oasisprotocol · peternose · Jan 10, 2026 · Jan 10, 2026 · Jan 10, 2026 · Jan 10, 2026
@@ -254,7 +254,7 @@ steps:
       # Needed as the trust-root test rebuilds the enclave with embedded trust root data.
       - cargo install --locked --path tools
       - export CFLAGS_x86_64_fortanix_unknown_sgx="-isystem/usr/include/x86_64-linux-gnu -mlvi-hardening -mllvm -x86-experimental-lvi-inline-asm-hardening"
-      - export CC_x86_64_fortanix_unknown_sgx=clang-11
+      - export CC_x86_64_fortanix_unknown_sgx=clang-18
       # Only run runtime scenarios as others do not use SGX.
       - >
         .buildkite/scripts/test_e2e.sh --timeout 20m

@@ -58,7 +58,7 @@ pushd $src_dir
 
             # Build SGX runtime.
             export CFLAGS_x86_64_fortanix_unknown_sgx="-isystem/usr/include/x86_64-linux-gnu -mlvi-hardening -mllvm -x86-experimental-lvi-inline-asm-hardening"
-            export CC_x86_64_fortanix_unknown_sgx=clang-11
+            export CC_x86_64_fortanix_unknown_sgx=clang-18
             unset OASIS_UNSAFE_SKIP_KM_POLICY
             CARGO_TARGET_DIR="${CARGO_TARGET_DIR}/sgx" cargo build --release --locked --target x86_64-fortanix-unknown-sgx
             CARGO_TARGET_DIR="${CARGO_TARGET_DIR}/sgx" cargo elf2sgxs --release

@@ -0,0 +1 @@
+rust: Bump Rust toolchain to 2026-01-01
@@ -20,7 +20,7 @@ env:
 
 jobs:
   prepare-dev-release:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout code
         uses: actions/checkout@v5

@@ -22,7 +22,7 @@ env:
 
 jobs:
   prepare-release:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout code
         uses: actions/checkout@v5

@@ -16,11 +16,12 @@ build-tools:
 	@$(ECHO) "$(MAGENTA)*** Building Rust tools...$(OFF)"
 	@CARGO_TARGET_DIR=target/default cargo install --locked --path tools
 
-# NOTE: We explictly set CARGO_TARGET_DIR as a workaround to avoid
+# NOTE: We explicitly set CARGO_TARGET_DIR as a workaround to avoid
 #       recompilations in newer cargo nightly builds.
 #       See https://github.com/oasisprotocol/oasis-core/pull/2673 for details.
 build-runtimes:
-	@CARGO_TARGET_ROOT=$(shell pwd)/target && for e in $(RUNTIMES); do \
+	@export CC_x86_64_fortanix_unknown_sgx=clang-18 && \
+	CARGO_TARGET_ROOT=$(shell pwd)/target && for e in $(RUNTIMES); do \
 		$(ECHO) "$(MAGENTA)*** Building runtime: $$e...$(OFF)"; \
 		(cd $$e && \
 			CARGO_TARGET_DIR=$${CARGO_TARGET_ROOT}/sgx cargo build --release --target x86_64-fortanix-unknown-sgx && \

@@ -1,4 +1,4 @@
-FROM ubuntu:22.04
+FROM ubuntu:24.04
 
 ARG MODE=dcap
 
@@ -11,12 +11,12 @@ ADD intel-sgx-deb.asc /etc/apt/trusted.gpg.d
 RUN echo "deb https://download.01.org/intel-sgx/sgx_repo/ubuntu $(lsb_release -cs) main" > /etc/apt/sources.list.d/intel-sgx.list
 
 RUN if [ "$MODE" = "dcap" ] ; then \
-        apt-get update -qq && apt-get install -qq sgx-aesm-service libsgx-aesm-ecdsa-plugin libsgx-aesm-quote-ex-plugin libsgx-dcap-default-qpl && \
-        sed -i 's|"pccs_url": ".*"|"pccs_url": "https://api.trustedservices.intel.com/sgx/certification/v4/"|' /etc/sgx_default_qcnl.conf; \
+    apt-get update -qq && apt-get install -qq sgx-aesm-service libsgx-aesm-ecdsa-plugin libsgx-aesm-quote-ex-plugin libsgx-dcap-default-qpl && \
+    sed -i 's|"pccs_url": ".*"|"pccs_url": "https://api.trustedservices.intel.com/sgx/certification/v4/"|' /etc/sgx_default_qcnl.conf; \
     elif [ "$MODE" = "epid" ]; then \
-        apt-get update -qq && apt-get install -qq sgx-aesm-service libsgx-aesm-launch-plugin libsgx-aesm-epid-plugin; \
+    apt-get update -qq && apt-get install -qq sgx-aesm-service libsgx-aesm-launch-plugin libsgx-aesm-epid-plugin; \
     else \
-        echo "Invalid mode: $MODE" && exit 1; \
+    echo "Invalid mode: $MODE" && exit 1; \
     fi
 
 ENV AESM_PATH=/opt/intel/sgx-aesm-service/aesm

@@ -1,4 +1,4 @@
-FROM ubuntu:22.04
+FROM ubuntu:24.04
 
 # Package versions.
 ARG GO_VERSION=1.25.3
@@ -10,7 +10,7 @@ ARG GOLANGCILINT_VERSION=2.6.0
 ARG GOCOVMERGE_VERSION=b5bfa59ec0adc420475f97f89b58045c721d761c
 ARG GOFUMPT_VERSION=v0.8.0
 ARG GOIMPORTS_VERSION=v0.36.0
-ARG RUST_NIGHTLY_VERSION=2025-06-23
+ARG RUST_NIGHTLY_VERSION=2026-01-01
 ARG JEMALLOC_VERSION=5.2.1
 ARG JEMALLOC_CHECKSUM=34330e5ce276099e2e8950d9335db5a875689a4c6a56751ef3b1d8c537f887f6
 
@@ -20,22 +20,27 @@ ARG LEGACY_GO_VERSION=1.20.2
 ARG DEBIAN_FRONTEND=noninteractive
 
 RUN apt-get update -qq && apt-get upgrade -qq && apt-get install -qq \
-    build-essential git gdb cmake clang-11 gcc-multilib \
+    build-essential git gdb cmake clang-18 gcc-multilib \
     curl wget unzip \
     pkg-config software-properties-common \
     python3 python3-pyelftools \
     # for gitlint
-    python3-pip \
+    python3-venv python3-pip \
     # for rust openssl
     libssl-dev libcurl4-openssl-dev \
     # for benchmarks
     python3-prometheus-client \
     # for seccomp Go bindings support
     libseccomp-dev \
     bubblewrap && \
-    apt-get autoclean && apt-get autoremove && rm -rf /var/cache/apt/archives/* && \
-    # for linting Git commits
-    pip install gitlint
+    apt-get autoclean && apt-get autoremove && rm -rf /var/cache/apt/archives/*
+
+# Create an isolated Python virtual environment.
+RUN python3 -m venv /venv
+ENV PATH="/venv/bin:$PATH"
+
+# Install gitlint inside the virtual environment for linting Git commits.
+RUN pip install gitlint
 
 ENV HOME="/root"
 ENV GOPATH="/go"

@@ -123,10 +123,10 @@ unsafe impl Send for Tree {}
 impl Tree {
     /// Construct a new tree instance using the given read syncer and options struct.
     pub fn new(read_syncer: Box<dyn ReadSync>, opts: &Options) -> Tree {
-        let root_type = if opts.root.is_none() {
-            opts.root_type.unwrap()
+        let root_type = if let Some(root) = opts.root {
+            root.root_type
         } else {
-            opts.root.unwrap().root_type
+            opts.root_type.unwrap()
         };
         let tree = Tree {
             cache: RefCell::new(LRUCache::new(

@@ -1,4 +1,4 @@
 [toolchain]
-channel = "nightly-2025-06-23"
+channel = "nightly-2026-01-01"
 targets = ["x86_64-fortanix-unknown-sgx"]
 components = ["clippy", "rustfmt"]