wfe/CHANGELOG.md

Changelog

All notable changes to this project will be documented in this file.

[1.9.0] - 2026-04-07

Added

• wfectl: New command-line client for wfe-server with 17 subcommands (login, logout, whoami, register, validate, definitions, run, get, list, cancel, suspend, resume, publish, watch, logs, search-logs). Supports OAuth2 PKCE login flow via Ory Hydra, direct bearer-token auth, and configurable output formats (table/JSON).
• wfectl validate: Local YAML validation command that compiles workflow files in-process via wfe-yaml with the full executor feature set (rustlang, buildkit, containerd, kubernetes, deno). No server round-trip or auth required — instant feedback before push.
• Human-friendly workflow names: WorkflowInstance now has a name field (unique alongside the UUID primary key). The host auto-assigns {definition_id}-{N} using a per-definition monotonic counter, with optional caller override via start_workflow_with_name / StartWorkflowRequest.name. All gRPC read/mutate APIs accept either the UUID or the human name interchangeably. WorkflowDefinition now has an optional display name declared in YAML (e.g. name: "Continuous Integration") that surfaces in listings.
• wfe-server: Full executor feature set enabled in the shipped binary — kubernetes, deno, buildkit, containerd, rustlang step types all compiled in.
• wfe-server: Dockerfile switched from rust:alpine to rust:1-bookworm + debian:bookworm-slim runtime because deno_core's bundled v8 only ships glibc binaries.
• wfe-ci: New Dockerfile.ci builder image with rust stable, cargo-nextest, cargo-llvm-cov, sccache, buildctl, kubectl, tea, git. Used as the base image for kubernetes-executed CI steps.
• wfe-kubernetes: run: scripts now execute under /bin/bash -c instead of /bin/sh -c so workflows can rely on set -o pipefail, process substitution, arrays, and other bashisms dash doesn't support.

Fixed

• wfe: WorkflowHost::start() now calls persistence.ensure_store_exists(), which was previously defined but never invoked — the Postgres/SQLite schema was never auto-created on startup, causing relation "wfc.workflows" does not exist errors on first run.
• wfe-core: SubWorkflowStep now inherits the parent workflow's data when no explicit inputs are set, so child workflows see the same top-level fields (e.g. $REPO_URL, $COMMIT_SHA) without every type: workflow step having to re-declare them.
• workflows.yaml: Restructured all step references from <<: *ci_step / <<: *ci_long (which relied on YAML 1.1 shallow merge over-writing the config: block) to inner-config merges of the form config: {<<: *ci_config, ...}. Secret env vars moved into the shared ci_env anchor so individual steps don't fight the shallow merge.

[1.8.1] - 2026-04-06

Added

• wfe-server: gRPC reflection support via tonic-reflection
• wfe-server: Schema endpoints: /schema/workflow.json (JSON Schema), /schema/workflow.yaml (YAML Schema), /schema/workflow.proto (raw proto)
• wfe-yaml: Auto-generated JSON Schema from schemars derives on all YAML types
• wfe-server: Dockerfile for multi-stage alpine build with all executor features
• wfe-server: Comprehensive configuration reference (README.md)

Fixed

• wfe-yaml: Added missing license, repository, homepage fields to Cargo.toml
• wfe-buildkit-protos: Removed vendored Go repos (166MB -> 356K), kept only .proto files
• wfe-containerd-protos: Removed vendored Go repos (53MB -> 216K), kept only .proto files
• Filesystem loop warnings from circular symlinks in vendored Go modules eliminated
• Pinned icu_calendar <2.2 to work around temporal_rs/deno_core incompatibility

[1.8.0] - 2026-04-06

Added

• wfe-kubernetes: New crate -- Kubernetes executor for running workflow steps as K8s Jobs
  • Namespace-per-workflow isolation with automatic cleanup
  • Job manifest builder with env, resources, pull policy, node selector support
  • Pod log streaming to LogSink with real-time output capture
  • ##wfe[output key=value] parsing from Job stdout
  • Timeout handling with Job cleanup on expiry
  • KubernetesServiceProvider: provisions infrastructure services as K8s Pods + Services with DNS resolution and readiness polling
  • 100% test coverage on service provider, 91% overall crate coverage
• wfe-core: ServiceDefinition, ServicePort, ReadinessProbe, ServiceEndpoint types for declaring infrastructure services
• wfe-core: ServiceProvider trait for pluggable service provisioning
• wfe-core: services field on WorkflowDefinition for declaring required services
• wfe: Capability-based workflow routing -- hosts check can_execute() before accepting workflows
  • Verifies all step types are registered in the StepRegistry
  • Verifies ServiceProvider is configured and can provision required services
  • Re-queues workflows that can't be handled by this host
• wfe: Service lifecycle in dequeue loop -- provision before execution, teardown after completion/failure
• wfe: use_service_provider() on WorkflowHostBuilder
• wfe-containerd: ContainerdServiceProvider for running services via containerd gRPC API on host network
• wfe-yaml: services: block in workflow YAML definitions with readiness probes (exec, tcp, http)
• wfe-yaml: kubernetes/k8s step type with lazy client creation

[1.7.0] - 2026-04-05

Added

• wfe-deno: New crate -- Deno/JS/TS bindings for the WFE workflow engine
  • Full API surface via 23 deno_core ops: host lifecycle, workflow management, fluent builder, step registration, event publishing
  • Channel-based execution bridge: JS step functions called from tokio executor via mpsc/oneshot channels
  • High-level JS API classes: WorkflowHost, WorkflowBuilder, ExecutionResult
  • 52 tests (26 unit + 26 integration), 93% line coverage
• wfe-core: WorkflowBuilder.steps and last_step fields now public

[1.6.3] - 2026-04-05

Fixed

• wfe-core: Propagate step_name into execution pointers when advancing to next steps, compensation steps, and parallel branch children
• wfe: Set step_name on initial execution pointer when starting a workflow instance

[1.6.2] - 2026-04-05

Added

• wfe-core: WorkflowBuilder::add_step_typed() for adding named, configured steps in parallel branch closures
• wfe-core: WorkflowBuilder::wire_outcome() now public for custom graph wiring

[1.6.1] - 2026-04-05

Added

• wfe-core: StepBuilder::config() for attaching arbitrary JSON configuration to individual steps, readable at runtime via context.step.step_config

[1.6.0] - 2026-04-01

Added

• wfe-server: Headless workflow server (single binary)
  • gRPC API with 13 RPCs: workflow CRUD, lifecycle streaming, log streaming, log search
  • HTTP webhooks: GitHub and Gitea with HMAC-SHA256 verification, configurable triggers
  • OIDC/JWT authentication with JWKS discovery and asymmetric algorithm allowlist
  • Static bearer token auth with constant-time comparison
  • Lifecycle event broadcasting via WatchLifecycle server-streaming RPC
  • Real-time log streaming via StreamLogs with follow mode and history replay
  • Full-text log search via OpenSearch with SearchLogs RPC
  • Layered config: CLI flags > env vars > TOML file
• wfe-server-protos: gRPC service definitions (tonic 0.14, server + client stubs)
• wfe-core: LogSink trait for real-time step output streaming
• wfe-core: Lifecycle publisher wired into executor (StepStarted, StepCompleted, Error, Completed, Terminated)
• wfe: use_log_sink() on WorkflowHostBuilder
• wfe-yaml: Shell step streaming mode with tokio::select! interleaved stdout/stderr

Security

• JWT algorithm confusion prevention: derive algorithm from JWK, reject symmetric algorithms
• Constant-time static token comparison via subtle crate
• OIDC issuer HTTPS validation to prevent SSRF
• Fail-closed on OIDC discovery failure (server won't start with broken auth)
• Authenticated generic webhook endpoint
• 2MB webhook payload size limit
• Config parse errors fail loudly (no silent fallback to open defaults)
• Blocked sensitive env var injection (PATH, LD_PRELOAD, etc.) from workflow data
• Security regression tests for all critical and high findings

Fixed

• Shell step streaming path now respects timeout_ms with child.kill() on timeout
• LogSink properly threaded from WorkflowHostBuilder through executor to StepExecutionContext
• LogStore.with_search() wired in server main.rs for OpenSearch indexing
• OpenSearch index_chunk returns Err on HTTP failure instead of swallowing it
• Webhook publish failures return 500 instead of 200

[1.5.0] - 2026-03-29

Added

• wfe-rustlang: New crate with Rust toolchain step executors
  • Cargo steps: cargo-build, cargo-test, cargo-check, cargo-clippy, cargo-fmt, cargo-doc, cargo-publish
  • External tool steps with auto-install: cargo-audit, cargo-deny, cargo-nextest, cargo-llvm-cov
  • Rustup steps: rust-install, rustup-toolchain, rustup-component, rustup-target
  • cargo-doc-mdx: generates MDX documentation from rustdoc JSON output using the rustdoc-types crate
• wfe-yaml: rustlang feature flag enabling all cargo/rustup step types
• wfe-yaml: Schema fields for Rust steps (package, features, toolchain, profile, output_dir, etc.)
• wfe-containerd: Remote daemon support via WFE_IO_DIR environment variable
• wfe-containerd: Image chain ID resolution from content store for proper rootfs snapshots
• wfe-containerd: Docker-default Linux capabilities for root containers
• Lima wfe-test VM config (Alpine + containerd + BuildKit, TCP socat proxy)
• Containerd integration tests running Rust toolchain in containers

Fixed

• wfe-containerd: Empty rootfs — snapshot parent now resolved from image chain ID instead of empty string
• wfe-containerd: FIFO deadlock with remote daemons — replaced with regular file I/O
• wfe-containerd: sh: not found — use absolute /bin/sh path in OCI process spec
• wfe-containerd: setgroups: Operation not permitted — grant capabilities when running as UID 0

Changed

• Lima wfe-test VM uses Alpine apk packages instead of GitHub release binaries
• Container tests use TCP proxy (http://127.0.0.1:2500) instead of Unix socket forwarding
• CI pipeline (workflows.yaml) updated with wfe-rustlang in test, package, and publish steps

879 tests. 88.8% coverage on wfe-rustlang.

[1.4.0] - 2026-03-26

Added

• Type-safe when: conditions on workflow steps with compile-time validation
• Full boolean combinator set: all (AND), any (OR), none (NOR), one_of (XOR), not (NOT)
• Task file includes with cycle detection
• Self-hosting CI pipeline (workflows.yaml) demonstrating all features
• readFile() op for deno runtime
• Auto-typed ##wfe[output] annotations (bool, number conversion)
• Multi-workflow YAML files, SubWorkflow step type, typed input/output schemas
• HostContext for programmatic child workflow invocation
• BuildKit image builder and containerd container runner as standalone crates
• gRPC clients generated from official upstream proto files (tonic 0.14)

Fixed

• Pipeline coverage step produces valid JSON, deno reads it with readFile()
• Host context field added to container executor test contexts
• .outputs. paths resolved flat for child workflows
• Pointer status conversion for Skipped in postgres provider

629 tests. 87.7% coverage.

[1.0.0] - 2026-03-23

Added

• wfe-core: Workflow engine with step primitives, executor, fluent builder API
• wfe: WorkflowHost, registry, sync runner, and purger
• wfe-sqlite: SQLite persistence provider
• wfe-postgres: PostgreSQL persistence provider
• wfe-opensearch: OpenSearch search index provider
• wfe-valkey: Valkey provider for locks, queues, and lifecycle events
• wfe-yaml: YAML workflow definitions with shell and deno executors
• wfe-yaml: Deno JS/TS runtime with sandboxed permissions, HTTP ops, npm support via esm.sh
• OpenTelemetry tracing support behind otel feature flag
• In-memory test support providers