ci(release): sync Cargo.lock in create-release and gate CI on --locked (FJ-21) #20

Merged
David merged 1 commit from ci/create-release-cargo-lock-fj-21 into chore/create-release-bump-libs-lockstep-fj-20 2026-05-28 10:01:33 +02:00

Summary

Two coupled fixes so the `create-release` recipe always produces a `Cargo.lock` that matches the bumped manifests, and so ordinary CI catches lock drift at PR time instead of only at release-build time.

Changes

`justfile` `create-release` recipe (around line 168): after the lockstep manifest bump and before `git commit`, run `cargo update --workspace` to rewrite only the workspace member entries in `Cargo.lock`, and stage the lockfile alongside the three manifests. `cargo update --workspace` is the targeted operation: it touches only workspace members and leaves third-party pins alone, with no full compile required.

`.forgejo/workflows/check.yml`: add `--locked` to `cargo build --all-targets` (step `Build`, line 30) and `cargo test` (step `Unit tests`, line 33). The release Docker build already uses `--locked` (`oci-build/Dockerfile` lines 39 and 71; `oci-build/Dockerfile.windows` lines 39 and 63); mirroring it in normal CI moves drift detection from release time to PR time. The `v0.6.0` release was bitten by this: the release commit bumped `crates/fj/Cargo.toml` to `0.6.0` but left `Cargo.lock`'s `forgejo-cli` entry at `0.5.0`, and the lock had to be patched post-hoc in `94534e9`.

Stacking note

Stacked on FJ-20 (PR #19): the base is `chore/create-release-bump-libs-lockstep-fj-20`, so the `git add` line in the recipe already lists all three manifests. Merge FJ-20 first; the FJ-21 diff is the `cargo update --workspace` line, the `Cargo.lock` prepend on the `git add` line, and the two `--locked` flags in `check.yml`.

Acceptance criteria

  • `just create-release <bump>` runs `cargo update --workspace` after the version bump and stages `Cargo.lock` in the release commit.
  • The release commit's `Cargo.lock` matches all bumped manifests; `cargo build --release --locked` succeeds on the release commit with no follow-up lock patch.
  • `.forgejo/workflows/check.yml` runs `cargo build --all-targets --locked` and `cargo test --locked`.
  • A PR that bumps a manifest without updating `Cargo.lock` fails `check.yml` (the `--locked` flag now in `Build`/`Unit tests` enforces this).

Resolves FJ-21.

#FJ-21

Two coupled fixes so lock drift can never make it into a release commit, and so any drift in normal development fails CI on the PR rather than at release-build time.

In `justfile` `create-release`, after the lockstep manifest bump (FJ-20) and before `git commit`, run `cargo update --workspace` to rewrite only the workspace member entries in `Cargo.lock` and stage the lockfile alongside the three manifests. `cargo update --workspace` is the targeted operation: it touches only workspace members, leaves third-party pins alone, and avoids a full compile.

In `.forgejo/workflows/check.yml`, add `--locked` to both `cargo build --all-targets` (step `Build`) and `cargo test` (step `Unit tests`). The release Docker build already uses `--locked` (`oci-build/Dockerfile` lines 39, 71 and `oci-build/Dockerfile.windows` lines 39, 63); mirroring it in ordinary CI moves drift detection from release time to PR time, which is where it is cheap to fix. The `v0.6.0` release was bitten by exactly this: the release commit bumped `crates/fj/Cargo.toml` to `0.6.0` but left `Cargo.lock`'s `forgejo-cli` entry at `0.5.0`, and the lock had to be patched post-hoc in `94534e9`.

Stacked on FJ-20 (PR #19): this branch's base is `chore/create-release-bump-libs-lockstep-fj-20`, so the `git add` line in the recipe already lists all three manifests. Merge FJ-20 first; the FJ-21 diff then reduces to the `cargo update --workspace` line, the `Cargo.lock` prepend on the `git add` line, and the two `--locked` flags in `check.yml`.

Signed-off-by: David Randall <David@NiceGuyIT.biz>

#FJ-21
David merged commit f1e1e4c6cd into chore/create-release-bump-libs-lockstep-fj-20 2026-05-28 10:01:33 +02:00
David deleted branch ci/create-release-cargo-lock-fj-21 2026-05-28 10:01:33 +02:00

Reference
pandoras-box/forgejo-cli!20