECK_INCLUDE_REQUIRED: ${{ inputs.include_required }}
+      run: just ox-check-nightly-exhaustive

.github/actions/ox-check-nightly-runtime/action.yml

@@ -0,0 +1,39 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+# Owned by cargo-ox-check; edit via `cargo ox-check update`.
+# The token nightly-runtime is substituted by cargo-ox-check at emit time with
+# the concrete check-group name (pr-fast, pr-test, nightly-runtime, ...).
+name: ox-check-nightly-runtime
+description: Run the nightly-runtime check group.
+inputs:
+  include_modified:
+    description: |
+      Pre-formatted --package args (e.g. "--package alpha --package beta")
+      for the modified tier, or the sentinel "--skip" when nothing
+      modified. Local invocations leave it unset; recipes default to
+      --workspace.
+    default: ""
+    required: false
+  include_affected:
+    description: |
+      Same shape as include_modified, but for the affected tier
+      (modified ∪ rev-deps).
+    default: ""
+    required: false
+  include_required:
+    description: |
+      Same shape as include_modified, but for the required tier
+      (affected ∪ workspace-internal transitive deps).
+    default: ""
+    required: false
+runs:
+  using: composite
+  steps:
+    - uses: ./.github/actions/ox-check-setup
+    - name: Run just ox-check-nightly-runtime
+      shell: bash
+      env:
+        OX_CHECK_INCLUDE_MODIFIED: ${{ inputs.include_modified }}
+        OX_CHECK_INCLUDE_AFFECTED: ${{ inputs.include_affected }}
+        OX_CHECK_INCLUDE_REQUIRED: ${{ inputs.include_required }}
+      run: just ox-check-nightly-runtime

.github/actions/ox-check-nightly-test/action.yml

@@ -0,0 +1,39 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+# Owned by cargo-ox-check; edit via `cargo ox-check update`.
+# The token nightly-test is substituted by cargo-ox-check at emit time with
+# the concrete check-group name (pr-fast, pr-test, nightly-runtime, ...).
+name: ox-check-nightly-test
+description: Run the nightly-test check group.
+inputs:
+  include_modified:
+    description: |
+      Pre-formatted --package args (e.g. "--package alpha --package beta")
+      for the modified tier, or the sentinel "--skip" when nothing
+      modified. Local invocations leave it unset; recipes default to
+      --workspace.
+    default: ""
+    required: false
+  include_affected:
+    description: |
+      Same shape as include_modified, but for the affected tier
+      (modified ∪ rev-deps).
+    default: ""
+    required: false
+  include_required:
+    description: |
+      Same shape as include_modified, but for the required tier
+      (affected ∪ workspace-internal transitive deps).
+    default: ""
+    required: false
+runs:
+  using: composite
+  steps:
+    - uses: ./.github/actions/ox-check-setup
+    - name: Run just ox-check-nightly-test
+      shell: bash
+      env:
+        OX_CHECK_INCLUDE_MODIFIED: ${{ inputs.include_modified }}
+        OX_CHECK_INCLUDE_AFFECTED: ${{ inputs.include_affected }}
+        OX_CHECK_INCLUDE_REQUIRED: ${{ inputs.include_required }}
+      run: just ox-check-nightly-test

.github/actions/ox-check-pr-fast/action.yml

@@ -0,0 +1,39 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+# Owned by cargo-ox-check; edit via `cargo ox-check update`.
+# The token pr-fast is substituted by cargo-ox-check at emit time with
+# the concrete check-group name (pr-fast, pr-test, nightly-runtime, ...).
+name: ox-check-pr-fast
+description: Run the pr-fast check group.
+inputs:
+  include_modified:
+    description: |
+      Pre-formatted --package args (e.g. "--package alpha --package beta")
+      for the modified tier, or the sentinel "--skip" when nothing
+      modified. Local invocations leave it unset; recipes default to
+      --workspace.
+    default: ""
+    required: false
+  include_affected:
+    description: |
+      Same shape as include_modified, but for the affected tier
+      (modified ∪ rev-deps).
+    default: ""
+    required: false
+  include_required:
+    description: |
+      Same shape as include_modified, but for the required tier
+      (affected ∪ workspace-internal transitive deps).
+    default: ""
+    required: false
+runs:
+  using: composite
+  steps:
+    - uses: ./.github/actions/ox-check-setup
+    - name: Run just ox-check-pr-fast
+      shell: bash
+      env:
+        OX_CHECK_INCLUDE_MODIFIED: ${{ inputs.include_modified }}
+        OX_CHECK_INCLUDE_AFFECTED: ${{ inputs.include_affected }}
+        OX_CHECK_INCLUDE_REQUIRED: ${{ inputs.include_required }}
+      run: just ox-check-pr-fast

.github/actions/ox-check-pr-mutants/action.yml

@@ -0,0 +1,39 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+# Owned by cargo-ox-check; edit via `cargo ox-check update`.
+# The token pr-mutants is substituted by cargo-ox-check at emit time with
+# the concrete check-group name (pr-fast, pr-test, nightly-runtime, ...).
+name: ox-check-pr-mutants
+description: Run the pr-mutants check group.
+inputs:
+  include_modified:
+    description: |
+      Pre-formatted --package args (e.g. "--package alpha --package beta")
+      for the modified tier, or the sentinel "--skip" when nothing
+      modified. Local invocations leave it unset; recipes default to
+      --workspace.
+    default: ""
+    required: false
+  include_affected:
+    description: |
+      Same shape as include_modified, but for the affected tier
+      (modified ∪ rev-deps).
+    default: ""
+    required: false
+  include_required:
+    description: |
+      Same shape as include_modified, but for the required tier
+      (affected ∪ workspace-internal transitive deps).
+    default: ""
+    required: false
+runs:
+  using: composite
+  steps:
+    - uses: ./.github/actions/ox-check-setup
+    - name: Run just ox-check-pr-mutants
+      shell: bash
+      env:
+        OX_CHECK_INCLUDE_MODIFIED: ${{ inputs.include_modified }}
+        OX_CHECK_INCLUDE_AFFECTED: ${{ inputs.include_affected }}
+        OX_CHECK_INCLUDE_REQUIRED: ${{ inputs.include_required }}
+      run: just ox-check-pr-mutants

.github/actions/ox-check-pr-test/action.yml

@@ -0,0 +1,39 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+# Owned by cargo-ox-check; edit via `cargo ox-check update`.
+# The token pr-test is substituted by cargo-ox-check at emit time with
+# the concrete check-group name (pr-fast, pr-test, nightly-runtime, ...).
+name: ox-check-pr-test
+description: Run the pr-test check group.
+inputs:
+  include_modified:
+    description: |
+      Pre-formatted --package args (e.g. "--package alpha --package beta")
+      for the modified tier, or the sentinel "--skip" when nothing
+      modified. Local invocations leave it unset; recipes default to
+      --workspace.
+    default: ""
+    required: false
+  include_affected:
+    description: |
+      Same shape as include_modified, but for the affected tier
+      (modified ∪ rev-deps).
+    default: ""
+    required: false
+  include_required:
+    description: |
+      Same shape as include_modified, but for the required tier
+      (affected ∪ workspace-internal transitive deps).
+    default: ""
+    required: false
+runs:
+  using: composite
+  steps:
+    - uses: ./.github/actions/ox-check-setup
+    - name: Run just ox-check-pr-test
+      shell: bash
+      env:
+        OX_CHECK_INCLUDE_MODIFIED: ${{ inputs.include_modified }}
+        OX_CHECK_INCLUDE_AFFECTED: ${{ inputs.include_affected }}
+        OX_CHECK_INCLUDE_REQUIRED: ${{ inputs.include_required }}
+      run: just ox-check-pr-test