[cargo-concordium] Reproducible builds fail for contracts that .gitignore Cargo.lock

[lassemoldrup]

When creating a reproducible build with the --verifiable flag, files that are .gitignored are not added to the docker image. This causes the build to fail in projects where Cargo.lock is ignored, which is recommended for library crates (https://github.com/rust-lang/cargo/issues/315). An example of this is any smart contract in the concordium-rust-smart-contracts repo.

We should decide whether this is acceptable or if we should make an exception for Cargo.lock.

[abizjak]

There are two things to say here

• smart contracts cannot be library crates. They have to be cdylib as well, and for those it is recommended to have Cargo.lock committed.
• You can always add !Cargo.lock to an extra .ignore file as documented in the README.

And additionally, the reason we don't commit the lock files for those example contracts is that they are examples, they are not meant as artifacts themselves.

So the only thing that should be done is to add those .ignore files so that reproducible builds also work out of the box for our examples.