Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Build in CI with --locked #96

Merged
merged 1 commit into from
May 29, 2024
Merged

Build in CI with --locked #96

merged 1 commit into from
May 29, 2024

Conversation

faern
Copy link
Member

@faern faern commented May 29, 2024
edited
Loading

Small follow-up to #89

This ensures the Cargo.lock file stays up to date. If someone add or change a dependency in a way that require lockfile changes, the CI should fail. When the lockfile is versioned it has to stay up to date

This change is Reviewable

@faern faern requested a review from Serock3 May 29, 2024 14:56
Serock3
Serock3 approved these changes May 29, 2024
View reviewed changes
Copy link

@Serock3 Serock3 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:lgtm:

Reviewed 1 of 1 files at r1, all commit messages.
Reviewable status: :shipit: complete! all files reviewed, all discussions resolved

@faern
Build in CI with --locked
8ac5795 
This ensures the Cargo.lock file stays up to date. If someone add or
change a dependency in a way that require lockfile changes, the CI
should fail. When the lockfile is versioned it has to stay up to date
@faern faern force-pushed the build-with-locked-lockfile branch from b23778d to 8ac5795 Compare May 29, 2024 15:18
@Serock3
Copy link

Serock3 commented May 29, 2024

I suppose we don't want to force gpg key signatures on commits that change the lockfile, right?

@faern
Copy link
Member Author

faern commented May 29, 2024

I suppose we don't want to force gpg key signatures on commits that change the lockfile, right?

We don't have the infrastructure in place to check GPG signatures anywhere but our main repository. The keys are locally checked in there and that's why we can do it there. We have not worked on generalizing it to be able to check other repositories.

We don't really check in the lockfile in this crate for supply chain security. More for CI and debug stability/reproducibility.

@faern faern merged commit 8548959 into main May 29, 2024
6 of 7 checks passed
@faern faern deleted the build-with-locked-lockfile branch May 29, 2024 15:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Serock3 Serock3 Serock3 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@faern @Serock3