From 711e04a161655c95c7a46e7f9a13bd64cb6a7473 Mon Sep 17 00:00:00 2001 From: aaltshuler Date: Wed, 10 Jun 2026 18:44:05 +0300 Subject: [PATCH] ci: pin RustFS to 1.0.0-beta.8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit beta.4+ refuses the rustfsadmin/rustfsadmin test credentials unless RUSTFS_ALLOW_INSECURE_DEFAULT_CREDENTIALS=true is set — acceptable for the ephemeral CI container and the local bootstrap script (which already passed it). The three S3 suites were validated against the beta.8 binary locally before this bump. The pin stays explicit, never `latest`, so future upgrades remain deliberate. Co-Authored-By: Claude Fable 5 --- .github/workflows/ci.yml | 17 ++++++++--------- scripts/local-rustfs-bootstrap.sh | 14 ++++++-------- 2 files changed, 14 insertions(+), 17 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1ea6c37..15e6d11 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -306,14 +306,12 @@ jobs: . -> target - name: Start RustFS - # Pinned to 1.0.0-beta.3 (2026-05-14) — the last known-good tag. - # `rustfs/rustfs:latest` (1.0.0-beta.4, 2026-05-21) added a - # credentials-policy check that refuses to start when - # AWS_ACCESS_KEY_ID/SECRET_ACCESS_KEY are values it considers - # "default" (rustfsadmin/rustfsadmin in our case). Bumping to - # beta.4+ requires either rotating those creds to less-default - # values or setting RUSTFS_ALLOW_INSECURE_DEFAULT_CREDENTIALS=true - # — deliberate work, not an emergency. Pin first; upgrade later. + # Pinned to 1.0.0-beta.8 (2026-06-10). beta.4+ refuses "default" + # credentials (rustfsadmin/rustfsadmin) unless + # RUSTFS_ALLOW_INSECURE_DEFAULT_CREDENTIALS=true is set — fine for + # an ephemeral CI container. The three S3 suites were validated + # against the beta.8 binary locally before this bump. Keep the pin + # explicit (never `latest`) so upgrades are deliberate. run: | docker rm -f rustfs >/dev/null 2>&1 || true docker run -d \ @@ -322,7 +320,8 @@ jobs: -p 9001:9001 \ -e RUSTFS_ACCESS_KEY="${AWS_ACCESS_KEY_ID}" \ -e RUSTFS_SECRET_KEY="${AWS_SECRET_ACCESS_KEY}" \ - rustfs/rustfs:1.0.0-beta.3 \ + -e RUSTFS_ALLOW_INSECURE_DEFAULT_CREDENTIALS=true \ + rustfs/rustfs:1.0.0-beta.8 \ /data - name: Install AWS CLI diff --git a/scripts/local-rustfs-bootstrap.sh b/scripts/local-rustfs-bootstrap.sh index c4fdcbe..2425c77 100755 --- a/scripts/local-rustfs-bootstrap.sh +++ b/scripts/local-rustfs-bootstrap.sh @@ -6,14 +6,12 @@ SOURCE_REF="${SOURCE_REF:-main}" RELEASE_CHANNEL="${RELEASE_CHANNEL:-edge}" WORKDIR="${WORKDIR:-$PWD/.omnigraph-rustfs-demo}" RUSTFS_CONTAINER_NAME="${RUSTFS_CONTAINER_NAME:-omnigraph-rustfs-demo}" -# Pinned to 1.0.0-beta.3 (2026-05-14) — the last known-good tag, matching CI -# (.github/workflows/ci.yml). `rustfs/rustfs:latest` (1.0.0-beta.4, 2026-05-21) -# added a credentials-policy check that refuses to start when the access/secret -# keys are values it considers "default" (rustfsadmin/rustfsadmin here). This -# script still works on beta.4+ because it passes -# RUSTFS_ALLOW_INSECURE_DEFAULT_CREDENTIALS=true below — so overriding -# RUSTFS_IMAGE to a newer tag is safe. -RUSTFS_IMAGE="${RUSTFS_IMAGE:-rustfs/rustfs:1.0.0-beta.3}" +# Pinned to 1.0.0-beta.8 (2026-06-10), matching CI (.github/workflows/ci.yml). +# beta.4+ has a credentials-policy check that refuses to start when the +# access/secret keys are values it considers "default" (rustfsadmin/rustfsadmin +# here); this script passes RUSTFS_ALLOW_INSECURE_DEFAULT_CREDENTIALS=true +# below, so overriding RUSTFS_IMAGE to another tag is safe. +RUSTFS_IMAGE="${RUSTFS_IMAGE:-rustfs/rustfs:1.0.0-beta.8}" RUSTFS_DATA_DIR="${RUSTFS_DATA_DIR:-$WORKDIR/rustfs-data}" BUCKET="${BUCKET:-omnigraph-local}" PREFIX="${PREFIX:-repos/context}"