From 2ca035ade298e19eb12e7e724ff38e24e68b6523 Mon Sep 17 00:00:00 2001
From: "claude[bot]" <claude[bot]@users.noreply.github.com>
Date: Sat, 25 Apr 2026 12:20:06 +0000
Subject: [PATCH] fix: add --locked flag to cargo install cargo-llvm-cov in
 coverage.sh

Without --locked, cargo resolves the newest compatible versions of all
transitive dependencies at install time, which can produce different
binaries across runs and pull in unreviewed dependency updates.
The --locked flag forces cargo to use the dependency versions pinned
in cargo-llvm-cov's own Cargo.lock, making the install reproducible.

Co-Authored-By: Claude Code <noreply@anthropic.com>
---
 .changeset/fix-pin-cargo-llvm-cov.md | 5 +++++
 scripts/coverage.sh                  | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 .changeset/fix-pin-cargo-llvm-cov.md

diff --git a/.changeset/fix-pin-cargo-llvm-cov.md b/.changeset/fix-pin-cargo-llvm-cov.md
new file mode 100644
index 00000000..8fbe3da6
--- /dev/null
+++ b/.changeset/fix-pin-cargo-llvm-cov.md
@@ -0,0 +1,5 @@
+---
+"@googleworkspace/cli": patch
+---
+
+Add --locked flag to cargo install cargo-llvm-cov in coverage.sh for reproducible installs
diff --git a/scripts/coverage.sh b/scripts/coverage.sh
index 41df484f..9f56916f 100755
--- a/scripts/coverage.sh
+++ b/scripts/coverage.sh
@@ -18,7 +18,7 @@ set -euo pipefail
 # Check if cargo-llvm-cov is installed
 if ! cargo llvm-cov --version &> /dev/null; then
   echo "cargo-llvm-cov is not installed. Installing..."
-  cargo install cargo-llvm-cov
+  cargo install --locked cargo-llvm-cov
 fi
 
 # Run coverage and generate HTML report