fix(ci): handle cargo-public-api JSON format compatibility

[EffortlessSteven]

Problem

The Public API Guard CI job fails with \invalid type: integer 4370\ when \cargo-public-api\ v0.38.0 cannot parse newer nightly rustdoc JSON format versions.

Changes

CI workflow (.github/workflows/ci.yml)

• Remove version pin — install latest \cargo-public-api\ instead of @=0.38.0\
• Use nightly toolchain for rustdoc JSON generation (required by \cargo-public-api)
• Emit GitHub Actions warnings (::warning::) instead of hard failures on format mismatches
• Remove redundant retry steps — nightly is now the default, eliminating the need for stable→nightly fallback
• Graceful install failure — if \cargo-public-api\ install fails, emit warning and skip

xtask (\xtask/src/validate.rs)

• Detect JSON format errors in stderr (e.g., \invalid type: integer,
  ustdoc JSON, \ormat version)
• Treat format mismatches as warnings (\Ok(false)) rather than hard failures
• Maintains hard failure for genuine API change detection errors

[gemini-code-assist]

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

[coderabbitai]

Warning

Rate limit exceeded

@EffortlessSteven has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 20 minutes and 32 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between cd2e54d and 1c9e40d.

📒 Files selected for processing (2)

• .github/workflows/ci.yml
• xtask/src/validate.rs

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/public-api-guard

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[qodo-free-for-open-source-projects]

Review Summary by Qodo

Handle cargo-public-api JSON format compatibility gracefully

🐞 Bug fix ✨ Enhancement

Walkthroughs

Description

• Handle rustdoc JSON format incompatibility gracefully in public API checks
• Remove pinned cargo-public-api version; install latest instead
• Use nightly toolchain for rustdoc JSON generation by default
• Detect and treat JSON format errors as warnings, not failures
• Simplify CI workflow by eliminating redundant retry logic

Diagram

flowchart LR
  A["CI Workflow"] -->|"Install latest cargo-public-api"| B["cargo-public-api"]
  A -->|"Use nightly toolchain"| C["rustdoc JSON generation"]
  B -->|"Detect format errors"| D["xtask validate"]
  D -->|"Format mismatch"| E["Emit warning, skip check"]
  D -->|"API change"| F["Hard failure"]
  E -->|"Continue CI"| G["Build succeeds"]
  F -->|"Block merge"| H["Build fails"]

Loading

File Changes

1. xtask/src/validate.rs Error handling +28/-8

Detect and gracefully handle JSON format errors

• Enhanced verify_public_api() to detect rustdoc JSON format errors in stderr
• Added detection for "invalid type: integer", "rustdoc JSON", and "format version" error patterns
• Changed function to capture command output instead of just status code
• Treat JSON format mismatches as warnings (Ok(false)) rather than hard failures
• Updated documentation to clarify return values for format incompatibility scenarios

xtask/src/validate.rs

---

2. .github/workflows/ci.yml ⚙️ Configuration changes +20/-39

Simplify CI workflow and handle format errors gracefully

• Removed pinned cargo-public-api v0.38.0; now installs latest version
• Added explicit nightly toolchain installation for rustdoc JSON generation
• Replaced stable toolchain with nightly for cache key generation
• Removed redundant binary caching step for cargo-public-api
• Simplified public API checks by removing retry logic and using nightly directly
• Added graceful failure handling with GitHub Actions warnings instead of hard failures
• Consolidated three separate check steps with retry logic into streamlined single-command steps

.github/workflows/ci.yml

---

[qodo-free-for-open-source-projects]

Code Review by Qodo

🐞 Bugs (4) 📘 Rule violations (0) 📎 Requirement gaps (0)

1. API guard errors swallowed 🐞 Bug ✓ Correctness

Description

The CI public API steps unconditionally convert any cargo public-api ... diff failure into a
success, so real API drift (or other errors) won’t be reflected as a failing step/check. This
undermines the job’s stated purpose of detecting unintended public API changes.

Code

.github/workflows/ci.yml[R552-574]

    - name: Check flight-core public API
      if: needs.path-filter.outputs.core == 'true'
-      id: check-core-api
      continue-on-error: true
-      run: cargo public-api -p flight-core diff origin/main..HEAD
-
-    - name: Retry flight-core API check with nightly (if needed)
-      if: needs.path-filter.outputs.core == 'true' && steps.check-core-api.outcome == 'failure'
      run: |
-        echo "Retrying with nightly toolchain..."
-        rustup toolchain install nightly
-        cargo +nightly public-api -p flight-core diff origin/main..HEAD
+        cargo +nightly public-api -p flight-core diff origin/main..HEAD 2>&1 || {
+          echo "::warning::flight-core public API check failed (possible rustdoc JSON format mismatch)"
+        }

    - name: Check flight-ipc public API
      if: needs.path-filter.outputs.ipc == 'true'
-      id: check-ipc-api
      continue-on-error: true
-      run: cargo public-api -p flight-ipc diff origin/main..HEAD
-
-    - name: Retry flight-ipc API check with nightly (if needed)
-      if: needs.path-filter.outputs.ipc == 'true' && steps.check-ipc-api.outcome == 'failure'
      run: |
-        echo "Retrying with nightly toolchain..."
-        rustup toolchain install nightly
-        cargo +nightly public-api -p flight-ipc diff origin/main..HEAD
+        cargo +nightly public-api -p flight-ipc diff origin/main..HEAD 2>&1 || {
+          echo "::warning::flight-ipc public API check failed (possible rustdoc JSON format mismatch)"
+        }

    - name: Check flight-hid public API
      if: needs.path-filter.outputs.hid == 'true'
-      id: check-hid-api
      continue-on-error: true
-      run: cargo public-api -p flight-hid diff origin/main..HEAD
-
-    - name: Retry flight-hid API check with nightly (if needed)
-      if: needs.path-filter.outputs.hid == 'true' && steps.check-hid-api.outcome == 'failure'
      run: |
-        echo "Retrying with nightly toolchain..."
-        rustup toolchain install nightly
-        cargo +nightly public-api -p flight-hid diff origin/main..HEAD
+        cargo +nightly public-api -p flight-hid diff origin/main..HEAD 2>&1 || {
+          echo "::warning::flight-hid public API check failed (possible rustdoc JSON format mismatch)"
+        }

Evidence

Each public API step uses cmd || { echo ::warning::... }, which makes the step exit 0 even when
cargo +nightly public-api ... diff ... fails; the CI docs describe this job as preventing
unintended breaking changes.

.github/workflows/ci.yml[552-574]
infra/ci/README.md[69-76]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
CI’s `public-api-check` currently masks *all* failures from `cargo public-api ... diff` as a successful step by using `|| { echo "::warning::..." }`. This makes genuine API drift indistinguishable from rustdoc JSON format incompatibilities.

### Issue Context
The PR intent is to treat known rustdoc JSON format mismatches as warnings, not to suppress true API-diff failures.

### Fix Focus Areas
- .github/workflows/ci.yml[552-574]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

2. Install failure not gated 🐞 Bug ⛯ Reliability

Description

If cargo-public-api fails to install, the workflow exits 0 from the install step but still runs
the subsequent checks, which then fail for the wrong reason and emit misleading “format mismatch”
warnings. This can fully bypass the guard while producing confusing output.

Code

.github/workflows/ci.yml[R545-567]

+    - name: Install cargo-public-api (latest)
      run: |
-        if ! command -v cargo-public-api &> /dev/null; then
-          cargo install --locked cargo-public-api@=0.38.0
-        else
-          echo "cargo-public-api already installed"
-        fi
+        cargo install --locked cargo-public-api || {
+          echo "::warning::Failed to install cargo-public-api — skipping public API checks"
+          exit 0
+        }

    - name: Check flight-core public API
      if: needs.path-filter.outputs.core == 'true'
-      id: check-core-api
      continue-on-error: true
-      run: cargo public-api -p flight-core diff origin/main..HEAD
-
-    - name: Retry flight-core API check with nightly (if needed)
-      if: needs.path-filter.outputs.core == 'true' && steps.check-core-api.outcome == 'failure'
      run: |
-        echo "Retrying with nightly toolchain..."
-        rustup toolchain install nightly
-        cargo +nightly public-api -p flight-core diff origin/main..HEAD
+        cargo +nightly public-api -p flight-core diff origin/main..HEAD 2>&1 || {
+          echo "::warning::flight-core public API check failed (possible rustdoc JSON format mismatch)"
+        }

    - name: Check flight-ipc public API
      if: needs.path-filter.outputs.ipc == 'true'
-      id: check-ipc-api
      continue-on-error: true
-      run: cargo public-api -p flight-ipc diff origin/main..HEAD
-
-    - name: Retry flight-ipc API check with nightly (if needed)
-      if: needs.path-filter.outputs.ipc == 'true' && steps.check-ipc-api.outcome == 'failure'
      run: |
-        echo "Retrying with nightly toolchain..."
-        rustup toolchain install nightly
-        cargo +nightly public-api -p flight-ipc diff origin/main..HEAD
+        cargo +nightly public-api -p flight-ipc diff origin/main..HEAD 2>&1 || {
+          echo "::warning::flight-ipc public API check failed (possible rustdoc JSON format mismatch)"
+        }

Evidence

The install step exit 0s on failure and there is no id/output used to conditionally skip later
steps; later steps always run and also suppress failure with a generic warning.

.github/workflows/ci.yml[545-550]
.github/workflows/ci.yml[552-567]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
When `cargo install cargo-public-api` fails, later public API steps still run and produce misleading warnings.

### Issue Context
The PR intends to “gracefully install failure — emit warning and skip”. Currently it only exits 0 from the install step, not from the rest of the job.

### Fix Focus Areas
- .github/workflows/ci.yml[545-550]
- .github/workflows/ci.yml[552-574]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

3. xtask skip reason wrong 🐞 Bug ✧ Quality

Description

verify_public_api() now returns Ok(false) for rustdoc JSON format mismatch, but `cargo xtask
validate treats all Ok(false)` as “cargo-public-api not installed”. This misleads developers and
produces inaccurate validation report details.

Code

xtask/src/validate.rs[R520-523]

+            if format_error && all_passed {
+                println!("  ⚠️  Rustdoc JSON format mismatch — upgrade cargo-public-api or pin a compatible nightly");
+                Ok(false)
+            } else if all_passed {

Evidence

verify_public_api() explicitly uses Ok(false) for JSON format incompatibility, while the caller
prints and records only the “not installed” reason whenever it sees Ok(false).

xtask/src/validate.rs[520-523]
xtask/src/validate.rs[223-239]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`verify_public_api()` uses `Ok(false)` for multiple skip reasons, but the caller assumes it always means “not installed”.

### Issue Context
This PR explicitly adds a second skip reason (rustdoc JSON incompatibility), so the caller needs to distinguish or print a generic “skipped/unavailable” message with details.

### Fix Focus Areas
- xtask/src/validate.rs[223-239]
- xtask/src/validate.rs[520-535]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

4. Nightly cache key churn 🐞 Bug ➹ Performance

Description

The public-api-check caches are keyed by the exact nightly rustc hash, which will change frequently
and can significantly reduce cache hit rate, slowing CI. Consider pinning nightly or separating
caches so only compiler-dependent artifacts churn.

Code

.github/workflows/ci.yml[R511-517]

    - name: Get toolchain hash
      id: toolchain-hash
      shell: bash
-      run: echo "cachekey=$(rustc -Vv | sha256sum | cut -d' ' -f1)" >> $GITHUB_OUTPUT
+      run: echo "cachekey=$(rustc +nightly -Vv | sha256sum | cut -d' ' -f1)" >> $GITHUB_OUTPUT

    - name: Cache cargo registry
      uses: actions/cache@v4

Evidence

The workflow derives a cache key from rustc +nightly -Vv and uses it for registry/index/target
caches; this couples cache reuse to the exact nightly version.

.github/workflows/ci.yml[511-537]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
Cache keys for the public API job are tied to the exact nightly toolchain hash, increasing cache churn.

### Issue Context
The job now uses nightly explicitly; without pinning, nightly changes frequently.

### Fix Focus Areas
- .github/workflows/ci.yml[503-538]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

ⓘ The new review experience is currently in Beta. Learn more

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, add credits to your account and enable them for code reviews in your settings.

[qodo-free-for-open-source-projects]

1. Api guard errors swallowed 🐞 Bug ✓ Correctness

The CI public API steps unconditionally convert any cargo public-api ... diff failure into a
success, so real API drift (or other errors) won’t be reflected as a failing step/check. This
undermines the job’s stated purpose of detecting unintended public API changes.

Agent Prompt

### Issue description
CI’s `public-api-check` currently masks *all* failures from `cargo public-api ... diff` as a successful step by using `|| { echo "::warning::..." }`. This makes genuine API drift indistinguishable from rustdoc JSON format incompatibilities.

### Issue Context
The PR intent is to treat known rustdoc JSON format mismatches as warnings, not to suppress true API-diff failures.

### Fix Focus Areas
- .github/workflows/ci.yml[552-574]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

[qodo-free-for-open-source-projects]

2. Install failure not gated 🐞 Bug ⛯ Reliability

If cargo-public-api fails to install, the workflow exits 0 from the install step but still runs
the subsequent checks, which then fail for the wrong reason and emit misleading “format mismatch”
warnings. This can fully bypass the guard while producing confusing output.

Agent Prompt

### Issue description
When `cargo install cargo-public-api` fails, later public API steps still run and produce misleading warnings.

### Issue Context
The PR intends to “gracefully install failure — emit warning and skip”. Currently it only exits 0 from the install step, not from the rest of the job.

### Fix Focus Areas
- .github/workflows/ci.yml[545-550]
- .github/workflows/ci.yml[552-574]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

[Copilot]

Pull request overview

Updates the Public API Guard CI and xtask validation to be resilient to rustdoc JSON format changes that can break cargo-public-api, degrading to warnings/skips instead of failing CI.

Changes:

• CI: install latest cargo-public-api, use nightly for checks, and emit GitHub Actions warnings instead of hard failures.
• xtask: detect rustdoc JSON format mismatch errors in cargo public-api stderr and treat them as warnings (Ok(false)).
• CI: remove stable→nightly retry logic by defaulting checks to nightly.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File	Description
xtask/src/validate.rs	Detects rustdoc JSON incompatibility in cargo-public-api runs and downgrades those failures to warnings/skips.
.github/workflows/ci.yml	Switches Public API Guard to nightly + unpinned cargo-public-api and warns instead of failing on incompatibilities/installation issues.

[Copilot]

If cargo install fails, the job continues but the subsequent check steps still run and will likely fail with no such command: public-api (or similar). That failure then gets reported as a possible rustdoc JSON mismatch, which is misleading. Consider setting a step output (e.g., installed=true/false) or adding a command -v cargo-public-api guard and using it in if: to skip the check steps when the install did not succeed.

[Copilot]

Installing the latest cargo-public-api on every CI run without a version pin reduces reproducibility and increases supply-chain exposure (the behavior of this job can change without any repo change). If possible, pin to a known-good version (and bump intentionally), or at least centralize the version in an env var so updates are explicit and reviewable.

[Copilot]

Switching from .status() to .output() captures both stdout and stderr into memory. cargo public-api output can be large, so this can increase peak memory usage unnecessarily (especially in workspaces). Since you only need stderr for format detection, consider discarding stdout (e.g., configure stdout to null) and only piping/capturing stderr.

[Copilot]

The matching for format incompatibility is quite broad (\"rustdoc JSON\" / \"format version\") and may accidentally classify unrelated failures as a format mismatch, which would downgrade real failures into warnings. Consider tightening the match to more specific phrases produced by cargo-public-api/rustdoc JSON parsing errors (or using a small regex set that targets known error lines), to reduce the chance of false positives.

Suggested change

	if stderr.contains("invalid type: integer")
	|| stderr.contains("rustdoc JSON")
	|| stderr.contains("format version")
	{
	let is_format_mismatch =
	stderr.contains("invalid type: integer")
	|| stderr.contains("unsupported rustdoc JSON format version")
	|| stderr.contains("unsupported rustdoc JSON format")
	|| stderr.contains("failed to parse rustdoc JSON");
	if is_format_mismatch {