
fix(release): sync Cargo.lock on release so --locked builds pass#43

Merged

amondnet merged 1 commit into main from fix/cargo-lock-release-sync on Jun 22, 2026

Conversation

@amondnet (Contributor) commented Jun 22, 2026

Problem

The v0.1.0 release build failed on every target. release-please bumps the workspace version in Cargo.toml (via the x-release-please-version annotation) but does not update Cargo.lock, so the csp/csp-cli lock entries stayed at 0.0.0 while Cargo.toml moved to 0.1.0. release-rust.yml builds with cargo build --release --locked, which then fails:

error: cannot update the lock file ... because --locked was passed to prevent this

The release-please job succeeded (the v0.1.0 tag/release was created), but build-and-upload failed, so publish-npm and homebrew were skipped and nothing was published.

Fix

  • Regenerate Cargo.lock to match the 0.1.0 workspace version (also unbreaks main, which was left mismatched).
  • Add a Sync Cargo.lock step to release-please.yml that runs cargo update -p csp -p csp-cli on the release PR branch and commits the lockfile — mirrors the existing bun.lock sync step, so future release PRs keep the lock in sync automatically.

Recovery plan

Merging this fix triggers release-please to cut 0.1.1; the new sync step keeps its Cargo.lock in sync, so that release builds and publishes cleanly via OIDC. The empty v0.1.0 tag/release will be cleaned up afterward.

Test plan

  • cargo metadata --locked passes locally after the lock regen
  • YAML validated
  • CI green

Summary by cubic

Fixes release builds by keeping Cargo.lock in sync with workspace versions. Regenerates the lockfile and adds an automated sync so cargo build --release --locked passes and publish steps run.

  • Bug Fixes
    • Regenerated Cargo.lock to align csp and csp-cli with 0.1.0.
    • Added a "Sync Cargo.lock" step to release-please.yml that runs cargo update -p csp -p csp-cli on the release PR branch and commits the lockfile.

Written for commit 7cc7b83.

Summary by CodeRabbit

  • Chores
    • Improved release workflow to ensure consistent dependency lockfiles during release creation.

release-please bumps the workspace version in Cargo.toml via the
x-release-please-version annotation but leaves Cargo.lock untouched, so the
csp/csp-cli lock entries stayed at the old version. The v0.1.0 release build
failed on every target with `cargo build --release --locked` ('cannot update
the lock file because --locked was passed').

- regenerate Cargo.lock to match the 0.1.0 workspace version (unbreaks main)
- add a 'Sync Cargo.lock' step to release-please.yml that runs
  'cargo update -p csp -p csp-cli' on the release PR branch and commits the
  lockfile, mirroring the existing bun.lock sync step
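The description and commit message above pin the failure on a version mismatch between Cargo.toml and Cargo.lock that `--locked` refuses to repair. The following is an added example, not code from this PR or the csp project: a POSIX shell pre-flight check that reads both files directly and reports any workspace member whose lock entry has drifted from the manifest version, so the drift is caught before `cargo build --release --locked` runs. The manifest and lockfile it writes are constructed for the demo; the member names csp and csp-cli are the ones named in the PR, and the sed step that produces the synced copy only emulates the version edit that regenerating the lock would make (in a real checkout, run `cargo update -p csp -p csp-cli`).

```shell
#!/bin/sh
# Added example; not code from the PR or the csp project. It checks, without
# invoking cargo, whether the version recorded in Cargo.lock for each workspace
# member matches the version in Cargo.toml. That mismatch is exactly what made
# `cargo build --release --locked` refuse to build v0.1.0. The manifest and
# lockfile below are constructed for the demo; only the member names csp and
# csp-cli come from the PR.

# Print the version under [workspace.package] (or [package]) in a Cargo.toml.
# A trailing "# x-release-please-version" comment does not disturb the parse.
manifest_version() {
  awk '
    /^\[/ { in_pkg = ($0 ~ /^\[(workspace\.)?package\]/) }
    in_pkg && $1 == "version" { gsub(/"/, "", $3); print $3; exit }
  ' "$1"
}

# Print the version of one [[package]] entry in a Cargo.lock ($1 = lockfile,
# $2 = package name). Cargo writes name before version inside each entry.
lock_version() {
  awk -v want="$2" '
    /^\[\[package\]\]/ { name = "" }
    $1 == "name"    { gsub(/"/, "", $3); name = $3 }
    $1 == "version" && name == want { gsub(/"/, "", $3); print $3; exit }
  ' "$1"
}

# Return 0 when every member's lock entry equals the manifest version, 1 when
# any entry drifted (each drift is reported on stderr), 2 when the manifest
# carries no workspace version at all.
check_lock_sync() {
  manifest="$1"; lock="$2"; shift 2
  want=$(manifest_version "$manifest")
  [ -n "$want" ] || { echo "no workspace version in $manifest" >&2; return 2; }
  rc=0
  for member in "$@"; do
    have=$(lock_version "$lock" "$member")
    if [ "$have" != "$want" ]; then
      echo "drift: $member is ${have:-absent} in Cargo.lock, $want in Cargo.toml" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Constructed fixtures: the state the v0.1.0 release build saw (manifest bumped,
# lock still at 0.0.0) and the state after the lock is regenerated.
demo_dir=$(mktemp -d)
cat > "$demo_dir/Cargo.toml" <<'EOF'
[workspace]
members = ["crates/csp", "crates/csp-cli"]

[workspace.package]
version = "0.1.0" # x-release-please-version
EOF

cat > "$demo_dir/Cargo.lock" <<'EOF'
# This file is automatically @generated by Cargo.
version = 4

[[package]]
name = "csp"
version = "0.0.0"

[[package]]
name = "csp-cli"
version = "0.0.0"
dependencies = [
 "csp",
]
EOF
# Emulates the version-only rewrite that regenerating the lock produces for
# path members; in a real checkout run `cargo update -p csp -p csp-cli` instead.
sed 's/^version = "0\.0\.0"/version = "0.1.0"/' "$demo_dir/Cargo.lock" \
  > "$demo_dir/Cargo.lock.synced"

check_lock_sync "$demo_dir/Cargo.toml" "$demo_dir/Cargo.lock" csp csp-cli \
  || echo "stale lock: --locked would fail; run cargo update -p csp -p csp-cli"
check_lock_sync "$demo_dir/Cargo.toml" "$demo_dir/Cargo.lock.synced" csp csp-cli \
  && echo "lock in sync: --locked will pass"
```

Run it as a step before the `--locked` build (or as a local pre-push hook); a non-zero exit names the member that drifted, which is faster to act on than cargo's generic "cannot update the lock file" message.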
coderabbitai (Bot) commented Jun 22, 2026

Walkthrough

A new "Sync Cargo.lock" step is added to the release-please workflow. It triggers only when release-please creates a PR, checks out the PR branch, runs cargo update for csp and csp-cli, then commits and pushes Cargo.lock back to the branch if the file changed.

Changes

Cargo.lock Sync in Release Workflow
  Layer: Conditional Cargo.lock sync step
  File(s): .github/workflows/release-please.yml
  Summary: Adds a step that runs cargo update for csp and csp-cli on release PR branches, then conditionally commits and pushes the updated Cargo.lock only when the lockfile differs.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐇 Hippity-hop, the lockfile's in sync,
No more broken builds on the brink!
cargo update with a wiggle and spin,
Commits the .lock so versions stay in.
A tidy PR, neat as a burrow within! 🌿

Pre-merge checks: 5 passed
  • Description check: passed (check skipped; CodeRabbit's high-level summary is enabled).
  • Title check: passed. The title 'fix(release): sync Cargo.lock on release so --locked builds pass' clearly and specifically describes the main change: syncing Cargo.lock in the release workflow to fix build failures.
  • Docstring coverage: passed. No functions found in the changed files to evaluate docstring coverage; check skipped.
  • Linked issues check: passed (check skipped because no linked issues were found for this pull request).
  • Out-of-scope changes check: passed (check skipped because no linked issues were found for this pull request).


codecov (Bot) commented Jun 22, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


codacy-production (Bot) commented

Up to standards ✅

Issues: 0 new issues
Metrics: complexity 0, duplication 0


coderabbitai (Bot) left a review comment

🧹 Nitpick comments (1)
.github/workflows/release-please.yml (1)

80-80: 🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Harden shell interpolation for PR branch ref before git push.

Line 80 expands headBranchName directly in the shell command. Move it to an env var and quote the refspec to avoid template-to-shell injection risk and satisfy the zizmor finding.

Suggested patch
       - name: Sync Cargo.lock
         if: ${{ steps.release.outputs.pr }}
+        env:
+          RELEASE_PR_HEAD_BRANCH: ${{ fromJson(steps.release.outputs.pr).headBranchName }}
         run: |
           cargo update -p csp -p csp-cli
           if git diff --quiet Cargo.lock; then
             echo "Cargo.lock already in sync"
           else
             git config user.name "github-actions[bot]"
             git config user.email "github-actions[bot]`@users.noreply.github.com`"
             git add Cargo.lock
             git commit -m "chore: sync Cargo.lock"
-            git push origin HEAD:${{ fromJson(steps.release.outputs.pr).headBranchName }}
+            git push origin "HEAD:${RELEASE_PR_HEAD_BRANCH}"
           fi
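Review bot: the `git config user.email` line in this hunk, as it appears here, reads `"github-actions[bot]`@users.noreply.github.com`"`; inside double quotes a POSIX shell treats backticks as command substitution, so if the workflow file really contains them the step would try to execute `@users.noreply.github.com` as a command and commit with a truncated author email. Confirm the file holds the plain string `github-actions[bot]@users.noreply.github.com`. The refspec change itself is the right shape: with `git push origin "HEAD:${RELEASE_PR_HEAD_BRANCH}"` a branch name containing spaces or `;` reaches git as one argument and fails there, instead of being spliced into the script by the `${{ }}` expansion before the shell ever runs.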
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release-please.yml at line 80, The git push command on
line 80 directly interpolates the headBranchName value from the release step
output in the shell command, creating a potential template-to-shell injection
vulnerability. To fix this, extract the headBranchName value from
steps.release.outputs.pr and assign it to an environment variable in a previous
step, then reference that environment variable in the git push command with
proper quoting around the refspec argument to safely pass the branch reference.

Source: Linters/SAST tools


Review info

Configuration used: defaults; review profile: CHILL; plan: Pro Plus; run ID: 69ed9bb4-0c1d-4fee-904b-cdae2f1ecea4

Commits: reviewing files that changed from the base of the PR and between b86661a and 7cc7b83.

Files ignored due to path filters (1)
  • Cargo.lock is excluded by !**/*.lock
Files selected for processing (1)
  • .github/workflows/release-please.yml
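The nitpick above is the standard GitHub Actions template-injection pattern: a `${{ }}` expression is expanded into the `run:` script as text before any shell starts, so whatever the value contains becomes script. As an added example, not the project's workflow, the script below imitates that expansion with a stub standing in for `git push` and shows what a branch name carrying shell metacharacters does under the original line versus the hardened `env:` form. The branch names are constructed; the benign one follows the naming pattern release-please uses for its PR head. In this workflow the value comes from release-please's own output, so the practical risk is low, but the same construct fed from a fork's PR title or branch name is directly exploitable, which is why it is worth removing on sight.

```shell
#!/bin/sh
# Added example, not the project's workflow. It shows why an Actions
# `${{ ... }}` expression inside `run:` is a shell-injection sink and why the
# env-var form is not. GitHub expands `${{ expr }}` textually into the script
# before any shell starts; render_step() imitates that expansion. The branch
# names and the push stub are constructed for the demo.

# Stand-in for `git push origin <refspec>`: shows the single argument it got.
fake_push() {
  echo "push refspec=[$1]"
}

# Imitates the Actions template engine: replace the placeholder with the raw
# value, as text, so whatever the value contains becomes part of the script.
# The value is passed via the environment so awk does not reinterpret it.
render_step() {
  # $1 = step script template, $2 = value the workflow would supply
  printf '%s\n' "$1" | VAL="$2" awk '{
    p = "${{ headBranchName }}"
    i = index($0, p)
    if (i) $0 = substr($0, 1, i - 1) ENVIRON["VAL"] substr($0, i + length(p))
    print
  }'
}

# The step as written before the nitpick: the value lands inside the script.
UNSAFE_STEP='fake_push HEAD:${{ headBranchName }}'
# The step after the nitpick: the script only names an environment variable,
# which an `env:` block populates; the value never becomes script text.
SAFE_STEP='fake_push "HEAD:${RELEASE_PR_HEAD_BRANCH}"'

# Execute a step in a subshell. For the unsafe form the value is rendered in;
# for the safe form it is delivered through the environment, like `env:` does.
run_unsafe() { ( eval "$(render_step "$1" "$2")" ); }
run_safe()   { ( RELEASE_PR_HEAD_BRANCH="$2"; eval "$1" ); }

# Constructed values: a branch name of the kind release-please emits, and one
# carrying shell metacharacters.
BENIGN='release-please--branches--main'
EVIL='release-please--branches--main; echo INJECTED'

echo "-- unsafe step, benign branch:";  run_unsafe "$UNSAFE_STEP" "$BENIGN"
echo "-- unsafe step, hostile branch:"; run_unsafe "$UNSAFE_STEP" "$EVIL"
echo "-- safe step, hostile branch:";   run_safe   "$SAFE_STEP"   "$EVIL"
```

With the unsafe step the hostile value splits the line at `;` and the injected command runs after the push; with the safe step the entire value arrives as one refspec argument, which a real `git push` would simply reject as an invalid ref.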

gemini-code-assist (Bot) left a review comment

Code Review

This pull request updates the version of the csp and csp-cli packages in Cargo.lock from 0.0.0 to 0.1.0. There are no review comments, and I have no feedback to provide.

cubic-dev-ai (Bot) left a review comment

No issues found across 2 files

Architecture diagram
sequenceDiagram
    participant GitHub as GitHub Actions
    participant RP as Release-Please
    participant RPBranch as Release PR Branch
    participant CargoToml as Cargo.toml
    participant CargoLock as Cargo.lock
    participant RustBuild as Release Rust Build
    participant Publish as Publish Steps (npm/homebrew)

    GitHub->>RP: Trigger release-please workflow
    RP->>RP: Bump workspace version in Cargo.toml
    RP->>CargoToml: Write v0.1.0 (or new version)
    RP->>CargoLock: No change (entries stay at old version)
    RP->>RPBranch: Push PR with Cargo.toml updated, Cargo.lock stale

    Note over GitHub,RustBuild: New Sync Cargo.lock step

    GitHub->>GitHub: Check if release PR exists
    alt Release PR exists
        GitHub->>CargoLock: Run cargo update -p csp -p csp-cli
        alt Cargo.lock differs
            GitHub->>CargoLock: Commit updated Cargo.lock
            GitHub->>RPBranch: Push commit to release PR branch
        else Already in sync
            GitHub-->>GitHub: No action needed
        end
    end

    Note over GitHub,Publish: Build and publish (existing flow)

    GitHub->>RustBuild: Run cargo build --release --locked
    RustBuild->>CargoLock: Read lockfile (now in sync)
    RustBuild->>CargoToml: Read manifest (version matches)
    alt Lock file matches manifest
        RustBuild-->>GitHub: Build succeeds
        GitHub->>Publish: Trigger publish steps
        Publish-->>GitHub: npm + homebrew published
    else Lock file mismatch (old flow)
        RustBuild-->>GitHub: Build fails with --locked error
        GitHub-->>Publish: Skipped
    end

@amondnet amondnet merged commit 257378c into main Jun 22, 2026
9 checks passed
@amondnet amondnet deleted the fix/cargo-lock-release-sync branch June 22, 2026 11:46
@pleaseai-bot pleaseai-bot Bot mentioned this pull request Jun 22, 2026