From 4b625f3e390ad99400160eecdf0ee6c98b5b807a Mon Sep 17 00:00:00 2001
From: Senorespecial
Date: Mon, 22 Jun 2026 10:25:18 +0000
Subject: [PATCH] ci: enforce --locked on workspace cargo invocations

Adds --locked to the two workspace-resolution cargo invocations in
.github/workflows/ci.yml:

- cargo clippy --workspace --all-targets --locked -- -D warnings
- cargo test --workspace --locked

Why: previously the cache step (Swatinem/rust-cache@v2) and the cargo
invocations could silently regenerate Cargo.lock when local vs CI lockfile
bytes diverged. --locked makes drift a hard CI failure and forces the
lockfile back into the committed version, surfacing parity gaps at PR time
instead of papering over.

cargo fmt --all -- --check is intentionally left untouched: cargo fmt does
not resolve dependencies, so --locked has no semantic meaning there.

The deny / audit / secret-scan jobs intentionally don't take --locked: they
don't resolve the workspace Cargo.lock (cargo-deny-action and audit-check
use their own advisory databases).

Reference: Octo-Protocol-org/Octo-Protocol#33 (sibling toolchain fix).

Files: .github/workflows/ci.yml (one hunk area, two --locked additions plus
comment explaining the rationale).
---
 .github/workflows/ci.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9496f9c..829fc90 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -46,10 +46,14 @@ jobs: run: cargo fmt --all -- --check - name: Clippy - run: cargo clippy --workspace --all-targets -- -D warnings + # --locked makes lockfile drift a hard failure in CI rather than cargo silently + # regenerating Cargo.lock from manifests, which previously masked publisher-side out-of-sync + # changes. See Octo-Protocol-org/Octo-Protocol#33 (sibling fix for toolchain-channel pinning). + run: cargo clippy --workspace --all-targets --locked -- -D warnings - name: Test - run: cargo test --workspace + # --locked: same rationale as Clippy above — fail loudly on lockfile drift. + run: cargo test --workspace --locked deny: name: cargo-deny (licenses + advisories)
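Review bot: adding `--locked` to the Clippy and Test steps only works as a drift check if Cargo.lock is committed and kept current with the manifests, and nothing in this diff shows that it is; `--locked` makes cargo exit with an error whenever the lockfile is missing or would need updating, and it never writes a lockfile itself, so after this hunk both steps fail unconditionally if the repository does not track Cargo.lock, and they fail on every PR that touches a Cargo.toml dependency without a regenerated lockfile. Please confirm Cargo.lock is tracked before merging. Since the recovery is a local action rather than anything CI does, the comment above the Clippy step should say what a failure means and how to fix it, for example `# A failure here means Cargo.lock is stale or missing: run any cargo command without --locked (e.g. cargo check) locally and commit the updated Cargo.lock.` The shorter `# --locked: same rationale as Clippy above` on the Test step can then stay as it is.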