chore(rust): bump toolchain stage to rust:1-alpine3.23 (Rust 1.95) for Alpine 3.20 EOL

[davidkonigsberg]

Description

Linear ticket: N/A (Vanta finding follow-up)

Follow-up to #15804, which carved out the Rust toolchain bump because clearing the ALPINE_LINUX_3_20 Vanta finding requires a Rust minor-version bump (not just a base-image bump). The official rust image never published a 1.82-alpine3.23 variant — verified via docker manifest inspect rust:1.82-alpine3.23 ("no such manifest"), so we have to move off the 1.82 line entirely to get onto an Alpine 3.23 base.

Bumps the Rust toolchain stage in both Rust generator Dockerfiles from rust:1.82-alpine3.20 (Alpine 3.20 went EOL 2026-05-01) to the floating rust:1-alpine3.23 tag, which currently resolves to:

rustc 1.95.0 (59807616e 2026-04-14)

Floating to rust:1 (rather than pinning a patch) is consistent with how the rest of the Dockerfiles handle minor-version churn on toolchain images, and consistent with what #15804 did for other Rust references.

This clears the ALPINE_LINUX_3_20 Vanta finding on the rust-sdk-generator and rust-model-generator containers.

Changes Made

• generators/rust/sdk/Dockerfile: FROM rust:1.82-alpine3.20 AS rust → FROM rust:1-alpine3.23 AS rust (everything else — node:22.22-alpine3.23 final stage, npm patch dance, rustup component add rustfmt, etc. — left untouched).
• generators/rust/model/Dockerfile: same one-line change in its rust build stage.
• generators/rust/sdk/changes/unreleased/bump-rust-toolchain-base-image.yml: chore changelog entry. Per release-config.json, the rust folder maps to generators/rust/sdk/changes, which covers both rust-sdk and rust-model for changelog purposes.

Out of scope (intentionally not touched):

• node:22.22-alpine3.23 final base stage in either Dockerfile.
• Other generators.
• Node-bundled OpenSSL CVEs (blocked on upstream Node ≥22.x patches bundling OpenSSL 3.5.6, currently only in Node 26.x).
• --available on apk upgrade lines — already standardized in chore(deps): bump generator/seed base images to clear repeatable CVEs #15804.

Testing

The Rust toolchain isn't just a runtime dep — it's used by the generator to format generated SDKs (rustup component add rustfmt, then the generator runs rustfmt on output). A Rust minor-version bump can change rustfmt output, so I ran the full rust-sdk seed suite end-to-end:

pnpm install --frozen-lockfile
pnpm seed:build
node --enable-source-maps packages/seed/dist/cli.cjs test --generator rust-sdk --skip-scripts

Result: 130/130 test cases passed, and git diff seed/rust-sdk showed no rustfmt-output diffs vs. the committed snapshots. The only diffs were in .fern/metadata.json files (invokedBy: "ci" → "manual", ciProvider removed) — that's environmental noise from running locally vs. in CI, not from the toolchain bump. Reverted those metadata-only diffs and did not commit them.

So rustfmt output is byte-identical between Rust 1.82 and Rust 1.95 for everything our Rust generator produces today. No seed snapshots were regenerated/committed.

• pnpm run check clean (biome, 4541 files, no fixes applied)
• Full seed:test --generator rust-sdk run: 130/130 passed, zero rustfmt-output diffs vs. committed snapshots
• docker pull rust:1-alpine3.23 && docker run --rm rust:1-alpine3.23 rustc --version → rustc 1.95.0 (59807616e 2026-04-14)
• Manual testing completed
• Unit tests added/updated (N/A — Dockerfile / changelog only; covered by existing seed regression suite)

Reviewer notes / things worth a closer look

• Floating rust:1 tag: intentional — matches the convention in chore(deps): bump generator/seed base images to clear repeatable CVEs #15804 and how other toolchain images handle minor churn. If you'd rather pin to rust:1.95-alpine3.23 for reproducibility, happy to change it. (Tradeoff: floating means future Rust minor releases roll in silently on rebuild; the seed suite is the safety net.)
• rust-model wasn't separately exercised: rust-model only uses the toolchain stage to extract rustfmt (same rustup component add rustfmt), and rust-sdk's seed suite exercises that exact rustfmt binary end-to-end with zero diffs, so a separate rust-model run wouldn't add coverage. Flag if you'd like it run anyway.
• Changelog landing in rust/sdk/changes: per release-config.json, that's the canonical location for the rust group; the changelog summary explicitly mentions both generators so the entry surfaces correctly when either ships.

Link to Devin session: https://app.devin.ai/sessions/ffe20a51bdb94632b00a6f51076319db
Requested by: @davidkonigsberg

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[github-actions]

SDK Generation Benchmark Results

Comparing PR branch against median of 5 nightly run(s) on main (latest: 2026-05-08T04:59:46Z).

Full benchmark table (click to expand)

Generator	Spec	main (generator)	main (E2E)	PR (generator)	Delta
rust-sdk	square	157s (n=5)	157s (n=5)	119s	-38s (-24.2%)

main (generator): generator-only time via --skip-scripts (includes Docker image build, container startup, IR parsing, and code generation — this is the same Docker-based flow customers use via fern generate). main (E2E): full customer-observable time including build/test scripts (nightly baseline, informational). Delta is computed against generator-only baseline.
⚠️ = generation exited with a non-zero exit code (timing may not reflect a successful run).
Baseline from nightly runs on main (latest: 2026-05-08T04:59:46Z). Trigger benchmark-baseline to refresh.
Last updated: 2026-05-08 15:33 UTC

[davidkonigsberg]

Doesnt' improve things.