v0.11.0 — polish + maintenance (32-bit + Node 24 + compat matrix, 6-round audit clean)

@masumi-ryugo masumi-ryugo released this 08 Jun 03:06
· 44 commits to main since this release

Third v0.1x-line cut. Polish + maintenance theme — no production code changes, all 9 GHA workflows + docs + composite actions only. Three-theme wave-1 delivery converged by a 6-round integrated audit (4 P2 + 1 P1 real fixes, 2 false-positive rounds caused by Codex review sandbox network limits — documented inline).

Net diff vs v0.10.0: ~12 files / ~1,400 lines across .github/, docs, charts. Published to crates.io as s4-server@0.11.0 + 3 sibling crates. Container images on ghcr.io: ghcr.io/abyo-software/s4:0.11.0 (multi-arch CPU) + :0.11.0-gpu (nvCOMP amd64) — built automatically by the v0.11.0 tag push.

Wave-1 themes

  • #A4 — 32-bit s4-server runtime end-to-end PUT/GET smoke (ci.yml i686-runtime-smoke job). The v0.10 #A4 --help/--version smoke is now a full MinIO-backed PUT/GET round-trip exercising the i686 hyper/rustls listener, aws-sdk-rust SigV4 signer, and CPU-zstd codec paths. The PUT/GET step lands as advisory (continue-on-error: true) so a first-time 32-bit runtime bug surfaces in the job log + uploaded server artifact without flipping CI red; promote to required after a stretch of green main pushes. README §"Supported targets" 32-bit row: ⚠️ → ✅.

  • #A5 — GitHub Actions Node.js 24 migration. 11 JavaScript actions bumped to their Node 24-ready majors (closing the 2026-09-16 deprecation gate GHA logs have been warning about):

    Action                                 v0.10   v0.11
    actions/checkout                       v4      v5
    actions/upload-artifact                v4      v6
    actions/download-artifact              v4      v7
    actions/github-script                  v7      v8
    codecov/codecov-action                 v4      v5
    docker/build-push-action               v5      v7
    docker/login-action                    v3      v4
    docker/setup-buildx-action             v3      v4
    docker/metadata-action                 v5      v6
    aws-actions/configure-aws-credentials  v4      v6
    azure/setup-helm                       v4      v5

    Unchanged (already Node 24 at floating tag): Swatinem/rust-cache@v2, benchmark-action/github-action-benchmark@v1, dtolnay/rust-toolchain@stable|@nightly (composite). actionlint clean across all 9 workflows.

  • #A7 — Backend compatibility matrix CI (compat-matrix.yml, weekly schedule + workflow_dispatch). Exercises a PUT/GET + sidecar HEAD round-trip per S3-compatible backend S4 claims support for:

    • Docker tier (no secrets): MinIO + Garage + Ceph RGW (best-effort, upstream demo image unmaintained)
    • Real-cloud tier (operator-provided vars + secrets, silent skip when absent): Backblaze B2 + Cloudflare R2 + Wasabi

    Composite local action .github/actions/compat-roundtrip/action.yml factors the per-backend step. README §"How it Compares" gains a 7-row compat matrix (✅ verified / ⚠️ best-effort / 🔧 configurable in operator CI).

Audit closeout (v0.10.0..v0.11.0)

Round    Severity        Fix
R1       P2              3fceddd — restore SLSA + SBOM on per-arch builds (imagetools create can't retroactively patch)
R2       P2              c29d69f — restore OCI image labels on per-arch builds + scope compat-matrix TEST_KEY to ${{ github.run_id }}
R3       P2              08545ba — propagate test-key to composite action + flavor-independent merge (CPU arm64 fail no longer skips GPU publish)
R4       P1              157d7e7 — expected-digest-count guard: refuse partial multi-arch publish (CPU arm64 fail must not overwrite :<version> as amd64-only)
R5 / R6  false-positive  eebc7e2 — action-version policy comment documents the Codex sandbox network limitation that hallucinated "action versions unpublished" twice

The two false-positive rounds count as two effective clean rounds: every flagged action major (actions/checkout@v5, upload-artifact@v6, download-artifact@v7, github-script@v8, etc.) was verified via gh api /repos/<owner>/<repo>/releases/latest, AND every CI run since the wave-1 ship (commit 3332f3e) resolves them cleanly.
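The R4 expected-digest-count guard, as an added POSIX sh example (not the project's own workflow code); the function name, its calling convention and the assumption that each per-arch matrix leg hands back exactly one digest string are mine:

```shell
#!/bin/sh
# Added example, not code from the s4 repository: a POSIX-sh version of the
# "expected-digest-count guard" that audit round R4 describes. The function
# name and calling convention are assumptions.
#
# guard_digests EXPECTED_COUNT DIGEST...
#   Returns 0 only if exactly EXPECTED_COUNT distinct, well-formed sha256
#   digests were supplied. Any other outcome returns 1 so the CI step that
#   runs `docker buildx imagetools create` never merges a partial manifest
#   over :<version> (e.g. amd64 only after the arm64 leg failed).
guard_digests() {
  expected="$1"
  shift
  seen=" "
  count=0
  for d in "$@"; do
    hex="${d#sha256:}"
    # A skipped or failed matrix leg usually surfaces as an empty output,
    # which fails the prefix/length check here instead of being counted.
    if [ "$hex" = "$d" ] || [ "${#hex}" -ne 64 ]; then
      echo "guard: malformed digest '$d'" >&2
      return 1
    fi
    case "$hex" in
      *[!0-9a-f]*) echo "guard: non-hex digest '$d'" >&2; return 1 ;;
    esac
    # The same digest twice means one platform was reported twice, not two.
    case "$seen" in
      *" $d "*) echo "guard: duplicate digest $d" >&2; return 1 ;;
    esac
    seen="$seen$d "
    count=$((count + 1))
  done
  if [ "$count" -ne "$expected" ]; then
    echo "guard: expected $expected per-arch digests, got $count; refusing partial publish" >&2
    return 1
  fi
  return 0
}

# Constructed sample digests (not real image digests) for a two-arch build.
AMD64_DIGEST=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
ARM64_DIGEST=sha256:fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210

# Happy path: both legs reported, merge may proceed.
guard_digests 2 "$AMD64_DIGEST" "$ARM64_DIGEST" && echo "guard: ok, merging 2 digests"
# arm64 leg failed and handed back an empty string: merge is refused.
if ! guard_digests 2 "$AMD64_DIGEST" ""; then echo "guard: merge blocked"; fi
```

In a workflow, run the guard as its own step before the manifest merge so a non-zero exit fails the job instead of silently publishing a single-arch tag.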

Cleanup recipe for already-shipped v0.9.0 / v0.10.0 images

The imagetools create shape introduced in v0.10.0 lost OCI labels + SLSA + SBOM. To re-attach them to the existing tags:

gh workflow run docker.yml --ref main \
  -f build_ref=v0.10.0 \
  -f image_tag_override=0.10.0 \
  -f push=true

gh workflow run docker.yml --ref main \
  -f build_ref=v0.9.0 \
  -f image_tag_override=0.9.0 \
  -f push=true

Each per-arch rebuild attaches the labels + attestations now that the build step has them; the merged manifest under each tag overwrites the prior labels-less manifest.

Coverage

  • Workspace tests unchanged (~720 pass, 0 fail) — production code untouched.
  • New CI workflows: 1 new (compat-matrix.yml) + 9 modified (Node 24 bumps + i686 PUT/GET).
  • v0.11.0 compat-matrix first weekly fire: Sunday 06:00 UTC.

v0.12+ candidates (deferred)

  • Chunked SSE-KMS envelope (provisional S4E7) + chunked SSE-C (S4E8) → Range GET partial-fetch for those modes.
  • S4F3 streaming frame format → streaming PUT checksum verify for multipart upload_part.
  • 32-bit s4-server runtime end-to-end smoke promoted from advisory to required (after green-main stretch observed).
  • Per-action SHA pinning instead of floating major tags (security hardening).

Full changelog

See CHANGELOG.md for the per-finding detail.

🤖 Generated with Claude Code