I wonder why you use --locked with cargo test in inside jobs, even if respecting the lockfile is the default behavior.
To my knowledge, only cargo install don't respect the lockfile
I see your great video about how to set up CI and even some extra explanations you gave on twitter

--locked may seem over-zealous (compared to leaving it off) since Cargo will respect the lockfile without it. But otherwise your lockfile will be allowed to drift with respect to your declared dependencies, losing its effect (avoiding CI failures unrelated to PR changes).

but I still struggle to understand why. Could you please elaborate on this?

Ah, so, the --locked is there to ensure that the checked-in Cargo.lock is actually up-to-date. The default behavior of Cargo isn't quite the same as --locked, as by default it will automatically update your Cargo.lock if you have added a new dependency to your Cargo.toml for example. If CI didn't check with --locked then you could make a change to your Cargo.toml, check in that change without checking in an updated lockfile, and then still have CI succeed even though your project actually doesn't build with the currently-present Cargo.lock.