diff --git a/.ci/argo-workflows/pdftract-ci.yaml b/.ci/argo-workflows/pdftract-ci.yaml index 75044e5..171f4c8 100644 --- a/.ci/argo-workflows/pdftract-ci.yaml +++ b/.ci/argo-workflows/pdftract-ci.yaml @@ -209,6 +209,9 @@ spec: # === Setup Step === # Clones repo, fetches dependencies, warms cargo cache # Filled in by subsequent Phase 0 bead + # + # CRITICAL: All cargo commands in this workflow MUST use --locked (or --locked --frozen) + # to enforce the workspace Cargo.lock policy. See CONTRIBUTING.md for details. - name: setup activeDeadlineSeconds: 600 container: @@ -425,6 +428,9 @@ spec: # - default features on x86_64-unknown-linux-musl # - all features on x86_64-unknown-linux-gnu (with OCR system libs) # Filled in by subsequent Phase 0 bead + # + # CRITICAL: All cargo commands MUST use --locked (or --locked --frozen) + # Example: cargo test --locked --all-features - name: test-matrix activeDeadlineSeconds: 1800 container: @@ -451,6 +457,12 @@ spec: # === Quality Matrix === # Run linting (clippy, fmt), security audit (cargo-audit), dependency review # Filled in by subsequent Phase 0 bead + # + # CRITICAL: All cargo commands MUST use --locked (or --locked --frozen) + # Examples: + # - cargo clippy --locked --all-targets --all-features + # - cargo fmt --check + # - cargo audit --locked (if supported) - name: quality-matrix activeDeadlineSeconds: 900 container: @@ -915,6 +927,10 @@ spec: # === Publish If Tag === # On milestone tags, upload binaries to GitHub Releases # Filled in by subsequent Phase 0 bead + # + # CRITICAL: All cargo commands MUST use --locked (or --locked --frozen) + # The build step already uses --locked, so artifacts are reproducible. + # This step only uploads pre-built binaries to GitHub Releases. - name: publish-if-tag activeDeadlineSeconds: 600 container: diff --git a/.renovaterc.json b/.renovaterc.json index 9fc4653..3aa108b 100644 --- a/.renovaterc.json +++ b/.renovaterc.json @@ -5,7 +5,7 @@ ], "lockFileMaintenance": { "enabled": true, - "schedule": ["every weekday"], + "schedule": ["before 6am on Monday"], "automerge": false, "commitMessageAction": "Lockfile maintenance", "commitMessageTopic": "{{{groupName}}}", diff --git a/notes/pdftract-49f8.md b/notes/pdftract-49f8.md index 777e520..9c5b388 100644 --- a/notes/pdftract-49f8.md +++ b/notes/pdftract-49f8.md @@ -12,12 +12,13 @@ Established and enforced the Cargo.lock policy for reproducible builds across al - **Status:** Tracked by git, not excluded by .gitignore ### 2. Argo Workflow Updates -- **File:** `/home/coding/declarative-config/k8s/iad-ci/argo-workflows/pdftract-ci.yaml` +- **File:** `/home/coding/pdftract/.ci/argo-workflows/pdftract-ci.yaml` - **Changes:** + - Added CRITICAL comments to `setup` template specifying `--locked` / `--frozen` requirements - Added CRITICAL comments to `test-matrix` template specifying `--locked` / `--frozen` requirements - Added CRITICAL comments to `quality-matrix` template specifying `--locked` / `--frozen` requirements - - Added CRITICAL comments to `bench-matrix` template specifying `--locked` / `--frozen` requirements - - Existing `build-target` template already had `--locked` at line 316 + - Added CRITICAL comments to `publish-if-tag` template specifying `--locked` / `--frozen` requirements + - Existing `build-target` template already had `--locked` at line 355 ### 3. CONTRIBUTING.md Created - **File:** `/home/coding/pdftract/CONTRIBUTING.md` @@ -30,10 +31,11 @@ Established and enforced the Cargo.lock policy for reproducible builds across al ### 4. Renovate Config Created - **File:** `/home/coding/pdftract/.renovaterc.json` - **Configuration:** - - Weekly lockfile maintenance PRs (weekdays) + - Weekly lockfile maintenance PRs (before 6am on Monday) - Human-gated automerge (false) - Separate lockfile-only PRs from dependency updates - `labels: ["lockfile-only"]` for easy identification +- **Update:** Changed schedule from `"every weekday"` to `"before 6am on Monday"` to meet bead requirement for weekly PRs ### 5. crates/pdftract-core/README.md Created - **File:** `/home/coding/pdftract/crates/pdftract-core/README.md`