Fix rustup cache

.env.testing-artifacts

@@ -1,5 +1,6 @@
-# Rust toolchain version (for rust:<version>-bookworm base image)
-RUST_VERSION=1.92
+# RUST_VERSION is intentionally NOT set here. The canonical source is
+# rust-toolchain.toml's `channel`; consumers derive it via
+# tools/scripts/get-rust-version.sh.
 
 # zcashd Git tag (https://github.com/zcash/zcash/releases)
 ZCASH_VERSION=6.12.1

.github/workflows/build-n-push-ci-image.yaml

@@ -2,11 +2,18 @@ name: Docker Image CI/CD
 
 on:
   workflow_dispatch:
+    inputs:
+      push:
+        description: 'Push the built image to DockerHub. Set false to verify a build on a feature branch without publishing.'
+        type: boolean
+        default: true
   push:
     branches:
       - '**'
     paths:
       - '.env.testing-artifacts'
+      - 'rust-toolchain.toml'
+      - 'tools/scripts/get-rust-version.sh'
       - 'integration-tests/test_environment/*'
 
 jobs:
@@ -30,6 +37,7 @@ jobs:
       id: taggen
       run: |
         source .env.testing-artifacts
+        RUST_VERSION=$(./tools/scripts/get-rust-version.sh)
         export RUST_VERSION ZCASH_VERSION ZEBRA_VERSION
         TAG=$(./tools/scripts/get-ci-image-tag.sh)
         echo "tag=$TAG" >> "$GITHUB_OUTPUT"
@@ -40,6 +48,7 @@ jobs:
         set -a
         source .env.testing-artifacts
         set +a
+        RUST_VERSION=$(./tools/scripts/get-rust-version.sh)
         echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
         echo "RUST_VERSION=$RUST_VERSION" >> "$GITHUB_ENV"
         echo "ZCASH_VERSION=$ZCASH_VERSION" >> "$GITHUB_ENV"
@@ -64,7 +73,7 @@ jobs:
           zingodevops/zaino-ci:latest
           zingodevops/zaino-ci:${{ steps.versions.outputs.sha_short }}
           zingodevops/zaino-ci:${{ steps.taggen.outputs.tag }}
-        push: true
+        push: ${{ github.event_name != 'workflow_dispatch' || inputs.push }}
         build-args: |
           RUST_VERSION=${{ env.RUST_VERSION }}
           ZCASH_VERSION=${{ env.ZCASH_VERSION }}

.github/workflows/compute-tag.yml

@@ -21,6 +21,7 @@ jobs:
         id: taggen
         run: |
           source .env.testing-artifacts
+          RUST_VERSION=$(./tools/scripts/get-rust-version.sh)
           export RUST_VERSION ZCASH_VERSION ZEBRA_VERSION DOCKER_DIR_HASH
           TAG=$(./tools/scripts/get-ci-image-tag.sh)
           echo "TAG=$TAG"

.github/workflows/release.yaml

@@ -6,13 +6,19 @@ on:
       - '[0-9]+.[0-9]+.[0-9]+'
       - '[0-9]+.[0-9]+.[0-9]+-rc.[0-9]+'
   workflow_dispatch:
+    inputs:
+      push:
+        description: 'Push the built image to DockerHub. Set false to verify build on a feature branch without publishing.'
+        type: boolean
+        default: true
 
 jobs:
   docker:
     name: Docker images (build+push)
     runs-on: ubuntu-latest
     env:
-      PUSH_IMAGES: true
+      # Push only on tag-push events, or when workflow_dispatch with input.push=true.
+      PUSH_IMAGES: ${{ github.event_name != 'workflow_dispatch' || inputs.push }}
     steps:
       - uses: actions/checkout@v4
 
@@ -25,13 +31,19 @@ jobs:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}
 
+      - name: Determine Rust version from rust-toolchain.toml
+        run: |
+          echo "RUST_VERSION=$(./tools/scripts/get-rust-version.sh)" >> $GITHUB_ENV
+
       - name: Extract metadata for Docker (default image)
         id: meta-default
         uses: docker/metadata-action@v5
         with:
           images: ${{ secrets.DOCKERHUB_USERNAME }}/${{ vars.DOCKER_RELEASE_REPO || 'zaino' }}
           tags: |
             type=semver,pattern={{version}}
+            type=ref,event=branch
+            type=sha,prefix=,format=short
 
       - name: Build and Push Default Image
         uses: docker/build-push-action@v5
@@ -41,6 +53,8 @@ jobs:
           push: ${{ env.PUSH_IMAGES }}
           tags: ${{ steps.meta-default.outputs.tags }}
           labels: ${{ steps.meta-default.outputs.labels }}
+          build-args: |
+            RUST_VERSION=${{ env.RUST_VERSION }}
           cache-from: |
             type=registry,ref=${{ secrets.DOCKERHUB_USERNAME }}/${{ vars.DOCKER_RELEASE_REPO || 'zaino' }}:buildcache
             type=gha
@@ -57,11 +71,15 @@ jobs:
             suffix=-no-tls
           tags: |
             type=semver,pattern={{version}}
+            type=ref,event=branch
+            type=sha,prefix=,format=short
 
       - name: Build and Push No-TLS Image
         uses: docker/build-push-action@v5
         with:
-          build-args: NO_TLS=true
+          build-args: |
+            NO_TLS=true
+            RUST_VERSION=${{ env.RUST_VERSION }}
           context: .
           platforms: linux/amd64
           push: ${{ env.PUSH_IMAGES }}
@@ -78,6 +96,9 @@ jobs:
     needs: docker
     name: Create GitHub Release
     runs-on: ubuntu-latest
+    # Only create a GitHub release when triggered by a real semver tag push.
+    # workflow_dispatch (e.g. for verification on a feature branch) skips this.
+    if: startsWith(github.ref, 'refs/tags/')
     steps:
       - uses: actions/checkout@v4
         with:

Dockerfile

@@ -3,7 +3,11 @@
 ############################
 # Global build args
 ############################
-ARG RUST_VERSION=1.86.0
+# RUST_VERSION must be supplied via --build-arg. Canonical source is
+# rust-toolchain.toml's `channel`, surfaced by tools/scripts/get-rust-version.sh
+# — no default is set so a stale literal cannot drift from the workspace's
+# pinned toolchain. See README for the recommended build invocation.
+ARG RUST_VERSION
 ARG UID=1000
 ARG GID=1000
 ARG USER=container_user