fix(release): sync full workspace in Cargo.lock on release

[amondnet]

Problem

The v0.1.5 release build failed:

error: cannot update the lock file ... Cargo.lock because --locked was passed to prevent this
Error: Process completed with exit code 101.

The release-rust.yml build runs cargo build --release --locked, but the v0.1.5 tag shipped a stale Cargo.lock — all three workspace members were still pinned at 0.1.4 while Cargo.toml declared 0.1.5.

Root cause

release-please.yml's "Sync Cargo.lock" step ran:

cargo update -p csp -p csp-cli

But csp stopped being a package name:

• the library crate was renamed csp → code-search-please for the crates.io publish (ci(release): publish library crate to crates.io via Trusted Publishing #53/docs: note the library is on crates.io as code-search-please #54), and
• csp-node was added (feat(sdk): remove deprecated TS implementation; add napi-rs SDK (@pleaseai/csp-sdk) #56) and was never in the update list.

So -p csp now hard-errors:

error: package ID specification `csp` did not match any packages

That failed the whole step, the release PR never committed a synced lockfile, and v0.1.5 was tagged with the stale 0.1.4 lock.

Fix

• Replace the brittle per-package list with cargo update --workspace, which re-locks every local member by its real package name (code-search-please / csp-cli / csp-node) without bumping external deps — and won't break again on future renames or new crates.
• Refresh the currently-stale Cargo.lock on main (members 0.1.4 → 0.1.5), so cargo build --locked / cargo test --locked pass again.

Verification

$ cargo update --workspace
    Updating code-search-please v0.1.4 -> v0.1.5
    Updating csp-cli v0.1.4 -> v0.1.5
    Updating csp-node v0.1.4 -> v0.1.5
$ cargo build --locked -p csp-cli   # ✅ compiles
$ cargo metadata --locked            # ✅ lock in sync

Note for maintainers

The v0.1.5 tag itself still points at the stale-lock commit, so re-running its release build won't help — cut 0.1.6 to ship released binaries.

---

Summary by cubic

Sync the full Rust workspace in Cargo.lock during releases to keep versions aligned and fix failing cargo build --locked release builds. Replaces brittle per-package updates with a workspace-wide re-lock that survives crate renames and new members, and triggers a patch release to ship the fix.

• Bug Fixes
  • Use cargo update --workspace in release-please.yml to re-lock only local members (no external bumps). Marked as a fix so release-please cuts 0.1.6 with the corrected workflow.
  • Refresh Cargo.lock on main (members 0.1.4 → 0.1.5) so cargo build --locked and tests pass.

^{Written for commit 85574e7. Summary will update on new commits.}

Summary by CodeRabbit

• Chores
  • Improved the release process so workspace dependency lockfiles are refreshed more consistently during release updates.

[coderabbitai]

📝 Walkthrough

Walkthrough

The release-please workflow now refreshes Cargo.lock with a workspace-wide cargo update in the Sync Cargo.lock step. The step comment is updated, and the commit/push behavior is unchanged.

Changes

Release workflow lockfile sync

Layer / File(s)	Summary
Workspace Cargo.lock refresh .github/workflows/release-please.yml	The Sync Cargo.lock step switches from per-package updates to cargo update --workspace, and its explanatory comment is updated.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• pleaseai/code-search#43 — Also changes .github/workflows/release-please.yml’s Sync Cargo.lock step and the scope of cargo update.
• pleaseai/code-search#53 — Adds a publish-crate job that relies on the lockfile behavior produced by the release workflow.

Poem

I nibbled the lockfile, hop by hop,
then let --workspace do the swap.
The release PR hums, tidy and bright,
with carrot-bright updates tucked in just right. 🐰

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly matches the main change: switching the release workflow to sync the full workspace Cargo.lock.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci/sync-cargo-lock-workspace

---

_{Comment @coderabbitai help to get the list of available commands.}

[gemini-code-assist]

Code Review

This pull request updates the version of the code-search-please, csp-cli, and csp-node packages from 0.1.4 to 0.1.5 in Cargo.lock. There are no review comments to assess, and I have no additional feedback to provide.

[greptile-apps]

Greptile Summary

This PR fixes a broken release pipeline caused by stale package names in the cargo update command. The Sync Cargo.lock step previously used -p csp -p csp-cli, which hard-errored after the library crate was renamed to code-search-please and csp-node was added, leaving Cargo.lock unupdated and causing cargo build --locked to fail on the tagged release commit.

• Workflow fix: Replaces cargo update -p csp -p csp-cli with cargo update --workspace, which re-locks all local workspace members by their real package names without touching external deps, and is immune to future renames or new crates.
• Lock file sync: Updates Cargo.lock on main so all three workspace members (code-search-please, csp-cli, csp-node) reflect version 0.1.5, unblocking cargo build --locked and cargo test --locked.

Confidence Score: 5/5

Safe to merge — the change is a targeted one-line fix in the release workflow and a mechanical lockfile sync with no external dependency changes.

The workflow change replaces a broken, name-sensitive command with the standard workspace-wide equivalent. The Cargo.lock update is exactly what cargo update --workspace produces: three local members bumped from 0.1.4 to 0.1.5, no external crates touched. The surrounding git-diff guard and commit/push logic is unchanged and correct.

No files require special attention.

Important Files Changed

Filename	Overview
.github/workflows/release-please.yml	Replaces brittle per-package cargo update -p ... with cargo update --workspace; fix is minimal, correct, and the surrounding logic (diff-check, git commit, push) is unchanged.
Cargo.lock	Bumps all three workspace members (code-search-please, csp-cli, csp-node) from 0.1.4 to 0.1.5; no external dependency versions changed, consistent with a --workspace-only update.

_{Reviews (2): Last reviewed commit: "fix(release): sync full workspace in Car..." | Re-trigger Greptile}

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 complexity · 0 duplication

Metric	Results
Complexity	0
Duplication	0

View in Codacy

_{NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud