From 85574e7a32a036b4352207ff4f37028a5b970872 Mon Sep 17 00:00:00 2001
From: Minsu Lee <minsu.lee@dietfriends.kr>
Date: Thu, 25 Jun 2026 20:19:37 +0900
Subject: [PATCH] fix(release): sync full workspace in Cargo.lock on release
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The "Sync Cargo.lock" step ran `cargo update -p csp -p csp-cli`, but `csp`
stopped being a package name once the library crate was renamed to
code-search-please (crates.io publish, #53/#54) and csp-node was added
(#56). `-p csp` now errors with "package ID specification `csp` did not
match any packages", failing the step — so the release PR never synced
the lockfile and v0.1.5 shipped a stale 0.1.4 Cargo.lock. The release
build's `cargo build --locked` then fails: cannot update Cargo.lock.

Use `cargo update --workspace`, which re-locks every local member by its
real package name without bumping external deps, and refresh the stale
lockfile (members 0.1.4 -> 0.1.5) on main.

Typed `fix:` (not `ci:`) on purpose: v0.1.5 is a dud release (its tag
points at the stale-lock commit, so it can never be rebuilt), and a `ci:`
commit would not make release-please cut a new version. `fix:` triggers
the 0.1.6 patch release that actually ships binaries with the corrected
lockfile sync.
---
 .github/workflows/release-please.yml | 12 ++++++++----
 Cargo.lock                           |  6 +++---
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 033cbec..b09d7ed 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -63,13 +63,17 @@ jobs:
 
       # release-please bumps the workspace version in Cargo.toml (via the
       # x-release-please-version annotation) but does not touch Cargo.lock, so
-      # the csp/csp-cli entries stay at the previous version and the release
-      # build's `cargo build --locked` fails. Refresh the member versions in the
-      # lockfile and commit it into the release PR. Mirrors the bun.lock sync.
+      # every workspace member stays at the previous version and the release
+      # build's `cargo build --locked` fails. `--workspace` re-locks only the
+      # local members by their real package names (code-search-please / csp-cli
+      # / csp-node) — it does not bump external deps. Don't name packages
+      # explicitly: `-p csp` broke once the lib crate was renamed to
+      # code-search-please and csp-node was added. Commit it into the release
+      # PR. Mirrors the bun.lock sync.
       - name: Sync Cargo.lock
         if: ${{ steps.release.outputs.pr }}
         run: |
-          cargo update -p csp -p csp-cli
+          cargo update --workspace
           if git diff --quiet Cargo.lock; then
             echo "Cargo.lock already in sync"
           else
diff --git a/Cargo.lock b/Cargo.lock
index e202a79..403838c 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -280,7 +280,7 @@ checksum = "c8d4a3bb8b1e0c1050499d1815f5ab16d04f0959b233085fb31653fbfc9d98f9"
 
 [[package]]
 name = "code-search-please"
-version = "0.1.4"
+version = "0.1.5"
 dependencies = [
  "fancy-regex",
  "ignore",
@@ -470,7 +470,7 @@ dependencies = [
 
 [[package]]
 name = "csp-cli"
-version = "0.1.4"
+version = "0.1.5"
 dependencies = [
  "anyhow",
  "clap",
@@ -485,7 +485,7 @@ dependencies = [
 
 [[package]]
 name = "csp-node"
-version = "0.1.4"
+version = "0.1.5"
 dependencies = [
  "code-search-please",
  "napi",