Commit 972ab2d
fix(ci): commit Cargo.lock for reproducible builds (#1123)
## Summary
- Remove `Cargo.lock` from `.gitignore` and commit it to the repo
- Remove the `cargo generate-lockfile` step from CI audit job
- Prevents spontaneous CI breakage when upstream crates publish new versions
**Root cause:** `Cargo.lock` was gitignored, so CI generated a fresh
lockfile each run via `cargo generate-lockfile`. When `python3-dll-a`
0.2.15 was published to crates.io, the fresh resolve picked it up but
the cargo-vet exemption still listed 0.2.14 — breaking main without any
code change.
**Fix:** Committing `Cargo.lock` pins exact versions. Dependency bumps
become explicit (`cargo update`) and show up in diffs, so cargo-vet
exemptions can be updated in the same PR.
## Test plan
- [x] `cargo vet --locked` passes locally
- [ ] CI audit job passes without `generate-lockfile` step
1 parent 33e4d62 commit 972ab2d
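Added example, not code from this commit or the project: a Python check that reads a `Cargo.lock` and a cargo-vet `supply-chain/config.toml` and reports every crate whose locked version is not covered by an exemption, which is exactly the drift the root cause above describes (lockfile resolves `python3-dll-a` 0.2.15, exemption still names 0.2.14). It hand-parses only the TOML subset these two files use (`[[package]]` and `[[exemptions.<crate>]]` entries with quoted string values; that restriction is an assumption of this script), and the two sample files are constructed, not taken from the repository. `cargo vet` is the authoritative check; this is for catching the mismatch in a PR diff or a pre-commit hook without a full vet run.

```python
"""Report crates whose Cargo.lock version is not covered by a cargo-vet exemption.

Hand-rolled parser for the TOML subset used by Cargo.lock ([[package]] entries)
and supply-chain/config.toml ([[exemptions.<crate>]] entries). Assumption: the
keys we care about (name, version) are single-line, double-quoted strings.
"""
import re

# Constructed sample inputs (not from the repository). The lockfile resolved
# python3-dll-a 0.2.15 while the exemption still lists 0.2.14.
SAMPLE_CARGO_LOCK = """\
# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 3

[[package]]
name = "pyo3"
version = "0.21.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1111111111111111111111111111111111111111111111111111111111111111"
dependencies = [
 "python3-dll-a",
]

[[package]]
name = "python3-dll-a"
version = "0.2.15"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000000"
"""

SAMPLE_VET_CONFIG = """\
# cargo-vet config file (constructed sample)

[[exemptions.pyo3]]
version = "0.21.2"
criteria = "safe-to-deploy"

[[exemptions.python3-dll-a]]
version = "0.2.14"
criteria = "safe-to-deploy"
"""

# The same config after bumping the exemption in the same PR as the lockfile change.
FIXED_VET_CONFIG = SAMPLE_VET_CONFIG.replace('version = "0.2.14"', 'version = "0.2.15"')

_HEADER = re.compile(r'^\[\[(?P<path>[^\]]+)\]\]$')
_KV = re.compile(r'^(?P<key>[A-Za-z0-9_-]+)\s*=\s*"(?P<val>[^"]*)"$')


def _tables(text):
    """Yield (header_path, {key: value}) for each [[...]] array-of-tables entry.

    Multi-line values such as `dependencies = [...]` are simply skipped; only
    single-line quoted strings are collected, which is all we need here.
    """
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _HEADER.match(line)
        if m:
            if current is not None:
                yield current
            current = (m.group('path'), {})
            continue
        m = _KV.match(line)
        if m and current is not None:
            current[1][m.group('key')] = m.group('val')
    if current is not None:
        yield current


def locked_versions(cargo_lock_text):
    """Map crate name -> set of locked versions (a crate may be locked at several)."""
    out = {}
    for path, kv in _tables(cargo_lock_text):
        if path == 'package' and 'name' in kv and 'version' in kv:
            out.setdefault(kv['name'], set()).add(kv['version'])
    return out


def exempted_versions(config_text):
    """Map crate name -> set of versions named in [[exemptions.<crate>]] entries."""
    out = {}
    for path, kv in _tables(config_text):
        if path.startswith('exemptions.') and 'version' in kv:
            name = path[len('exemptions.'):].strip('"')
            out.setdefault(name, set()).add(kv['version'])
    return out


def find_drift(cargo_lock_text, config_text):
    """Return sorted (crate, locked_version, exempted_versions) triples for every
    locked version that no exemption of that crate covers. Crates with no
    exemption at all are skipped: they may be covered by real audits, which
    this script deliberately does not parse."""
    locked = locked_versions(cargo_lock_text)
    exempt = exempted_versions(config_text)
    drift = []
    for crate, versions in locked.items():
        if crate not in exempt:
            continue
        for v in sorted(versions):
            if v not in exempt[crate]:
                drift.append((crate, v, tuple(sorted(exempt[crate]))))
    return sorted(drift)


if __name__ == '__main__':
    for crate, locked, exempted in find_drift(SAMPLE_CARGO_LOCK, SAMPLE_VET_CONFIG):
        print(f"{crate}: Cargo.lock pins {locked} but exemptions cover {', '.join(exempted)}")
```

Run against the constructed pair it reports `python3-dll-a: Cargo.lock pins 0.2.15 but exemptions cover 0.2.14`; against `FIXED_VET_CONFIG` it reports nothing. With the lockfile committed, this drift can only appear in a diff that touches `Cargo.lock`, which is the point of the fix above.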
File tree
4 files changed, +5726 -5 lines changed
- .github/workflows
- supply-chain
Diff of the first changed file (the diff text itself is not rendered on this page; only the line-number columns survived): original lines 53-55 deleted, lines 50-52 and 56-58 unchanged.
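Review bot: the three removed lines (53-55) are not rendered here, so the removal of the `cargo generate-lockfile` step can only be taken from the summary; with that step gone, the remaining cargo invocations in this workflow should pass `--locked` (the test plan already does this locally with `cargo vet --locked`) so that CI fails loudly if the committed `Cargo.lock` is stale instead of silently re-resolving it, which would reintroduce exactly the breakage this commit fixes. Please confirm the surviving audit step carries `--locked`.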
Diff of the second changed file (diff text not rendered on this page): original line 3 deleted, lines 1-2 and 4-6 unchanged.
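Review bot: this one-line removal is not rendered either, and the file tree lists only `.github/workflows` and `supply-chain` although the summary also names `.gitignore` and `Cargo.lock`; if this is the `Cargo.lock` entry leaving `.gitignore`, it only helps when `Cargo.lock` is added in the same commit (the +5726 lines suggest it is) and when the version of `python3-dll-a` that lockfile pins is covered by the cargo-vet exemption. If it pins 0.2.15, the 0.2.14 exemption in `supply-chain` must be bumped in this same change, as the commit message itself requires; please state which version the committed lockfile resolves.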