Skip to content

Install rustup and cargo in CI and prod build images#64725

Merged
potiuk merged 1 commit intoapache:mainfrom
potiuk:install-rustup-cargo-in-images
Apr 4, 2026
Merged

Install rustup and cargo in CI and prod build images#64725
potiuk merged 1 commit intoapache:mainfrom
potiuk:install-rustup-cargo-in-images

Conversation

@potiuk
Copy link
Copy Markdown
Member

@potiuk potiuk commented Apr 4, 2026

Verify rustup-init binary with SHA256 checksum instead of curl-pipe-sh

Download the rustup-init binary directly and verify its SHA256 checksum before execution, instead of piping the shell installer script through sh.

Pin rustup-init to version 1.29.0 with hardcoded SHA256 checksums for amd64 and arm64, matching the existing cosign verification pattern. This prevents a compromised server from serving a tampered binary with a matching checksum.

Was generative AI tooling used to co-author this PR?
  • Yes (please specify the tool below)
  • Read the Pull Request Guidelines for more information. Note: commit author/co-author name and email in commits become permanently public when merged.
  • For fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
  • When adding dependency, check compliance with the ASF 3rd Party License Policy.
  • For significant user-facing changes create newsfragment: {pr_number}.significant.rst, in airflow-core/newsfragments. You can add this file in a follow-up commit after the PR is created so you know the PR number.

@potiuk
Install rustup and cargo in CI and prod build images
5897aa8 
Verify rustup-init binary with SHA256 checksum instead of curl-pipe-sh

Download the rustup-init binary directly and verify its SHA256 checksum
before execution, instead of piping the shell installer script through sh.

Pin rustup-init to version 1.29.0 with hardcoded SHA256 checksums for
amd64 and arm64, matching the existing cosign verification pattern.
This prevents a compromised server from serving a tampered binary with
a matching checksum.
@boring-cyborg boring-cyborg bot added area:dev-tools area:production-image Production image improvements and fixes backport-to-v3-2-test Mark PR with this label to backport to v3-2-test branch labels Apr 4, 2026
@potiuk potiuk mentioned this pull request Apr 4, 2026
Closed
1 task
@potiuk potiuk merged commit 1b28933 into apache:main Apr 4, 2026
150 checks passed
@potiuk potiuk deleted the install-rustup-cargo-in-images branch April 4, 2026 17:57
github-actions bot pushed a commit that referenced this pull request Apr 4, 2026
@potiuk
[v3-2-test] Install rustup and cargo in CI and prod build images (#64725
5097da3 
)

Verify rustup-init binary with SHA256 checksum instead of curl-pipe-sh

Download the rustup-init binary directly and verify its SHA256 checksum
before execution, instead of piping the shell installer script through sh.

Pin rustup-init to version 1.29.0 with hardcoded SHA256 checksums for
amd64 and arm64, matching the existing cosign verification pattern.
This prevents a compromised server from serving a tampered binary with
a matching checksum.
(cherry picked from commit 1b28933)

Co-authored-by: Jarek Potiuk <jarek@potiuk.com>
@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 4, 2026

Backport successfully created: v3-2-test

Note: As of Merging PRs targeted for Airflow 3.X
the committer who merges the PR is responsible for backporting the PRs that are bug fixes (generally speaking) to the maintenance branches.

In matter of doubt please ask in #release-management Slack channel.

Status Branch Result
v3-2-test PR Link

github-actions bot pushed a commit to aws-mwaa/upstream-to-airflow that referenced this pull request Apr 4, 2026
@potiuk
[v3-2-test] Install rustup and cargo in CI and prod build images (apa…
41b06ca 
…che#64725)

Verify rustup-init binary with SHA256 checksum instead of curl-pipe-sh

Download the rustup-init binary directly and verify its SHA256 checksum
before execution, instead of piping the shell installer script through sh.

Pin rustup-init to version 1.29.0 with hardcoded SHA256 checksums for
amd64 and arm64, matching the existing cosign verification pattern.
This prevents a compromised server from serving a tampered binary with
a matching checksum.
(cherry picked from commit 1b28933)

Co-authored-by: Jarek Potiuk <jarek@potiuk.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bugraoz93 bugraoz93 bugraoz93 approved these changes

@ashb ashb Awaiting requested review from ashb ashb is a code owner

@gopidesupavan gopidesupavan Awaiting requested review from gopidesupavan gopidesupavan is a code owner

@amoghrajesh amoghrajesh Awaiting requested review from amoghrajesh amoghrajesh is a code owner

@jscheffl jscheffl Awaiting requested review from jscheffl jscheffl is a code owner

@jason810496 jason810496 Awaiting requested review from jason810496 jason810496 is a code owner

@kaxil kaxil Awaiting requested review from kaxil kaxil is a code owner

Assignees

No one assigned

Labels

area:dev-tools area:production-image Production image improvements and fixes backport-to-v3-2-test Mark PR with this label to backport to v3-2-test branch

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@potiuk @bugraoz93