CI: Verify Cargo.lock is in sync with Cargo.toml without updating dependencies #1471

@coderabbitai

Objective

  • Investigate and implement a non-mutating verification that ensures Rust Cargo.lock is in sync with Cargo.toml across the workspace, preserving deterministic CI runs and builds.

Motivation

  • Avoid non-deterministic behaviour caused by implicit lockfile updates during CI, and surface drift between manifests and the lockfile early.

Requirements

  • The CI step must fail if Cargo.lock is out-of-date or inconsistent with the manifest(s), without modifying any files.
  • Must work across the full Rust workspace (e.g., components/clp-rust-utils, components/log-ingestor).
  • Should be fast and safe to run in CI without producing build artefacts.

Approaches to evaluate (non-exhaustive)

  • Use cargo metadata --locked at the workspace root (and/or per member) to error when the lockfile is stale.
  • Use cargo fetch --locked to validate resolution without compiling.
  • Consider cargo check --locked -q as a fallback if needed.
  • Explore cargo tree --locked for dependency resolution verification without mutation.

Definition of Done

  • A dedicated step in .github/workflows/clp-rust-checks.yaml performs this verification and deterministically fails when Cargo.lock is not in sync, without altering repository files.
  • Developer docs (e.g., CONTRIBUTING.md or Taskfile) updated to explain how to run the check locally.

Backlinks

Assignee
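
An added example, not part of the issue and not the project's own script: a sketch of the first approach listed above (`cargo metadata --locked`), wrapped so that CI also fails if the lockfile's content changes while the check runs. The function names, the `CARGO` override, the `--check` argument and the return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Non-mutating Cargo.lock sync check (illustrative; names are hypothetical).
# CARGO can be overridden, e.g. to pin a toolchain wrapper or to test with a stub.
CARGO="${CARGO:-cargo}"

# Print a checksum of the file's content, or "absent" if it does not exist.
lock_digest() {
    if [ -f "$1" ]; then cksum < "$1"; else echo absent; fi
}

# verify_lock_in_sync WORKSPACE_ROOT
# Returns 0 if Cargo.lock satisfies the manifests, 1 if it is stale or
# missing, 2 if Cargo.lock changed while the check ran.
verify_lock_in_sync() {
    root="$1"
    lock="$root/Cargo.lock"
    if [ ! -f "$lock" ]; then
        echo "error: $lock is missing" >&2
        return 1
    fi
    before=$(lock_digest "$lock")
    # --locked makes cargo fail instead of rewriting the lockfile;
    # metadata resolves the whole workspace without compiling anything.
    if "$CARGO" metadata --locked --format-version 1 \
        --manifest-path "$root/Cargo.toml" > /dev/null; then
        status=0
    else
        echo "error: Cargo.lock is out of sync with Cargo.toml" >&2
        status=1
    fi
    after=$(lock_digest "$lock")
    # Belt and braces: the requirement is that no file is modified.
    if [ "$before" != "$after" ]; then
        echo "error: Cargo.lock was modified during the check" >&2
        return 2
    fi
    return "$status"
}

# Stand-alone use: sh check-lock.sh --check [WORKSPACE_ROOT]
if [ "${1:-}" = "--check" ]; then
    verify_lock_in_sync "${2:-.}"
    exit $?
fi
```
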
