
ci(tbtc/signer): pin cargo dependency resolution with --locked#4113

Merged
mswilkison merged 1 commit into
extraction/frost-signer-mirror-2026-05-26from
fix/signer-ci-locked
Jun 26, 2026

Conversation

@mswilkison

Contributor

Summary

Follow-up to #4005 (FROST/ROAST signer). Pins cargo dependency resolution in CI and the release build.

The signer-dependency-audit job runs cargo-deny against the committed Cargo.lock, but the clippy/test jobs and build.sh resolved dependencies without --locked. A PR that edits Cargo.toml so the committed lock no longer satisfies it would let those jobs silently re-resolve to newer, unaudited crate versions (running their build scripts and proc-macros on the runner) while the advisory gate still audits the stale lock — so the security gate and the code actually exercised could diverge.

Fix

Adds --locked to the clippy, test, formal-test, and release-build invocations so a lock/manifest mismatch fails loudly instead of silently re-resolving. cargo fmt is intentionally left unchanged (it does not accept --locked).

Found during review of #4005.

🤖 Generated with Claude Code

The signer-dependency-audit job runs cargo-deny against the committed
Cargo.lock, but the clippy/test jobs and build.sh resolved dependencies
without --locked. A PR that edits Cargo.toml so the committed lock no longer
satisfies it would let those jobs silently re-resolve to newer, unaudited
crate versions (running their build scripts and proc-macros on the runner)
while the advisory gate still audits the stale lock -- so the security gate
and the code actually exercised could diverge.

Add --locked to the clippy, test, formal-test, and release-build invocations
so a lock/manifest mismatch fails loudly instead of silently re-resolving.
cargo fmt is intentionally left unchanged (it does not accept --locked).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
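The failure mode described in the summary (CI jobs quietly re-resolving a stale Cargo.lock while the audit job still checks the committed one) is easy to reintroduce whenever a new `cargo` step is added to a workflow. The following is an added example, not code from this PR or the repository: a small POSIX shell lint that scans a workflow or build script for `cargo` invocations missing `--locked`, exempts `cargo fmt` (which does not accept the flag), and can rewrite the offending lines. The sample workflow fragment is constructed to mirror the pre-fix state the PR describes; the function names `write_sample`, `count_unlocked` and `fix_unlocked` are hypothetical.

```shell
#!/bin/sh
# Added example: lint CI files for cargo invocations that resolve
# dependencies without --locked. Not part of the PR; sample input is constructed.

# Constructed sample mimicking the pre-fix workflow: fmt, clippy, test,
# formal-test and release build, none pinned with --locked.
write_sample() {
    cat > "$1" <<'EOF'
      - run: cargo fmt --all -- --check
      - run: cargo clippy --all-targets -- -D warnings
      - run: cargo test --workspace
      - run: cargo test --features formal
      - run: cargo build --release
EOF
}

# Print the number of cargo invocations in FILE that lack --locked.
# `cargo fmt` is exempt because it does not accept the flag.
count_unlocked() {
    file="$1"
    grep -E '(^|[^[:alnum:]_])cargo[[:space:]]+[[:alnum:]-]+' "$file" \
        | grep -vE 'cargo[[:space:]]+fmt([[:space:]]|$)' \
        | grep -vcE -- '--locked([[:space:]]|$)' || true
}

# Emit FILE to stdout with --locked inserted after build/clippy/test
# subcommands on lines that do not already carry it.
fix_unlocked() {
    sed -E '/--locked/!s/(cargo[[:space:]]+(build|clippy|test))/\1 --locked/' "$1"
}

# Demo run on the constructed sample.
demo=$(mktemp)
write_sample "$demo"
printf 'unlocked cargo invocations before fix: %s\n' "$(count_unlocked "$demo")"
fix_unlocked "$demo" > "$demo.fixed"
printf 'unlocked cargo invocations after fix: %s\n' "$(count_unlocked "$demo.fixed")"
rm -f "$demo" "$demo.fixed"
```

Run as a CI step against the workflow files and `build.sh` and fail the job when the count is non-zero; with `--locked` in place, a manifest edit that the committed lock no longer satisfies makes cargo exit with an error instead of re-resolving, so the versions cargo-deny audited are the versions that actually get built.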
@coderabbitai

coderabbitai Bot commented Jun 26, 2026


Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: b859e85e-0d80-4227-9e75-0a97392ec2a9

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@mswilkison mswilkison merged commit b548ac4 into extraction/frost-signer-mirror-2026-05-26 Jun 26, 2026
20 checks passed
@mswilkison mswilkison deleted the fix/signer-ci-locked branch June 26, 2026 16:12