fix: add --locked flag to cargo install cargo-llvm-cov in coverage.sh

xiaolai · xiaolai · commit 55be35a7630f · 2026-04-27T11:46:54.000+08:00
Without --locked, cargo resolves the newest compatible versions of all
transitive dependencies at install time, which can produce different
binaries across runs and pull in unreviewed dependency updates.
The --locked flag forces cargo to use the dependency versions pinned
in cargo-llvm-cov's own Cargo.lock, making the install reproducible.
diff --git a/.changeset/fix-pin-cargo-llvm-cov.md b/.changeset/fix-pin-cargo-llvm-cov.md
@@ -0,0 +1,5 @@
+---
+"@googleworkspace/cli": patch
+---
+
+Add --locked flag to cargo install cargo-llvm-cov in coverage.sh for reproducible installs
diff --git a/scripts/coverage.sh b/scripts/coverage.sh
@@ -18,7 +18,7 @@ set -euo pipefail
 # Check if cargo-llvm-cov is installed
 if ! cargo llvm-cov --version &> /dev/null; then
   echo "cargo-llvm-cov is not installed. Installing..."
-  cargo install cargo-llvm-cov
+  cargo install --locked cargo-llvm-cov
 fi
 
 # Run coverage and generate HTML report

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"@googleworkspace/cli": patch
 +---
++
 +Add --locked flag to cargo install cargo-llvm-cov in coverage.sh for reproducible installs