
bin: pre-push hook to catch stale Cargo.lock #36130

Draft
jasonhernandez wants to merge 1 commit into main from jasonhernandez/pre-push-cargo-lock

@jasonhernandez
Contributor

Summary

  • Adds bin/git-hook-pre-push that fails fast (~0.5s) with `cargo metadata --locked --offline` when pushed commits leave Cargo.lock out of sync with Cargo.toml.
  • Only runs when the push actually touches Cargo.toml or Cargo.lock, so non-Rust pushes are unaffected.
  • Documents the one-line install in CLAUDE.md under the existing Cargo.lock section.

Motivated by #35704, where a missing Cargo.lock line sank both lint-and-rustfmt (check-no-diff.sh) and lint-dependencies (`cargo tree --locked` refuses to run against a stale lock). This hook would have caught it before the 15-minute CI round-trip.

Install is opt-in per clone:

  ln -sf ../../bin/git-hook-pre-push .git/hooks/pre-push

Bypass with `git push --no-verify` if ever needed.

Test plan

  • Verified hook exits 0 on a clean push (no Cargo changes, or Cargo changes with fresh lockfile).
  • Verified hook exits 1 with the actionable message against the exact state from authenticator: zeroize ValidatedClaims and OidcClaims on drop #35704 (Cargo.toml added zeroize without updated Cargo.lock).
  • Draft pending team review of the approach before flipping to ready.

🤖 Generated with Claude Code

Adds bin/git-hook-pre-push, which runs `cargo metadata --locked
--offline` (~0.5s) when the pushed commits touch any Cargo.toml or
Cargo.lock. If Cargo.lock is out of sync, the push is rejected with an
actionable message instead of a 15-minute CI round-trip.

Motivated by #35704, where a workspace dep was added but Cargo.lock
wasn't committed, failing lint-and-rustfmt (check-no-diff.sh) and
lint-dependencies (cargo tree --locked refused to run).

Install is opt-in per clone:

  ln -sf ../../bin/git-hook-pre-push .git/hooks/pre-push

Bypass with `git push --no-verify` if needed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
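
The approach described in this pull request, as an added sketch (not the PR's own bin/git-hook-pre-push, whose contents are not shown on this page): it parses the ref lines git passes to a pre-push hook, checks whether the pushed range touches a Cargo.toml or Cargo.lock, and only then runs `cargo metadata --locked --offline`. The helper names `is_zero`, `push_range`, `touches_cargo`, the `BASE_REF` variable and its `origin/main` default are assumptions made for this example.

```shell
#!/bin/sh
# Added sketch of a pre-push hook; not the PR's bin/git-hook-pre-push.
# Git passes one line per pushed ref on stdin:
#   <local ref> <local sha> <remote ref> <remote sha>

BASE_REF=${BASE_REF:-origin/main}   # assumption: base used for brand-new refs

# True when an object id is all zeros (git's "no such ref" marker).
is_zero() { case "$1" in *[!0]*) return 1 ;; esac; return 0; }

# Print the diff range for one pushed ref; print nothing for a deletion.
push_range() {  # $1 = local sha, $2 = remote sha
    if is_zero "$1"; then
        return 0                                  # ref deleted, nothing to check
    elif is_zero "$2"; then
        printf '%s\n' "${BASE_REF}...$1"          # new ref: diff from merge base
    else
        printf '%s\n' "$2..$1"                    # update: old tip to new tip
    fi
}

# Read a path list on stdin; succeed if any entry is a Cargo.toml or Cargo.lock.
touches_cargo() { grep -Eq '(^|/)Cargo\.(toml|lock)$'; }

main() {
    check=no
    while read -r _lref local_sha _rref remote_sha; do
        range=$(push_range "$local_sha" "$remote_sha")
        [ -n "$range" ] || continue
        if git diff --name-only "$range" | touches_cargo; then
            check=yes
        fi
    done
    [ "$check" = yes ] || return 0                # no Cargo files pushed: skip
    # Note: cargo reads the working tree, not the pushed commits themselves.
    if ! cargo metadata --locked --offline --format-version 1 >/dev/null; then
        echo "pre-push: cargo metadata --locked --offline failed;" \
             "Cargo.lock is probably stale. Update and commit it," \
             "or bypass with: git push --no-verify" >&2
        return 1
    fi
}

# Run only when invoked as .git/hooks/pre-push, so the file can also be sourced.
case "${0##*/}" in pre-push) main "$@" ;; esac
```

Because a client-side hook is opt-in and skippable with `--no-verify`, the `--locked` checks in CI remain the enforcement point; the hook only shortens the feedback loop.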