Are there best practices w.r.t. `opam install --locked`?

Dear all,

I’m wondering whether there are best practices regarding the `opam install --locked` option, especially from a CI and packaging perspective?

The doc says it allows one “to share a set of dependencies that you know (locally) the project is working with”.

But to be more precise:

  1. Is it advised to commit a `project.opam.locked` in all projects?

If yes, this yields two standard ways to build the project (with `opam install --locked` or simply with `opam install`), so:

  1. Should the CI configuration build the project using the `project.opam.locked` or `project.opam` spec, or both (with two separate jobs in a fresh environment)?

  2. And for end users (assuming they build the project in a fresh switch), should we recommend using the `project.opam.locked` or `project.opam` spec?

  3. As an aside, are there standard ways (maybe semi-automatic?) to facilitate the update of a `project.opam.locked` spec?

Thanks for any references/suggestions,