canary

This is a "canary" release of the most recent commits on our main branch. Canary is not stable.
It is only intended for developers wishing to try out the latest features in Spin, some of which may not be fully implemented.

v2.5.1

Spin 2.5.1

This is a patch release to disable a tracing-subscriber crate feature that was breaking spin_telemetry support in downstream projects.

Verifying the Release Signature 🔏

After downloading the v2.5.1 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.5.1 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository fermyon/spin \
    spin

If the verification passed, you should see:

Verified OK

Full Changelog: v2.5.0...v2.5.1

v2.5.0

Spin v2.5

The v2.5 release of Spin brings a number of features, improvements and bug fixes.

Some highlights in v2.5.0 at a glance:

• Support for application-internal private endpoints, which allows you to avoid exposing internal components on public routes while still splitting them out to their own microservices. #2418
• Spin now allows you to specify routes with more granularity #2464
• Improved support for OpenTelemetry #2463
• Azure Key Vault Application Variable Provider #2472

As always, thanks to contributors old and new for helping improve Spin on a daily basis! 🎉

Verifying the Release Signature

After downloading the 2.5.0 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.5.0 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository fermyon/spin \
    spin

If the verification passed, you should see:

Verified OK

What's Changed

• chore(release): update versions for v2.5.0-pre0 by @kate-goldenring in #2400
• ci: Run macos builds on M1 by @lann in #2404
• Improved rumqttc event loop check. by @suneetnangia in #2362
• Add recent SIPs to the index document by @tschneidereit in #2403
• chore(trigger-http): bump tls-listener by @vdice in #2409
• feat(oci): deduplicate layers prior to push; archive if needed by @vdice in #2395
• feat(oci): set token expiration for oci client by @vdice in #2417
• feat: add support for setting the pushed oci image manifest annotations by @rgl in #2254
• feat(*): Add tracing to some more host components by @calebschoepp in #2398
• use template from v2.0 branch of spin-python-sdk in test by @dicej in #2421
• Fix outbound-mqtt bug with QoS 2 by @fibonacci1729 in #2420
• Rationalise plugin install prompts by @itowlson in #2412
• Warn when sending bare 404 response by @itowlson in #2410
• Private endpoints by @itowlson in #2418
• Accept runtime config in either JSON or TOML by @lann in #2427
• build(deps): bump h2 from 0.3.24 to 0.3.26 by @dependabot in #2430
• ci(dispatch.yml): dispatch to fermyon/homebrew-tap by @vdice in #2428
• ci(release): fix dispatch conditional by @vdice in #2434
• chore(spin-timer): bump whoami per GHSA-w5w5-8vfh-xcjq by @vdice in #2431
• chore(*): bump h2 per GHSA-q6cp-qfwq-4gcv by @vdice in #2432
• ci(build/release): restore mac amd64 builds by @vdice in #2435
• Trace some more host components by @calebschoepp in #2437
• Trace db host components by @calebschoepp in #2439
• style(linting): Fix some linting rules by @calebschoepp in #2442
• Update Rust templates and bump Spin SDK version from 2.2.0 to 3.0.1 by @ThorstenHans in #2445
• Option to suppress plugin on-run compatibility warnings by @itowlson in #2426
• Review new dependencies for known vulnerabilities by @itowlson in #2440
• Add that Python SDK does support Redis Trigger by @tpmccallum in #2429
• ci(build.yml): gate dependency review on PRs only by @vdice in #2450
• ref(*): Refactor host components to avoid returning Result<Result> if they don't trap by @calebschoepp in #2433
• Don't print plugin prerelease warning in middle of help by @itowlson in #2452
• Trigger tracing by @calebschoepp in #2441
• Allow template to have tmpl extension by @rylev in #2456
• Summarise runtime config by @itowlson in #2453
• Bikeshed private endpoint UI by @itowlson in #2451
• Add Redis components to existing app by @itowlson in #2446
• ref(outbound-http): Add a small hack to improve the tracing of outbound http requests through spin core by @calebschoepp in #2459
• Check for illegal file name when copying single file by @itowlson in #2460
• feat(telemetry): Make telemetry support http/protobuf protocol in addition to grpc protocol by @calebschoepp in #2463
• Refactor expressions Resolver to provide sync API by @rylev in #2458
• fixed logic in spin doctor to display 'No problems found' properly by @garikAsplund in #2466
• Setup a docker compose file that creates an o11y stack for Spin to use by @calebschoepp in #2465
• chore(crates): address lint errs when rust is at 1.77+ by @vdice in #2474
• added local_addr() to listeners to display random port numbers by @garikAsplund in #2473
• Don't attempt to cancel workflow if lints fail by @itowlson in #2476
• Taking a first crack at implementing metrics by @calebschoepp in #2475
• Add SIP for configuring and emitting observability by @calebschoepp in #2303
• Granular route matching by @itowlson in #2464
• Fix watch not picking up manifest changes by @itowlson in #2481
• feat: Add Azure Key Vault Variable Provider by @ThorstenHans in #2472
• core: Add note to find_host_component_handle docs by @lann in #2484
• telemetry: Nicen layer return types by @lann in #2488
• Fix incorrect base passed in service chaining by @itowlson in #2489
• Fix 1.78 lints by @itowlson in #2491
• Update version for v2.5.0 release by @kate-goldenring in #2497

New Contributors

• @rgl made their first contribution in #2254
• @garikAsplund made their first contribution in #2466

Full Changelog: v2.4.3...v2.5.0

v2.4.3

Spin 2.4.3

This is a security patch release to resolve GHSA-f3h7-gpjj-wcvh

Fix: ed8a665

Verifying the Release Signature 🔏

After downloading the v2.4.3 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.4.3 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository fermyon/spin \
    spin

If the verification passed, you should see:

Verified OK

Addendum: Due to #2502, the spin-v2.4.3-macos-amd64.tar.gz archive has been rebuilt, signed and uploaded manually.

The user identity that signed the artifact is @vdice via GitHub OAuth, so the full verification command is as follows:

cosign verify-blob \
  --signature spin.sig \
  --certificate crt.pem \
  --certificate-identity vaughn.dice@fermyon.com \
  --certificate-oidc-issuer https://github.com/login/oauth \
  spin

Full Changelog: v2.4.2...v2.4.3

v2.4.2

Spin 2.4.2

This is a patch release to fix a bug that was found in the outgoing-mqtt host component implementation when publishing messages with a QoS level of 2.

Verifying the Release Signature 🔏

After downloading the v2.4.2 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.4.2 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository fermyon/spin \
    spin

If the verification passed, you should see:

Verified OK

Full Changelog: v2.4.1...v2.4.2

v2.4.1

Spin 2.4.1

This is a patch release to fix a bug that was found in the outgoing-mqtt host component implementation.

Verifying the Release Signature 🔏

After downloading the v2.4.1 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.4.1 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository fermyon/spin \
    spin

If the verification passed, you should see:

Verified OK

Full Changelog: v2.4.0...v2.4.1

v2.4.0

Spin v2.4

The v2.4 release of Spin brings a number of features, improvements and bug fixes.

Some highlights in v2.4.0 at a glace:

• experimental support for the OpenTelemetry (OTEL) observability standard (#2348). When configured Spin will now emit traces of your Spin App as an OTEL signal.
• service chaining (#2305) to remove the overhead of network requests when Spin app components call each other.

If curious about the vision for service chaining and other efforts, check out the SIP (Spin Improvement Proposal) directory. Perhaps it will spark an idea for a SIP of your own!

As always, thanks to contributors old and new for helping improve Spin on a daily basis! 🎉

Verifying the Release Signature

After downloading the 2.4.0 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.4.0 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository fermyon/spin \
    spin

If the verification passed, you should see:

Verified OK

What's Changed

• fix cross-rs cmake config and update cargo config for static build targets by @rajatjindal in #2307
• feat(oci): update dkregistry dep to support ACR login by @vdice in #2308
• fix push-templates-tag grep pattern by @dicej in #2313
• Subdomain wildcards by @itowlson in #2314
• chore(release): Bump version to 2.4.0-pre0 by @lann in #2312
• point Go templates to v2.2.0 instead of main by @dicej in #2317
• Tweak spin-loader to be able to run in Wasm by @rylev in #2304
• fix(example): update variables example to use constant time comparison by @kate-goldenring in #2311
• fix(cmd/up): --help takes precedence over --build by @endocrimes in #2324
• fix(oci/config): ensure unique OCI image config by @radu-matei in #2322
• Feature/mqtt publisher by @suneetnangia in #2287
• feat(loader): support loading AOT compiled components by @kate-goldenring in #2318
• Use the bundled version of paho and remove vendored openssl by @rylev in #2328
• Use rumqttc instead of paho-mqtt by @itowlson in #2330
• Variables in redis.address and allowed_outbound_hosts by @itowlson in #2299
• allow redis trigger to connect to multiple servers by @karthik2804 in #2242
• outbound-networking: Don't pass &Arc unnecessarily by @lann in #2342
• Fixed issue around swallowing mqtt publish errors. by @suneetnangia in #2344
• Service chaining SIP by @itowlson in #2290
• Enable templating of Redis trigger channel by @itowlson in #2346
• Remove credentials before printing Redis subscriptions by @itowlson in #2349
• set host header on self outbound requests by @karthik2804 in #2298
• handle connection errors on redis-trigger init by @karthik2804 in #2350
• Because I can never remember if it's --temp or --tmp by @itowlson in #2357
• Inherit workspace metadata by @fibonacci1729 in #2351
• update spin-timer mio version to 0.8.11 by @dicej in #2359
• add ability to specify env vars for spin build in test runner by @karthik2804 in #2360
• Seize control of the means of producing 404s by @itowlson in #2363
• Fix build when RUSTFLAGS is set for native builds by @alexcrichton in #2365
• core: Remove unnecessary Arc from (Module)InstancePre by @lann in #2367
• Refactor TriggerExecutor to have associated types for instances by @alexcrichton in #2366
• added no_vcs flag by @thesuhas in #2370
• Add missing wasi:random/insecure{,_seed} interfaces by @alexcrichton in #2374
• Remove unused dependency that was causing a cycle by @itowlson in #2375
• nit: fix label on openssl setup by @rajatjindal in #2372
• use ubuntu 20.04 for PR workflow to make it consistent with release workflow by @rajatjindal in #2378
• ci: Include os-release in cache key by @lann in #2383
• Less worse error if file mount source doesn't exist by @itowlson in #2384
• Service chaining by @itowlson in #2305
• update cosign-installer and cosign version by @rajatjindal in #2385
• testing-framework: Add HEALTHCHECK to vault.Dockerfile by @lann in #2382
• More forgiving caching by @itowlson in #2377
• Create assets directory from fileserver template by @itowlson in #2387
• feat(*): Implement the skeleton of an OTEL observability system by @calebschoepp in #2348
• Remove dead code newly discovered by Rust 1.77.0 by @rylev in #2389
• Allow spin-expressions and spin-outbound-networking to compile to wasm by @rylev in #2390
• Fix spin add static-fileserver putting the asset directory in the wrong place by @itowlson in #2388
• Update libsql to latest version by @rylev in #2394
• chore(release): update version for 2.4 release by @kate-goldenring in #2399

New Contributors

• @thesuhas made their first contribution in #2370

Full Changelog: v2.3.1...v2.4.0

v2.3.1

Spin 2.3.1

This is a patch release of Spin to enable fuller functionality in the Spin containerd shim.

Changes

• #2322 updates the OCI crate to set the digest of the locked Spin application in the OCI image config to ensure that image config digests are updated when Spin apps are updated. This resolves an issue with the Spin containerd shim serving outdated content due to the image config digest not updating.
• #2318 add support for loading precompiled Spin applications. This can provide performance improvements for users of the crate, such as the Spin containerd shim.

Verifying the Release Signature 🔏

After downloading the v2.3.1 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.3.1 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository fermyon/spin \
    spin

If the verification passed, you should see:

Verified OK

Full Changelog: v2.3.0...v2.3.1

v2.3.0

Spin 2.3.0

The 2.3.0 release of Spin brings a number of features, improvements and bug fixes.

Some highlights in 2.3.0 at a glance:

• Runtime upgraded to Wasmtime 18
• The Rust and Go SDKs have moved into their own repositories:
  • https://github.com/fermyon/spin-rust-sdk
  • https://github.com/fermyon/spin-go-sdk
• Multi-trigger improvements:
  • spin add can now add components with different trigger types (#2269)
  • Better handling of trigger-specific flags in spin up (#2266)
• spin registry login now supports Azure Container Registry

As always, thanks to contributors old and new for helping improve Spin on a daily basis! 🎉

Verifying the Release Signature

After downloading the 2.3.0 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.3.0 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-sha ee6706c8df54243c0689e648548217d142ff037a \
    --certificate-github-workflow-repository fermyon/spin \
    spin

If the verification passed, you should see:

Verified OK

What's Changed

• chore(*): post-2.2.0 release bumps by @vdice in #2264
• Move wasi-http integration tests over to new testing framework by @rylev in #2247
• Enable spin add to add different trigger types by @itowlson in #2269
• Rename spin-redis-engine -> spin-trigger-redis by @lann in #2271
• Fix test components build by @lann in #2272
• Multi-trigger: ask triggers which flags they can accept by @itowlson in #2266
• update spin-timer deps by @dicej in #2273
• tests: Migrate wagi test to integration test suite by @lann in #2274
• update python tests to use componentize-py template by @karthik2804 in #2275
• Update template to use PHP 8.2 by @technosophos in #2276
• Make sure runtime tests run in CI by @rylev in #2268
• Migrate spin inbound-http test to integration test suite by @lann in #2277
• In process runtime tests by @rylev in #2281
• unify WIT files by @dicej in #2283
• Upgrade wasmtime to 17.0.1 by @lann in #2288
• move Rust and Go SDKs to their own repos by @dicej in #2289
• Upgrade to wasmtime 18 by @rylev in #2291
• update plugin install prompt to deal with line wrapping by @karthik2804 in #2295
• Put back the test-crate make target by @itowlson in #2297
• Bring spin-componentize in tree by @rylev in #2294
• fix(manifest): support kebab case labels by @kate-goldenring in #2300
• chore(release): Spin v2.3 version bumps by @lann in #2302
• [Backport v2.3] feat(oci): update dkregistry dep to support ACR login by @lann in #2310

Full Changelog: v2.2.0...v2.3.0

v2.2.0

Spin 2.2.0

This release of Spin brings a number of features, improvements and bug fixes.

Some highlights in v2.2.0 at a glance:

• Initial multi-trigger support has been added to Spin, thanks to new contributor @carlokok!
  • We'll still be working on this feature post-2.2.0 and will add docs/examples to the Developer site once stabilized.
• Spin has been updated to use Wasmtime 17 and WASI 0.2.0
• The Websockets SIP has been merged
• Massive testing improvements from @rylev, including restructuring for gains in efficiency, devex and de-duplication
  • See the main tracking issue for overarching goals
  • PRs to note:
    • #2217
    • #2223
    • #2228
    • #2180
  • If curious, start familiarizing yourself with the new framework(s) here

Additional features worth mentioning:

• A new set_header method on the http Request object: #2187
• The active channel is now printed for Redis trigger apps: #2232
• Addition of a Spin app example using Hashicorp Vault for variables: #2241
• Some helpful logging when wasm components are slow to load: #2226 by new contributor @Archisman-Mridha!

As always, thanks to contributors old and new for helping improve Spin on a daily basis! 🎉

Verifying the Release Signature

After downloading the v2.2.0 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.2.0 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-sha eebfae1d6de6a166da16ec8858332f4cc3b6c557 \
    --certificate-github-workflow-repository fermyon/spin \
    spin

If the verification passed, you should see:

Verified OK

What's Changed

• Remove redundant variables test by @rylev in #2172
• allowed_outbound_host CIDR and IPv6 support by @rylev in #2174
• bump version to 2.2.0-pre0 by @dicej in #2177
• docs(release-process): small amendment by @vdice in #2183
• Port sqlite-libsql to new libsql client by @itowlson in #2148
• Mutable access to request headers by @itowlson in #2187
• print error msg when plugin binary is missing by @rajatjindal in #2189
• fix statically linked build issue for aarch by @rajatjindal in #2179
• remove workspace/all-targets from cross build cmd by @rajatjindal in #2192
• Runtime tests services by @rylev in #2180
• Update readme to latest template syntax by @tpmccallum in #2178
• Stop testing kv and sqlite twice by @rylev in #2195
• Rename 'Test Spin SDK - Rust' to 'Test Spin' by @rylev in #2197
• remove Send and Sync bounds from Rust SDK router by @dicej in #2198
• Add macro for generating runtime tests automatically by @rylev in #2196
• Patched build.rs to run on systems without rustup. Added flake for ni… by @benwis in #2199
• Remove unused files by @rylev in #2194
• Docker Service for runtime tests by @rylev in #2193
• Wasi HTTP runtime test by @rylev in #2201
• chore(flake): Fix Darwin dependency on Accelerate by @endocrimes in #2204
• Test that variables and components can be added in the same template by @itowlson in #2207
• ignore asset globs from being watched when using direct-mounts by @karthik2804 in #2203
• update configure aws creds action to v4 by @rajatjindal in #2191
• Add random port support to Python services by @rylev in #2206
• Remove redundant headers-env-routes-test by @rylev in #2208
• feat(cli.rs): allow setting app log dir via SPIN_LOG_DIR env var by @vdice in #2209
• ci(release): consolidate GH release logic by @vdice in #2185
• Abstract the runtime used in runtime tests so that it's not hardcoded as Spin by @rylev in #2211
• Don't pass services when constructing Spin instance in runtime test by @rylev in #2214
• Update libsql to a crates.io reference by @itowlson in #2215
• Generalize runtime testing framework to be a general testing Spin framework by @rylev in #2217
• Update test to new Cloud plugin help text by @itowlson in #2219
• ci(templates): update rust templates automation to use the crates.io versions by @vdice in #2221
• update to Wasmtime 17 and WASI 0.2.0-rc-2023-12-05 by @dicej in #2222
• E2E testing using testing framework by @rylev in #2223
• Move rest of e2e tests over to new testing framework by @rylev in #2224
• Provide feedback if it takes a while to download a remote component on spin up by @Archisman-Mridha in #2226
• Warn instead of trace when errors happen in the spin_redis_engine by @karthik2804 in #2231
• Move more integration tests to use the testing framework by @rylev in #2228
• print active channels on redis trigger by @karthik2804 in #2232
• SIP 016 - Inbound WebSocket Support by @dicej in #2212
• bump PoolingAllocationConfig::max_core_instances_per_component to 200 by @dicej in #2234
• Bump h2 from 0.3.22 to 0.3.24 by @dependabot in #2233
• Bump shlex from 1.2.0 to 1.3.0 by @dependabot in #2239
• Bump zerocopy from 0.7.29 to 0.7.32 by @dependabot in #2210
• feat(up): Spawn multiple trigger commands by @carlokok in #2213
• temporarily switch to Wasmtime commit 0b632023 by @dicej in #2243
• cargo cfg: fix build on aarch64-linux by @endocrimes in #2240
• logging: Emit wasmtime-wasi-http WARN logs by default by @lann in #2244
• Add vault variable example by @tpmccallum in #2241
• trigger-http: Log TLS startup errors instead of propagating by @lann in #2230
• update to Wasmtime 17 and WASI 0.2.0 by @dicej in #2250
• Include trigger type in trigger options help header by @itowlson in #2256
• Cancel external triggers if one of multiple fails on start by @itowlson in #2248
• Fix regrettable trigger help heading when no app by @itowlson in #2258
• Allow only common trigger options in multi-trigger apps by @itowlson in #2257
• chore(release): Spin v2.2 version bumps by @vdice in #2260

New Contributors

• @benwis made their first contribution in #2199
• @Archisman-Mridha made their first contribution in #2226
• @carlokok made their first contribution in #2213

Full Changelog: v2.1.0...v2.2.0