
feat: update to Rust 1.96 #2680

Merged
rwthompsonii merged 6 commits into NVIDIA:main from rwthompsonii:rust-1.96
Jun 19, 2026

rwthompsonii (Contributor) commented Jun 18, 2026

Related issues

Type of Change

  • Add - New feature or capability
  • Change - Changes in existing functionality
  • Fix - Bug fixes
  • Remove - Removed features or deprecated functionality
  • Internal - Internal changes (refactoring, tests, docs, etc.)

Breaking Changes

  • This PR contains breaking changes

Testing

  • Unit tests added/updated
  • Integration tests added/updated
  • Manual testing performed
  • No testing required (docs, internal refactor, etc.)

Additional Notes

rwthompsonii requested review from a team and Coco-Ben as code owners June 18, 2026 00:00

coderabbitai Bot (Contributor) commented Jun 18, 2026

Summary by CodeRabbit

  • Chores
    • Updated Rust toolchain to version 1.96.0 across build environments, GitHub Actions workflows, and Docker containers used for development and CI/CD
    • Updated pinned nightly Rust toolchain version
    • Updated associated build documentation to reflect the new toolchain versions

Walkthrough

The pull request advances the pinned stable Rust toolchain from 1.95.0 to 1.96.0 and the nightly from nightly-2026-05-27 to nightly-2026-06-16. Changes span rust-toolchain.toml, Makefile.toml, eight Dockerfiles, two CI configuration files, and the macOS Cargo-via-Docker manual; the PR also removes one unused wildcard import in a test module.

Changes

Rust 1.96.0 Toolchain Bump

| Layer / File(s) | Summary |
|---|---|
| Authoritative toolchain version declarations: rust-toolchain.toml, lints/carbide-lints/rust-toolchain.toml | Stable channel updated to 1.96.0; nightly pin advanced to nightly-2026-06-16. |
| Build automation and container infrastructure: Makefile.toml, dev/docker/Dockerfile.build-container-x86_64, dev/docker/Dockerfile.build-container-aarch64, dev/docker/Dockerfile.build-artifacts-container-*, dev/docker/Dockerfile.cargo-docker-minimal, dev/docker/Dockerfile.pxe-build-container, crates/dpf/dev/Dockerfile.carbide-dpf-api-harness-glibc2.34 | RUST_NIGHTLY Makefile variable and three task descriptions updated to reflect Rust 1.96; all eight Dockerfiles updated from rust:1.95.0 to rust:1.96.0 base images; the x86_64 build container additionally advances its RUST_NIGHTLY environment variable. |
| CI action and workflow version inputs: .github/actions/setup-mkosi-environment/action.yml, .github/workflows/build-boot-artifacts.yml | Default and explicit rust-version inputs updated from 1.90.0 to 1.96.0 in the mkosi setup action and the boot-artifacts workflow respectively. |
| Documentation updates and unused import removal: docs/manuals/cargo-via-docker-macos.md, crates/bmc-proxy/src/setup.rs | Version labels in the macOS Docker Cargo guide updated from 1.95 to 1.96 at three locations; unused tracing_subscriber::prelude::* wildcard import removed from the bmc-proxy test module. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~4 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ⚠️ Warning | The PR description is blank and contains only an unchecked template with no substantive information about the changes, rationale, or scope. | Complete the PR description with a summary of changes, motivation for the Rust 1.96 upgrade, any compatibility considerations, and testing performed to validate the upgrade across all affected components. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The PR title clearly and concisely summarizes the primary change: updating the Rust toolchain from 1.95 to 1.96 across the entire codebase. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

rwthompsonii enabled auto-merge (squash) June 18, 2026 00:02

coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
dev/docker/Dockerfile.cargo-docker-minimal (1)

7-12: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Update stale toolchain comment to match the bumped base image.

Line 7 still says Rust 1.90, but Line 12 now uses rust:1.96.0-slim-bookworm. Please align the comment to prevent version-drift confusion.

Suggested patch
-# Matches rust-toolchain.toml (Rust 1.90).
+# Matches rust-toolchain.toml (Rust 1.96).
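Review bot: the `+` line still hard-codes the version in a comment, which is how it drifted to 1.90 in the first place, and the patch writes `1.96` while the accompanying prompt text asks for `1.96.0`. Pick one form, preferably the full `1.96.0` that matches the `rust:1.96.0-slim-bookworm` tag, or drop the number and point only at rust-toolchain.toml so the comment cannot go stale again.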

As per coding guidelines, **/Dockerfile*: "Review Dockerfiles for reproducible builds, minimal runtime surface, correct user/permissions, cache behavior, architecture support, and avoiding embedded secrets."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@dev/docker/Dockerfile.cargo-docker-minimal` around lines 7 - 12, The comment
at line 7 stating "Matches rust-toolchain.toml (Rust 1.90)" is outdated and does
not reflect the actual Rust version specified in the FROM instruction on line 12
which uses rust:1.96.0-slim-bookworm. Update the comment to change the version
reference from 1.90 to 1.96.0 to keep the documentation in sync with the actual
base image version being used.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/manuals/cargo-via-docker-macos.md`:
- Around line 11-17: In the "What's in place" table, the row containing "This
guide" references an incorrect file path
`docs/development/cargo-via-docker-macos.md`. Update this path to
`docs/manuals/cargo-via-docker-macos.md` to match the actual location of this
guide file, ensuring readers can navigate to the correct location.

📥 Commits

Reviewing files that changed from the base of the PR and between 6d36a43 and 949fed6.

📒 Files selected for processing (13)
  • .github/actions/setup-mkosi-environment/action.yml
  • .github/workflows/build-boot-artifacts.yml
  • Makefile.toml
  • crates/bmc-proxy/src/setup.rs
  • dev/docker/Dockerfile.build-artifacts-container-aarch64
  • dev/docker/Dockerfile.build-artifacts-container-cross-aarch64
  • dev/docker/Dockerfile.build-artifacts-container-x86_64
  • dev/docker/Dockerfile.build-container-aarch64
  • dev/docker/Dockerfile.build-container-x86_64
  • dev/docker/Dockerfile.cargo-docker-minimal
  • docs/manuals/cargo-via-docker-macos.md
  • lints/carbide-lints/rust-toolchain.toml
  • rust-toolchain.toml
💤 Files with no reviewable changes (1)
  • crates/bmc-proxy/src/setup.rs

Comment thread docs/manuals/cargo-via-docker-macos.md Outdated
github-actions Bot commented Jun 18, 2026

🔍 Container Scan Summary

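| Service | Total | Critical | High | Medium | Low | Other |
|---|---|---|---|---|---|---|
| boot-artifacts-aarch64 | 3 | 0 | 0 | 3 | 0 | 0 |
| boot-artifacts-x86_64 | 3 | 0 | 0 | 3 | 0 | 0 |
| forge-admin-cli-x86_64 | 263 | 6 | 23 | 98 | 6 | 130 |
| machine-validation-runner | 701 | 34 | 183 | 255 | 35 | 194 |
| machine_validation | 701 | 34 | 183 | 255 | 35 | 194 |
| nvmetal-carbide | 701 | 34 | 183 | 255 | 35 | 194 |
| TOTAL | 2372 | 108 | 572 | 869 | 111 | 712 |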

Per-CVE detail lives in the per-service grype-* artifacts (JSON + SARIF). Severity counts only — no CVE IDs published here.

osu (Member) commented Jun 19, 2026

Hello, quick question @rwthompsonii: are these two Rust 1.95.0 references intentionally kept at this version, or should they be updated to 1.96.0?

  • dev/docker/Dockerfile.pxe-build-container:27 has ARG RUST_VERSION=1.95.0
  • crates/dpf/dev/Dockerfile.carbide-dpf-api-harness-glibc2.34:33 hardcodes --default-toolchain 1.95.0
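
A drift check for the stale pins raised in this thread (the `(Rust 1.90)` comment, `ARG RUST_VERSION=1.95.0`, `--default-toolchain 1.95.0`), as an added example that is not part of this PR or the repository: it compares every pin it finds against the `channel` in rust-toolchain.toml. The function names, the pattern list and the sample file contents are constructed for illustration.

```python
import re

VER = r"(\d+\.\d+(?:\.\d+)?)"
# Pin styles quoted in this PR thread (assumption: extend for other styles in a real repo).
PIN_PATTERNS = [
    re.compile(r"\bFROM\s+rust:" + VER),          # FROM rust:1.96.0-slim-bookworm
    re.compile(r"\bARG\s+RUST_VERSION=" + VER),   # ARG RUST_VERSION=1.95.0
    re.compile(r"--default-toolchain\s+" + VER),  # rustup installer flag
    re.compile(r"\(Rust\s+" + VER + r"\)"),       # comment: (Rust 1.90)
]
CHANNEL = re.compile(r'^\s*channel\s*=\s*"(\d+\.\d+\.\d+)"', re.MULTILINE)

def expected_version(toolchain_toml):
    """Return the stable pin from rust-toolchain.toml text."""
    m = CHANNEL.search(toolchain_toml)
    if m is None:
        raise ValueError("no numeric channel pin in rust-toolchain.toml")
    return m.group(1)

def same_release(found, expected):
    """'1.96' in a comment counts as matching '1.96.0'; '1.95.0' does not."""
    parts = found.split(".")
    return parts == expected.split(".")[: len(parts)]

def find_drift(files, expected):
    """Return (path, line number, version) for every pin that disagrees."""
    drift = []
    for path in sorted(files):
        for lineno, line in enumerate(files[path].splitlines(), 1):
            for pattern in PIN_PATTERNS:
                for m in pattern.finditer(line):
                    if not same_release(m.group(1), expected):
                        drift.append((path, lineno, m.group(1)))
    return drift

# Constructed sample contents keyed by paths named in the thread (not the real files).
SAMPLE_TOOLCHAIN = '[toolchain]\nchannel = "1.96.0"\n'
SAMPLE_FILES = {
    "dev/docker/Dockerfile.cargo-docker-minimal":
        "# Matches rust-toolchain.toml (Rust 1.90).\nFROM rust:1.96.0-slim-bookworm\n",
    "dev/docker/Dockerfile.pxe-build-container": "ARG RUST_VERSION=1.95.0\n",
    "crates/dpf/dev/Dockerfile.carbide-dpf-api-harness-glibc2.34":
        "RUN /tmp/rustup-init -y --default-toolchain 1.95.0\n",
}

if __name__ == "__main__":
    for path, lineno, version in find_drift(SAMPLE_FILES, expected_version(SAMPLE_TOOLCHAIN)):
        print(f"{path}:{lineno}: pins Rust {version}")
```

Run as a CI step over the real file contents, a non-empty result can fail the job before a toolchain bump merges with a stale pin.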

coderabbitai Bot (Contributor) left a comment

🧹 Nitpick comments (1)
crates/dpf/dev/Dockerfile.carbide-dpf-api-harness-glibc2.34 (1)

25-35: Implement secure, deterministic Rust installation in dev Dockerfile.

Line 33 pipes a remote installer script directly without verification (curl ... | sh), undermining reproducibility and supply-chain integrity. Harden the installation by downloading a pinned rustup-init artifact and verifying its checksum before execution. Additionally, pin the base image digest to eliminate mutation from upstream image updates.

Proposed hardening pattern
-FROM ubuntu:22.04 AS builder
+FROM ubuntu:22.04@sha256:<pinned_digest> AS builder
 RUN apt-get update && \
     DEBIAN_FRONTEND=noninteractive apt-get install -y \
     curl \
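Review bot: pinning the digest on the `FROM` line does not by itself make this stage deterministic, because the `apt-get update && apt-get install -y` context lines directly below it still resolve package versions at build time. Either scope the claim to the base layer or pin the apt inputs as well (for example through a snapshot mirror), and since `<pinned_digest>` is a placeholder, resolve it once and use the same value in both `FROM` lines of this patch.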
@@ -32,7 +32,11 @@
     ca-certificates \
     git \
-    && curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain 1.96.0 \
+    && curl --proto '=https' --tlsv1.2 -fsSLo /tmp/rustup-init https://static.rust-lang.org/rustup/dist/x86_64-unknown-linux-gnu/rustup-init \
+    && echo "<sha256_of_rustup_init>  /tmp/rustup-init" | sha256sum -c - \
+    && chmod +x /tmp/rustup-init \
+    && /tmp/rustup-init -y --default-toolchain 1.96.0 \
+    && rm -f /tmp/rustup-init \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
-FROM ubuntu:22.04
+FROM ubuntu:22.04@sha256:<pinned_digest>
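Review bot: the added `curl ... -fsSLo /tmp/rustup-init` line downloads from the unversioned `rustup/dist/` path, which serves whichever rustup-init is current, so the fixed value checked by `sha256sum -c -` on the next line will start failing the build as soon as a new rustup is released. Fetch from a versioned path such as `https://static.rust-lang.org/rustup/archive/<rustup_version>/<target>/rustup-init` so the URL and the checksum pin the same artifact. The hard-coded `x86_64-unknown-linux-gnu` triple also limits this stage to x86_64; select the triple and its checksum per target architecture if the harness is ever built elsewhere.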
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@crates/dpf/dev/Dockerfile.carbide-dpf-api-harness-glibc2.34` around lines 25
- 35, The Dockerfile uses an unsafe pattern of piping a remote installer script
directly with curl | sh, which lacks verification and reproducibility. Replace
the curl piped installation line with a secure approach: download a specific
pinned version of the rustup-init binary, verify its checksum before execution,
and then run the installer. Additionally, pin the base image to a specific
digest hash (at the FROM statement at the beginning of the file) instead of
using just the tag, to prevent mutations from upstream image updates and ensure
deterministic builds.

Source: Coding guidelines

📥 Commits

Reviewing files that changed from the base of the PR and between 949fed6 and 1450282.

📒 Files selected for processing (4)
  • Makefile.toml
  • crates/dpf/dev/Dockerfile.carbide-dpf-api-harness-glibc2.34
  • dev/docker/Dockerfile.cargo-docker-minimal
  • dev/docker/Dockerfile.pxe-build-container
✅ Files skipped from review due to trivial changes (2)
  • dev/docker/Dockerfile.pxe-build-container
  • Makefile.toml
🚧 Files skipped from review as they are similar to previous changes (1)
  • dev/docker/Dockerfile.cargo-docker-minimal

rwthompsonii linked an issue Jun 19, 2026 that may be closed by this pull request
rwthompsonii removed the request for review from Coco-Ben June 19, 2026 17:39
osu disabled auto-merge June 19, 2026 18:04
rwthompsonii enabled auto-merge (squash) June 19, 2026 18:14
rwthompsonii merged commit 5a93f8a into NVIDIA:main Jun 19, 2026
52 checks passed
Development

Successfully merging this pull request may close these issues.

Upgrade to Rust 1.96.0
