spin
Spin is the open source developer tool for building and running serverless applications powered by WebAssembly.
APACHE-2.0 License
Bot releases are visible (Hide)
This is a "canary" release of the most recent commits on our main branch. Canary is not stable.
It is only intended for developers wishing to try out the latest features in Spin, some of which may not be fully implemented.
Published by github-actions[bot] about 2 months ago
This is a "canary" release of the most recent commits on our main branch. Canary is not stable.
It is only intended for developers wishing to try out the latest features in Spin, some of which may not be fully implemented.
Published by github-actions[bot] about 2 months ago
This is a "canary" release of the most recent commits on our main branch. Canary is not stable.
It is only intended for developers wishing to try out the latest features in Spin, some of which may not be fully implemented.
Published by github-actions[bot] about 2 months ago
This is a "canary" release of the most recent commits on our main branch. Canary is not stable.
It is only intended for developers wishing to try out the latest features in Spin, some of which may not be fully implemented.
Published by github-actions[bot] 2 months ago
This is a "canary" release of the most recent commits on our main branch. Canary is not stable.
It is only intended for developers wishing to try out the latest features in Spin, some of which may not be fully implemented.
Published by github-actions[bot] 3 months ago
Spin v2.7.0
The v2.7.0 release of Spin brings a number of features, improvements, and bug fixes.
Some highlights in v2.7.0 at a glance:
โจ Features
- Added support for client certificate-based authentication and custom root CA in outbound requests for HTTP triggers, with a new
client_tlsruntime configuration option. (PR #2596 ) - Azure CosmosDB key value implementation support for workload identity (PR #2566) Thanks, @devigned, for your first contribution ๐
๐ Spin Governance and Documentation
- Governance Updates: Implemented a new SIP for governance changes and updated documentation to reflect substantial changes in project governance procedures. ( PR #2593)
-
Documentation Enhancements: Revised
release-process.mdto include a notes template, and addedMAINTAINERS.mdfor clarity on project maintainers. (PR #2622, PR #2683) - Code of Conduct: Integrated Fermyon's Code of Conduct into the project's documentation. (PR #2691)
๐งช Better Test Coverage
- Expanded Test Coverage: Added key-value and Redis tests to conformance checks to ensure broader validation of functionalities. (PR #2591, PR #2603)
- TCP Runtime Tests Fixes: Resolved issues with TCP runtime tests to ensure accurate performance assessment. (PR #2608)
-
Template Manager Testing: Improved the test setups for
TemplateManagers, including deduplicating test code to streamline testing processes. (PR #2657)
๐ฉน Fixes and Improvement
- CI Fixes: Addressed issues with CI integration tests and updated dependencies for conformance testing to stabilize the build process. (PR #2614, PR #2669)
- Rust and Clippy Compatibility: Applied changes to maintain compatibility with Rust 1.79, 1.80 and address Clippy lint warnings. (PR #2569, PR #2680)
- Improved error handling to provide clearer messages for registry component issues and refined the behavior of the
spin newcommand. (PR #2634) - Follow OCI standards by inferring predefined annotation when pushed to the registry (PR #2618)
- Better handling when the file path is outside root (PR #2574) and if the file is missing (PR #2674)
- Improve OTel error logging #2572
As always, thanks to contributors old and new for helping improve Spin on a daily basis! ๐
Verifying the Release Signature
After downloading the release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.
First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:
cosign verify-blob \
--signature spin.sig --certificate crt.pem \
--certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.7.0 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-sha a11151706449fa1ba39bfe96597fe1041438dc67 \
--certificate-github-workflow-repository fermyon/spin \
spin
If the verification passed, you should see:
Verified OK
Full Changelog
- Add deprecation warning for uncomponentizable modules by @lann in https://github.com/fermyon/spin/pull/2571
- Update README with Spin Project meeting information by @mikkelhegn in https://github.com/fermyon/spin/pull/2576
- fix: add error message when file path outside root by @me-diru in https://github.com/fermyon/spin/pull/2574
- Fix warnings introduced by new Rust 1.79 release by @rylev in https://github.com/fermyon/spin/pull/2569
- Fix typo in meeting info by @itowlson in https://github.com/fermyon/spin/pull/2581
- Improve OTel error logging by @calebschoepp in https://github.com/fermyon/spin/pull/2572
- chore(*): post-2.6.0 release bumps by @vdice in https://github.com/fermyon/spin/pull/2586
- Upgrade to wasmtime 22.0.0 by @lann in https://github.com/fermyon/spin/pull/2587
- Bump wasm-pkg-loader to 0.4.1 by @fibonacci1729 in https://github.com/fermyon/spin/pull/2588
- Remove duplicate crate definitions in Cargo.lock by @rylev in https://github.com/fermyon/spin/pull/2592
- docs(Makefile): fix comment typos by @vdice in https://github.com/fermyon/spin/pull/2594
- Update from's help output for the up subcommand by @tpmccallum in https://github.com/fermyon/spin/pull/2595
- Conformance Tests Update by @rylev in https://github.com/fermyon/spin/pull/2591
- Update conformance to include Redis and SQLite tests by @rylev in https://github.com/fermyon/spin/pull/2603
- Fix broken TCP runtime tests. by @rylev in https://github.com/fermyon/spin/pull/2608
- add support for client certs by @rajatjindal in https://github.com/fermyon/spin/pull/2596
- Infer predefined annotations when pushing to registry by @itowlson in https://github.com/fermyon/spin/pull/2618
- add SIP for governance.md by @michelleN in https://github.com/fermyon/spin/pull/2593
- docs(releasing): update release-process.md; add notes template by @vdice in https://github.com/fermyon/spin/pull/2622
- Better error if component from registry has regrettable version by @itowlson in https://github.com/fermyon/spin/pull/2634
- Improve non-interactive behaviour of
spin newby @itowlson in https://github.com/fermyon/spin/pull/2643 - Fixes watch rebuild loop if empty watch by @itowlson in https://github.com/fermyon/spin/pull/2642
- Deduplicate template tests by @itowlson in https://github.com/fermyon/spin/pull/2657
- Update conformance test version by @rylev in https://github.com/fermyon/spin/pull/2615
- Break circular dependency between
httpandtestingcrates by @itowlson in https://github.com/fermyon/spin/pull/2668 - Fix CI issue in integration tests by updating conformance-test dependency by @rylev in https://github.com/fermyon/spin/pull/2669
- Bump rustls from 0.22.3 to 0.22.4 by @dependabot in https://github.com/fermyon/spin/pull/2614
- Allow sqlite migrations for non-default databases. by @rylev in https://github.com/fermyon/spin/pull/2610
- Run conformance tests as part of runtime tests by @rylev in https://github.com/fermyon/spin/pull/2663
- Revert "Run conformance tests as part of runtime tests" by @rylev in https://github.com/fermyon/spin/pull/2671
- Add support for workload identity in the Azure CosmosDB Key/Value impl by @devigned in https://github.com/fermyon/spin/pull/2566
- Tell user which file we failed to read by @itowlson in https://github.com/fermyon/spin/pull/2674
- Summarise plugins list by @itowlson in https://github.com/fermyon/spin/pull/2662
- Retry running conformance tests as part of runtime tests by @rylev in https://github.com/fermyon/spin/pull/2675
- Changes need to make Rust and Clippy happy on Rust 1.80 by @rylev in https://github.com/fermyon/spin/pull/2680
- trigger: Tweak wording of AOT compilation code by @lann in https://github.com/fermyon/spin/pull/2682
- add MAINTAINERS.md by @michelleN in https://github.com/fermyon/spin/pull/2683
- [COC]: Embed content from Fermyon COC by @endocrimes in https://github.com/fermyon/spin/pull/2691
- Bump versions for v2.7 release by @me-diru in https://github.com/fermyon/spin/pull/2694
New Contributors
- @devigned made their first contribution in https://github.com/fermyon/spin/pull/2566
Full Changelog: https://github.com/fermyon/spin/compare/v2.6.0...v2.7.0
Published by github-actions[bot] 3 months ago
This is a "canary" release of the most recent commits on our main branch. Canary is not stable.
It is only intended for developers wishing to try out the latest features in Spin, some of which may not be fully implemented.
Published by github-actions[bot] 4 months ago
This is a "canary" release of the most recent commits on our main branch. Canary is not stable.
It is only intended for developers wishing to try out the latest features in Spin, some of which may not be fully implemented.
Published by github-actions[bot] 4 months ago
This is a "canary" release of the most recent commits on our main branch. Canary is not stable.
It is only intended for developers wishing to try out the latest features in Spin, some of which may not be fully implemented.
Published by github-actions[bot] 4 months ago
This is a "canary" release of the most recent commits on our main branch. Canary is not stable.
It is only intended for developers wishing to try out the latest features in Spin, some of which may not be fully implemented.
Published by github-actions[bot] 4 months ago
Spin 2.6.0
The 2.6.0 release of Spin brings a number of features, improvements and bug fixes. There are also a few notable deprecations and breaking changes.
๐ Some highlights in 2.6.0 at a glance
- Dynamic detection of support for Wasmtime's pooling allocator: https://github.com/fermyon/spin/pull/2508
- Components in a Spin App manifest can now be referenced by registry: https://github.com/fermyon/spin/pull/2524
- Spin can now run a wasm file as a Spin App without requiring a manifest: https://github.com/fermyon/spin/pull/2479
- Spin's listening address can now be overidden via
SPIN_HTTP_LISTEN_ADDR: https://github.com/fermyon/spin/pull/2547 - Spin's data directory can now be overidden via
SPIN_DATA_DIR: https://github.com/fermyon/spin/pull/2568
๐ Notable fixes
- Validation of the Spin App manifest at build-time: https://github.com/fermyon/spin/pull/2527
- Validation of variable keys at build-time: https://github.com/fermyon/spin/pull/2530
- Ensure the Spin application name is in kebab-case: https://github.com/fermyon/spin/pull/2531 (Thank you @brehen!)
- Fixes issues around
spin watchbuild exclusions: https://github.com/fermyon/spin/pull/2554
๐ Miscellaneous
- Wasmtime has been upgraded to 21.0.1: https://github.com/fermyon/spin/pull/2531
โ ๏ธ Deprecations
- Wasm modules compiled with wasi-sdk version < 19 are likely to contain a critical memory safety bug.
Spin has deprecated execution of these modules and they will stop working in a future release.
For more information, see: https://github.com/fermyon/spin/issues/2552
๐จ Breaking changes
- The upgrade to wasmtime 21 includes a breaking change to how headers are handled.
Spin app guest modules can no longer set theHostheader on outbound requests: https://github.com/fermyon/spin/issues/2575
As always, thanks to contributors old and new for helping improve Spin on a daily basis! ๐
Verifying the Release Signature
After downloading the 2.6.0 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.
First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:
cosign verify-blob \
--signature spin.sig --certificate crt.pem \
--certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.6.0 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-sha a4ddd3921d9ea3d694774858408e918f3e5cec60 \
--certificate-github-workflow-repository fermyon/spin \
spin
If the verification passed, you should see:
Verified OK
Full changelog
- ref(*): Standardize on using tracing::* instead of tracing::log::* by @calebschoepp in https://github.com/fermyon/spin/pull/2498
- fix(docs): update release process to remove
spin-macroconsideration by @kate-goldenring in https://github.com/fermyon/spin/pull/2500 - Bump version to v2.6.0-pre0 by @kate-goldenring in https://github.com/fermyon/spin/pull/2499
- ref(telemetry): Provide the abililty to turn off the tracing-log compat layer in tracing-subscriber dep of telemetry by @calebschoepp in https://github.com/fermyon/spin/pull/2501
-
spin templates install: allow--repoby @itowlson in https://github.com/fermyon/spin/pull/2504 -
spin templates install: allow repo name instead of URL by @itowlson in https://github.com/fermyon/spin/pull/2505 - Dynamically detect support for Wasmtime's pooling allocator by @alexcrichton in https://github.com/fermyon/spin/pull/2508
- Update Wasmtime to 20.0.2 by @alexcrichton in https://github.com/fermyon/spin/pull/2512
- Lift http handler type discovery up a layer by @alexcrichton in https://github.com/fermyon/spin/pull/2373
- feat(oci/client.rs): add registry_from_input helper by @vdice in https://github.com/fermyon/spin/pull/2513
- Update to Wasmtime 21.0.0 by @alexcrichton in https://github.com/fermyon/spin/pull/2521
- feat(telemetry): Add a compatibility layer that emits app logs as tracing events. by @calebschoepp in https://github.com/fermyon/spin/pull/2511
- Try to load manifest during
spin buildby @itowlson in https://github.com/fermyon/spin/pull/2527 - Load components from a registry by @itowlson in https://github.com/fermyon/spin/pull/2524
- ref(oci/client): update unpack_archive_layer to take cache; make pub by @vdice in https://github.com/fermyon/spin/pull/2523
- Run a Wasm file as an application without a manifest by @itowlson in https://github.com/fermyon/spin/pull/2479
- Validate variable keys as part of schema by @itowlson in https://github.com/fermyon/spin/pull/2530
- fix(templates/../spin.toml): skewer spin application name like a kebab by @brehen in https://github.com/fermyon/spin/pull/2531
-
spin build: build inline components by @itowlson in https://github.com/fermyon/spin/pull/2533 - feat(telemetry): Send logs to OTel collector directly using OTel libraries by @calebschoepp in https://github.com/fermyon/spin/pull/2516
- Upgrade to wasmtime 21.0.1 by @lann in https://github.com/fermyon/spin/pull/2538
- chore(loader): bump wasm-pkg-tools by @vdice in https://github.com/fermyon/spin/pull/2539
- feat(oci): add env var to force use of archive layers on push by @vdice in https://github.com/fermyon/spin/pull/2540
- allow overriding listen addr using env variable by @rajatjindal in https://github.com/fermyon/spin/pull/2547
- Strip trailing slash in
allowed_outbound_hostsconfig. by @rylev in https://github.com/fermyon/spin/pull/2548 - fix
StoreBuilder::inherit_limited_networkby @dicej in https://github.com/fermyon/spin/pull/2541 - Fix exclusions in
build.watchgetting applied to all components by @itowlson in https://github.com/fermyon/spin/pull/2554 - Don't prompt to install templates if not interactive by @itowlson in https://github.com/fermyon/spin/pull/2558
- Run conformance tests by @rylev in https://github.com/fermyon/spin/pull/2542
- Update conformance test by @rylev in https://github.com/fermyon/spin/pull/2562
- Override local data directory via env variable by @itowlson in https://github.com/fermyon/spin/pull/2568
- [Backport v2.6] Add deprecation warning for uncomponentizable modules by @vdice in https://github.com/fermyon/spin/pull/2578
- chore(release): bumps for 2.6 release by @vdice in https://github.com/fermyon/spin/pull/2573
New Contributors
- @brehen made their first contribution in https://github.com/fermyon/spin/pull/2531
Full Changelog: https://github.com/fermyon/spin/compare/v2.5.1...v2.6.0
Published by github-actions[bot] 5 months ago
This is a "canary" release of the most recent commits on our main branch. Canary is not stable.
It is only intended for developers wishing to try out the latest features in Spin, some of which may not be fully implemented.
Published by github-actions[bot] 5 months ago
This is a "canary" release of the most recent commits on our main branch. Canary is not stable.
It is only intended for developers wishing to try out the latest features in Spin, some of which may not be fully implemented.
Published by github-actions[bot] 5 months ago
Spin 2.5.1
This is a patch release to disable a tracing-subscriber crate feature that was breaking spin_telemetry support in downstream projects.
Verifying the Release Signature ๐
After downloading the v2.5.1 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.
First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:
cosign verify-blob \
--signature spin.sig --certificate crt.pem \
--certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.5.1 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository fermyon/spin \
spin
If the verification passed, you should see:
Verified OK
Full Changelog: https://github.com/fermyon/spin/compare/v2.5.0...v2.5.1
Published by github-actions[bot] 5 months ago
This is a "canary" release of the most recent commits on our main branch. Canary is not stable.
It is only intended for developers wishing to try out the latest features in Spin, some of which may not be fully implemented.
Published by github-actions[bot] 6 months ago
Spin v2.5
The v2.5 release of Spin brings a number of features, improvements and bug fixes.
Some highlights in v2.5.0 at a glance:
- Support for application-internal private endpoints, which allows you to avoid exposing internal components on public routes while still splitting them out to their own microservices. https://github.com/fermyon/spin/pull/2418
- Spin now allows you to specify routes with more granularity https://github.com/fermyon/spin/pull/2464
- Improved support for OpenTelemetry https://github.com/fermyon/spin/pull/2463
- Azure Key Vault Application Variable Provider https://github.com/fermyon/spin/pull/2472
As always, thanks to contributors old and new for helping improve Spin on a daily basis! ๐
Verifying the Release Signature
After downloading the 2.5.0 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.
First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:
cosign verify-blob \
--signature spin.sig --certificate crt.pem \
--certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.5.0 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository fermyon/spin \
spin
If the verification passed, you should see:
Verified OK
What's Changed
- chore(release): update versions for v2.5.0-pre0 by @kate-goldenring in https://github.com/fermyon/spin/pull/2400
- ci: Run macos builds on M1 by @lann in https://github.com/fermyon/spin/pull/2404
- Improved rumqttc event loop check. by @suneetnangia in https://github.com/fermyon/spin/pull/2362
- Add recent SIPs to the index document by @tschneidereit in https://github.com/fermyon/spin/pull/2403
- chore(trigger-http): bump tls-listener by @vdice in https://github.com/fermyon/spin/pull/2409
- feat(oci): deduplicate layers prior to push; archive if needed by @vdice in https://github.com/fermyon/spin/pull/2395
- feat(oci): set token expiration for oci client by @vdice in https://github.com/fermyon/spin/pull/2417
- feat: add support for setting the pushed oci image manifest annotations by @rgl in https://github.com/fermyon/spin/pull/2254
- feat(*): Add tracing to some more host components by @calebschoepp in https://github.com/fermyon/spin/pull/2398
- use template from
v2.0branch ofspin-python-sdkin test by @dicej in https://github.com/fermyon/spin/pull/2421 - Fix outbound-mqtt bug with QoS 2 by @fibonacci1729 in https://github.com/fermyon/spin/pull/2420
- Rationalise plugin install prompts by @itowlson in https://github.com/fermyon/spin/pull/2412
- Warn when sending bare 404 response by @itowlson in https://github.com/fermyon/spin/pull/2410
- Private endpoints by @itowlson in https://github.com/fermyon/spin/pull/2418
- Accept runtime config in either JSON or TOML by @lann in https://github.com/fermyon/spin/pull/2427
- build(deps): bump h2 from 0.3.24 to 0.3.26 by @dependabot in https://github.com/fermyon/spin/pull/2430
- ci(dispatch.yml): dispatch to fermyon/homebrew-tap by @vdice in https://github.com/fermyon/spin/pull/2428
- ci(release): fix dispatch conditional by @vdice in https://github.com/fermyon/spin/pull/2434
- chore(spin-timer): bump whoami per GHSA-w5w5-8vfh-xcjq by @vdice in https://github.com/fermyon/spin/pull/2431
- chore(*): bump h2 per GHSA-q6cp-qfwq-4gcv by @vdice in https://github.com/fermyon/spin/pull/2432
- ci(build/release): restore mac amd64 builds by @vdice in https://github.com/fermyon/spin/pull/2435
- Trace some more host components by @calebschoepp in https://github.com/fermyon/spin/pull/2437
- Trace db host components by @calebschoepp in https://github.com/fermyon/spin/pull/2439
- style(linting): Fix some linting rules by @calebschoepp in https://github.com/fermyon/spin/pull/2442
- Update Rust templates and bump Spin SDK version from 2.2.0 to 3.0.1 by @ThorstenHans in https://github.com/fermyon/spin/pull/2445
- Option to suppress plugin on-run compatibility warnings by @itowlson in https://github.com/fermyon/spin/pull/2426
- Review new dependencies for known vulnerabilities by @itowlson in https://github.com/fermyon/spin/pull/2440
- Add that Python SDK does support Redis Trigger by @tpmccallum in https://github.com/fermyon/spin/pull/2429
- ci(build.yml): gate dependency review on PRs only by @vdice in https://github.com/fermyon/spin/pull/2450
- ref(*): Refactor host components to avoid returning Result<Result> if they don't trap by @calebschoepp in https://github.com/fermyon/spin/pull/2433
- Don't print plugin prerelease warning in middle of help by @itowlson in https://github.com/fermyon/spin/pull/2452
- Trigger tracing by @calebschoepp in https://github.com/fermyon/spin/pull/2441
- Allow template to have tmpl extension by @rylev in https://github.com/fermyon/spin/pull/2456
- Summarise runtime config by @itowlson in https://github.com/fermyon/spin/pull/2453
- Bikeshed private endpoint UI by @itowlson in https://github.com/fermyon/spin/pull/2451
- Add Redis components to existing app by @itowlson in https://github.com/fermyon/spin/pull/2446
- ref(outbound-http): Add a small hack to improve the tracing of outbound http requests through spin core by @calebschoepp in https://github.com/fermyon/spin/pull/2459
- Check for illegal file name when copying single file by @itowlson in https://github.com/fermyon/spin/pull/2460
- feat(telemetry): Make telemetry support http/protobuf protocol in addition to grpc protocol by @calebschoepp in https://github.com/fermyon/spin/pull/2463
- Refactor expressions
Resolverto provide sync API by @rylev in https://github.com/fermyon/spin/pull/2458 - fixed logic in spin doctor to display 'No problems found' properly by @garikAsplund in https://github.com/fermyon/spin/pull/2466
- Setup a docker compose file that creates an o11y stack for Spin to use by @calebschoepp in https://github.com/fermyon/spin/pull/2465
- chore(crates): address lint errs when rust is at 1.77+ by @vdice in https://github.com/fermyon/spin/pull/2474
- added local_addr() to listeners to display random port numbers by @garikAsplund in https://github.com/fermyon/spin/pull/2473
- Don't attempt to cancel workflow if lints fail by @itowlson in https://github.com/fermyon/spin/pull/2476
- Taking a first crack at implementing metrics by @calebschoepp in https://github.com/fermyon/spin/pull/2475
- Add SIP for configuring and emitting observability by @calebschoepp in https://github.com/fermyon/spin/pull/2303
- Granular route matching by @itowlson in https://github.com/fermyon/spin/pull/2464
- Fix
watchnot picking up manifest changes by @itowlson in https://github.com/fermyon/spin/pull/2481 - feat: Add Azure Key Vault Variable Provider by @ThorstenHans in https://github.com/fermyon/spin/pull/2472
- core: Add note to find_host_component_handle docs by @lann in https://github.com/fermyon/spin/pull/2484
- telemetry: Nicen layer return types by @lann in https://github.com/fermyon/spin/pull/2488
- Fix incorrect base passed in service chaining by @itowlson in https://github.com/fermyon/spin/pull/2489
- Fix 1.78 lints by @itowlson in https://github.com/fermyon/spin/pull/2491
- Update version for v2.5.0 release by @kate-goldenring in https://github.com/fermyon/spin/pull/2497
New Contributors
- @rgl made their first contribution in https://github.com/fermyon/spin/pull/2254
- @garikAsplund made their first contribution in https://github.com/fermyon/spin/pull/2466
Full Changelog: https://github.com/fermyon/spin/compare/v2.4.3...v2.5.0
Published by github-actions[bot] 6 months ago
Spin 2.4.3
This is a security patch release to resolve https://github.com/fermyon/spin/security/advisories/GHSA-f3h7-gpjj-wcvh
Fix: ed8a665fb92e23402f8c321573d353b84f8c29aa
Verifying the Release Signature ๐
After downloading the v2.4.3 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.
First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:
cosign verify-blob \
--signature spin.sig --certificate crt.pem \
--certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.4.3 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository fermyon/spin \
spin
If the verification passed, you should see:
Verified OK
Addendum: Due to https://github.com/fermyon/spin/issues/2502, the spin-v2.4.3-macos-amd64.tar.gz archive has been rebuilt, signed and uploaded manually.
The user identity that signed the artifact is @vdice via GitHub OAuth, so the full verification command is as follows:
cosign verify-blob \
--signature spin.sig \
--certificate crt.pem \
--certificate-identity [email protected] \
--certificate-oidc-issuer https://github.com/login/oauth \
spin
Full Changelog: https://github.com/fermyon/spin/compare/v2.4.2...v2.4.3
Published by github-actions[bot] 6 months ago
This is a "canary" release of the most recent commits on our main branch. Canary is not stable.
It is only intended for developers wishing to try out the latest features in Spin, some of which may not be fully implemented.
Published by github-actions[bot] 6 months ago
This is a "canary" release of the most recent commits on our main branch. Canary is not stable.
It is only intended for developers wishing to try out the latest features in Spin, some of which may not be fully implemented.
Published by github-actions[bot] 6 months ago
This is a "canary" release of the most recent commits on our main branch. Canary is not stable.
It is only intended for developers wishing to try out the latest features in Spin, some of which may not be fully implemented.