Enables lockfile workflow with sbt-dependency-lock

Caveats of this:

1. [Crossbuilds may not be supported][crossbuilds], impacting #84.
2. The hash used is SHA1, which is deprecated including by [NIST][nist].
   Some work is in draft PRs for introducing a new version of the
   lockfile that may enable SHA256 or other hash algorithms.

Fixes #129

[crossbuilds]: stringbean/sbt-dependency-lock#13
[nist]: https://www.nist.gov/news-events/news/2022/12/nist-retires-sha-1-cryptographic-algorithm

Author: colindean

.github/.scala-steward.conf

@@ -68,10 +68,10 @@ updates.ignore = [ { groupId = "org.scala-lang", artifactId = "scala-library" }
 
 # If set, Scala Steward will use this message template for the commit messages and PR titles.
 # Supported variables: ${artifactName}, ${currentVersion}, ${nextVersion} and ${default}
-# Default: "${default}" which is equivalent to "Update ${artifactName} to ${nextVersion}" 
+# Default: "${default}" which is equivalent to "Update ${artifactName} to ${nextVersion}"
 commits.message = "Update ${artifactName} from ${currentVersion} to ${nextVersion}"
 
-# If true and when upgrading version in .scalafmt.conf, Scala Steward will perform scalafmt 
+# If true and when upgrading version in .scalafmt.conf, Scala Steward will perform scalafmt
 # and add a separate commit when format changed. So you don't need reformat manually and can merge PR.
 # If false, Scala Steward will not perform scalafmt, so your CI may abort when reformat needed.
 # Default: true
@@ -90,9 +90,13 @@ scalafmt.runAfterUpgrading = false
 #   groupId = "com.github.sbt",
 #   artifactId = "sbt-protobuf"
 # }]
+postUpdateHooks = [{
+  command = ["sbt", "dependencyLockWrite"],
+  commitMessage = "Regenerated sbt lock file"
+}]
 
 # You can override some config options for dependencies that matches the given pattern.
-# Currently, "pullRequests" can be overridden.  
+# Currently, "pullRequests" can be overridden.
 # Each pattern must have `groupId`, and may have `artifactId` and `version`.
 # First-matched entry is used.
 # More-specific entry should be placed before less-specific entry.

.github/workflows/ci.yaml

@@ -36,4 +36,4 @@ jobs:
           key: ${{ runner.os }}-sbt-cache-v2-${{ hashFiles('**/*.sbt') }}-${{ hashFiles('project/build.properties') }}
 
       - name: Build, test, and package project
-        run: bin/sbt clean compile test package makePom
+        run: bin/sbt clean update dependencyLockCheck compile test package makePom

.github/workflows/release.yaml

@@ -33,7 +33,7 @@ jobs:
             ~/AppData/Local/Coursier/Cache/v1
             ~/Library/Caches/Coursier/v1
           key: ${{ runner.os }}-sbt-cache-v2-${{ hashFiles('**/*.sbt') }}-${{ hashFiles('project/build.properties') }}
-      
+
       # uses sbt-github-packages, see build.sbt
       - name: Publish with SBT
-        run: bin/sbt publish
+        run: bin/sbt dependencyLockCheck publish

Makefile

@@ -21,10 +21,18 @@ test: ## Runs tests
 check: ## Runs linters and other checks
 	$(SBT) scalastyle
 
+.PHONY: check-deps
+check-deps: ## Checks dependencies are what are expected
+	$(SBT) dependencyLockCheck
+
 .PHONY: build
 build:
 	$(SBT) assembly
 
+.PHONY: relock
+relock: ## Lock dependencies based on what's currently referenced
+	$(SBT) dependencyLockWrite
+
 .PHONY: format-scala
 format-scala: ## Formats all Scala code
 	$(SBT) scalafmt