v0.22.0

github-actions released this 18 May 19:19
2f685bd

Release Notes

This release adds JFrog Artifactory and AWS S3 as first-class extensions, introduces per-deployment resource configuration, hardens authentication security, and overhauls the documentation site.


New Features

  • JFrog Artifactory registry support — mint scoped, short-lived credentials for image push and Kubernetes pull secrets via JFrog's access token API or a Vault plugin. Separate push/pull TTLs, per-project scope isolation, and pull credential caching included.
  • AWS S3 bucket extension — automatically provisions a dedicated S3 bucket and scoped IAM credentials per project, injected as environment variables. Supports DeletionBlocked state when a bucket is non-empty, with opt-in force_empty_bucket for safe teardown.
  • Configurable deployment replicas and resources — set replicas, cpu, and memory in rise.toml or via --replicas/--cpu/--memory CLI flags. Admins can set per-environment min/max constraints; values are validated at deployment time.
  • Starlight documentation sites — user and engineering docs now live at docs/user and docs/engineering with improved structure and navigation.
  • rise backend rise-toml-schema CLI command — generates the rise-toml-v1.schema.json directly; the old /api/v1/schema/rise-toml/v1 endpoint now redirects (301) to /docs/schemas/rise-toml-v1.schema.json.

Bug Fixes

  • Auth: cookies scoped to exact host — cookies no longer carry a Domain attribute, preventing cross-subdomain leakage between the Rise API and app subdomains. Ingress auth flows now always redirect through /.rise/auth/complete on the app's own domain.
  • Auth: ingress JWTs now carry the correct aud claim — private-app JWTs previously used the Rise server URL as audience; they now use the app's own URL. API middleware rejects RS256 ingress tokens, preventing them from authenticating API calls.
  • AWS error detection — replaced brittle string-matching on formatted error types with typed AWS SDK error variants across S3 and RDS extension providers.
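
The host-only cookie fix above can be checked against captured Set-Cookie headers. This added example (not code from the Rise project) models RFC 6265 domain matching to list which sibling hosts would receive each cookie; all hostnames and the cookie name are constructed, and the public-suffix and IP-address rules are left out.

```python
# Added example: RFC 6265 cookie scoping. Hostnames and cookie names are constructed.

def parse_set_cookie(header, origin_host):
    """Parse one Set-Cookie value into its name and effective scope."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    domain = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        val = val.strip()
        if key.strip().lower() == "domain" and val:
            # RFC 6265 section 5.2.3: one leading dot is ignored, case is folded.
            domain = (val[1:] if val.startswith(".") else val).lower()
    # Without a Domain attribute the cookie is host-only: bound to the exact origin host.
    return {"name": name, "host_only": domain is None,
            "domain": domain or origin_host.lower()}

def is_sent_to(cookie, request_host):
    """True if a browser would attach the cookie to a request for request_host."""
    host = request_host.lower()
    if host == cookie["domain"]:
        return True
    if cookie["host_only"]:
        return False
    # Domain-scoped cookies also match every subdomain of the Domain value.
    return host.endswith("." + cookie["domain"])

def audit(set_cookie_headers, origin_host, sibling_hosts):
    """Return {cookie name: [hosts other than the origin that would receive it]}."""
    findings = {}
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header, origin_host)
        exposed = [h for h in sibling_hosts
                   if h.lower() != origin_host.lower() and is_sent_to(cookie, h)]
        if exposed:
            findings[cookie["name"]] = exposed
    return findings

ORIGIN = "rise.example.test"  # constructed API host
SIBLINGS = ["myapp.example.test", "other.example.test", "notexample.test"]
DOMAIN_SCOPED = ["session_example=abc; Domain=example.test; Path=/; Secure; HttpOnly"]
HOST_ONLY = ["session_example=abc; Path=/; Secure; HttpOnly"]

if __name__ == "__main__":
    print("domain-scoped:", audit(DOMAIN_SCOPED, ORIGIN, SIBLINGS))
    print("host-only:    ", audit(HOST_ONLY, ORIGIN, SIBLINGS))
```

An empty result for every header captured after the upgrade means no cookie set by that host is shared with sibling subdomains.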

⚠️ Breaking Changes

  • cookie_domain setting repurposed — this field no longer sets the Domain attribute on new cookies. It is now used only to clear stale domain-scoped cookies during migration. Existing configs continue to work, but cross-subdomain cookie sharing via cookie_domain is no longer supported.
  • Legacy Metacontroller adoption code removed — the legacy_adopt_existing_resources_to_metacontroller backend setting and adoptExistingResources Helm value have been removed. Clusters that still rely on this one-time migration path must complete the migration before upgrading.
  • Registry credentials endpoint moved — credentials are now fetched from GET /projects/{name}/deployments/{id}/registry-credentials (scoped to Pending/Building/Pushing states) instead of the old project-scoped endpoint. Older CLI versions fall back to credentials in CreateDeploymentResponse, which is now deprecated.

Dependency Updates

Routine updates to tokio, openssl, aws-sdk-s3/s3-js, jsonwebtoken, tailwindcss 4.3, vite 8, react 19.2, pack 0.40.6, gunicorn 26, and several other crates and npm packages.


Download rise-deploy 0.22.0

File Platform Checksum
rise-deploy-aarch64-apple-darwin.tar.xz Apple Silicon macOS checksum
rise-deploy-x86_64-apple-darwin.tar.xz Intel macOS checksum
rise-deploy-x86_64-unknown-linux-gnu.tar.xz x64 Linux checksum