microsoft · anakrish · Jan 14, 2026
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -64,9 +64,24 @@ jobs:
 
     # Setup language-specific dependencies BEFORE CodeQL init for proper tracing setup
     - name: Setup Rust
-      if: matrix.language == 'rust' || matrix.language == 'c-cpp'
       uses: ./.github/actions/toolchains/rust
 
+    - name: Cache cargo
+      uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+      with:
+        shared-key: ${{ runner.os }}-regorus
+
+    - name: Fetch workspace dependencies
+      run: cargo fetch --locked
+
+    - name: Fetch FFI crate dependencies
+      if: matrix.language == 'c-cpp' || matrix.language == 'go' || matrix.language == 'csharp'
+      run: cargo fetch --locked --manifest-path bindings/ffi/Cargo.toml
+
+    - name: Fetch Java crate dependencies
+      if: matrix.language == 'java-kotlin'
+      run: cargo fetch --locked --manifest-path bindings/java/Cargo.toml
+
     - name: Setup Python
       if: matrix.language == 'python'
       uses: actions/setup-python@v5
@@ -92,6 +107,10 @@ jobs:
       with:
         global-json-file: ./bindings/csharp/global.json
 
+    - name: Invoke dotnet directly
+      if: matrix.language == 'csharp'
+      run: dotnet --info
+
     - name: Setup Node.js
       if: matrix.language == 'javascript-typescript'
       uses: actions/setup-node@v4
@@ -132,79 +151,39 @@ jobs:
         cargo install wasm-pack
 
     # Manual build steps for different languages
-    - name: Build C/C++ FFI bindings
+    - name: Build C/C++ bindings via xtask
       if: matrix.language == 'c-cpp'
-      working-directory: ${{ matrix.working-directory }}
       run: |
-          # Build FFI library in no_std mode for embedded/constrained environments
-          cargo build --release --locked --features "ast,coverage,regorus/opa-no-std" --no-default-features
-
-          # Build the Rust FFI library that provides C-compatible interface
-          cargo build --release --locked
-
-          # Build C bindings using CMake
-          cd ../c
-          mkdir -p build
-          cd build
-          cmake ..
-          make
-
-          # Build C++ bindings using CMake
-          cd ../../cpp
-          mkdir -p build
-          cd build
-          cmake ..
-          make
-
-    - name: Build Java bindings
+        cargo xtask test-c --release --frozen
+        cargo xtask test-cpp --release --frozen --skip-ffi
+        cargo xtask test-c-no-std --release --frozen --skip-ffi
+
+    - name: Build Java bindings via xtask
       if: matrix.language == 'java-kotlin'
-      working-directory: ${{ matrix.working-directory }}
-      run: |
-        # Build the Rust JNI library that provides Java-compatible interface
-        cargo fetch
-        cargo build --release --locked
-        # Compile Java source and create JAR package with Maven
-        mvn package
+      run: cargo xtask test-java --release --frozen
 
-    - name: Build Go bindings
+    - name: Build Go bindings via xtask
       if: matrix.language == 'go'
-      working-directory: ${{ matrix.working-directory }}
-      run: |
-        # Build the FFI library that Go bindings depend on via CGO
-        cd ../ffi
-        cargo fetch
-        cargo build --release --locked
-        cd ../go
-        # Download Go dependencies
-        go mod tidy
-        # Set up environment for CGO linking to Rust FFI library
-        export CGO_ENABLED=1
-        export LD_LIBRARY_PATH="$(pwd)/../ffi/target/release:$LD_LIBRARY_PATH"
-        # Build Go packages with verbose output for CodeQL tracing
-        go build -v ./pkg/regorus
-        go build -v -o regorus_test .
-
-    - name: Build C# bindings
+      run: cargo xtask test-go --release --frozen
+
+    - name: Build C# bindings manually
       if: matrix.language == 'csharp'
       working-directory: ${{ matrix.working-directory }}
       run: |
+        # Temporary workaround: CodeQL's tracer replaces dotnet with a missing shim when cargo xtask test-csharp runs,
+        # so invoke dotnet directly here until the upstream fix lands.
+        # Ideal command once fixed: cargo xtask test-csharp --release
         # Build the FFI library that C# bindings access via P/Invoke
         cd ../ffi
-        cargo fetch
         cargo build --release --locked
         cd ../csharp
         # Restore NuGet packages and build .NET assemblies in release mode
-        # Build the main Regorus library project only (tests require packaged version)
         dotnet restore Regorus/Regorus.csproj
         dotnet build Regorus/Regorus.csproj --no-restore /p:Configuration=Release /p:IgnoreMissingArtifacts=true
 
-    - name: Build WASM bindings
+    - name: Build WASM bindings via xtask
       if: matrix.language == 'javascript-typescript'
-      working-directory: ${{ matrix.working-directory }}
-      run: |
-        # Build WebAssembly module with wasm-pack for Node.js target
-        cargo fetch
-        wasm-pack build --target nodejs --release
+      run: cargo xtask build-wasm --release
 
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@v3

diff --git a/.github/workflows/pr-extensions.yml b/.github/workflows/pr-extensions.yml
@@ -21,18 +21,15 @@ jobs:
     - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
     - name: Setup Rust toolchain
       uses: ./.github/actions/toolchains/rust
-    - name: Build only std
-      run: cargo build -r --example regorus --no-default-features --features "std,rego-extensions"
-    - name: Doc Tests
-      run: cargo test -r --doc --features rego-extensions
-    - name: Run tests
-      run: cargo test -r --features rego-extensions
-    - name: Run example
-      run: cargo run --example regorus --features rego-extensions -- eval -d examples/server/allowed_server.rego -i examples/server/input.json data.example
-    - name: Run tests (ACI)
-      run: cargo test -r --test aci --features rego-extensions
-    - name: Run tests (KATA)
-      run: cargo test -r --test kata --features rego-extensions
-    - name: Run tests (OPA Conformance)
+    - name: Cache cargo
+      uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+      with:
+        shared-key: ${{ runner.os }}-regorus
+    - name: Fetch dependencies
+      run: cargo fetch --locked
+    - name: Run rego extensions CI suite
       run: >-
-        cargo test -r --test opa --features opa-testutil,serde_json/arbitrary_precision,rego-extensions  -- $(tr '\n' ' ' < tests/opa.passing)
+        cargo xtask ci-release --frozen --features rego-extensions
+        --skip-all-features-build --skip-no-default-features-tests
+        --skip-azure-policy --skip-azure-rbac
+        --opa-features "opa-testutil,serde_json/arbitrary_precision,rego-extensions"
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -21,33 +21,11 @@ jobs:
     - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
     - name: Setup Rust toolchain
       uses: ./.github/actions/toolchains/rust
-    - name: Format Check
-      run: cargo fmt --check
-    - name: Fetch
-      run: cargo fetch
-    - name: Build (all features)
-      run: cargo build -r --all-features --frozen
-    - name: Build
-      run: cargo build -r --frozen
-    - name: Test no_std
-      run: cargo test -r --no-default-features --frozen
-    - name: Build only std
-      run: cargo build -r --example regorus --no-default-features --features "std" --frozen
-    - name: Doc Tests
-      run: cargo test -r --doc --frozen
-    - name: Run tests
-      run: cargo test -r --frozen
-    - name: Run example
-      run: cargo run --example regorus --frozen -- eval -d examples/server/allowed_server.rego -i examples/server/input.json data.example
-    - name: Run tests (ACI)
-      run: cargo test -r --test aci --frozen
-    - name: Run tests (KATA)
-      run: cargo test -r --test kata --frozen
-    - name: Run tests (OPA Conformance)
-      run: >-
-        cargo test -r --test opa --frozen --features opa-testutil,serde_json/arbitrary_precision  -- $(tr '\n' ' ' < tests/opa.passing)
-    - name: Run tests (Azure Policy)
-      run: >-
-        cargo test --frozen --features azure_policy
-    - name: Run tests (Azure RBAC)
-      run: cargo test -r --frozen --features azure-rbac
+    - name: Cache cargo
+      uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+      with:
+        shared-key: ${{ runner.os }}-regorus
+    - name: Fetch dependencies
+      run: cargo fetch --locked
+    - name: Run release CI suite
+      run: cargo xtask ci-release --frozen
diff --git a/.github/workflows/publish-java.yml b/.github/workflows/publish-java.yml
@@ -48,7 +48,8 @@ jobs:
           python-version: "3.11"
       - if: ${{ matrix.build_cmd == 'zigbuild' }}
         run: pip install cargo-zigbuild
-      - run: cargo fetch
+      - run: cargo fetch --locked
+      - run: cargo fetch --locked --manifest-path bindings/java/Cargo.toml
       - run: cargo ${{ matrix.build_cmd || 'build' }} --release --frozen --target ${{ matrix.target }}${{ matrix.glibc && format('.{0}', matrix.glibc) || '' }} --manifest-path ./bindings/java/Cargo.toml
       - run: mkdir -p native/${{ matrix.target }}
       - run: mv target/${{ matrix.target }}/release/*.${{ matrix.extension }} ./native/${{ matrix.target }}/

diff --git a/.github/workflows/publish-python.yml b/.github/workflows/publish-python.yml
@@ -26,7 +26,7 @@ jobs:
 
       - name: Build Python extension
         run: |
-          cargo fetch
+          cargo fetch --locked
           cargo clippy --all-targets --no-deps -- -Dwarnings
           cargo build --release --target ${{ matrix.target }} --frozen
         working-directory: bindings/python
@@ -59,7 +59,7 @@ jobs:
 
       - name: Build Python extension
         run: |
-          cargo fetch
+          cargo fetch --locked
           cargo clippy --all-targets --no-deps -- -Dwarnings
           cargo build --release --target ${{ matrix.host.target }} --frozen
         working-directory: bindings/python
@@ -90,7 +90,7 @@ jobs:
 
       - name: Build Python extension
         run: |
-          cargo fetch
+          cargo fetch --locked
           cargo clippy --all-targets --no-deps -- -Dwarnings
           cargo build --release --target ${{ matrix.host.target }} --frozen
         working-directory: bindings/python

diff --git a/.github/workflows/rust-clippy.yml b/.github/workflows/rust-clippy.yml
@@ -34,20 +34,19 @@ jobs:
 
       - name: Setup Rust toolchain
         uses: ./.github/actions/toolchains/rust
+      - name: Cache cargo
+        uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+        with:
+          shared-key: ${{ runner.os }}-regorus
 
       - name: Install required cargo
         run: cargo install clippy-sarif sarif-fmt
 
       - name: Fetch
-        run: cargo fetch
+        run: cargo fetch --locked
 
       - name: Run rust-clippy
-        run:
-          cargo clippy
-          --all-features
-          --frozen
-          --message-format=json | clippy-sarif | tee rust-clippy-results.sarif | sarif-fmt
-
+        run: cargo xtask clippy --sarif rust-clippy-results.sarif
         continue-on-error: true
 
       - name: Upload analysis results to GitHub

diff --git a/.github/workflows/test-c-cpp.yml b/.github/workflows/test-c-cpp.yml
@@ -19,36 +19,24 @@ jobs:
           fetch-depth: 0
 
       - uses: ./.github/actions/toolchains/rust
+      - name: Cache cargo
+        uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+        with:
+          shared-key: ${{ runner.os }}-regorus
+      - name: Fetch dependencies
+        run: cargo fetch --locked
+
+      - name: Fetch FFI crate dependencies
+        run: cargo fetch --locked --manifest-path bindings/ffi/Cargo.toml
 
       - name: Setup gcc, g++, cmake, ninja
         run: sudo apt update && sudo apt install -y gcc g++ cmake ninja-build
 
-      - name: Workaround to ensure that regorus.h is generated
-        run: |
-          cargo fetch
-          cargo build -r --frozen
-        working-directory: ./bindings/ffi
-
-      - name: Test c binding
-        run: |
-          mkdir bindings/c/build
-          cd bindings/c/build
-          cmake -G Ninja ..
-          ninja
-          ./regorus_test
-
-      - name: Test c-nostd binding
-        run: |
-          mkdir bindings/c-nostd/build
-          cd bindings/c-nostd/build
-          cmake -G Ninja ..
-          ninja
-          ./regorus_test
-
-      - name: Test cpp binding
-        run: |
-          mkdir bindings/cpp/build
-          cd bindings/cpp/build
-          cmake -G Ninja ..
-          ninja
-          ./regorus_test
+      - name: Test C binding via xtask
+        run: cargo xtask test-c --release --frozen
+
+      - name: Test C (no-std) binding via xtask
+        run: cargo xtask test-c-nostd --release --frozen --skip-ffi
+
+      - name: Test C++ binding via xtask
+        run: cargo xtask test-cpp --release --frozen --skip-ffi