[v3-2-test] Install rustup and cargo in CI and prod build images (#64725) #64729

Merged
potiuk merged 1 commit into v3-2-test from backport-1b28933-v3-2-test
Apr 7, 2026

@github-actions github-actions bot commented Apr 4, 2026

Verify rustup-init binary with SHA256 checksum instead of curl-pipe-sh

Download the rustup-init binary directly and verify its SHA256 checksum
before execution, instead of piping the shell installer script through sh.

Pin rustup-init to version 1.29.0 with hardcoded SHA256 checksums for
amd64 and arm64, matching the existing cosign verification pattern.
This prevents a compromised server from serving a tampered binary with
a matching checksum.
(cherry picked from commit 1b28933)

Co-authored-by: Jarek Potiuk <jarek@potiuk.com>
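
The pinned-checksum pattern the commit message describes, sketched as an added example (not code from this PR or from Airflow's build scripts). The function and variable names are hypothetical, and the pins are placeholders rather than the real rustup-init 1.29.0 digests:

```shell
#!/usr/bin/env bash
# Added example (not Airflow's build script). Names are hypothetical; the pins
# are placeholders, not the real rustup-init 1.29.0 digests.
# The digests live in the script under version control, so a server that can
# swap the binary cannot also swap the value it is compared against.
RUSTUP_SHA256_AMD64="REPLACE_WITH_PINNED_SHA256_FOR_AMD64"
RUSTUP_SHA256_ARM64="REPLACE_WITH_PINNED_SHA256_FOR_ARM64"

# Print the pinned digest for a machine name as reported by `uname -m`.
pinned_sha256_for() {
    case "$1" in
        x86_64|amd64)  printf '%s\n' "${RUSTUP_SHA256_AMD64}" ;;
        aarch64|arm64) printf '%s\n' "${RUSTUP_SHA256_ARM64}" ;;
        *) return 1 ;;
    esac
}

# Print the SHA256 hex digest of a file (GNU coreutils, or shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_pinned FILE ARCH
# Returns 0 on match, 1 on mismatch, 2 for an unpinned architecture,
# 3 when the pin is not a well-formed digest (e.g. a placeholder left in).
verify_pinned() {
    local file="$1" arch="$2" expected actual
    expected="$(pinned_sha256_for "${arch}")" || {
        echo "no pinned checksum for architecture '${arch}'" >&2
        return 2
    }
    if ! printf '%s' "${expected}" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "pin for '${arch}' is not a 64-char lowercase hex digest" >&2
        return 3
    fi
    actual="$(sha256_of "${file}")"
    if [ "${actual}" != "${expected}" ]; then
        echo "checksum mismatch for ${file}: got '${actual}'" >&2
        return 1
    fi
}

# Typical call in a build step: verify first, execute only on success.
#   verify_pinned ./rustup-init "$(uname -m)" && chmod +x ./rustup-init && ./rustup-init -y
```

A missing or unreadable download produces an empty digest and therefore fails as a mismatch, so the binary is never executed unverified.
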
@boring-cyborg boring-cyborg bot added the area:dev-tools, area:production-image (Production image improvements and fixes) and backport-to-v3-2-test (Mark PR with this label to backport to v3-2-test branch) labels Apr 4, 2026
@potiuk potiuk marked this pull request as ready for review April 7, 2026 08:16
@potiuk potiuk merged commit bb30ec6 into v3-2-test Apr 7, 2026
3 checks passed
@potiuk potiuk deleted the backport-1b28933-v3-2-test branch April 7, 2026 08:16
vatsrahul1001 pushed a commit that referenced this pull request Apr 8, 2026
vatsrahul1001 pushed a commit that referenced this pull request Apr 15, 2026
@vatsrahul1001 vatsrahul1001 added the changelog:skip label (Changes that should be skipped from the changelog: CI, tests, etc.) Apr 15, 2026
@vatsrahul1001 vatsrahul1001 added this to the Airflow 3.2.1 milestone Apr 15, 2026
vatsrahul1001 pushed a commit that referenced this pull request Apr 15, 2026