Fix Cargo.lock and add check to ensure the working tree remains clean after build

[qmonnet]

Update Cargo.lock to account for the project version change for the latest crate, dataplane-acl.

To avoid missing things in the future such as Cargo.lock updates for new crates when a PR has been created before a version bump (which we should catch at least in the merge queue with the proposed step), or any other file generated in-tree during the build, add a dedicated step to the dev.yml workflow.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 3adc6594-3140-46b4-9f65-6dd980a1050f

📥 Commits

Reviewing files that changed from the base of the PR and between fe0ec69 and 8e96921.

⛔ Files ignored due to path filters (1)

• Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (1)

• .github/workflows/dev.yml

---

📝 Walkthrough

Walkthrough

A verify-clean-tree YAML anchor is added to .github/workflows/dev.yml. The step runs a bash script that checks git status --porcelain and fails the job if the working tree is dirty, printing git status and git diff output with a Cargo.lock update hint. The anchor is then applied in the build job after the container push step.

Changes

CI Dirty-Tree Verification

Layer / File(s)	Summary
verify-clean-tree anchor definition and usage .github/workflows/dev.yml	Defines an anchored YAML step with a bash script that checks for dirty git state, prints diagnostics, and fails with a Cargo.lock hint; reuses the anchor in the build job after the container push step.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the two main changes: updating Cargo.lock and adding a CI check to ensure the working tree stays clean after builds.
Description check	✅ Passed	The description is clearly related to the changeset, explaining both the Cargo.lock update and the rationale for adding the new CI verification step.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[qmonnet]

Without the Cargo.lock fix, this fails as expected 🎉

[Copilot]

Pull request overview

Updates the Rust lockfile for the recent dataplane-acl workspace version bump and adds a CI safeguard to detect when build/test steps leave tracked files modified (e.g., an uncommitted Cargo.lock update).

Changes:

• Bump dataplane-acl’s recorded version in Cargo.lock to 0.22.0.
• Add a verify-clean-tree step (via YAML anchor) to fail the workflow if git status is dirty after running build-related steps.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File	Description
Cargo.lock	Updates the dataplane-acl package version to match the workspace version bump.
.github/workflows/dev.yml	Adds a post-build git status cleanliness check and reuses it across jobs via an anchor.

[qmonnet]

And it passes with the Cargo.lock fix. Seems all good.