Add SemVer checks

[danieljurek]

• Fixes Use cargo-semver-checks to help verify semver compatibility between releases #1605
• Check "stable" Rust on Linux only (others add significant time to build)
• Add eng/cgmanfiest.json to track installation of a dev tool in the build system
  • Test-Semver.ps1 uses the version specified in eng/cgmanifest.json

Tested:

Scenario	Result
No packages changed
Checks SemVer of changed package in PR	Success (expected)
Fails on SemVer violation in PR	Fail (expected)
Checks SemVer of packages in service	Fail (expected)
Checks SemVer of packages in release (and blocks release)	Fail (expected)

Test performance

SemVer checks add a non-trivial amount of time in some OS configurations (Windows, MacOS) because rust-semver-checks is built.

Test Job	OS	Time
Unit	Linux	1m42s
Unit	Windows	5m40s
Unit	Mac	7m2s
Semver	Linux	6m13s
Semver	Windows	15m3s
Semver	Mac	21m19s

rust-semver-check build times (look at logs for builds of stable in this PR run):

OS	Time
Linux	4m50s
Windows	10m15s
Mac	17m12s

Caching considerations

Also discussed here: #3158

Azure DevOps caches are scoped according to several factors. In the case of a PR where speed is most important, we would need a job that runs against main to populate a cache that PRs could read. We don't currently schedule PR pipelines to run. In fact, vcpkg, uses its own cache mechanism with relevant rules.

If we needed to semver check across OS quickly, we could use a storage account to hold pre-built binaries (similar to vcpkg). The binaries would be built in a Rust pipeline and uploaded to the storage account with a path prefix like carge-semver-checks/ubuntu-24/0.45.0/. Something would need to update the cache and cgmanifes.json file and proper arrangements would need to be made locally so that calling cargo semver-checks would use the correct binary.

Similar work could also be done to cache source analysis binaries

Other considerations

Checking "nightly" and "msrv" versions of Rust is more complicated. Generally, cargo-semver-checks supports "stable" so SemVer checking focuses there.

PRs should also block on semver-breaking changes. It may be possible that future version schemes (e.g. adding -beta.x to a version number) may not block PRs because semver allows breaking changes in -beta.x versions. This will need to be investigated as part of the version incrementing script. We'd either need to adjust the version scheme or update -beta.x at CI execution time.

[github-actions]

API Change Check

APIView identified API level changes in this PR and created the following API reviews

azure_identity

[Copilot]

Pull request overview

This PR adds semantic versioning (SemVer) compatibility checks to the Azure SDK for Rust build pipeline using cargo-semver-checks. The changes ensure that package version updates comply with SemVer rules before releases.

Key changes:

• Introduces a new PowerShell script to check SemVer compatibility of packages
• Extracts common cargo metadata functions to a shared module for reuse
• Adds cgmanifest.json to track the cargo-semver-checks tool version used in builds

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
eng/scripts/shared/Cargo.ps1	New shared module containing reusable cargo metadata and package querying functions
eng/scripts/Test-Semver.ps1	New script that installs cargo-semver-checks and validates package changes against SemVer rules
eng/scripts/Pack-Crates.ps1	Refactored to use shared cargo functions from Cargo.ps1, eliminating duplication
eng/pipelines/templates/jobs/pack.yml	Adds SemVer check tasks to both auto and manual service directory build scenarios
eng/cgmanifest.json	New manifest tracking cargo-semver-checks version 0.45.0 as a development dependency

[heaths]

Why not Invoke-LogCommand or whatever that is we use everywhere else? I see other places it'd work in this PR as well.