canary

This is a "canary" release of the most recent commits on our main branch. Canary is not stable.
It is only intended for developers wishing to try out the latest features in Spin, some of which may not be fully implemented.

v3.0.0

Spin v3.0.0

We're excited to announce the next major version of Spin! Welcome to Spin 3.0. 🚀

This release includes:

• Component dependency support
• Selective application deployments
• Integration with the latest upstream WASI standards
• A refactored runtime capability framework
• And many other improvements, fixes and updates

Read on for more details below...

Breaking Changes ⚠️

Note that there are breaking changes included in this release that may affect some applications.

Please see our dedicated migration doc for more information.

Features ✨

Component Dependencies

Spin v3 ships with first-class support for declaring and using cross-language component dependencies in your Spin application.

Say you've authored an AWS S3 client in Rust and would like to use it in your Javascript-based Spin app -
you can now express the S3 component as a dependency and harness its functionality in your application code.
In a similar manner, components distributed by other developers can be added as dependencies, no matter the original language.
As long as they are available via a compatible registry reference or http url, you'll be able to declare them as dependencies in your app.

• The Writing Apps doc has been updated with details around this new feature

Selective Deployments

To support real-world production deployments, Spin app developers can take the same app that they've run locally
and alter its deployment configuration when shipping to production infrastructure. For example, the API and frontends
might be deployed to edge nodes closer to end users while the database component might be deployed to a dedicated
VM in a certain cloud region.

• For more information and some examples, please see the Running Apps doc

Spin Factors

For platform engineers who want to host and customize Spin, the runtime capability code has been fully refactored
into what we call Spin Factors. These Factors allow for runtime implementations to select the capabilities they wish to provide,
without being tightly coupled to other capabilities or aspects of the Spin codebase they may not require.

• Here is the Spin Factors SIP (Spin Improvement Proposal)

Upstream WASI standards

Spin continues to incorporate the latest upstream WASI standards. A few notable updates in v3 include:

• wasi-config added in #2869
• wasi-keyvalue added in #2895 (Big thank you to @devigned!)

Other notable features

• Postgres date-time types
• Spin CLI Docker images (ref: Spintainer support in SpinKube)
• Multiple commands for component build
• Run spin commands from project sub-directories
• spin plugins inspect

As always, thanks to contributors old and new for helping improve Spin on a daily basis! 🎉

Verifying the Release Signature

After downloading the v3.0.0 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v3.0.0 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-sha 737778e9d7dc1a7f590a398d2734ff0cc91002f0 \
    --certificate-github-workflow-repository fermyon/spin \
    spin

If the verification passed, you should see:

Verified OK

Full Changelog

• Eliminate use of unsafe in factors by @rylev in #2611
• factors: Make instance state fields again by @lann in #2620
• factors: Add spin-factors-test crate by @lann in #2621
• factors: Improve tests by @lann in #2626
• factors: Add TestEnvironment::default_manifest_extend by @lann in #2628
• Add a llm-factors by @rylev in #2630
• factors: Add Error type by @lann in #2639
• Add some more documentation to factors by @rylev in #2636
• Llm factor host impl test by @rylev in #2635
• Remove Factor::runtime_config_json_schema by @lann in #2641
• factor: Add key value Redis factor by @kate-goldenring in #2646
• factors: Enhance Factor doc comments by @lann in #2647
• factors: Break up the Error::RuntimeFactorError monopoly by @lann in #2645
• factors: Add RuntimeFactors::prepare by @lann in #2650
• Factor sqlite by @rylev in #2648
• factors: Enhance OutboundNetworkingFactor by @lann in #2653
• factors: Support old WASI -rc interfaces by @lann in #2631
• Add runtime config impl that Spin uses to factor-sqlite by @rylev in #2652
• factors: Manage single ResourceTable in RuntimeFactors InstanceState by @lann in #2654
• Outbound pg factor by @calebschoepp in #2632
• factors: Allow instance state to be nested in store data by @lann in #2659
• factors: handle default kv store resolution by @kate-goldenring in #2656
• Outbound redis factors by @me-diru in #2655
• fix: change the func impl to reflect trait by @me-diru in #2660
• Ensure allowed sqlite databases are configured by @rylev in #2658
• factors: Pare down spin-core and spin-app by @lann in #2661
• factors: Add basic CI by @lann in #2664
• Remove toml assumption by @rylev in #2665
• Add environment variables provider by @rylev in #2670
• factors: key value tests, doc comments, and Azure factor by @kate-goldenring in #2666
• Abstract pg client by @calebschoepp in #2651
• Runtime Config Independent of Serialization by @rylev in #2685
• factors: Update runtime config and tests by @lann in #2686
• Make VariablesFactor non-generic by @rylev in #2688
• Non generic KeyValueFactor by @rylev in #2687
• Add spin-factors-executor by @lann in #2692
• Factors: Vault variable provider by @rylev in #2689
• update node version for integration test by @karthik2804 in #2698
• chore(*): post-v2.7.0 version bumps by @vdice in #2699
• Factors trigger by @lann in #2693
• factors: Split HttpHandlerExecutor into SpinHttpExecutor and WasiHttpExecutor by @lann in #2701
• remove Fermyon specific plugins from scope of Spin project by @michelleN in #2702
• Update broken dep in example by @rylev in #2710
• No connection reuse in SQLite Factor by @rylev in #2709
• factor-outbound-networking: Add support for client TLS by @lann in #2703
• Run v0.1.0 of the conformance tests by @rylev in #2697
• add ROADMAP.md by @michelleN in #2706
• Update roadmap formatting by @michelleN in #2713
• simplify break condition for epoch ticker thread by @benbrandt in #2717
• remove *.md docs from gh build workflow by @michelleN in #2718
• Factors RuntimeConfig Support by @rylev in #2711
• [Factors] Key-Value in Trigger2 by @rylev in #2715
• Set initial key-values by @rylev in #2716
• Factors outbound http by @lann in #2704
• Enable environmental authentication for Azure Key Vault var provider by @devigned in #2678
• [Factors] Integrate sqlite into Trigger2 by @rylev in https://github....

v3.0.0-rc.1

What's Changed

• Eliminate use of unsafe in factors by @rylev in #2611
• factors: Make instance state fields again by @lann in #2620
• factors: Add spin-factors-test crate by @lann in #2621
• factors: Improve tests by @lann in #2626
• factors: Add TestEnvironment::default_manifest_extend by @lann in #2628
• Add a llm-factors by @rylev in #2630
• factors: Add Error type by @lann in #2639
• Add some more documentation to factors by @rylev in #2636
• Llm factor host impl test by @rylev in #2635
• Remove Factor::runtime_config_json_schema by @lann in #2641
• factor: Add key value Redis factor by @kate-goldenring in #2646
• factors: Enhance Factor doc comments by @lann in #2647
• factors: Break up the Error::RuntimeFactorError monopoly by @lann in #2645
• factors: Add RuntimeFactors::prepare by @lann in #2650
• Factor sqlite by @rylev in #2648
• factors: Enhance OutboundNetworkingFactor by @lann in #2653
• factors: Support old WASI -rc interfaces by @lann in #2631
• Add runtime config impl that Spin uses to factor-sqlite by @rylev in #2652
• factors: Manage single ResourceTable in RuntimeFactors InstanceState by @lann in #2654
• Outbound pg factor by @calebschoepp in #2632
• factors: Allow instance state to be nested in store data by @lann in #2659
• factors: handle default kv store resolution by @kate-goldenring in #2656
• Outbound redis factors by @me-diru in #2655
• fix: change the func impl to reflect trait by @me-diru in #2660
• Ensure allowed sqlite databases are configured by @rylev in #2658
• factors: Pare down spin-core and spin-app by @lann in #2661
• factors: Add basic CI by @lann in #2664
• Remove toml assumption by @rylev in #2665
• Add environment variables provider by @rylev in #2670
• factors: key value tests, doc comments, and Azure factor by @kate-goldenring in #2666
• Abstract pg client by @calebschoepp in #2651
• Runtime Config Independent of Serialization by @rylev in #2685
• factors: Update runtime config and tests by @lann in #2686
• Make VariablesFactor non-generic by @rylev in #2688
• Non generic KeyValueFactor by @rylev in #2687
• Add spin-factors-executor by @lann in #2692
• Factors: Vault variable provider by @rylev in #2689
• update node version for integration test by @karthik2804 in #2698
• chore(*): post-v2.7.0 version bumps by @vdice in #2699
• Factors trigger by @lann in #2693
• factors: Split HttpHandlerExecutor into SpinHttpExecutor and WasiHttpExecutor by @lann in #2701
• remove Fermyon specific plugins from scope of Spin project by @michelleN in #2702
• Update broken dep in example by @rylev in #2710
• No connection reuse in SQLite Factor by @rylev in #2709
• factor-outbound-networking: Add support for client TLS by @lann in #2703
• Run v0.1.0 of the conformance tests by @rylev in #2697
• add ROADMAP.md by @michelleN in #2706
• Update roadmap formatting by @michelleN in #2713
• simplify break condition for epoch ticker thread by @benbrandt in #2717
• remove *.md docs from gh build workflow by @michelleN in #2718
• Factors RuntimeConfig Support by @rylev in #2711
• [Factors] Key-Value in Trigger2 by @rylev in #2715
• Set initial key-values by @rylev in #2716
• Factors outbound http by @lann in #2704
• Enable environmental authentication for Azure Key Vault var provider by @devigned in #2678
• [Factors] Integrate sqlite into Trigger2 by @rylev in #2719
• factors: Get spin up working by @lann in #2725
• [Factors] Azure Key Vault Variables by @rylev in #2724
• set max_core_instance_size in pooling config by @dicej in #2721
• [Factors] Integrate outbound Redis by @rylev in #2726
• [Factors] Change how incoming-request.authority is set. by @rylev in #2723
• Land the outbound-mysql factor by @calebschoepp in #2727
• Add outbound MQTT factor by @karthik2804 in #2722
• update maintainers file formatting by @michelleN in #2720
• feat(docker): add spin cli Dockerfiles; add build/push to release.yml by @vdice in #2700
• [Factors] Don't trap when outbound http request is not allowed by @rylev in #2733
• Allow multiple commands in a component build section by @itowlson in #2729
• [Factors] in-process runtime and conformance tests by @rylev in #2732
• Switch back to the old sync version of HostOutputStream. by @rylev in #2738
• factors: Update outbound networking by @lann in #2737
• [Factors] Integrate mqtt in trigger2 by @rylev in #2739
• factors: Implement spin outbound http by @lann in #2740
• [Factors] Integrate pg & mysql into trigger2 by @rylev in #2743
• [Factors] Integrate llm factor by @rylev in #2742
• Update GOVERNANCE.md by @michelleN in #2745
• factors: Reorganize some http trigger code by @lann in #2744
• Fix runtime tests by @rylev in #2746
• Also allow getting authority from the request URI's authority. by @rylev in #2747
• Get rid of old non-factors code by @rylev in #2749
• Put local llm behind feature flags like they used to be. by @rylev in #2748
• Factors redis trigger by @lann in #2750
• It's just trigger and http-trigger - no 2 for you by @rylev in #2751
• factors: Fix tests / CI by @lann in #2754
• Fix checking of cidr ranges by @rylev in #2752
• Handle State Directory by @rylev in #2757
• Build fixes by @rylev in #2759
• Replace tempdir with tempfile by @lann in #2760
• Fix more factors tests by @lann in #2764
• Initial key values by @calebschoepp in #2761
• factors: Fix toml key tracking by @lann in #2765
• [factors] More CI fixes by @rylev in #2768
• Turn llm feature on by default. by @rylev in #2769
• Fix LlmCompute::into_engine type inference by @lann in #2771
• [Factors] Fix logging by @rylev in #2770
• Relax buggy wasi-sdk heuristic by @lann in #2772
• Fix subtle runtime config issues by @rylev in #2773
• Update recommended extensions to point at the replacement for crates -- dependi by @calebschoepp in #2758
• Spin Factors by @lann in #2753
• Spin Factors SIP by @lann in #2518
• Implementation of Component Dependencies by @fibonacci1729 in #2673
• Component Dependencies SIP by @fibonacci1729 in #2543
• Add taplo.toml and format tomls by @lann in #2767
• A few fixes after yesterday's mergepalooza by @fibonacci1729 in #2782
• Sqlite Cleanup by @rylev in #2777
• Ad...

v2.7.0

Spin v2.7.0

The v2.7.0 release of Spin brings a number of features, improvements, and bug fixes.

Some highlights in v2.7.0 at a glance:

✨ Features

• Added support for client certificate-based authentication and custom root CA in outbound requests for HTTP triggers, with a new client_tls runtime configuration option. (PR #2596 )
• Azure CosmosDB key value implementation support for workload identity (PR #2566) Thanks, @devigned, for your first contribution 💟

🌐 Spin Governance and Documentation

• Governance Updates: Implemented a new SIP for governance changes and updated documentation to reflect substantial changes in project governance procedures. ( PR #2593)
• Documentation Enhancements: Revised release-process.md to include a notes template, and added MAINTAINERS.md for clarity on project maintainers. (PR #2622, PR #2683)
• Code of Conduct: Integrated Fermyon's Code of Conduct into the project's documentation. (PR #2691)

🧪 Better Test Coverage

• Expanded Test Coverage: Added key-value and Redis tests to conformance checks to ensure broader validation of functionalities. (PR #2591, PR #2603)
• TCP Runtime Tests Fixes: Resolved issues with TCP runtime tests to ensure accurate performance assessment. (PR #2608)
• Template Manager Testing: Improved the test setups for TemplateManagers, including deduplicating test code to streamline testing processes. (PR #2657)

🩹 Fixes and Improvement

• CI Fixes: Addressed issues with CI integration tests and updated dependencies for conformance testing to stabilize the build process. (PR #2614, PR #2669)
• Rust and Clippy Compatibility: Applied changes to maintain compatibility with Rust 1.79, 1.80 and address Clippy lint warnings. (PR #2569, PR #2680)
• Improved error handling to provide clearer messages for registry component issues and refined the behavior of the spin new command. (PR #2634)
• Follow OCI standards by inferring predefined annotation when pushed to the registry (PR #2618)
• Better handling when the file path is outside root (PR #2574) and if the file is missing (PR #2674)
• Improve OTel error logging #2572

As always, thanks to contributors old and new for helping improve Spin on a daily basis! 🎉

Verifying the Release Signature

After downloading the release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.7.0 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-sha a11151706449fa1ba39bfe96597fe1041438dc67 \
    --certificate-github-workflow-repository fermyon/spin \
    spin

If the verification passed, you should see:

Verified OK

Full Changelog

• Add deprecation warning for uncomponentizable modules by @lann in #2571
• Update README with Spin Project meeting information by @mikkelhegn in #2576
• fix: add error message when file path outside root by @me-diru in #2574
• Fix warnings introduced by new Rust 1.79 release by @rylev in #2569
• Fix typo in meeting info by @itowlson in #2581
• Improve OTel error logging by @calebschoepp in #2572
• chore(*): post-2.6.0 release bumps by @vdice in #2586
• Upgrade to wasmtime 22.0.0 by @lann in #2587
• Bump wasm-pkg-loader to 0.4.1 by @fibonacci1729 in #2588
• Remove duplicate crate definitions in Cargo.lock by @rylev in #2592
• docs(Makefile): fix comment typos by @vdice in #2594
• Update from's help output for the up subcommand by @tpmccallum in #2595
• Conformance Tests Update by @rylev in #2591
• Update conformance to include Redis and SQLite tests by @rylev in #2603
• Fix broken TCP runtime tests. by @rylev in #2608
• add support for client certs by @rajatjindal in #2596
• Infer predefined annotations when pushing to registry by @itowlson in #2618
• add SIP for governance.md by @michelleN in #2593
• docs(releasing): update release-process.md; add notes template by @vdice in #2622
• Better error if component from registry has regrettable version by @itowlson in #2634
• Improve non-interactive behaviour of spin new by @itowlson in #2643
• Fixes watch rebuild loop if empty watch by @itowlson in #2642
• Deduplicate template tests by @itowlson in #2657
• Update conformance test version by @rylev in #2615
• Break circular dependency between http and testing crates by @itowlson in #2668
• Fix CI issue in integration tests by updating conformance-test dependency by @rylev in #2669
• Bump rustls from 0.22.3 to 0.22.4 by @dependabot in #2614
• Allow sqlite migrations for non-default databases. by @rylev in #2610
• Run conformance tests as part of runtime tests by @rylev in #2663
• Revert "Run conformance tests as part of runtime tests" by @rylev in #2671
• Add support for workload identity in the Azure CosmosDB Key/Value impl by @devigned in #2566
• Tell user which file we failed to read by @itowlson in #2674
• Summarise plugins list by @itowlson in #2662
• Retry running conformance tests as part of runtime tests by @rylev in #2675
• Changes need to make Rust and Clippy happy on Rust 1.80 by @rylev in #2680
• trigger: Tweak wording of AOT compilation code by @lann in #2682
• add MAINTAINERS.md by @michelleN in #2683
• [COC]: Embed content from Fermyon COC by @endocrimes in #2691
• Bump versions for v2.7 release by @me-diru in #2694

New Contributors

• @devigned made their first contribution in #2566

Full Changelog: v2.6.0...v2.7.0

v2.6.0

Spin 2.6.0

The 2.6.0 release of Spin brings a number of features, improvements and bug fixes. There are also a few notable deprecations and breaking changes.

🚀 Some highlights in 2.6.0 at a glance

• Dynamic detection of support for Wasmtime's pooling allocator: #2508
• Components in a Spin App manifest can now be referenced by registry: #2524
• Spin can now run a wasm file as a Spin App without requiring a manifest: #2479
• Spin's listening address can now be overidden via SPIN_HTTP_LISTEN_ADDR: #2547
• Spin's data directory can now be overidden via SPIN_DATA_DIR: #2568

🐞 Notable fixes

• Validation of the Spin App manifest at build-time: #2527
• Validation of variable keys at build-time: #2530
• Ensure the Spin application name is in kebab-case: #2531 (Thank you @brehen!)
• Fixes issues around spin watch build exclusions: #2554

💅 Miscellaneous

• Wasmtime has been upgraded to 21.0.1: #2531

⚠️ Deprecations

• Wasm modules compiled with wasi-sdk version < 19 are likely to contain a critical memory safety bug.
  Spin has deprecated execution of these modules and they will stop working in a future release.
  For more information, see: #2552

🚨 Breaking changes

• The upgrade to wasmtime 21 includes a breaking change to how headers are handled.
  Spin app guest modules can no longer set the Host header on outbound requests: #2575

As always, thanks to contributors old and new for helping improve Spin on a daily basis! 🎉

Verifying the Release Signature

After downloading the 2.6.0 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.6.0 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-sha a4ddd3921d9ea3d694774858408e918f3e5cec60 \
    --certificate-github-workflow-repository fermyon/spin \
    spin

If the verification passed, you should see:

Verified OK

Full changelog

• ref(*): Standardize on using tracing::* instead of tracing::log::* by @calebschoepp in #2498
• fix(docs): update release process to remove spin-macro consideration by @kate-goldenring in #2500
• Bump version to v2.6.0-pre0 by @kate-goldenring in #2499
• ref(telemetry): Provide the abililty to turn off the tracing-log compat layer in tracing-subscriber dep of telemetry by @calebschoepp in #2501
• spin templates install: allow --repo by @itowlson in #2504
• spin templates install: allow repo name instead of URL by @itowlson in #2505
• Dynamically detect support for Wasmtime's pooling allocator by @alexcrichton in #2508
• Update Wasmtime to 20.0.2 by @alexcrichton in #2512
• Lift http handler type discovery up a layer by @alexcrichton in #2373
• feat(oci/client.rs): add registry_from_input helper by @vdice in #2513
• Update to Wasmtime 21.0.0 by @alexcrichton in #2521
• feat(telemetry): Add a compatibility layer that emits app logs as tracing events. by @calebschoepp in #2511
• Try to load manifest during spin build by @itowlson in #2527
• Load components from a registry by @itowlson in #2524
• ref(oci/client): update unpack_archive_layer to take cache; make pub by @vdice in #2523
• Run a Wasm file as an application without a manifest by @itowlson in #2479
• Validate variable keys as part of schema by @itowlson in #2530
• fix(templates/../spin.toml): skewer spin application name like a kebab by @brehen in #2531
• spin build: build inline components by @itowlson in #2533
• feat(telemetry): Send logs to OTel collector directly using OTel libraries by @calebschoepp in #2516
• Upgrade to wasmtime 21.0.1 by @lann in #2538
• chore(loader): bump wasm-pkg-tools by @vdice in #2539
• feat(oci): add env var to force use of archive layers on push by @vdice in #2540
• allow overriding listen addr using env variable by @rajatjindal in #2547
• Strip trailing slash in allowed_outbound_hosts config. by @rylev in #2548
• fix StoreBuilder::inherit_limited_network by @dicej in #2541
• Fix exclusions in build.watch getting applied to all components by @itowlson in #2554
• Don't prompt to install templates if not interactive by @itowlson in #2558
• Run conformance tests by @rylev in #2542
• Update conformance test by @rylev in #2562
• Override local data directory via env variable by @itowlson in #2568
• [Backport v2.6] Add deprecation warning for uncomponentizable modules by @vdice in #2578
• chore(release): bumps for 2.6 release by @vdice in #2573

New Contributors

• @brehen made their first contribution in #2531

Full Changelog: v2.5.1...v2.6.0

v2.5.1

Spin 2.5.1

This is a patch release to disable a tracing-subscriber crate feature that was breaking spin_telemetry support in downstream projects.

Verifying the Release Signature 🔏

After downloading the v2.5.1 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.5.1 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository fermyon/spin \
    spin

If the verification passed, you should see:

Verified OK

Full Changelog: v2.5.0...v2.5.1

v2.5.0

Spin v2.5

The v2.5 release of Spin brings a number of features, improvements and bug fixes.

Some highlights in v2.5.0 at a glance:

• Support for application-internal private endpoints, which allows you to avoid exposing internal components on public routes while still splitting them out to their own microservices. #2418
• Spin now allows you to specify routes with more granularity #2464
• Improved support for OpenTelemetry #2463
• Azure Key Vault Application Variable Provider #2472

As always, thanks to contributors old and new for helping improve Spin on a daily basis! 🎉

Verifying the Release Signature

After downloading the 2.5.0 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.5.0 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository fermyon/spin \
    spin

If the verification passed, you should see:

Verified OK

What's Changed

• chore(release): update versions for v2.5.0-pre0 by @kate-goldenring in #2400
• ci: Run macos builds on M1 by @lann in #2404
• Improved rumqttc event loop check. by @suneetnangia in #2362
• Add recent SIPs to the index document by @tschneidereit in #2403
• chore(trigger-http): bump tls-listener by @vdice in #2409
• feat(oci): deduplicate layers prior to push; archive if needed by @vdice in #2395
• feat(oci): set token expiration for oci client by @vdice in #2417
• feat: add support for setting the pushed oci image manifest annotations by @rgl in #2254
• feat(*): Add tracing to some more host components by @calebschoepp in #2398
• use template from v2.0 branch of spin-python-sdk in test by @dicej in #2421
• Fix outbound-mqtt bug with QoS 2 by @fibonacci1729 in #2420
• Rationalise plugin install prompts by @itowlson in #2412
• Warn when sending bare 404 response by @itowlson in #2410
• Private endpoints by @itowlson in #2418
• Accept runtime config in either JSON or TOML by @lann in #2427
• build(deps): bump h2 from 0.3.24 to 0.3.26 by @dependabot in #2430
• ci(dispatch.yml): dispatch to fermyon/homebrew-tap by @vdice in #2428
• ci(release): fix dispatch conditional by @vdice in #2434
• chore(spin-timer): bump whoami per GHSA-w5w5-8vfh-xcjq by @vdice in #2431
• chore(*): bump h2 per GHSA-q6cp-qfwq-4gcv by @vdice in #2432
• ci(build/release): restore mac amd64 builds by @vdice in #2435
• Trace some more host components by @calebschoepp in #2437
• Trace db host components by @calebschoepp in #2439
• style(linting): Fix some linting rules by @calebschoepp in #2442
• Update Rust templates and bump Spin SDK version from 2.2.0 to 3.0.1 by @ThorstenHans in #2445
• Option to suppress plugin on-run compatibility warnings by @itowlson in #2426
• Review new dependencies for known vulnerabilities by @itowlson in #2440
• Add that Python SDK does support Redis Trigger by @tpmccallum in #2429
• ci(build.yml): gate dependency review on PRs only by @vdice in #2450
• ref(*): Refactor host components to avoid returning Result<Result> if they don't trap by @calebschoepp in #2433
• Don't print plugin prerelease warning in middle of help by @itowlson in #2452
• Trigger tracing by @calebschoepp in #2441
• Allow template to have tmpl extension by @rylev in #2456
• Summarise runtime config by @itowlson in #2453
• Bikeshed private endpoint UI by @itowlson in #2451
• Add Redis components to existing app by @itowlson in #2446
• ref(outbound-http): Add a small hack to improve the tracing of outbound http requests through spin core by @calebschoepp in #2459
• Check for illegal file name when copying single file by @itowlson in #2460
• feat(telemetry): Make telemetry support http/protobuf protocol in addition to grpc protocol by @calebschoepp in #2463
• Refactor expressions Resolver to provide sync API by @rylev in #2458
• fixed logic in spin doctor to display 'No problems found' properly by @garikAsplund in #2466
• Setup a docker compose file that creates an o11y stack for Spin to use by @calebschoepp in #2465
• chore(crates): address lint errs when rust is at 1.77+ by @vdice in #2474
• added local_addr() to listeners to display random port numbers by @garikAsplund in #2473
• Don't attempt to cancel workflow if lints fail by @itowlson in #2476
• Taking a first crack at implementing metrics by @calebschoepp in #2475
• Add SIP for configuring and emitting observability by @calebschoepp in #2303
• Granular route matching by @itowlson in #2464
• Fix watch not picking up manifest changes by @itowlson in #2481
• feat: Add Azure Key Vault Variable Provider by @ThorstenHans in #2472
• core: Add note to find_host_component_handle docs by @lann in #2484
• telemetry: Nicen layer return types by @lann in #2488
• Fix incorrect base passed in service chaining by @itowlson in #2489
• Fix 1.78 lints by @itowlson in #2491
• Update version for v2.5.0 release by @kate-goldenring in #2497

New Contributors

• @rgl made their first contribution in #2254
• @garikAsplund made their first contribution in #2466

Full Changelog: v2.4.3...v2.5.0

v2.4.3

Spin 2.4.3

This is a security patch release to resolve GHSA-f3h7-gpjj-wcvh

Fix: ed8a665

Verifying the Release Signature 🔏

After downloading the v2.4.3 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.4.3 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository fermyon/spin \
    spin

If the verification passed, you should see:

Verified OK

Addendum: Due to #2502, the spin-v2.4.3-macos-amd64.tar.gz archive has been rebuilt, signed and uploaded manually.

The user identity that signed the artifact is @vdice via GitHub OAuth, so the full verification command is as follows:

cosign verify-blob \
  --signature spin.sig \
  --certificate crt.pem \
  --certificate-identity [email protected] \
  --certificate-oidc-issuer https://github.com/login/oauth \
  spin

Full Changelog: v2.4.2...v2.4.3

v2.4.2

Spin 2.4.2

This is a patch release to fix a bug that was found in the outgoing-mqtt host component implementation when publishing messages with a QoS level of 2.

Verifying the Release Signature 🔏

After downloading the v2.4.2 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.4.2 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository fermyon/spin \
    spin

If the verification passed, you should see:

Verified OK

Full Changelog: v2.4.1...v2.4.2

v2.4.1

Spin 2.4.1

This is a patch release to fix a bug that was found in the outgoing-mqtt host component implementation.

Verifying the Release Signature 🔏

After downloading the v2.4.1 release of Spin, either via the artifact attached to this release corresponding to your OS/architecture combination or via the installation method of your choice, you are ready to verify the release signature.

First, install cosign. This is the tool we'll use to perform signature verification. Then run the following command:

cosign verify-blob \
    --signature spin.sig --certificate crt.pem \
    --certificate-identity https://github.com/fermyon/spin/.github/workflows/release.yml@refs/tags/v2.4.1 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository fermyon/spin \
    spin

If the verification passed, you should see:

Verified OK

Full Changelog: v2.4.0...v2.4.1