ci: pin RustFS to 1.0.0-beta.8

beta.4+ refuses the rustfsadmin/rustfsadmin test credentials unless RUSTFS_ALLOW_INSECURE_DEFAULT_CREDENTIALS=true is set — acceptable for the ephemeral CI container and the local bootstrap script (which already passed it). The three S3 suites were validated against the beta.8 binary locally before this bump. The pin stays explicit, never `latest`, so future upgrades remain deliberate. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-12 01:45:14 +02:00 · 2026-06-10 18:44:05 +03:00 · 2026-06-10 18:44:05 +03:00 · 711e04a161
commit 711e04a161
parent af6a1096b0
2 changed files with 14 additions and 17 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -306,14 +306,12 @@ jobs:
            . -> target

      - name: Start RustFS
-        # Pinned to 1.0.0-beta.3 (2026-05-14) — the last known-good tag.
-        # `rustfs/rustfs:latest` (1.0.0-beta.4, 2026-05-21) added a
-        # credentials-policy check that refuses to start when
-        # AWS_ACCESS_KEY_ID/SECRET_ACCESS_KEY are values it considers
-        # "default" (rustfsadmin/rustfsadmin in our case). Bumping to
-        # beta.4+ requires either rotating those creds to less-default
-        # values or setting RUSTFS_ALLOW_INSECURE_DEFAULT_CREDENTIALS=true
-        # — deliberate work, not an emergency. Pin first; upgrade later.
+        # Pinned to 1.0.0-beta.8 (2026-06-10). beta.4+ refuses "default"
+        # credentials (rustfsadmin/rustfsadmin) unless
+        # RUSTFS_ALLOW_INSECURE_DEFAULT_CREDENTIALS=true is set — fine for
+        # an ephemeral CI container. The three S3 suites were validated
+        # against the beta.8 binary locally before this bump. Keep the pin
+        # explicit (never `latest`) so upgrades are deliberate.
        run: |
          docker rm -f rustfs >/dev/null 2>&1 || true
          docker run -d \
@ -322,7 +320,8 @@ jobs:
            -p 9001:9001 \
            -e RUSTFS_ACCESS_KEY="${AWS_ACCESS_KEY_ID}" \
            -e RUSTFS_SECRET_KEY="${AWS_SECRET_ACCESS_KEY}" \
-            rustfs/rustfs:1.0.0-beta.3 \
+            -e RUSTFS_ALLOW_INSECURE_DEFAULT_CREDENTIALS=true \
+            rustfs/rustfs:1.0.0-beta.8 \
            /data

      - name: Install AWS CLI
--- a/scripts/local-rustfs-bootstrap.sh
+++ b/scripts/local-rustfs-bootstrap.sh
@ -6,14 +6,12 @@ SOURCE_REF="${SOURCE_REF:-main}"
 RELEASE_CHANNEL="${RELEASE_CHANNEL:-edge}"
 WORKDIR="${WORKDIR:-$PWD/.omnigraph-rustfs-demo}"
 RUSTFS_CONTAINER_NAME="${RUSTFS_CONTAINER_NAME:-omnigraph-rustfs-demo}"
-# Pinned to 1.0.0-beta.3 (2026-05-14) — the last known-good tag, matching CI
-# (.github/workflows/ci.yml). `rustfs/rustfs:latest` (1.0.0-beta.4, 2026-05-21)
-# added a credentials-policy check that refuses to start when the access/secret
-# keys are values it considers "default" (rustfsadmin/rustfsadmin here). This
-# script still works on beta.4+ because it passes
-# RUSTFS_ALLOW_INSECURE_DEFAULT_CREDENTIALS=true below — so overriding
-# RUSTFS_IMAGE to a newer tag is safe.
-RUSTFS_IMAGE="${RUSTFS_IMAGE:-rustfs/rustfs:1.0.0-beta.3}"
+# Pinned to 1.0.0-beta.8 (2026-06-10), matching CI (.github/workflows/ci.yml).
+# beta.4+ has a credentials-policy check that refuses to start when the
+# access/secret keys are values it considers "default" (rustfsadmin/rustfsadmin
+# here); this script passes RUSTFS_ALLOW_INSECURE_DEFAULT_CREDENTIALS=true
+# below, so overriding RUSTFS_IMAGE to another tag is safe.
+RUSTFS_IMAGE="${RUSTFS_IMAGE:-rustfs/rustfs:1.0.0-beta.8}"
 RUSTFS_DATA_DIR="${RUSTFS_DATA_DIR:-$WORKDIR/rustfs-data}"
 BUCKET="${BUCKET:-omnigraph-local}"
 PREFIX="${PREFIX:-repos/context}"