From 84cbef80319e58f6e45a1d93a891bb821ba659e4 Mon Sep 17 00:00:00 2001
From: Brent
Date: Thu, 25 Jun 2026 16:09:53 -0400
Subject: [PATCH] fix(release): stamp Cargo.lock in sync-versions; publish --locked
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
sync-versions.mjs stamped rust/fetch/Cargo.toml on release but not Cargo.lock, so the lock pinned the old version — the release worked around it with `cargo publish --allow-dirty` (no --locked, non-reproducible). Now the script also stamps the lock's smooai-fetch entry (name-targeted so dependency versions are never touched), and the publish uses --locked --allow-dirty (reproducible lock + still tolerant of the in-place manifest edits at publish time). Verified: a simulated bump stamps toml+lock together, deps untouched, cargo build --locked builds.
Co-Authored-By: Claude Opus 4.8 (1M context)
Claude-Session: https://claude.ai/code/session_01U7Mn93HpqhSgEmX6tRdPAv
---
 .github/workflows/release.yml | 9 +++++----
 scripts/sync-versions.mjs | 10 ++++++++++
 2 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0fa794f..87ebf5b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -118,10 +118,11 @@ jobs:
 - name: Publish smooai-fetch to crates.io
 if: steps.changesets.outputs.published == 'true'
- # --allow-dirty is needed because sync-versions.mjs modifies
- # Cargo.toml (and rebuild updates Cargo.lock) between the
- # committed state and publish. --locked would reject that mismatch.
- run: cargo publish --allow-dirty --manifest-path rust/fetch/Cargo.toml
+ # --locked: sync-versions.mjs now stamps Cargo.lock in lockstep with
+ # Cargo.toml, so the lock matches and the publish build is reproducible.
+ # --allow-dirty: sync-versions.mjs modifies the manifests in-place at
+ # publish time (uncommitted), which --allow-dirty permits.
+ run: cargo publish --locked --allow-dirty --manifest-path rust/fetch/Cargo.toml
 env:
 CARGO_REGISTRY_TOKEN: ${{ secrets.SMOOAI_CARGO_REGISTRY_TOKEN }}
diff --git a/scripts/sync-versions.mjs b/scripts/sync-versions.mjs
index aba8f44..165410e 100755
--- a/scripts/sync-versions.mjs
+++ b/scripts/sync-versions.mjs
@@ -27,6 +27,16 @@ const files = [
 pattern: /^version = ".*"$/m,
 replacement: `version = "${version}"`,
 },
+ {
+ // Keep rust/fetch/Cargo.lock's own crate entry in lockstep with the Cargo.toml
+ // bump above — name-targeted so a same-versioned DEPENDENCY is never touched.
+ // Without this the lock pins the old version and `cargo build/publish --locked`
+ // rejects the mismatch (which is why the release used `--allow-dirty`); stamping
+ // it lets the publish run `--locked` reproducibly.
+ path: join(rootDir, 'rust', 'fetch', 'Cargo.lock'),
+ pattern: /(name = "smooai-fetch"\nversion = )"[^"]*"/,
+ replacement: `$1"${version}"`,
+ },
 {
 path: join(rootDir, 'go', 'fetch', 'version.go'),
 pattern: /const Version = ".*"/,
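Review bot: `--allow-dirty` on the new `run:` line is unscoped: it accepts every uncommitted change under the crate directory, not only the two files the script stamps, so anything an earlier step leaves in `rust/fetch` can be packaged and published by the step that holds the registry token. Consider a guard step immediately before it that fails when `git status --porcelain -- rust/fetch` lists anything other than `Cargo.toml` and `Cargo.lock`, and log `cargo package --list --allow-dirty --manifest-path rust/fetch/Cargo.toml` so the published file set is auditable. The new comment could state the expectation explicitly, e.g. `# --allow-dirty: the only expected dirty files are Cargo.toml and Cargo.lock`. The job and its earlier steps are outside the hunk, so whether anything else modifies the tree is inferred.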
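Review bot: The new `pattern` requires an exact `\n` between the `name` and `version` lines and gives no signal when it fails to match; if the apply loop uses a plain `String.replace` (it is outside the hunk, so this is inferred), a lock with CRLF line endings or a renamed crate is left unstamped and the mismatch surfaces only when `cargo publish --locked` rejects it, possibly after other packages have already been published. Accepting both line endings is a one-line change, `pattern: /(name = "smooai-fetch"\r?\nversion = )"[^"]*"/,`, and the loop should throw when an entry's pattern does not match its file. `version` is also interpolated into a replacement string, where `$` sequences are special, so validating it as semver before the loop would keep a malformed value out of the manifests and the lock. The `files` array starts and ends outside the hunk.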