From adf3572b9a776ad328d4d6edf5e23d3928a2344d Mon Sep 17 00:00:00 2001 From: Mauro Ezequiel Moltrasio Date: Mon, 12 Jan 2026 12:47:53 +0100 Subject: [PATCH 1/2] feat: use stable rust toolchain After hitting a small problem with MintMaker not being able to install the version of the rust compiler we were enforcing, we have decided to take a chance and start using the stable version of the toolchain as default. The stable version of the toolchain will be used in CI for building, testing and linting, as well as for building the upstream image. Since future releases of rust may break compilation of our code in unexpected ways (new linting, more strict lifetime enforcement, etc..), the existing CI pipeline has been extended to run using the nightly toolchain. This toolchain is 2 minor versions ahead of the latest stable release, so it should give us enough time to sort any issues that may arise before the breaking change gets stabilized. The release process documentation has been updated to pin the rust version on release branches and disable cargo updates from MintMaker, since these will break the same way they are broken now on main. No changes are needed on the konflux Containerfile, because the version used for those builds are already handled via the RPM lockfile. --- .github/workflows/ci.yml | 7 +++++-- Containerfile | 6 ++++-- Makefile | 1 + constants.mk | 2 ++ docs/release.md | 24 ++++++++++++++++++++++-- rust-toolchain.toml | 2 -- 6 files changed, 34 insertions(+), 8 deletions(-) delete mode 100644 rust-toolchain.toml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2e12ad37..26b43b2e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -31,6 +31,9 @@ jobs: arch: - amd64 - arm64 + rust-version: + - stable + - nightly steps: - uses: actions/checkout@v4 with: 
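Review bot: The `nightly` entry added to the matrix in `.github/workflows/ci.yml` (hunk `@@ -31,6 +31,9 @@`) is gated exactly like `stable`, so a nightly-only lint or compile regression turns the job red the same way a breakage on the shipped toolchain does. The commit message describes the nightly leg as early warning for changes that have not reached stable yet. If that is the intent, mark it non-blocking at job level with `continue-on-error: ${{ matrix.rust-version == 'nightly' }}`. The job header is outside this hunk, so whether such a setting already exists cannot be confirmed from here.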
@@ -43,7 +46,7 @@ jobs: libbpf-dev \ protobuf-compiler - rustup component add clippy + rustup +${{ matrix.rust-version }} component add clippy - shell: python id: args @@ -67,7 +70,7 @@ jobs: ~/.cargo/git/db/ target/ key: ${{ runner.os }}-${{ runner.arch }}-cargo-${{ steps.args.outputs.args }}-${{ hashFiles('**/Cargo.lock') }} - - run: cargo ${{ matrix.args }} + - run: cargo +${{ matrix.rust-version }} ${{ matrix.args }} format-check: runs-on: ubuntu-24.04 diff --git a/Containerfile b/Containerfile index e01c58ed..712d4304 100644 --- a/Containerfile +++ b/Containerfile @@ -1,12 +1,14 @@ FROM quay.io/centos/centos:stream9 AS builder +ARG RUST_VERSION=stable + RUN dnf install --enablerepo=crb -y \ clang \ libbpf-devel \ protobuf-compiler \ protobuf-devel && \ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | \ - sh -s -- -y --default-toolchain 1.84 --profile minimal + sh -s -- -y --default-toolchain $RUST_VERSION --profile minimal ENV PATH=/root/.cargo/bin:${PATH} @@ -14,7 +16,7 @@ WORKDIR /app COPY . . -FROM builder as build +FROM builder AS build ARG FACT_VERSION RUN --mount=type=cache,target=/root/.cargo/registry \ diff --git a/Makefile b/Makefile index 8d606af9..1fe10ddc 100644 --- a/Makefile +++ b/Makefile @@ -16,6 +16,7 @@ image: docker build \ -f Containerfile \ --build-arg FACT_VERSION=$(FACT_VERSION) \ + --build-arg RUST_VERSION=$(RUST_VERSION) \ -t $(FACT_IMAGE_NAME) \ $(CURDIR) diff --git a/constants.mk b/constants.mk index 3940a821..31203033 100644 --- a/constants.mk +++ b/constants.mk @@ -1,3 +1,5 @@ +RUST_VERSION ?= stable + FACT_TAG ?= $(shell git describe --always --tags --abbrev=10 --dirty) FACT_VERSION ?= $(FACT_TAG) FACT_REGISTRY ?= quay.io/stackrox-io/fact diff --git a/docs/release.md b/docs/release.md index 7f3642d2..1748fd6b 100644 --- a/docs/release.md +++ b/docs/release.md 
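Review bot: In the `@@ -43,7 +46,7 @@` hunk of `.github/workflows/ci.yml`, `rustup +${{ matrix.rust-version }} component add clippy` assumes the selected toolchain is already present on the runner, and no visible step installs `nightly`. Whether rustup fetches a missing toolchain on demand depends on its version and configuration. An explicit install keeps the step deterministic and makes the downloaded toolchain visible in the log: `rustup toolchain install ${{ matrix.rust-version }} --profile minimal --component clippy`. The `run:` block starts above the hunk, so an install earlier in the same script cannot be ruled out.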
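Review bot: In the first `Containerfile` hunk, `$RUST_VERSION` is expanded unquoted in the rustup-init command line. An empty value therefore disappears and leaves `--default-toolchain` without its argument. The Makefile hunk would pass exactly that (`--build-arg RUST_VERSION=`) if the make variable were ever set to nothing. Failing the layer is safer: `sh -s -- -y --default-toolchain "${RUST_VERSION:?}" --profile minimal`. Separately, the `curl … | sh` pipe runs under the default shell without pipefail, so a failed download does not by itself fail the `RUN`; a `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` line ahead of it would close that gap. A comment above the `ARG` should say that `stable` floats and that release builds are expected to override it with a fixed version.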
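Review bot: `RUST_VERSION ?= stable` is defined here in `constants.mk`, but the release step added to `docs/release.md` in this same patch runs its `sed` with the `/^RUST_VERSION /` address against `Makefile`. The only `RUST_VERSION` line this patch adds to `Makefile` is the indented `--build-arg` one, which that address does not match. Unless `Makefile` has its own definition outside the visible hunk, the substitution changes nothing, `sed` still exits 0, and the release branch keeps building with the floating `stable` toolchain. Pointing the documented command at this file would make the pin take effect: `sed -i -e "/^RUST_VERSION / s/stable/${RUST_VERSION}/" constants.mk`. A one-line comment above the variable, such as `# Pinned to a fixed version on release branches, see docs/release.md`, would also help.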
@@ -38,14 +38,20 @@ to create the git resources for Konflux before proceeding. 1. Set the following environment variables: - * `STACKROX_SUFFIX`: The major and minor versions of ACS that will use this `fact` version (e.g., `4-10`). - * `FACT_RELEASE`: The release version you set in the previous section. + * `STACKROX_SUFFIX`: The major and minor versions of ACS that will + use this `fact` version (e.g., `4-10`). + * `FACT_RELEASE`: The release version you set in the previous + section. * `FACT_PATCH`: The patch version for this release (e.g., `0`). + * `RUST_VERSION`: The version of the rust compiler that will be + used with this release, usually the latest stable rust version. + (e.g., `1.88`). ```sh export STACKROX_SUFFIX=4-10 export FACT_RELEASE=0.2 export FACT_PATCH=0 + export RUST_VERSION=1.88 ``` 1. On the release branch, run the following commands to update the @@ -63,6 +69,20 @@ Konflux build configuration and the application version. fact/Cargo.toml ``` +1. Run the following command to pin the Rust version to be used. + + ```sh + sed -i -e "/^RUST_VERSION / s/stable/${RUST_VERSION}/" \ + Makefile + ``` + +1. Run the following command to stop mintmaker from attempting to + update our crate dependencies. + + ```sh + sed -i -e "/\"cargo\",/d" .github/renovate.json5 + ``` + 1. Create a new branch for these changes and push it to the repository. ```sh git checkout -b "release/konflux-resources-${FACT_RELEASE}" diff --git a/rust-toolchain.toml b/rust-toolchain.toml deleted file mode 100644 index 9db33c0e..00000000 --- a/rust-toolchain.toml +++ /dev/null @@ -1,2 +0,0 @@ -[toolchain] -channel = "1.84" From fe163c1b191010c8638158c83039453c2ffd2b77 Mon Sep 17 00:00:00 2001 From: Mauro Ezequiel Moltrasio Date: Mon, 12 Jan 2026 13:01:43 +0100 Subject: [PATCH 2/2] build(ci): re-use runners for build, lint and test steps --- .github/workflows/ci.yml | 28 +++++++++------------------- 1 file changed, 9 insertions(+), 19 deletions(-) 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 26b43b2e..d9257856 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -24,10 +24,6 @@ jobs: strategy: fail-fast: false matrix: - args: - - build --release - - clippy -- -D warnings - - test arch: - amd64 - arm64 @@ -48,19 +44,6 @@ jobs: rustup +${{ matrix.rust-version }} component add clippy - - shell: python - id: args - run: | - import os - - # Remove the hyphens from arguments like --release, then join - # all words with hyphens to have a key that is valid for GHA - # caching. - args='${{ matrix.args }}'.replace('-', '').split() - args='-'.join(args) - with open(os.environ.get('GITHUB_OUTPUT'), 'a') as f: - f.write(f'args={args}') - - uses: actions/cache@v4 with: path: | @@ -69,8 +52,15 @@ jobs: ~/.cargo/registry/cache/ ~/.cargo/git/db/ target/ - key: ${{ runner.os }}-${{ runner.arch }}-cargo-${{ steps.args.outputs.args }}-${{ hashFiles('**/Cargo.lock') }} - - run: cargo +${{ matrix.rust-version }} ${{ matrix.args }} + key: ${{ runner.os }}-${{ runner.arch }}-cargo-${{ matrix.rust-version }}-${{ hashFiles('**/Cargo.lock') }} + + - name: Build + run: cargo +${{ matrix.rust-version }} build --release + - name: Lint + run: cargo +${{ matrix.rust-version }} clippy -- -D warnings + - name: Test + run: cargo +${{ matrix.rust-version }} test + format-check: runs-on: ubuntu-24.04
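Review bot: The new cache key in the `@@ -69,8 +52,15 @@` hunk uses the channel name `${{ matrix.rust-version }}`, so it stays the same when `stable` or `nightly` moves to a new compiler. Because `target/` is among the cached paths and a cache entry is not rewritten once its key exists, jobs keep restoring build output from the compiler that first populated the key until `Cargo.lock` changes. Cargo should rebuild rather than reuse those artifacts, so the likely cost is a cache that stops helping, most visibly on the nightly leg. Recording the resolved compiler in an earlier step (the output of `rustc +${{ matrix.rust-version }} --version`) and using it in the key fixes this, e.g. `key: ${{ runner.os }}-${{ runner.arch }}-cargo-${{ steps.rustc.outputs.version }}-${{ hashFiles('**/Cargo.lock') }}`, where `steps.rustc` is a step id that would need to be added.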