kevinjqliu opened a new pull request, #746: URL: https://github.com/apache/arrow-rs-object-store/pull/746
## What

Pass `--locked` to the `cargo install` invocations for `cargo-msrv` and `cargo-audit` in CI.

## Why

Observed on https://github.com/apache/arrow-rs-object-store/pull/724 — failing run: https://github.com/apache/arrow-rs-object-store/actions/runs/27380222949/job/80920110172?pr=724

Without `--locked`, `cargo install` ignores the `Cargo.lock` published alongside the tool and re-resolves all transitive dependencies to the latest semver-compatible versions at install time. This can pick up upstream releases that the tool's maintainers never tested against, leading to install failures that have nothing to do with our code.

The MSRV job is currently failing for this reason. `cargo-msrv 0.19.3` transitively depends on the AWS SDK (via `rust-releases`, which fetches the Rust release index from S3). Without `--locked`, cargo resolves `aws-runtime` to `1.7.4`, which does not compile on recent rustc due to a type-inference regression in its SigV4 signer:

```
error[E0282]: type annotations needed
   --> aws-runtime-1.7.4/src/auth/sigv4.rs:278:22
    |
278 |                     .send(Box::new(SigV4MessageSigner::new(
    |                      ^^^^ cannot infer type of the type parameter `T`
```

cargo-msrv's published `Cargo.lock` pins `aws-runtime 1.7.2`, which builds cleanly. `--locked` tells cargo to honor it.
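
A CI lint for the failure mode described in the pull request above, as an added example that is not part of the pull request or the project's code: the shell function `find_unlocked_installs` (a hypothetical name) reports `cargo install` commands in workflow files that omit `--locked`. It assumes one command per logical line and treats a trailing backslash as a continuation.

```shell
#!/bin/sh
# Added example: flag `cargo install` commands in CI files that omit --locked.
# The function name is an assumption for illustration.

# Prints "file:line: command" for each install without --locked.
# Returns 1 if any were found, 0 otherwise.
find_unlocked_installs() {
    awk '
        function check(c, f, n) {
            if (c ~ /^[ \t]*#/) return                      # skip comment lines
            if (c !~ /cargo[ \t]+install([ \t]|$)/) return  # not an install
            if (c ~ /(^|[ \t])--locked([ \t]|$)/) return    # lockfile honored
            gsub(/[ \t]+/, " ", c); sub(/^ /, "", c)        # normalize spacing
            printf "%s:%d: %s\n", f, n, c
            found = 1
        }
        FNR == 1 { cmd = "" }            # reset continuation state per file
        {
            line = $0
            if (cmd == "") start = FNR   # first line of the logical command
            # Join backslash-continued lines into one logical command.
            if (line ~ /\\[ \t]*$/) {
                sub(/\\[ \t]*$/, "", line)
                cmd = cmd line " "
                next
            }
            check(cmd line, FILENAME, start)
            cmd = ""
        }
        END { exit found ? 1 : 0 }
    ' "$@"
}

# Run as a script: pass workflow files as arguments, e.g. .github/workflows/*.yml
if [ "$#" -gt 0 ]; then
    find_unlocked_installs "$@"
fi
```

A non-zero exit status lets the check fail a CI job before an unlocked install re-resolves a tool's dependencies.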
