Here's what the Infrastructure Team delivered in Q2 2026 and what we're focusing on in Q3.
You can find the previous blog post of this series here.
Q2 2026 Accomplishments
GitHub Rulesets are now the default protections
We migrated the rust-lang/rust repository to
GitHub Rulesets
and finished moving off the legacy GitHub branch protections. Rulesets are
now the default way to configure protections for rust-lang repositories through
team.
GitHub apps are now enabled through team
We re-enabled
the ability to install GitHub apps in rust-lang repositories through team.
This improves the developer experience
for contributors and reduces the operational overload for Infrastructure Team members.
Shared Renovate Presets
Renovate is the tool the Infrastructure Team recommends to the Project for keeping dependencies and GitHub Actions up to date.
We created shared Renovate presets
to simplify the Renovate configurations of the rust-lang repositories.
These presets aim to get
the benefits of dependency updates while minimizing the number of PRs to review.
We also documented
how to adopt Renovate in repositories.
Code security for rust-lang repositories
As part of our security work, we enabled GitHub Secret Scanning
for all rust-lang repositories. We triaged all alerts tagged as leaked secrets
and confirmed that they were false positives.
In addition, in collaboration with the crates.io team, we started experimenting with Datadog Code Security to get additional visibility into security issues inferred directly from source files. We documented how to opt into this feature, and we want to try it with more repositories in the future. This work is a follow-up of the Rust Foundation partnership with Datadog.
New GitHub Actions runners powered by external hardware
We enabled new powerpc64 and RISC-V GitHub Actions runners for
rust-lang repositories. We also documented which external runners are powered
by external hardware and where they are used in rust-forge.
In addition, we created a new infrastructure guideline to help onboard external hardware into the Rust CI infrastructure.
Experiments with macos-26 on CI
We started experimenting with macos-26 in rust-lang/rust CI.
We created an additional CI job
and have been tracking how it performs. It's worth mentioning that GitHub will migrate
all macos-latest images to macos-26 in June and July.
CI dashboard available again
In December 2024, we created
a Datadog dashboard to track CI visibility for the
rust-lang/rust repository. It proved very
valuable, but we had to remove
it because its cost was not sustainable.
Now that the Rust Foundation is part of Datadog's Open Source Program, we enabled it again.
In the past, the dashboard helped us track the top failing jobs, slowest jobs, and overall pipeline duration over time. We expect it to be just as useful going forward.
Hardware Security Keys for critical infrastructure access
We introduced official support for hardware keys as part of the Rust infrastructure security processes. We created a policy mandating multi-factor authentication with hardware keys for people and teams with access to systems considered critical, and in partnership with Yubico we empowered Rust Project members with YubiKeys.
We also documented how Project members can configure these devices for existing use cases. We want to expand this support further, enabling new ways to use the keys.
Partnership with Canonical and Ubuntu Pro for EC2 instances
As a follow-up to Canonical joining the Rust Foundation in March, we got access to Ubuntu Pro licenses and applied them to our EC2 instances, including the instance running docs.rs.
We improved our Infrastructure as Code setup to apply these changes, so that Ubuntu Pro will be enabled by default even in future instances.
Faster mergeability checks in Bors
We switched from GitHub's REST API to the GraphQL API and cut Bors pull request mergeability check times from an average of 30 minutes to just 1 minute.
Add the concept of community reviews before PR assignment
As part of multiple discussions that happened during the 2026 All-hands, the Clippy team asked the Triagebot team to be able to delay the assignment of a reviewer until one or multiple community reviews were done.
That work was carried out in triagebot#2426 (docs) and has just been enabled in the Clippy repository.
Reintroduce delegation approval for merge queue repositories
When we switched our repositories to GitHub merge queues instead of bors (our custom merging bot), we lost the ability to delegate approval on behalf of the reviewer.
That functionality is quite useful when there are only some nits left and the reviewer feels confident about the author's ability to resolve them without having to re-review and approve the changes.
Work was carried out in triagebot#2412 and triagebot#2436 to add such functionality back. It's currently only enabled in the Clippy repository:
@rustbot delegate[=@handle]@rustbot merge
Continue supporting the moderation team with locking/unlocking of issues
As part of the effort to help the moderation team better moderate issues and pull requests in our different repositories and organizations, triagebot gained support for locking and unlocking an issue/PR from a GitHub command and Zulip DM.
Quality of life improvements in our range-diff viewer for GitHub PRs
We landed multiple quality of life improvements in our range-diff viewer for GitHub PRs.
Filtering of context-only hunks
As part of our range-diff, we try as much as possible to only show the relevant parts of a diff. Context changes (lines that changed on main only) are not relevant, and we made a significant effort to filter them out from the shown diff.
More details are available in triagebot#2398.
Commit messages diff
Our range-diff now shows the list of commits and diffs them with the previous ones.
New commits:
Warning against Unicode Bidi characters
Following what GitHub does when it detects Unicode Bidi characters in a PR diff, we now also warn since triagebot#2440.
Small tweaks to the triagebot
A new triagebot command to assign a priority value to regressions directly from Zulip, useful when doing triage. Example:
@**triagebot** assign-priority 123456 high
Minor tweaks (in b1e783a2 and 6611570e) to the triagebot backport and user-info commands, which now support shorter variants:
# Supported syntaxes for the `backport` command
@**triagebot** backport accept beta 123456
@**triagebot** backport accept beta
@**triagebot** backport accept
# Supported syntaxes for the `user-info` command
@**triagebot** user-info https://www.github.com/apiraino
@**triagebot** user-info apirainoQ3 2026 Plans
Finish leftover work from Q2
In Q3, we will continue working on some of the things we could not finish in Q2:
- Improve access controls for Rust infrastructure with SAML SSO.
- Modernize the docs.rs infrastructure.
Improve GitHub Actions security
We've been actively working on GitHub Actions security through our Outreachy mentorship program. This effort started in April when we adopted zizmor as a Static Application Security Testing solution for GitHub Actions in some of our repositories.
As a follow-up of one of our Rust All-Hands sessions, we started working on a
system to foster zizmor auditing and progressive adoption across the rust-lang
organization.
Move mailing lists from Mailgun to Google Groups to reduce spam
As a follow-up to setting up the Google Workspace for the Rust Project,
we want to evaluate whether Google Groups can reduce spam for existing mailing
lists, which are currently managed through Mailgun. We want to keep the same
developer experience by provisioning these new mailing lists through team.
If the results are satisfactory, we will also migrate existing lists.
Consolidate logs on Datadog
As part of our efforts to improve observability, we want to consolidate all log
management in Datadog. Next, we want to push logs from all services into
it, including those from our bots (triagebot, bors, etc).
Reduce reliance on external resources in CI
We want rust-lang/rust CI to depend less on third-party services during builds
and tests. When CI downloads required artifacts from external sources,
an outage in those services can cause failures unrelated to Rust itself.
To make CI more reliable, we plan to mirror more of those artifacts in the Rust project's CI mirrors.
Stricter networking access rules for crater agents
As discussed during the Rust All-Hands, we want to improve the security of crater agents by isolating their network access.
Start planning for GitHub REST API upgrade
The current GitHub REST API version ("2022-11-28") will be deprecated in about 2 years (see the GitHub announcement). We pinpointed it in our GitHub client and plan to start testing the new version ("2026-03-10") and see what it breaks.
Join us
If you're interested in contributing to Rust's infrastructure, have a look at the infra-team repository to learn more about us and reach out on Zulip.
We are always looking for new contributors!