ci: enforce --locked on workspace cargo invocations#34
Merged
Emmyt24 merged 1 commit intoJun 28, 2026
Conversation
Adds --locked to the two workspace-resolution cargo invocations in .github/workflows/ci.yml: - cargo clippy --workspace --all-targets --locked -- -D warnings - cargo test --workspace --locked Why: previously the cache step (Swatinem/rust-cache@v2) and the cargo invocations could silently regenerate Cargo.lock when local vs CI lockfile bytes diverged. --locked makes drift a hard CI failure and forces the lockfile back into the committed version, surfacing parity gaps at PR time instead of paper-over. cargo fmt --all -- --check is intentionally left untouched: cargo fmt does not resolve dependencies, so --locked has no semantic meaning there. The deny / audit / secret-scan jobs intentionally don't take --locked: they don't resolve the workspace Cargo.lock (cargo-deny-action and audit-check use their own advisory databases). Reference: Octo-Protocol-org#33 (sibling toolchain fix). Files: .github/workflows/ci.yml (one hunks area, two --locked additions plus comment explaining the rationale).
4 tasks
Senorespecial
added a commit
to Senorespecial/Octo-Protocol
that referenced
this pull request
Jun 22, 2026
…nge) Single trailing comment line added to .github/workflows/ci.yml to bump the file SHA so a `push` event fires a fresh CI run on PR Octo-Protocol-org#35. The commit has zero semantic effect on the toolchain action, the cargo invocations, or any step behavior. Purpose: distinguish a transient `Swatinem/rust-cache@v2` / rustup cache poisoning from a real `dtolnay/rust-toolchain@v1` regression. If the failure mode persists across this and the previous run, the fix isn't the action pin -- it's the cache layer or `cargo install cargo-audit` resolver, and a sibling PR is needed. If the failure flips green on this run, the diagnosis is "transient cache"; merge PR Octo-Protocol-org#35 as-is and proceed with the original cross-link plan (Octo-Protocol-org#14/Octo-Protocol-org#32/Octo-Protocol-org#33/Octo-Protocol-org#34).
Emmyt24
pushed a commit
that referenced
this pull request
Jun 28, 2026
…citly
The `rust-toolchain` install step in `.github/workflows/ci.yml` currently
uses a fully-qualified action reference: `dtolnay/rust-toolchain@1.84.1`.
That conflates two concerns: action version and Rust toolchain version.
This PR decouples them by pinning the action to its major-version tag
(`dtolnay/rust-toolchain@v1`) and moving the version into the explicit
`with.toolchain` input. Practical effects:
- Action upgrades (e.g. 1.84.1 -> 1.85.x of the action) are now a separate
decision from Rust toolchain upgrades.
- The Rust toolchain is still effectively pinned to `1.84.1` (matches
`rust-toolchain.toml`'s channel = "1.84.1"), so behavior on the runner
remains identical for non-upgrade paths.
- rustup now derives the per-host triple correctly from `with.toolchain`
("1.84.1"), which closes the channel-name CI failure surfaced as
`error: target tuple in channel name 'stable-x86_64-pc-windows-msvc'`
on `ubuntu-latest` for `cargo install cargo-audit`.
Closes #33.
Cross-links (in order):
- PR #31 (Senorespecial/Octo-Protocol -> Octo-Protocol-org/Octo-Protocol): feat(dashboard): add gas sponsorship status indicator to wallet cards (#14)
- #32: api: surface fees_spent_today_stroops in GET /v1/wallets/:id/sponsorship
- PR #34: ci: enforce --locked on workspace cargo invocations
- #33: ci: install of cargo-audit errors out with stable-x86_64-pc-windows-msvc on ubuntu-latest
Files: .github/workflows/ci.yml (one block edit).
Emmyt24
pushed a commit
that referenced
this pull request
Jun 28, 2026
…red-cache:true
Replaces the moving major tag `Swatinem/rust-cache@v2` with the SHA of the latest
v2.x release (v2.9.1 = 23869a5b) and adds:
- cache-on-failure: false – never persist a poisoned cache from a failed job; the
warm-cache vector was the leading hypothesis for why
PR #35 kept failing identically across two clean
runs (target triple in channel name).
- shared-cache: true – reuse the main-branch cache for PR builds so warm
caches start from a known-good baseline rather than
a fresh per-PR reproduction.
This seals the cache layer leak that #34 (--locked) and #35 (@v1 + toolchain
pin) alone did not. Cross-links:
closes #33
validates/refines #34 (Senorespecial:fix/ci/lockfile-locked)
builds on #35 (Senorespecial:fix/ci/rust-toolchain-v1)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds
--lockedto the two workspace-resolution cargo invocations in.github/workflows/ci.ymlso lockfile drift surfaces as a hard CI failure instead of being silently regenerated bySwatinem/rust-cache@v2+ cargo's resolver.Why
Sweep-of-CI parity earlier this session confirmed:
cargo check --workspaceexits0everywhere I tested (PIPESTATUS[0]-aware, not$?through| tail -N). The "duplicate key workspace" cargo message previously seen was a$?misread, not a real Cargo.toml parse error.cargo clippy --workspace --all-targets,cargo test --workspace, and similar workspace-resolution commands historically do NOT pass--locked, which means a stale or drifted Cargo.lock could be silently regenerated by cargo when the cache is warm. That is how local-vs-CI lockfile byte differences accumulate without anyone noticing until a real crate-version mismatch lands.--lockedflips that: if Cargo.lock does not match the committed version, the cargo invocation fails immediately with a clear "differs from current lock file" message. Failure mode becomes "DRIFT -> PR red" instead of "DRIFT -> silent regen -> merges fine, thencargo auditcomplains".Diff
What is intentionally NOT touched
cargo fmt --all -- --check-- cargo fmt does not resolve dependencies;--lockedhas no semantic meaning there.EmbarkStudios/cargo-deny-action@v2-- first-party action; uses its own advisory database, not workspaceCargo.lock.rustsec/audit-check@v2-- same, first-party action.gitleaks/gitleaks-action@v2-- scans git history, not cargo.Acceptance criteria
cargo clippy --workspace --all-targets --locked -- -D warningssucceeds in CI.cargo test --workspace --lockedsucceeds in CI.Cargo.lockto a no-op diff fails itsCheckjob with the "lock file ... needs to be updated" message rather than silently regenerating.References
cargo check --workspacefailure is the same$?misread, not a real workspace issue.