Skip to content

feat: versioning, release pipeline, and install-from-release#17

Merged
miguelgila merged 5 commits intomainfrom
versioning
Feb 18, 2026
Merged

feat: versioning, release pipeline, and install-from-release#17
miguelgila merged 5 commits intomainfrom
versioning

Conversation

@miguelgila
Copy link
Owner

@miguelgila miguelgila commented Feb 18, 2026

Summary

  • Version embedding: build.rs injects git hash + build date into both binaries (reaper-runtime 0.1.0 (abc1234 2026-02-18))
  • Release workflow: release.yml triggers on v* tags — builds static musl binaries (x86_64 + aarch64), signs checksums with cosign, publishes GitHub Release
  • Automated releases: auto-release.yml bumps patch on every PR merge to main (skip with skip-release label); manual-release.yml supports major/minor/patch from Actions UI
  • Install from release: install-reaper.sh --release v0.1.1 downloads pre-built binaries with checksum + cosign verification
  • Version compatibility check: shim validates that its version matches the runtime's version at startup

Test plan

  • cargo test passes (unit tests + version integration tests)
  • cargo clippy passes
  • Merge this PR and verify auto-release creates v0.1.1
  • Verify RELEASE_TOKEN secret is configured before merge

🤖 Generated with Claude Code

miguelgila and others added 4 commits February 18, 2026 12:14
@miguelgila @claude
feat: add versioning, release workflow, and install-from-release support
55be836 
- Add build.rs to inject git hash and build date into binaries at compile time
- Both binaries now report version: `reaper-runtime 0.1.0 (abc1234 2026-02-18)`
- Add --version flag to containerd-shim-reaper-v2 (reaper-runtime already had it via clap)
- Remove unused dummy `reaper` binary target and src/main.rs
- Add GitHub Actions release workflow (.github/workflows/release.yml):
  triggered by v* tags, builds x86_64+aarch64 static musl binaries,
  packages tarballs, generates SHA-256 checksums, creates GitHub Release
- Add --release flag to install-reaper.sh for downloading pre-built
  binaries from GitHub Releases with checksum verification
- Add docs/RELEASING.md with step-by-step release process
- Add docs/VERSIONING_PLAN.md tracking the design and implementation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@miguelgila @claude
feat: version compatibility check and cosign release signing
c4a6ab4 
Shim now calls `reaper-runtime --version` at startup and compares with
its own version string (includes git hash). On mismatch, all container
creation is refused with FAILED_PRECONDITION — surfaces clearly in
`kubectl describe pod`.

Release workflow signs checksums-sha256.txt with cosign keyless (GitHub
OIDC). Install script verifies the signature automatically when cosign
is available.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@miguelgila @claude
test: add unit and integration tests for version compatibility check
b91f838 
Unit tests (10 new in shim):
- version_string format and content
- parse_runtime_version with/without prefix, whitespace, empty
- check_version_compatibility: match, mismatch, nonexistent binary, failing binary

Integration tests (4 new in tests/integration_version.rs):
- Both binaries report matching versions from same build
- Version output contains Cargo.toml version
- Version output contains valid git hash and build date
- Fake runtime script detected as version mismatch

Also refactors version check logic into testable functions:
parse_runtime_version() and check_version_compatibility().

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@miguelgila @claude
feat: add automated release pipeline (auto-release on PR merge)
2fab85f 
Every PR merge to main triggers a patch release automatically via
auto-release.yml. Major/minor bumps are available via manual-release.yml
from the Actions UI. Both use a RELEASE_TOKEN PAT to ensure tag pushes
trigger the existing release.yml build/sign/publish workflow.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@miguelgila miguelgila added the skip-release Do not auto-release when this PR merges label Feb 18, 2026
@miguelgila @claude
fix(ci): install tarpaulin via pre-built binary instead of cargo install
3a84154 
cargo-tarpaulin's dependency native-tls v0.2.17 fails to compile with
the latest Rust toolchain (missing Protocol::Tlsv13 match arm). Using
taiki-e/install-action downloads a pre-built binary, avoiding the issue.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@codecov
Copy link

codecov bot commented Feb 18, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 94.11765% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 86.20%. Comparing base (e994dda) to head (3a84154).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
src/bin/containerd-shim-reaper-v2/main.rs 94.11% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main      #17      +/-   ##
==========================================
+ Coverage   85.44%   86.20%   +0.76%     
==========================================
  Files           5        4       -1     
  Lines         158      174      +16     
==========================================
+ Hits          135      150      +15     
- Misses         23       24       +1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@miguelgila miguelgila merged commit 29262c2 into main Feb 18, 2026
9 checks passed
@miguelgila miguelgila deleted the versioning branch February 18, 2026 14:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

skip-release Do not auto-release when this PR merges

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@miguelgila