Skip to content

ci: enforce --locked on workspace cargo invocations#34

Merged
Emmyt24 merged 1 commit into
Octo-Protocol-org:mainfrom
Senorespecial:fix/ci/lockfile-locked
Jun 28, 2026
Merged

ci: enforce --locked on workspace cargo invocations#34
Emmyt24 merged 1 commit into
Octo-Protocol-org:mainfrom
Senorespecial:fix/ci/lockfile-locked

Conversation

@Senorespecial

Copy link
Copy Markdown
Contributor

Summary

Adds --locked to the two workspace-resolution cargo invocations in .github/workflows/ci.yml so lockfile drift surfaces as a hard CI failure instead of being silently regenerated by Swatinem/rust-cache@v2 + cargo's resolver.

Why

Sweep-of-CI parity earlier this session confirmed:

  • Local cargo check --workspace exits 0 everywhere I tested (PIPESTATUS[0]-aware, not $? through | tail -N). The "duplicate key workspace" cargo message previously seen was a $? misread, not a real Cargo.toml parse error.
  • However, cargo clippy --workspace --all-targets, cargo test --workspace, and similar workspace-resolution commands historically do NOT pass --locked, which means a stale or drifted Cargo.lock could be silently regenerated by cargo when the cache is warm. That is how local-vs-CI lockfile byte differences accumulate without anyone noticing until a real crate-version mismatch lands.

--locked flips that: if Cargo.lock does not match the committed version, the cargo invocation fails immediately with a clear "differs from current lock file" message. Failure mode becomes "DRIFT -> PR red" instead of "DRIFT -> silent regen -> merges fine, then cargo audit complains".

Diff

       - name: Clippy
-        run: cargo clippy --workspace --all-targets -- -D warnings
+        # --locked makes lockfile drift a hard failure in CI rather than cargo silently
+        # regenerating Cargo.lock from manifests, which previously masked publisher-side out-of-sync
+        # changes. See Octo-Protocol-org/Octo-Protocol#33 (sibling fix for toolchain-channel pinning).
+        run: cargo clippy --workspace --all-targets --locked -- -D warnings

       - name: Test
-        run: cargo test --workspace
+        # --locked: same rationale as Clippy above -- fail loudly on lockfile drift.
+        run: cargo test --workspace --locked

What is intentionally NOT touched

  • cargo fmt --all -- --check -- cargo fmt does not resolve dependencies; --locked has no semantic meaning there.
  • EmbarkStudios/cargo-deny-action@v2 -- first-party action; uses its own advisory database, not workspace Cargo.lock.
  • rustsec/audit-check@v2 -- same, first-party action.
  • gitleaks/gitleaks-action@v2 -- scans git history, not cargo.

Acceptance criteria

  • cargo clippy --workspace --all-targets --locked -- -D warnings succeeds in CI.
  • cargo test --workspace --locked succeeds in CI.
  • A test PR that intentionally mutates Cargo.lock to a no-op diff fails its Check job with the "lock file ... needs to be updated" message rather than silently regenerating.

References

Adds --locked to the two workspace-resolution cargo invocations in
.github/workflows/ci.yml:

  - cargo clippy --workspace --all-targets --locked -- -D warnings
  - cargo test --workspace --locked

Why: previously the cache step (Swatinem/rust-cache@v2) and the cargo
invocations could silently regenerate Cargo.lock when local vs CI
lockfile bytes diverged. --locked makes drift a hard CI failure and
forces the lockfile back into the committed version, surfacing parity
gaps at PR time instead of paper-over.

cargo fmt --all -- --check is intentionally left untouched: cargo fmt
does not resolve dependencies, so --locked has no semantic meaning there.

The deny / audit / secret-scan jobs intentionally don't take --locked:
they don't resolve the workspace Cargo.lock (cargo-deny-action and
audit-check use their own advisory databases).

Reference: Octo-Protocol-org#33 (sibling toolchain fix).

Files: .github/workflows/ci.yml (one hunks area, two --locked additions plus
comment explaining the rationale).
Senorespecial added a commit to Senorespecial/Octo-Protocol that referenced this pull request Jun 22, 2026
…nge)

Single trailing comment line added to .github/workflows/ci.yml to bump
the file SHA so a `push` event fires a fresh CI run on PR Octo-Protocol-org#35. The
commit has zero semantic effect on the toolchain action, the cargo
invocations, or any step behavior.

Purpose: distinguish a transient `Swatinem/rust-cache@v2` / rustup
cache poisoning from a real `dtolnay/rust-toolchain@v1` regression.
If the failure mode persists across this and the previous run, the
fix isn't the action pin -- it's the cache layer or `cargo install
cargo-audit` resolver, and a sibling PR is needed. If the failure
flips green on this run, the diagnosis is "transient cache"; merge
PR Octo-Protocol-org#35 as-is and proceed with the original cross-link plan
(Octo-Protocol-org#14/Octo-Protocol-org#32/Octo-Protocol-org#33/Octo-Protocol-org#34).
Emmyt24 pushed a commit that referenced this pull request Jun 28, 2026
…citly

The `rust-toolchain` install step in `.github/workflows/ci.yml` currently
uses a fully-qualified action reference: `dtolnay/rust-toolchain@1.84.1`.

That conflates two concerns: action version and Rust toolchain version.
This PR decouples them by pinning the action to its major-version tag
(`dtolnay/rust-toolchain@v1`) and moving the version into the explicit
`with.toolchain` input. Practical effects:

- Action upgrades (e.g. 1.84.1 -> 1.85.x of the action) are now a separate
  decision from Rust toolchain upgrades.
- The Rust toolchain is still effectively pinned to `1.84.1` (matches
  `rust-toolchain.toml`'s channel = "1.84.1"), so behavior on the runner
  remains identical for non-upgrade paths.
- rustup now derives the per-host triple correctly from `with.toolchain`
  ("1.84.1"), which closes the channel-name CI failure surfaced as
  `error: target tuple in channel name 'stable-x86_64-pc-windows-msvc'`
  on `ubuntu-latest` for `cargo install cargo-audit`.

Closes #33.

Cross-links (in order):
- PR #31 (Senorespecial/Octo-Protocol -> Octo-Protocol-org/Octo-Protocol): feat(dashboard): add gas sponsorship status indicator to wallet cards (#14)
- #32: api: surface fees_spent_today_stroops in GET /v1/wallets/:id/sponsorship
- PR #34: ci: enforce --locked on workspace cargo invocations
- #33: ci: install of cargo-audit errors out with stable-x86_64-pc-windows-msvc on ubuntu-latest

Files: .github/workflows/ci.yml (one block edit).
Emmyt24 pushed a commit that referenced this pull request Jun 28, 2026
…red-cache:true

Replaces the moving major tag `Swatinem/rust-cache@v2` with the SHA of the latest
v2.x release (v2.9.1 = 23869a5b) and adds:
- cache-on-failure: false  – never persist a poisoned cache from a failed job; the
                             warm-cache vector was the leading hypothesis for why
                             PR #35 kept failing identically across two clean
                             runs (target triple in channel name).
- shared-cache: true       – reuse the main-branch cache for PR builds so warm
                             caches start from a known-good baseline rather than
                             a fresh per-PR reproduction.

This seals the cache layer leak that #34 (--locked) and #35 (@v1 + toolchain
pin) alone did not. Cross-links:
  closes #33
  validates/refines #34 (Senorespecial:fix/ci/lockfile-locked)
  builds on #35 (Senorespecial:fix/ci/rust-toolchain-v1)
@Emmyt24 Emmyt24 merged commit 5687b13 into Octo-Protocol-org:main Jun 28, 2026
0 of 4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants