Sienna Meridian Satterwhite
41df3c2dfd
Workspace version goes from 1.8.1 → 1.9.0. Internal crate deps that carry an explicit version (wfe-buildkit-protos, wfe-containerd-protos, wfe in wfe-deno) are bumped to match. CHANGELOG.md documents the release under `## [1.9.0] - 2026-04-07`: * wfectl CLI with 17 subcommands * wfectl validate (local YAML compile, no round-trip) * Human-friendly workflow names (instance sequencing + definition display name) * wfe-server full feature set (kubernetes + deno + buildkit + containerd + rustlang) on a debian base * wfe-ci builder Dockerfile * /bin/bash for run scripts * ensure_store_exists called on host start * SubWorkflowStep parent data inheritance * workflows.yaml restructured for YAML 1.1 shallow-merge semantics
wfe-containerd
Containerd container runner executor for WFE.
What it does
wfe-containerd runs containers via nerdctl as workflow steps. It pulls images, manages registry authentication, and executes containers with configurable networking, resource limits, volume mounts, and TLS settings. Output is captured and parsed for ##wfe[output key=value] directives, following the same convention as the shell executor.
Quick start
Add a containerd step to your YAML workflow:
workflow:
id: container-pipeline
version: 1
steps:
- name: run-tests
type: containerd
config:
image: node:20-alpine
run: npm test
network: none
memory: 512m
cpu: "1.0"
timeout: 5m
env:
NODE_ENV: test
volumes:
- source: /workspace
target: /app
readonly: true
Enable the feature in wfe-yaml:
[dependencies]
wfe-yaml = { version = "1.0.0", features = ["containerd"] }
Configuration
| Field | Type | Default | Description |
|---|---|---|---|
image |
String |
required | Container image to run |
run |
String |
- | Shell command (uses sh -c) |
command |
Vec<String> |
- | Command array (mutually exclusive with run) |
env |
HashMap |
{} |
Environment variables |
volumes |
Vec<VolumeMount> |
[] |
Volume mounts |
working_dir |
String |
- | Working directory inside container |
user |
String |
65534:65534 |
User/group to run as (nobody by default) |
network |
String |
none |
Network mode: none, host, or bridge |
memory |
String |
- | Memory limit (e.g. 512m, 1g) |
cpu |
String |
- | CPU limit (e.g. 1.0, 0.5) |
pull |
String |
if-not-present |
Pull policy: always, if-not-present, never |
containerd_addr |
String |
/run/containerd/containerd.sock |
Containerd socket address |
tls |
TlsConfig |
- | TLS configuration for containerd connection |
registry_auth |
HashMap |
{} |
Registry authentication per registry hostname |
timeout |
String |
- | Execution timeout (e.g. 30s, 5m) |
Output parsing
The step captures stdout and stderr. Lines matching ##wfe[output key=value] are extracted as workflow outputs. Raw stdout, stderr, and exit code are also available under {step_name}.stdout, {step_name}.stderr, and {step_name}.exit_code.
Security defaults
- Runs as nobody (
65534:65534) by default - Network disabled (
none) by default - Containers are always
--rm(removed after execution)