Skip to content

image(rust): pin rustup-init checksum via committed checksum files#158

Merged
nozaq merged 1 commit into
mainfrom
claude/pr-pin-checksums
Jul 13, 2026
Merged

image(rust): pin rustup-init checksum via committed checksum files#158
nozaq merged 1 commit into
mainfrom
claude/pr-pin-checksums

Conversation

@nozaq

@nozaq nozaq commented Jul 12, 2026

Copy link
Copy Markdown
Member

Reworked based on feedback: instead of storing a raw checksum value in build.yaml and re-deriving it via a dedicated update-checksums.yml workflow, commit the checksum file itself (rust/rustup-init-{amd64,arm64}.sha256), matching the existing pattern already used for every other image's signing key/keyring (bun/bun-signing-key.asc, mise/mise-minisign.pub, node/node-keyring.kbx, etc.). update-keys.yml already existed to keep exactly that kind of file in sync, so it's generalized (and renamed update-material.yml, since its job is no longer limited to signing keys) to support per-version URLs instead of introducing a second, near-duplicate workflow.

Summary

  • rustup publishes no signature for rustup-init, so it had no independent trust anchor — the checksum file was previously fetched at build time from the same server as the binary.
  • Commit rust/rustup-init-amd64.sha256 / rust/rustup-init-arm64.sha256 and bind-mount them into rust/Dockerfile's build for direct sha256sum -c verification, instead of downloading a same-channel checksum file at build time.
  • Generalize update-keys.ymlupdate-material.yml: an entry can now set version_file/version_key to have VERSION substituted from a build.yaml before downloading, which is how the two new rustup-init entries track the currently pinned RUSTUP_VERSION. The workflow also now runs on rust/build.yaml changes (in addition to its own file and the weekly schedule) so a Renovate version bump gets a checksum-update PR promptly.
  • Fixed hardcoded references to the old update-keys.yml name in release.yml and uv/Dockerfile comments, and added the new checksum files to build-checks.yml's trigger paths.

Test plan

  • Verified rust/rustup-init-amd64.sha256 against the live rustup-init binary end-to-end (sha256sum -c reports OK)
  • Validated the workflow's YAML and embedded shell syntax
  • CI: build-checks.yml builds rust successfully with the committed checksum files on both architectures
  • Post-merge: trigger workflow_dispatch on update-material.yml and confirm the rust entries are no-ops

@nozaq nozaq force-pushed the claude/pr-readme-renovate-sync branch from d1e1a79 to 8d252ca Compare July 13, 2026 00:11
@nozaq nozaq force-pushed the claude/pr-pin-checksums branch from 2a17da7 to 73df312 Compare July 13, 2026 00:11
@nozaq nozaq changed the base branch from claude/pr-readme-renovate-sync to claude/pr-per-image-oci-labels July 13, 2026 00:12
@nozaq nozaq force-pushed the claude/pr-pin-checksums branch from f8a01ae to adfdd85 Compare July 13, 2026 01:40
Base automatically changed from claude/pr-per-image-oci-labels to main July 13, 2026 09:38
@nozaq nozaq force-pushed the claude/pr-pin-checksums branch from dd83f01 to 1ba668e Compare July 13, 2026 11:42
@nozaq nozaq force-pushed the claude/pr-pin-checksums branch from 30830d1 to f9a4aa8 Compare July 13, 2026 20:59
rustup publishes no signature for rustup-init, so it had no independent
trust anchor — the checksum file was previously fetched at build time
from the same server as the binary. Commit the checksum files
themselves (rust/rustup-init-{amd64,arm64}.sha256) instead of a raw
hash value in build.yaml, matching the existing pattern used for other
images' signing keys/keyrings, and bind-mount them into the Dockerfile
build for direct sha256sum -c verification against the exact upstream
file format.

ci: fold checksum-file syncing into update-material.yml

update-keys.yml and the now-removed update-checksums.yml both existed
to keep upstream-sourced trust material in sync with a scheduled PR,
duplicating the same download/diff/open-PR flow. Generalize
update-keys.yml (renamed update-material.yml, since its job is no
longer limited to signing keys) to support per-version URLs: an entry
can set version_file/version_key to have VERSION substituted from a
build.yaml before downloading, which is how the two new rustup-init
checksum entries pick up the currently pinned RUSTUP_VERSION. The
workflow also now runs on rust/build.yaml changes (in addition to its
own file and the weekly schedule) so a Renovate version bump gets a
checksum-update PR promptly instead of waiting for the next scheduled
run.

Fixed hardcoded references to the old update-keys.yml name in
release.yml and uv/Dockerfile comments, and added the new checksum
files to build-checks.yml's trigger paths so a housekeeper PR that
only changes them still runs the build/smoke-test/Trivy checks.

Verified rustup-init-amd64.sha256 against the live rustup-init binary
end-to-end (sha256sum -c reports OK).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Rt6cdQY4Q3ie1xpMgyy33S
@nozaq nozaq force-pushed the claude/pr-pin-checksums branch from f9a4aa8 to 9131812 Compare July 13, 2026 21:13
@nozaq nozaq changed the title image: pin rustup-init and gh checksums in the repository image(rust): pin rustup-init checksum via committed checksum files Jul 13, 2026
@nozaq nozaq merged commit 59a6645 into main Jul 13, 2026
168 checks passed
@nozaq nozaq deleted the claude/pr-pin-checksums branch July 13, 2026 21:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants