Skip to content

Releases: fermyon/spin

canary

27 Nov 18:48
666faa9
Compare
Choose a tag to compare
canary Pre-release
Pre-release

This is a "canary" release of the most recent commits on our main branch. Canary is not stable.
It is only intended for developers wishing to try out the latest features in Spin, some of which may not be fully implemented.

v3.0.0

08 Nov 01:00
v3.0.0
737778e
Compare
Choose a tag to compare

Spin v3.0.0

We're excited to announce the next major version of Spin! Welcome to Spin 3.0. 🚀

This release includes:

  • Component dependency support
  • Selective application deployments
  • Integration with the latest upstream WASI standards
  • A refactored runtime capability framework
  • And many other improvements, fixes and updates

Read on for more details below...

Breaking Changes ⚠️

Note that there are breaking changes included in this release that may affect some applications.

Please see our dedicated migration doc for more information.

Features ✨

Component Dependencies

Spin v3 ships with first-class support for declaring and using cross-language component dependencies in your Spin application.

Say you've authored an AWS S3 client in Rust and would like to use it in your Javascript-based Spin app -
you can now express the S3 component as a dependency and harness its functionality in your application code.
In a similar manner, components distributed by other developers can be added as dependencies, no matter the original language.
As long as they are available via a compatible registry reference or http url, you'll be able to declare them as dependencies in your app.

  • The Writing Apps doc has been updated with details around this new feature

Selective Deployments

To support real-world production deployments, Spin app developers can take the same app that they've run locally
and alter its deployment configuration when shipping to production infrastructure. For example, the API and frontends
might be deployed to edge nodes closer to end users while the database component might be deployed to a dedicated
VM in a certain cloud region.

Spin Factors

For platform engineers who want to host and customize Spin, the runtime capability code has been fully refactored
into what we call Spin Factors. These Factors allow for runtime implementations to select the capabilities they wish to provide,
without being tightly coupled to other capabilities or aspects of the Spin codebase they may not require.

Upstream WASI standards

Spin continues to incorporate the latest upstream WASI standards. A few notable updates in v3 include:

Other notable features

As always, thanks to contributors old and new for helping improve Spin on a daily basis! 🎉

Verifying the Release Signature

After downloading the v3.0.0 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v3.0.0 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-sha 737778e9d7dc1a7f590a398d2734ff0cc91002f0 \
    --certificate-github-workflow-repository fermyon/spin \
    spin

If the verification passed, you should see:

Verified OK

Full Changelog

Read more

v3.0.0-rc.1

05 Nov 01:01
v3.0.0-rc.1
12ef939
Compare
Choose a tag to compare
v3.0.0-rc.1 Pre-release
Pre-release

What's Changed

Read more

v2.7.0

31 Jul 21:08
v2.7.0
a111517
Compare
Choose a tag to compare

Spin v2.7.0

The v2.7.0 release of Spin brings a number of features, improvements, and bug fixes.

Some highlights in v2.7.0 at a glance:

✨ Features

  • Added support for client certificate-based authentication and custom root CA in outbound requests for HTTP triggers, with a new client_tls runtime configuration option. (PR #2596 )
  • Azure CosmosDB key value implementation support for workload identity (PR #2566) Thanks, @devigned, for your first contribution 💟

🌐 Spin Governance and Documentation

  • Governance Updates: Implemented a new SIP for governance changes and updated documentation to reflect substantial changes in project governance procedures. ( PR #2593)
  • Documentation Enhancements: Revised release-process.md to include a notes template, and added MAINTAINERS.md for clarity on project maintainers. (PR #2622, PR #2683)
  • Code of Conduct: Integrated Fermyon's Code of Conduct into the project's documentation. (PR #2691)

🧪 Better Test Coverage

  • Expanded Test Coverage: Added key-value and Redis tests to conformance checks to ensure broader validation of functionalities. (PR #2591, PR #2603)
  • TCP Runtime Tests Fixes: Resolved issues with TCP runtime tests to ensure accurate performance assessment. (PR #2608)
  • Template Manager Testing: Improved the test setups for TemplateManagers, including deduplicating test code to streamline testing processes. (PR #2657)

🩹 Fixes and Improvement

  • CI Fixes: Addressed issues with CI integration tests and updated dependencies for conformance testing to stabilize the build process. (PR #2614, PR #2669)
  • Rust and Clippy Compatibility: Applied changes to maintain compatibility with Rust 1.79, 1.80 and address Clippy lint warnings. (PR #2569, PR #2680)
  • Improved error handling to provide clearer messages for registry component issues and refined the behavior of the spin new command. (PR #2634)
  • Follow OCI standards by inferring predefined annotation when pushed to the registry (PR #2618)
  • Better handling when the file path is outside root (PR #2574) and if the file is missing (PR #2674)
  • Improve OTel error logging #2572

As always, thanks to contributors old and new for helping improve Spin on a daily basis! 🎉

Verifying the Release Signature

After downloading the release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.7.0 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-sha a11151706449fa1ba39bfe96597fe1041438dc67 \
    --certificate-github-workflow-repository fermyon/spin \
    spin

If the verification passed, you should see:

Verified OK

Full Changelog

New Contributors

Full Changelog: v2.6.0...v2.7.0

v2.6.0

20 Jun 18:35
v2.6.0
a4ddd39
Compare
Choose a tag to compare

Spin 2.6.0

The 2.6.0 release of Spin brings a number of features, improvements and bug fixes. There are also a few notable deprecations and breaking changes.

🚀 Some highlights in 2.6.0 at a glance

  • Dynamic detection of support for Wasmtime's pooling allocator: #2508
  • Components in a Spin App manifest can now be referenced by registry: #2524
  • Spin can now run a wasm file as a Spin App without requiring a manifest: #2479
  • Spin's listening address can now be overidden via SPIN_HTTP_LISTEN_ADDR: #2547
  • Spin's data directory can now be overidden via SPIN_DATA_DIR: #2568

🐞 Notable fixes

  • Validation of the Spin App manifest at build-time: #2527
  • Validation of variable keys at build-time: #2530
  • Ensure the Spin application name is in kebab-case: #2531 (Thank you @brehen!)
  • Fixes issues around spin watch build exclusions: #2554

💅 Miscellaneous

  • Wasmtime has been upgraded to 21.0.1: #2531

⚠️ Deprecations

  • Wasm modules compiled with wasi-sdk version < 19 are likely to contain a critical memory safety bug.
    Spin has deprecated execution of these modules and they will stop working in a future release.
    For more information, see: #2552

🚨 Breaking changes

  • The upgrade to wasmtime 21 includes a breaking change to how headers are handled.
    Spin app guest modules can no longer set the Host header on outbound requests: #2575

As always, thanks to contributors old and new for helping improve Spin on a daily basis! 🎉

Verifying the Release Signature

After downloading the 2.6.0 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.6.0 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-sha a4ddd3921d9ea3d694774858408e918f3e5cec60 \
    --certificate-github-workflow-repository fermyon/spin \
    spin

If the verification passed, you should see:

Verified OK

Full changelog

  • ref(*): Standardize on using tracing::* instead of tracing::log::* by @calebschoepp in #2498
  • fix(docs): update release process to remove spin-macro consideration by @kate-goldenring in #2500
  • Bump version to v2.6.0-pre0 by @kate-goldenring in #2499
  • ref(telemetry): Provide the abililty to turn off the tracing-log compat layer in tracing-subscriber dep of telemetry by @calebschoepp in #2501
  • spin templates install: allow --repo by @itowlson in #2504
  • spin templates install: allow repo name instead of URL by @itowlson in #2505
  • Dynamically detect support for Wasmtime's pooling allocator by @alexcrichton in #2508
  • Update Wasmtime to 20.0.2 by @alexcrichton in #2512
  • Lift http handler type discovery up a layer by @alexcrichton in #2373
  • feat(oci/client.rs): add registry_from_input helper by @vdice in #2513
  • Update to Wasmtime 21.0.0 by @alexcrichton in #2521
  • feat(telemetry): Add a compatibility layer that emits app logs as tracing events. by @calebschoepp in #2511
  • Try to load manifest during spin build by @itowlson in #2527
  • Load components from a registry by @itowlson in #2524
  • ref(oci/client): update unpack_archive_layer to take cache; make pub by @vdice in #2523
  • Run a Wasm file as an application without a manifest by @itowlson in #2479
  • Validate variable keys as part of schema by @itowlson in #2530
  • fix(templates/../spin.toml): skewer spin application name like a kebab by @brehen in #2531
  • spin build: build inline components by @itowlson in #2533
  • feat(telemetry): Send logs to OTel collector directly using OTel libraries by @calebschoepp in #2516
  • Upgrade to wasmtime 21.0.1 by @lann in #2538
  • chore(loader): bump wasm-pkg-tools by @vdice in #2539
  • feat(oci): add env var to force use of archive layers on push by @vdice in #2540
  • allow overriding listen addr using env variable by @rajatjindal in #2547
  • Strip trailing slash in allowed_outbound_hosts config. by @rylev in #2548
  • fix StoreBuilder::inherit_limited_network by @dicej in #2541
  • Fix exclusions in build.watch getting applied to all components by @itowlson in #2554
  • Don't prompt to install templates if not interactive by @itowlson in #2558
  • Run conformance tests by @rylev in #2542
  • Update conformance test by @rylev in #2562
  • Override local data directory via env variable by @itowlson in #2568
  • [Backport v2.6] Add deprecation warning for uncomponentizable modules by @vdice in #2578
  • chore(release): bumps for 2.6 release by @vdice in #2573

New Contributors

Full Changelog: v2.5.1...v2.6.0

v2.5.1

14 May 18:35
v2.5.1
cba6773
Compare
Choose a tag to compare

Spin 2.5.1

This is a patch release to disable a tracing-subscriber crate feature that was breaking spin_telemetry support in downstream projects.

Verifying the Release Signature 🔏

After downloading the v2.5.1 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.5.1 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository fermyon/spin \
    spin

If the verification passed, you should see:

Verified OK

Full Changelog: v2.5.0...v2.5.1

v2.5.0

08 May 20:31
v2.5.0
83eb68d
Compare
Choose a tag to compare

Spin v2.5

The v2.5 release of Spin brings a number of features, improvements and bug fixes.

Some highlights in v2.5.0 at a glance:

  • Support for application-internal private endpoints, which allows you to avoid exposing internal components on public routes while still splitting them out to their own microservices. #2418
  • Spin now allows you to specify routes with more granularity #2464
  • Improved support for OpenTelemetry #2463
  • Azure Key Vault Application Variable Provider #2472

As always, thanks to contributors old and new for helping improve Spin on a daily basis! 🎉

Verifying the Release Signature

After downloading the 2.5.0 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.5.0 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository fermyon/spin \
    spin

If the verification passed, you should see:

Verified OK

What's Changed

New Contributors

Full Changelog: v2.4.3...v2.5.0

v2.4.3

08 May 15:15
v2.4.3
ed8a665
Compare
Choose a tag to compare

Spin 2.4.3

This is a security patch release to resolve GHSA-f3h7-gpjj-wcvh

Fix: ed8a665

Verifying the Release Signature 🔏

After downloading the v2.4.3 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.4.3 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository fermyon/spin \
    spin

If the verification passed, you should see:

Verified OK

Addendum: Due to #2502, the spin-v2.4.3-macos-amd64.tar.gz archive has been rebuilt, signed and uploaded manually.

The user identity that signed the artifact is @vdice via GitHub OAuth, so the full verification command is as follows:

cosign verify-blob \
  --signature spin.sig \
  --certificate crt.pem \
  --certificate-identity [email protected] \
  --certificate-oidc-issuer https://github.com/login/oauth \
  spin

Full Changelog: v2.4.2...v2.4.3

v2.4.2

04 Apr 01:42
v2.4.2
340378e
Compare
Choose a tag to compare

Spin 2.4.2

This is a patch release to fix a bug that was found in the outgoing-mqtt host component implementation when publishing messages with a QoS level of 2.

Verifying the Release Signature 🔏

After downloading the v2.4.2 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.4.2 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository fermyon/spin \
    spin

If the verification passed, you should see:

Verified OK

Full Changelog: v2.4.1...v2.4.2

v2.4.1

02 Apr 21:49
v2.4.1
59d17f7
Compare
Choose a tag to compare

Spin 2.4.1

This is a patch release to fix a bug that was found in the outgoing-mqtt host component implementation.

Verifying the Release Signature 🔏

After downloading the v2.4.1 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.4.1 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository fermyon/spin \
    spin

If the verification passed, you should see:

Verified OK

Full Changelog: v2.4.0...v2.4.1