From 16930dca708bfd24b284d8d88c94ffc3b0ade6a7 Mon Sep 17 00:00:00 2001
From: Shaun Arman
Date: Sun, 12 Apr 2026 18:28:07 -0500
Subject: [PATCH] =?UTF-8?q?fix(ci):=20address=20AI=20review=20=E2=80=94=20?= =?UTF-8?q?rustup=20idempotency=20and=20cargo=20--locked?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Dockerfiles:
- Merge rustup target add and component add into one chained RUN with || true guard, making it safe if rustfmt/clippy are already present in the base image's default toolchain profile (rust:1.88-slim default profile includes both; the guard is belt-and-suspenders)
test.yml:
- Add --locked to cargo clippy and cargo test to enforce Cargo.lock during CI, preventing silent dependency upgrades
Not addressed (accepted/out of scope):
- git in images: already installed in all three Dockerfiles (lines 19, 13, 15 respectively) — reviewer finding was incorrect
- HTTP registry: accepted risk for air-gapped self-hosted infrastructure
- Image signing (Cosign): no infrastructure in place yet
- Hardcoded registry IP: consistent with project-wide pattern
---
 .docker/Dockerfile.linux-amd64 | 4 ++--
 .docker/Dockerfile.linux-arm64 | 2 +-
 .gitea/workflows/test.yml | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/.docker/Dockerfile.linux-amd64 b/.docker/Dockerfile.linux-amd64
index 600862a1..50267841 100644
--- a/.docker/Dockerfile.linux-amd64
+++ b/.docker/Dockerfile.linux-amd64
@@ -21,5 +21,5 @@ RUN apt-get update -qq \
 && apt-get install -y --no-install-recommends nodejs \
 && rm -rf /var/lib/apt/lists/*
-RUN rustup target add x86_64-unknown-linux-gnu
-RUN rustup component add rustfmt clippy
+RUN rustup target add x86_64-unknown-linux-gnu \
+ && rustup component add rustfmt clippy || true
diff --git a/.docker/Dockerfile.linux-arm64 b/.docker/Dockerfile.linux-arm64
index 2c43af2c..be6a9f51 100644
--- a/.docker/Dockerfile.linux-arm64
+++ b/.docker/Dockerfile.linux-arm64
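Review bot: In `.docker/Dockerfile.linux-amd64` the new `|| true` covers the whole chain, not only the component step, because the shell reads `A && B || true` as `(A && B) || true`. A failed `rustup target add x86_64-unknown-linux-gnu` is therefore swallowed too, and the layer still builds. The arm64 Dockerfile in this same patch scopes the guard with parentheses; the matching form here is `&& (rustup component add rustfmt clippy || true)`. As far as I know `rustup component add` already exits 0 when the component is installed, so dropping the guard entirely would let a failed or rejected download stop the build instead of producing an image without the lint tools.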
@@ -41,6 +41,6 @@ RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
 RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y \
 --default-toolchain 1.88.0 --profile minimal --no-modify-path \
 && /root/.cargo/bin/rustup target add aarch64-unknown-linux-gnu \
- && /root/.cargo/bin/rustup component add rustfmt clippy
+ && (/root/.cargo/bin/rustup component add rustfmt clippy || true)
 ENV PATH="/root/.cargo/bin:${PATH}"
diff --git a/.gitea/workflows/test.yml b/.gitea/workflows/test.yml
index 1613500c..a87baff0 100644
--- a/.gitea/workflows/test.yml
+++ b/.gitea/workflows/test.yml
@@ -72,7 +72,7 @@ jobs:
 key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
 restore-keys: |
 ${{ runner.os }}-cargo-
- - run: cargo clippy --manifest-path src-tauri/Cargo.toml -- -D warnings
+ - run: cargo clippy --locked --manifest-path src-tauri/Cargo.toml -- -D warnings
 rust-tests:
 runs-on: ubuntu-latest
@@ -107,7 +107,7 @@ jobs:
 key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
 restore-keys: |
 ${{ runner.os }}-cargo-
- - run: cargo test --manifest-path src-tauri/Cargo.toml -- --test-threads=1
+ - run: cargo test --locked --manifest-path src-tauri/Cargo.toml -- --test-threads=1
 frontend-typecheck:
 runs-on: ubuntu-latest
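Review bot: The `|| true` on `rustup component add rustfmt clippy` in the arm64 image guards the only step that installs those components, since the toolchain is installed two lines earlier with `--profile minimal`, which does not include rustfmt or clippy. The commit message's rationale (the default profile already ships both) is stated for the `rust:1.88-slim` base and does not appear to apply to this file. A network or verification failure at this step would now yield an image that builds cleanly and only fails later, when CI invokes clippy. I would keep the line strict, `&& /root/.cargo/bin/rustup component add rustfmt clippy`, or follow the guarded call with `&& /root/.cargo/bin/cargo clippy --version && /root/.cargo/bin/cargo fmt --version` so a missing component still fails the build.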
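Review bot: Both changed steps (`cargo clippy` in the `@@ -72,7` hunk and `cargo test` in the `@@ -107,7` hunk) gain `--locked` with no comment explaining why, so the flag is easy to drop in a later edit. I would put `# --locked: fail if Cargo.lock is missing or stale instead of re-resolving dependencies` above each step. `--locked` still lets cargo fetch the pinned versions over the network. If these runners are meant to build from a cached or vendored registry only, as the "air-gapped" remark in the commit message suggests, `--frozen` would enforce that as well. The rest of the workflow is outside these hunks, so that last point is a question rather than a finding.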