Create inner workspace for rust guests to reduce compile time

.github/dependabot.yml

@@ -16,25 +16,7 @@ updates:
       - "kind/dependencies"
     open-pull-requests-limit: 20
   - package-ecosystem: "cargo"
-    directory: "/src/tests/rust_guests/dummyguest"
-    schedule:
-      interval: "daily"
-      time: "03:00"
-    labels:
-      - "kind/dependencies"
-      - "area/guest"
-    open-pull-requests-limit: 5
-  - package-ecosystem: "cargo"
-    directory: "/src/tests/rust_guests/simpleguest"
-    schedule:
-      interval: "daily"
-      time: "03:00"
-    labels:
-      - "kind/dependencies"
-      - "area/guest"
-    open-pull-requests-limit: 5
-  - package-ecosystem: "cargo"
-    directory: "/src/tests/rust_guests/witguest"
+    directory: "/src/tests/rust_guests"
     schedule:
       interval: "daily"
       time: "03:00"

.github/workflows/RustNightly.yml

@@ -61,9 +61,7 @@ jobs:
         uses: actions/cache@v5
         with:
           path: |
-            src/tests/rust_guests/simpleguest/target/sysroot
-            src/tests/rust_guests/dummyguest/target/sysroot
-            src/tests/rust_guests/witguest/target/sysroot
+            src/tests/rust_guests/target/sysroot
           key: sysroot-linux-${{ matrix.config }}-${{ hashFiles('rust-toolchain.toml') }}
 
       - name: Rust cache
@@ -73,9 +71,7 @@ jobs:
           cache-on-failure: "true"
           workspaces: |
             . -> target
-            src/tests/rust_guests/simpleguest -> target
-            src/tests/rust_guests/dummyguest -> target
-            src/tests/rust_guests/witguest -> target
+            src/tests/rust_guests -> target
 
       - name: Install cargo-hyperlight
         run: cargo install cargo-hyperlight --version 0.1.10 --locked --force

.github/workflows/ValidatePullRequest.yml

@@ -41,9 +41,9 @@ jobs:
             return all_file_count === docs_file_count;
           result-encoding: string
 
-  # Update guest Cargo.lock files for Dependabot PRs.
-  # Dependabot only updates the root Cargo.lock, leaving the guest crate
-  # Cargo.lock files stale. This job updates them before code-checks runs
+  # Update guest Cargo.lock for Dependabot PRs.
+  # Dependabot only updates the root Cargo.lock, leaving the guest workspace
+  # Cargo.lock stale. This job updates it before code-checks runs
   # `cargo fetch --locked` so that the first CI run succeeds.
   update-guest-locks:
     if: github.event.pull_request.user.login == 'dependabot[bot]'

.github/workflows/dep_build_guests.yml

@@ -51,9 +51,7 @@ jobs:
         uses: actions/cache@v5
         with:
           path: |
-            src/tests/rust_guests/simpleguest/target/sysroot
-            src/tests/rust_guests/dummyguest/target/sysroot
-            src/tests/rust_guests/witguest/target/sysroot
+            src/tests/rust_guests/target/sysroot
           key: sysroot-linux-${{ inputs.config }}-${{ hashFiles('rust-toolchain.toml') }}
 
       - name: Rust cache
@@ -66,9 +64,7 @@ jobs:
           save-if: ${{ github.ref == 'refs/heads/main' }}
           workspaces: |
             . -> target
-            src/tests/rust_guests/simpleguest -> target
-            src/tests/rust_guests/dummyguest -> target
-            src/tests/rust_guests/witguest -> target
+            src/tests/rust_guests -> target
 
       - name: Install cargo-hyperlight
         run: cargo install cargo-hyperlight --version 0.1.10 --locked --force

.github/workflows/dep_code_checks.yml

@@ -47,9 +47,7 @@ jobs:
         uses: actions/cache@v5
         with:
           path: |
-            src/tests/rust_guests/simpleguest/target/sysroot
-            src/tests/rust_guests/dummyguest/target/sysroot
-            src/tests/rust_guests/witguest/target/sysroot
+            src/tests/rust_guests/target/sysroot
           key: sysroot-linux-${{ hashFiles('rust-toolchain.toml') }}
 
       - name: Rust cache
@@ -62,16 +60,12 @@ jobs:
           save-if: ${{ github.ref == 'refs/heads/main' }}
           workspaces: |
             . -> target
-            src/tests/rust_guests/simpleguest -> target
-            src/tests/rust_guests/dummyguest -> target
-            src/tests/rust_guests/witguest -> target
+            src/tests/rust_guests -> target
 
       - name: Ensure up-to-date Cargo.lock
         run: |
           cargo fetch --locked
-          cargo fetch --manifest-path src/tests/rust_guests/simpleguest/Cargo.toml --locked
-          cargo fetch --manifest-path src/tests/rust_guests/dummyguest/Cargo.toml --locked
-          cargo fetch --manifest-path src/tests/rust_guests/witguest/Cargo.toml --locked
+          cargo fetch --manifest-path src/tests/rust_guests/Cargo.toml --locked
 
       - name: fmt
         run: just fmt-check
@@ -121,9 +115,7 @@ jobs:
         uses: actions/cache@v5
         with:
           path: |
-            src/tests/rust_guests/simpleguest/target/sysroot
-            src/tests/rust_guests/dummyguest/target/sysroot
-            src/tests/rust_guests/witguest/target/sysroot
+            src/tests/rust_guests/target/sysroot
           key: sysroot-windows-${{ hashFiles('rust-toolchain.toml') }}
 
       - name: Rust cache
@@ -136,16 +128,12 @@ jobs:
           save-if: ${{ github.ref == 'refs/heads/main' }}
           workspaces: |
             . -> target
-            src/tests/rust_guests/simpleguest -> target
-            src/tests/rust_guests/dummyguest -> target
-            src/tests/rust_guests/witguest -> target
+            src/tests/rust_guests -> target
 
       - name: Ensure up-to-date Cargo.lock
         run: |
           cargo fetch --locked
-          cargo fetch --manifest-path src/tests/rust_guests/simpleguest/Cargo.toml --locked
-          cargo fetch --manifest-path src/tests/rust_guests/dummyguest/Cargo.toml --locked
-          cargo fetch --manifest-path src/tests/rust_guests/witguest/Cargo.toml --locked
+          cargo fetch --manifest-path src/tests/rust_guests/Cargo.toml --locked
 
       - name: fmt
         run: just fmt-check

.github/workflows/dep_update_guest_locks.yml

@@ -1,8 +1,8 @@
 # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 
-# This reusable workflow updates the Cargo.lock files in guest crates when
+# This reusable workflow updates the guest workspace Cargo.lock when
 # Dependabot updates dependencies. Without this, Dependabot PRs only update the
-# root Cargo.lock, leaving the guest crate Cargo.lock files stale.
+# root Cargo.lock, leaving the guest workspace Cargo.lock stale.
 #
 # See: https://docs.github.com/en/code-security/tutorials/secure-your-dependencies/automating-dependabot-with-github-actions
 
@@ -55,16 +55,8 @@ jobs:
         run: |
           sudo chown -R $(id -u):$(id -g) /opt/cargo || true
 
-      - name: Update simpleguest Cargo.lock
-        working-directory: src/tests/rust_guests/simpleguest
-        run: cargo fetch
-
-      - name: Update dummyguest Cargo.lock
-        working-directory: src/tests/rust_guests/dummyguest
-        run: cargo fetch
-
-      - name: Update witguest Cargo.lock
-        working-directory: src/tests/rust_guests/witguest
+      - name: Update guest Cargo.lock
+        working-directory: src/tests/rust_guests
         run: cargo fetch
 
       # Commits created via the Git Data API are automatically signed/verified
@@ -88,13 +80,13 @@ jobs:
         run: |
           set -euo pipefail
 
-          # Check if there are any changes to the guest Cargo.lock files
-          if git diff --quiet -- src/tests/rust_guests/*/Cargo.lock; then
-            echo "No changes to guest Cargo.lock files"
+          # Check if there are any changes to the guest Cargo.lock file
+          if git diff --quiet -- src/tests/rust_guests/Cargo.lock; then
+            echo "No changes to guest Cargo.lock file"
             exit 0
           fi
 
-          echo "Guest Cargo.lock files have changed, committing via API..."
+          echo "Guest Cargo.lock file has changed, committing via API..."
 
           # Get app identity for DCO sign-off trailer
           # Use the app-slug output from create-github-app-token (the /app API
@@ -110,7 +102,7 @@ jobs:
           # The tree API accepts "content" directly and creates blobs for us,
           # avoiding the need for separate blob creation API calls.
           TREE_JSON="[]"
-          for file in $(git diff --name-only -- src/tests/rust_guests/*/Cargo.lock); do
+          for file in $(git diff --name-only -- src/tests/rust_guests/Cargo.lock); do
             TREE_JSON=$(jq \
               --arg path "$file" \
               --arg content "$(cat "$file")" \
@@ -128,7 +120,7 @@ jobs:
           # Build commit message with DCO sign-off
           SIGNOFF="${app_slug}[bot] <${app_user_id}+${app_slug}[bot]@users.noreply.github.com>"
           COMMIT_MSG=$(printf '%s\n\n%s\n%s\n\n%s' \
-            "chore: update guest Cargo.lock files" \
+            "chore: update guest Cargo.lock file" \
             "Automatically updated by dependabot-update-guest-locks workflow." \
             "Triggered by: ${PR_TITLE}" \
             "Signed-off-by: ${SIGNOFF}")

Cargo.toml

@@ -20,11 +20,10 @@ members = [
     "src/hyperlight_component_macro",
     "src/trace_dump",
 ]
-# Guests have custom linker flags, so we need to exclude them from the workspace
+# Guests have custom linker flags and live in their own nested workspace,
+# so we exclude the whole directory from the host workspace.
 exclude = [
-    "src/tests/rust_guests/dummyguest",
-    "src/tests/rust_guests/simpleguest",
-    "src/tests/rust_guests/witguest",
+    "src/tests/rust_guests",
 ]
 
 [workspace.package]

Justfile

@@ -24,9 +24,13 @@ export CROSS_CONTAINER_GID := if path_exists("/dev/kvm") == "true" { kvm-gid } e
 root := justfile_directory()
 
 default-target := "debug"
-simpleguest_source := "src/tests/rust_guests/simpleguest/target/x86_64-hyperlight-none"
-dummyguest_source := "src/tests/rust_guests/dummyguest/target/x86_64-hyperlight-none"
-witguest_source := "src/tests/rust_guests/witguest/target/x86_64-hyperlight-none"
+# All three guest crates share one workspace under src/tests/rust_guests,
+# so they share one target dir and hyperlight-libc / hyperlight-guest-bin
+# get compiled once per profile instead of once per crate.
+rust_guests_target := "src/tests/rust_guests/target/x86_64-hyperlight-none"
+simpleguest_source := rust_guests_target
+dummyguest_source := rust_guests_target
+witguest_source := rust_guests_target
 rust_guests_bin_dir := "src/tests/rust_guests/bin"
 
 ################
@@ -52,9 +56,10 @@ witguest-wit:
     cd src/tests/rust_guests/witguest && wasm-tools component wit two_worlds.wit -w -o twoworlds.wasm
 
 build-rust-guests target=default-target features="": (witguest-wit) (ensure-cargo-hyperlight)
-    cd src/tests/rust_guests/simpleguest && cargo hyperlight build {{ if features =="" {''} else if features=="no-default-features" {"--no-default-features" } else {"--no-default-features -F " + features } }} --profile={{ if target == "debug" { "dev" } else { target } }} 
-    cd src/tests/rust_guests/dummyguest && cargo hyperlight build {{ if features =="" {''} else if features=="no-default-features" {"--no-default-features" } else {"--no-default-features -F " + features } }} --profile={{ if target == "debug" { "dev" } else { target } }} 
-    cd src/tests/rust_guests/witguest && cargo hyperlight build {{ if features =="" {''} else if features=="no-default-features" {"--no-default-features" } else {"--no-default-features -F " + features } }} --profile={{ if target == "debug" { "dev" } else { target } }}
+    @# --workspace unifies feature resolution so shared deps build once. Needed because witguest
+    @# pulls bindgen via hyperlight-component-macro, which would otherwise turn on extra features
+    @# on libc's build.rs host deps and force a libc rebuild. simple/dummyguest don't hit this.
+    cd src/tests/rust_guests && cargo hyperlight build --workspace {{ if features =="" {''} else if features=="no-default-features" {"--no-default-features" } else {"--no-default-features -F " + features } }} --profile={{ if target == "debug" { "dev" } else { target } }}
 
 @move-rust-guests target=default-target:
     cp {{ simpleguest_source }}/{{ target }}/simpleguest* {{ rust_guests_bin_dir }}/{{ target }}/
@@ -68,9 +73,7 @@ clean: clean-rust
 
 clean-rust: 
     cargo clean
-    cd src/tests/rust_guests/simpleguest && cargo clean
-    cd src/tests/rust_guests/dummyguest && cargo clean
-    {{ if os() == "windows" { "cd src/tests/rust_guests/witguest -ErrorAction SilentlyContinue; cargo clean" } else { "[ -d src/tests/rust_guests/witguest ] && cd src/tests/rust_guests/witguest && cargo clean || true" } }}
+    cd src/tests/rust_guests && cargo clean
     {{ if os() == "windows" { "Remove-Item src/tests/rust_guests/witguest/interface.wasm -Force -ErrorAction SilentlyContinue" } else { "rm -f src/tests/rust_guests/witguest/interface.wasm" } }}
     git clean -fdx src/tests/c_guests/bin src/tests/rust_guests/bin
 
@@ -106,9 +109,7 @@ test-like-ci config=default-target hypervisor="kvm":
 code-checks-like-ci config=default-target hypervisor="kvm":
     @# Ensure up-to-date Cargo.lock
     cargo fetch --locked
-    cargo fetch --manifest-path src/tests/rust_guests/simpleguest/Cargo.toml --locked
-    cargo fetch --manifest-path src/tests/rust_guests/dummyguest/Cargo.toml --locked
-    cargo fetch --manifest-path src/tests/rust_guests/witguest/Cargo.toml --locked
+    cargo fetch --manifest-path src/tests/rust_guests/Cargo.toml --locked
 
     @# fmt
     just fmt-check
@@ -297,9 +298,7 @@ check:
 
 fmt-check: (ensure-nightly-fmt)
     cargo +{{nightly-toolchain}} fmt --all -- --check
-    cargo +{{nightly-toolchain}} fmt --manifest-path src/tests/rust_guests/simpleguest/Cargo.toml -- --check
-    cargo +{{nightly-toolchain}} fmt --manifest-path src/tests/rust_guests/dummyguest/Cargo.toml -- --check
-    cargo +{{nightly-toolchain}} fmt --manifest-path src/tests/rust_guests/witguest/Cargo.toml -- --check
+    cargo +{{nightly-toolchain}} fmt --manifest-path src/tests/rust_guests/Cargo.toml --all -- --check
     cargo +{{nightly-toolchain}} fmt --manifest-path src/hyperlight_guest_capi/Cargo.toml -- --check
 
 [private]
@@ -311,9 +310,7 @@ check-license-headers:
 
 fmt-apply: (ensure-nightly-fmt)
     cargo +{{nightly-toolchain}} fmt --all
-    cargo +{{nightly-toolchain}} fmt --manifest-path src/tests/rust_guests/simpleguest/Cargo.toml
-    cargo +{{nightly-toolchain}} fmt --manifest-path src/tests/rust_guests/dummyguest/Cargo.toml
-    cargo +{{nightly-toolchain}} fmt --manifest-path src/tests/rust_guests/witguest/Cargo.toml
+    cargo +{{nightly-toolchain}} fmt --manifest-path src/tests/rust_guests/Cargo.toml --all
     cargo +{{nightly-toolchain}} fmt --manifest-path src/hyperlight_guest_capi/Cargo.toml
 
 clippy target=default-target: (witguest-wit)
@@ -324,8 +321,7 @@ clippyw target=default-target: (witguest-wit)
     {{ cargo-cmd }} clippy --all-targets --all-features --target x86_64-pc-windows-gnu --profile={{ if target == "debug" { "dev" } else { target } }}  -- -D warnings
 
 clippy-guests target=default-target: (witguest-wit) (ensure-cargo-hyperlight)
-    cd src/tests/rust_guests/simpleguest && cargo hyperlight clippy --profile={{ if target == "debug" { "dev" } else { target } }} -- -D warnings
-    cd src/tests/rust_guests/witguest && cargo hyperlight clippy --profile={{ if target == "debug" { "dev" } else { target } }} -- -D warnings
+    cd src/tests/rust_guests && cargo hyperlight clippy --workspace --profile={{ if target == "debug" { "dev" } else { target } }} -- -D warnings
 
 clippy-apply-fix-unix:
     cargo clippy --fix --all 

dev/check-license-headers.sh

@@ -34,7 +34,7 @@ MISSING_FILES=""
 # Find all Rust files, excluding target directory
 while IFS= read -r -d $'\0' file; do
     # Skip some files which appear when the guests are build
-    if grep -q '^src/tests/rust_guests/[^/]*/target/' <<< "$file"; then
+    if grep -q '^src/tests/rust_guests/target/' <<< "$file"; then
         continue
     fi
 

flake.nix

@@ -114,9 +114,7 @@
 
           manifests = [
             "Cargo.toml"
-            "src/tests/rust_guests/dummyguest/Cargo.toml"
-            "src/tests/rust_guests/simpleguest/Cargo.toml"
-            "src/tests/rust_guests/witguest/Cargo.toml"
+            "src/tests/rust_guests/Cargo.toml"
           ];
           manifestDeps = builtins.map (manifest:
             let lockPath = builtins.replaceStrings [ "toml" ] [ "lock" ] manifest; in