Commit Cargo.lock for rust/otap-dataflow workspace

[cijothomas]

The rust/otap-dataflow workspace produces binaries (e.g. df_engine) but does not check in a Cargo.lock. Every CI run re-resolves dependencies, so an upstream release can break main with no source change on our side — as happened today with time 0.3.48 (worked around in #3282, mirroring open-telemetry/opentelemetry-rust-contrib#648).

Proposal:

• Commit rust/otap-dataflow/Cargo.lock.
• Run CI with --locked so dep updates show up as explicit diffs in PRs.
• Let Renovate/Dependabot drive intentional bumps.

[drewrelmas]

This could also be a good first issue if others agree? Fairly focused.