Support AWS IRSA to authenticate to S3 for snapshotting

Merge pull request #6041 from meilisearch/fix-workflow-injection
Remove risk of command injection
2025-12-16 17:36:58 +00:00 · 2025-12-10 18:37:28 +01:00 · 2025-12-09 17:04:58 +00:00 · 2025-12-09 17:06:41 +01:00 · 2025-12-09 13:55:08 +00:00 · 2025-12-09 14:33:04 +01:00
36 changed files with 209 additions and 177 deletions
--- a/.github/workflows/bench-manual.yml
+++ b/.github/workflows/bench-manual.yml
@@ -18,7 +18,7 @@ jobs:
    timeout-minutes: 180 # 3h
    steps:
      - uses: actions/checkout@v5
-      - uses: dtolnay/rust-toolchain@1.89
+      - uses: dtolnay/rust-toolchain@1.91.1
        with:
          profile: minimal

--- a/.github/workflows/bench-pr.yml
+++ b/.github/workflows/bench-pr.yml
@@ -66,7 +66,7 @@ jobs:
          fetch-depth: 0 # fetch full history to be able to get main commit sha
          ref: ${{ steps.comment-branch.outputs.head_ref }}

-      - uses: dtolnay/rust-toolchain@1.89
+      - uses: dtolnay/rust-toolchain@1.91.1

      - name: Run benchmarks on PR ${{ github.event.issue.id }}
        run: |
--- a/.github/workflows/bench-push-indexing.yml
+++ b/.github/workflows/bench-push-indexing.yml
@@ -12,7 +12,7 @@ jobs:
    timeout-minutes: 180 # 3h
    steps:
      - uses: actions/checkout@v5
-      - uses: dtolnay/rust-toolchain@1.89
+      - uses: dtolnay/rust-toolchain@1.91.1

      # Run benchmarks
      - name: Run benchmarks - Dataset ${BENCH_NAME} - Branch main - Commit ${{ github.sha }}
--- a/.github/workflows/benchmarks-manual.yml
+++ b/.github/workflows/benchmarks-manual.yml
@@ -18,7 +18,7 @@ jobs:
    timeout-minutes: 4320 # 72h
    steps:
      - uses: actions/checkout@v5
-      - uses: dtolnay/rust-toolchain@1.89
+      - uses: dtolnay/rust-toolchain@1.91.1
        with:
          profile: minimal

--- a/.github/workflows/benchmarks-pr.yml
+++ b/.github/workflows/benchmarks-pr.yml
@@ -44,7 +44,7 @@ jobs:
            exit 1
          fi

-      - uses: dtolnay/rust-toolchain@1.89
+      - uses: dtolnay/rust-toolchain@1.91.1
        with:
          profile: minimal

--- a/.github/workflows/benchmarks-push-indexing.yml
+++ b/.github/workflows/benchmarks-push-indexing.yml
@@ -16,7 +16,7 @@ jobs:
    timeout-minutes: 4320 # 72h
    steps:
      - uses: actions/checkout@v5
-      - uses: dtolnay/rust-toolchain@1.89
+      - uses: dtolnay/rust-toolchain@1.91.1
        with:
          profile: minimal

--- a/.github/workflows/benchmarks-push-search-geo.yml
+++ b/.github/workflows/benchmarks-push-search-geo.yml
@@ -15,7 +15,7 @@ jobs:
    runs-on: benchmarks
    steps:
      - uses: actions/checkout@v5
-      - uses: dtolnay/rust-toolchain@1.89
+      - uses: dtolnay/rust-toolchain@1.91.1
        with:
          profile: minimal

--- a/.github/workflows/benchmarks-push-search-songs.yml
+++ b/.github/workflows/benchmarks-push-search-songs.yml
@@ -15,7 +15,7 @@ jobs:
    runs-on: benchmarks
    steps:
      - uses: actions/checkout@v5
-      - uses: dtolnay/rust-toolchain@1.89
+      - uses: dtolnay/rust-toolchain@1.91.1
        with:
          profile: minimal

--- a/.github/workflows/benchmarks-push-search-wiki.yml
+++ b/.github/workflows/benchmarks-push-search-wiki.yml
@@ -15,7 +15,7 @@ jobs:
    runs-on: benchmarks
    steps:
      - uses: actions/checkout@v5
-      - uses: dtolnay/rust-toolchain@1.89
+      - uses: dtolnay/rust-toolchain@1.91.1
        with:
          profile: minimal

--- a/.github/workflows/flaky-tests.yml
+++ b/.github/workflows/flaky-tests.yml
@@ -3,7 +3,7 @@ name: Look for flaky tests
 on:
  workflow_dispatch:
  schedule:
-    - cron: '0 4 * * *' # Every day at 4:00AM
+    - cron: "0 4 * * *" # Every day at 4:00AM

 jobs:
  flaky:
@@ -23,7 +23,7 @@ jobs:
        run: |
          apt-get update && apt-get install -y curl
          apt-get install build-essential -y
-      - uses: dtolnay/rust-toolchain@1.89
+      - uses: dtolnay/rust-toolchain@1.91.1
      - name: Install cargo-flaky
        run: cargo install cargo-flaky
      - name: Run cargo flaky in the dumps
--- a/.github/workflows/fuzzer-indexing.yml
+++ b/.github/workflows/fuzzer-indexing.yml
@@ -12,7 +12,7 @@ jobs:
    timeout-minutes: 4320 # 72h
    steps:
      - uses: actions/checkout@v5
-      - uses: dtolnay/rust-toolchain@1.89
+      - uses: dtolnay/rust-toolchain@1.91.1

      # Run benchmarks
      - name: Run the fuzzer
--- a/.github/workflows/publish-apt-brew-pkg.yml
+++ b/.github/workflows/publish-apt-brew-pkg.yml
@@ -31,7 +31,7 @@ jobs:
          sudo rm -rf "/usr/share/dotnet" || true
          sudo rm -rf "/usr/local/lib/android" || true
          sudo rm -rf "/usr/local/share/boost" || true
-      - uses: dtolnay/rust-toolchain@1.89
+      - uses: dtolnay/rust-toolchain@1.91.1
      - name: Install cargo-deb
        run: cargo install cargo-deb
      - uses: actions/checkout@v5
--- a/.github/workflows/publish-release-assets.yml
+++ b/.github/workflows/publish-release-assets.yml
@@ -76,7 +76,7 @@ jobs:
    needs: check-version
    steps:
      - uses: actions/checkout@v5
-      - uses: dtolnay/rust-toolchain@1.89
+      - uses: dtolnay/rust-toolchain@1.91.1
      - name: Build
        run: cargo build --release --locked ${{ matrix.feature-flag }} ${{ matrix.extra-args }}
      # No need to upload binaries for dry run (cron or workflow_dispatch)
--- a/.github/workflows/sdks-tests.yml
+++ b/.github/workflows/sdks-tests.yml
@@ -25,14 +25,18 @@ jobs:
      - uses: actions/checkout@v5
      - name: Define the Docker image we need to use
        id: define-image
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          DOCKER_IMAGE_INPUT: ${{ github.event.inputs.docker_image }}
        run: |
-          event=${{ github.event_name }}
          echo "docker-image=nightly" >> $GITHUB_OUTPUT
-          if [[ $event == 'workflow_dispatch' ]]; then
-            echo "docker-image=${{ github.event.inputs.docker_image }}" >> $GITHUB_OUTPUT
+          if [[ "$EVENT_NAME" == 'workflow_dispatch' ]]; then
+            echo "docker-image=$DOCKER_IMAGE_INPUT" >> $GITHUB_OUTPUT
          fi
      - name: Docker image is ${{ steps.define-image.outputs.docker-image }}
-        run: echo "Docker image is ${{ steps.define-image.outputs.docker-image }}"
+        env:
+          DOCKER_IMAGE: ${{ steps.define-image.outputs.docker-image }}
+        run: echo "Docker image is $DOCKER_IMAGE"

 ##########
 ## SDKs ##
--- a/.github/workflows/test-suite.yml
+++ b/.github/workflows/test-suite.yml
@@ -34,7 +34,7 @@ jobs:
      - name: check free space after
        run: df -h
      - name: Setup test with Rust stable
-        uses: dtolnay/rust-toolchain@1.89
+        uses: dtolnay/rust-toolchain@1.91.1
      - name: Cache dependencies
        uses: Swatinem/rust-cache@v2.8.0
        with:
@@ -63,7 +63,7 @@ jobs:
      - uses: actions/checkout@v5
      - name: Cache dependencies
        uses: Swatinem/rust-cache@v2.8.0
-      - uses: dtolnay/rust-toolchain@1.89
+      - uses: dtolnay/rust-toolchain@1.91.1
      - name: Run cargo build without any default features
        uses: actions-rs/cargo@v1
        with:
@@ -87,7 +87,7 @@ jobs:
          sudo rm -rf "/usr/share/dotnet" || true
          sudo rm -rf "/usr/local/lib/android" || true
          sudo rm -rf "/usr/local/share/boost" || true
-      - uses: dtolnay/rust-toolchain@1.89
+      - uses: dtolnay/rust-toolchain@1.91.1
      - name: Run cargo build with almost all features
        run: |
          cargo build --workspace --locked --features "$(cargo xtask list-features --exclude-feature cuda,test-ollama)"
@@ -145,7 +145,7 @@ jobs:
          sudo rm -rf "/usr/share/dotnet" || true
          sudo rm -rf "/usr/local/lib/android" || true
          sudo rm -rf "/usr/local/share/boost" || true
-      - uses: dtolnay/rust-toolchain@1.89
+      - uses: dtolnay/rust-toolchain@1.91.1
      - name: Run cargo tree without default features and check lindera is not present
        run: |
          if cargo tree -f '{p} {f}' -e normal --no-default-features | grep -qz lindera; then
@@ -167,7 +167,7 @@ jobs:
          sudo rm -rf "/usr/share/dotnet" || true
          sudo rm -rf "/usr/local/lib/android" || true
          sudo rm -rf "/usr/local/share/boost" || true
-      - uses: dtolnay/rust-toolchain@1.89
+      - uses: dtolnay/rust-toolchain@1.91.1
      - name: Cache dependencies
        uses: Swatinem/rust-cache@v2.8.0
      - name: Build
@@ -187,7 +187,7 @@ jobs:
          sudo rm -rf "/usr/share/dotnet" || true
          sudo rm -rf "/usr/local/lib/android" || true
          sudo rm -rf "/usr/local/share/boost" || true
-      - uses: dtolnay/rust-toolchain@1.89
+      - uses: dtolnay/rust-toolchain@1.91.1
        with:
          components: clippy
      - name: Cache dependencies
@@ -209,7 +209,7 @@ jobs:
          sudo rm -rf "/usr/share/dotnet" || true
          sudo rm -rf "/usr/local/lib/android" || true
          sudo rm -rf "/usr/local/share/boost" || true
-      - uses: dtolnay/rust-toolchain@1.89
+      - uses: dtolnay/rust-toolchain@1.91.1
        with:
          components: rustfmt
      - name: Cache dependencies
@@ -235,7 +235,7 @@ jobs:
          sudo rm -rf "/usr/share/dotnet" || true
          sudo rm -rf "/usr/local/lib/android" || true
          sudo rm -rf "/usr/local/share/boost" || true
-      - uses: dtolnay/rust-toolchain@1.89
+      - uses: dtolnay/rust-toolchain@1.91.1
      - name: Cache dependencies
        uses: Swatinem/rust-cache@v2.8.0
      - name: Run declarative tests
--- a/.github/workflows/update-cargo-toml-version.yml
+++ b/.github/workflows/update-cargo-toml-version.yml
@@ -24,7 +24,7 @@ jobs:
          sudo rm -rf "/usr/share/dotnet" || true
          sudo rm -rf "/usr/local/lib/android" || true
          sudo rm -rf "/usr/local/share/boost" || true
-      - uses: dtolnay/rust-toolchain@1.89
+      - uses: dtolnay/rust-toolchain@1.91.1
      - name: Install sd
        run: cargo install sd
      - name: Update Cargo.toml file
--- a/crates/dump/src/reader/v2/settings.rs
+++ b/crates/dump/src/reader/v2/settings.rs
@@ -107,19 +107,14 @@ impl Settings<Unchecked> {
    }
 }

-#[derive(Debug, Clone, PartialEq)]
+#[derive(Default, Debug, Clone, PartialEq)]
 pub enum Setting<T> {
    Set(T),
    Reset,
+    #[default]
    NotSet,
 }

-impl<T> Default for Setting<T> {
-    fn default() -> Self {
-        Self::NotSet
-    }
-}
-
 impl<T> Setting<T> {
    pub const fn is_not_set(&self) -> bool {
        matches!(self, Self::NotSet)
--- a/crates/dump/src/reader/v3/settings.rs
+++ b/crates/dump/src/reader/v3/settings.rs
@@ -161,19 +161,14 @@ pub struct Facets {
    pub min_level_size: Option<NonZeroUsize>,
 }

-#[derive(Debug, Clone, PartialEq, Eq)]
+#[derive(Default, Debug, Clone, PartialEq, Eq)]
 pub enum Setting<T> {
    Set(T),
    Reset,
+    #[default]
    NotSet,
 }

-impl<T> Default for Setting<T> {
-    fn default() -> Self {
-        Self::NotSet
-    }
-}
-
 impl<T> Setting<T> {
    pub fn map<U, F>(self, f: F) -> Setting<U>
    where
--- a/crates/dump/src/reader/v4/meta.rs
+++ b/crates/dump/src/reader/v4/meta.rs
@@ -1,9 +1,7 @@
 use std::fmt::{self, Display, Formatter};
-use std::marker::PhantomData;
 use std::str::FromStr;

-use serde::de::Visitor;
-use serde::{Deserialize, Deserializer};
+use serde::Deserialize;
 use uuid::Uuid;

 use super::settings::{Settings, Unchecked};
@@ -82,59 +80,3 @@ impl Display for IndexUidFormatError {
 }

 impl std::error::Error for IndexUidFormatError {}
-
-/// A type that tries to match either a star (*) or
-/// any other thing that implements `FromStr`.
-#[derive(Debug)]
-#[cfg_attr(test, derive(serde::Serialize))]
-pub enum StarOr<T> {
-    Star,
-    Other(T),
-}
-
-impl<'de, T, E> Deserialize<'de> for StarOr<T>
-where
-    T: FromStr<Err = E>,
-    E: Display,
-{
-    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
-    where
-        D: Deserializer<'de>,
-    {
-        /// Serde can't differentiate between `StarOr::Star` and `StarOr::Other` without a tag.
-        /// Simply using `#[serde(untagged)]` + `#[serde(rename="*")]` will lead to attempting to
-        /// deserialize everything as a `StarOr::Other`, including "*".
-        /// [`#[serde(other)]`](https://serde.rs/variant-attrs.html#other) might have helped but is
-        /// not supported on untagged enums.
-        struct StarOrVisitor<T>(PhantomData<T>);
-
-        impl<T, FE> Visitor<'_> for StarOrVisitor<T>
-        where
-            T: FromStr<Err = FE>,
-            FE: Display,
-        {
-            type Value = StarOr<T>;
-
-            fn expecting(&self, formatter: &mut Formatter) -> std::fmt::Result {
-                formatter.write_str("a string")
-            }
-
-            fn visit_str<SE>(self, v: &str) -> Result<Self::Value, SE>
-            where
-                SE: serde::de::Error,
-            {
-                match v {
-                    "*" => Ok(StarOr::Star),
-                    v => {
-                        let other = FromStr::from_str(v).map_err(|e: T::Err| {
-                            SE::custom(format!("Invalid `other` value: {}", e))
-                        })?;
-                        Ok(StarOr::Other(other))
-                    }
-                }
-            }
-        }
-
-        deserializer.deserialize_str(StarOrVisitor(PhantomData))
-    }
-}
--- a/crates/dump/src/reader/v4/settings.rs
+++ b/crates/dump/src/reader/v4/settings.rs
@@ -192,19 +192,14 @@ pub struct Facets {
    pub min_level_size: Option<NonZeroUsize>,
 }

-#[derive(Debug, Clone, PartialEq, Eq, Copy)]
+#[derive(Default, Debug, Clone, PartialEq, Eq, Copy)]
 pub enum Setting<T> {
    Set(T),
    Reset,
+    #[default]
    NotSet,
 }

-impl<T> Default for Setting<T> {
-    fn default() -> Self {
-        Self::NotSet
-    }
-}
-
 impl<T> Setting<T> {
    pub fn set(self) -> Option<T> {
        match self {
--- a/crates/dump/src/reader/v5/settings.rs
+++ b/crates/dump/src/reader/v5/settings.rs
@@ -47,20 +47,15 @@ pub struct Settings<T> {
    pub _kind: PhantomData<T>,
 }

-#[derive(Debug, Clone, PartialEq, Eq, Copy)]
+#[derive(Default, Debug, Clone, PartialEq, Eq, Copy)]
 #[cfg_attr(test, derive(serde::Serialize))]
 pub enum Setting<T> {
    Set(T),
    Reset,
+    #[default]
    NotSet,
 }

-impl<T> Default for Setting<T> {
-    fn default() -> Self {
-        Self::NotSet
-    }
-}
-
 impl<T> Setting<T> {
    pub fn set(self) -> Option<T> {
        match self {
--- a/crates/dump/src/reader/v5/tasks.rs
+++ b/crates/dump/src/reader/v5/tasks.rs
@@ -322,7 +322,7 @@ impl From<Task> for TaskView {
            _ => None,
        });

-        let duration = finished_at.zip(started_at).map(|(tf, ts)| (tf - ts));
+        let duration = finished_at.zip(started_at).map(|(tf, ts)| tf - ts);

        Self {
            uid: id,
--- a/crates/index-scheduler/src/scheduler/process_snapshot_creation.rs
+++ b/crates/index-scheduler/src/scheduler/process_snapshot_creation.rs
@@ -14,6 +14,34 @@ use crate::{Error, IndexScheduler, Result};

 const UPDATE_FILES_DIR_NAME: &str = "update_files";

+#[derive(Debug, Clone, serde::Deserialize)]
+struct StsCredentials {
+    #[serde(rename = "AccessKeyId")]
+    access_key_id: String,
+    #[serde(rename = "SecretAccessKey")]
+    secret_access_key: String,
+    #[serde(rename = "SessionToken")]
+    session_token: String,
+}
+
+#[derive(Debug, serde::Deserialize)]
+struct AssumeRoleWithWebIdentityResult {
+    #[serde(rename = "Credentials")]
+    credentials: StsCredentials,
+}
+
+#[derive(Debug, serde::Deserialize)]
+struct AssumeRoleWithWebIdentityResponse {
+    #[serde(rename = "AssumeRoleWithWebIdentityResult")]
+    result: AssumeRoleWithWebIdentityResult,
+}
+
+#[derive(Debug, serde::Deserialize)]
+struct StsResponse {
+    #[serde(rename = "AssumeRoleWithWebIdentityResponse")]
+    response: AssumeRoleWithWebIdentityResponse,
+}
+
 /// # Safety
 ///
 /// See [`EnvOpenOptions::open`].
@@ -231,6 +259,49 @@ impl IndexScheduler {
        Ok(tasks)
    }

+    #[cfg(unix)]
+    async fn assume_role_with_web_identity(
+        role_arn: &str,
+        web_identity_token_file: &str,
+    ) -> Result<StsCredentials, anyhow::Error> {
+        let token = fs::read_to_string(web_identity_token_file)
+            .map_err(|e| anyhow::anyhow!("Failed to read web identity token file: {}", e))?;
+
+        let form_data = [
+            ("Action", "AssumeRoleWithWebIdentity"),
+            ("Version", "2011-06-15"),
+            ("RoleArn", role_arn),
+            ("RoleSessionName", "meilisearch-snapshot-session"),
+            ("WebIdentityToken", &token),
+            ("DurationSeconds", "3600"),
+        ];
+
+        let client = reqwest::Client::new();
+        let response = client
+            .post("https://sts.amazonaws.com/")
+            .header("Accept", "application/json")
+            .header("Content-Type", "application/x-www-form-urlencoded")
+            .form(&form_data)
+            .send()
+            .await
+            .map_err(|e| anyhow::anyhow!("Failed to send STS request: {}", e))?;
+
+        let status = response.status();
+        let body = response
+            .text()
+            .await
+            .map_err(|e| anyhow::anyhow!("Failed to read STS response body: {}", e))?;
+
+        if !status.is_success() {
+            return Err(anyhow::anyhow!("STS request failed with status {}: {}", status, body));
+        }
+
+        let sts_response: StsResponse = serde_json::from_str(&body)
+            .map_err(|e| anyhow::anyhow!("Failed to deserialize STS response: {}", e))?;
+
+        Ok(sts_response.response.result.credentials)
+    }
+
    #[cfg(unix)]
    pub(super) async fn process_snapshot_to_s3(
        &self,
@@ -247,6 +318,8 @@ impl IndexScheduler {
            s3_snapshot_prefix,
            s3_access_key,
            s3_secret_key,
+            s3_role_arn,
+            s3_web_identity_token_file,
            s3_max_in_flight_parts,
            s3_compression_level: level,
            s3_signature_duration,
@@ -262,21 +335,37 @@ impl IndexScheduler {
        };

        let (reader, writer) = std::io::pipe()?;
-        let uploader_task = tokio::spawn(multipart_stream_to_s3(
-            s3_bucket_url,
-            s3_bucket_region,
-            s3_bucket_name,
-            s3_snapshot_prefix,
-            s3_access_key,
-            s3_secret_key,
-            s3_max_in_flight_parts,
-            s3_signature_duration,
-            s3_multipart_part_size,
-            must_stop_processing,
-            retry_backoff,
-            db_name,
-            reader,
-        ));
+        let uploader_task = tokio::spawn(async move {
+            let (s3_access_key, s3_secret_key, s3_token) = if !s3_role_arn.is_empty()
+                && !s3_web_identity_token_file.is_empty()
+            {
+                let StsCredentials { access_key_id, secret_access_key, session_token } =
+                    Self::assume_role_with_web_identity(&s3_role_arn, &s3_web_identity_token_file)
+                        .await
+                        .map_err(Error::Anyhow)?;
+                (access_key_id, secret_access_key, Some(session_token))
+            } else {
+                (s3_access_key, s3_secret_key, None)
+            };
+
+            multipart_stream_to_s3(
+                s3_bucket_url,
+                s3_bucket_region,
+                s3_bucket_name,
+                s3_snapshot_prefix,
+                s3_access_key,
+                s3_secret_key,
+                s3_token,
+                s3_max_in_flight_parts,
+                s3_signature_duration,
+                s3_multipart_part_size,
+                must_stop_processing,
+                retry_backoff,
+                db_name,
+                reader,
+            )
+            .await
+        });

        let index_scheduler = IndexScheduler::private_clone(self);
        let builder_task = tokio::task::spawn_blocking(move || {
@@ -430,6 +519,7 @@ async fn multipart_stream_to_s3(
    s3_snapshot_prefix: String,
    s3_access_key: String,
    s3_secret_key: String,
+    s3_token: Option<String>,
    s3_max_in_flight_parts: std::num::NonZero<usize>,
    s3_signature_duration: std::time::Duration,
    s3_multipart_part_size: u64,
@@ -456,7 +546,10 @@ async fn multipart_stream_to_s3(
        s3_bucket_url.parse().map_err(BucketError::ParseError).map_err(Error::S3BucketError)?;
    let bucket = Bucket::new(url, UrlStyle::Path, s3_bucket_name, s3_bucket_region)
        .map_err(Error::S3BucketError)?;
-    let credential = Credentials::new(s3_access_key, s3_secret_key);
+    let credential = match s3_token {
+        Some(token) => Credentials::new_with_token(s3_access_key, s3_secret_key, token),
+        None => Credentials::new(s3_access_key, s3_secret_key),
+    };

    // Note for the future (rust 1.91+): use with_added_extension, it's prettier
    let object_path = s3_snapshot_prefix.join(format!("{db_name}.snapshot"));
--- a/crates/meilisearch/src/analytics/segment_analytics.rs
+++ b/crates/meilisearch/src/analytics/segment_analytics.rs
@@ -1,7 +1,7 @@
 use std::any::TypeId;
 use std::collections::{HashMap, HashSet};
 use std::fs;
-use std::path::{Path, PathBuf};
+use std::path::Path;
 use std::sync::Arc;
 use std::time::{Duration, Instant};

@@ -344,14 +344,14 @@ impl Infos {
            experimental_no_edition_2024_for_dumps,
            experimental_vector_store_setting: vector_store_setting,
            gpu_enabled: meilisearch_types::milli::vector::is_cuda_enabled(),
-            db_path: db_path != PathBuf::from("./data.ms"),
+            db_path: db_path != Path::new("./data.ms"),
            import_dump: import_dump.is_some(),
-            dump_dir: dump_dir != PathBuf::from("dumps/"),
+            dump_dir: dump_dir != Path::new("dumps/"),
            ignore_missing_dump,
            ignore_dump_if_db_exists,
            import_snapshot: import_snapshot.is_some(),
            schedule_snapshot,
-            snapshot_dir: snapshot_dir != PathBuf::from("snapshots/"),
+            snapshot_dir: snapshot_dir != Path::new("snapshots/"),
            uses_s3_snapshots: s3_snapshot_options.is_some(),
            ignore_missing_snapshot,
            ignore_snapshot_if_db_exists,
--- a/crates/meilisearch/src/option.rs
+++ b/crates/meilisearch/src/option.rs
@@ -85,6 +85,8 @@ const MEILI_S3_BUCKET_NAME: &str = "MEILI_S3_BUCKET_NAME";
 const MEILI_S3_SNAPSHOT_PREFIX: &str = "MEILI_S3_SNAPSHOT_PREFIX";
 const MEILI_S3_ACCESS_KEY: &str = "MEILI_S3_ACCESS_KEY";
 const MEILI_S3_SECRET_KEY: &str = "MEILI_S3_SECRET_KEY";
+const MEILI_S3_ROLE_ARN: &str = "MEILI_S3_ROLE_ARN";
+const MEILI_S3_WEB_IDENTITY_TOKEN_FILE: &str = "MEILI_S3_WEB_IDENTITY_TOKEN_FILE";
 const MEILI_EXPERIMENTAL_S3_MAX_IN_FLIGHT_PARTS: &str = "MEILI_EXPERIMENTAL_S3_MAX_IN_FLIGHT_PARTS";
 const MEILI_EXPERIMENTAL_S3_COMPRESSION_LEVEL: &str = "MEILI_EXPERIMENTAL_S3_COMPRESSION_LEVEL";
 const MEILI_EXPERIMENTAL_S3_SIGNATURE_DURATION_SECONDS: &str =
@@ -942,7 +944,7 @@ impl TryFrom<&IndexerOpts> for IndexerConfig {
 // This group is a bit tricky but makes it possible to require all listed fields if one of them
 // is specified. It lets us keep an Option for the S3SnapshotOpts configuration.
 // <https://github.com/clap-rs/clap/issues/5092#issuecomment-2616986075>
-#[group(requires_all = ["s3_bucket_url", "s3_bucket_region", "s3_bucket_name", "s3_snapshot_prefix", "s3_access_key", "s3_secret_key"])]
+#[group(requires_all = ["s3_bucket_url", "s3_bucket_region", "s3_bucket_name", "s3_snapshot_prefix"])]
 pub struct S3SnapshotOpts {
    /// The S3 bucket URL in the format https://s3.<region>.amazonaws.com.
    #[clap(long, env = MEILI_S3_BUCKET_URL, required = false)]
@@ -974,6 +976,16 @@ pub struct S3SnapshotOpts {
    #[serde(default)]
    pub s3_secret_key: String,

+    /// The IAM role ARN for web identity authentication.
+    #[clap(long, env = MEILI_S3_ROLE_ARN, required = false)]
+    #[serde(default)]
+    pub s3_role_arn: String,
+
+    /// The path to the web identity token file for IAM role authentication.
+    #[clap(long, env = MEILI_S3_WEB_IDENTITY_TOKEN_FILE, required = false)]
+    #[serde(default)]
+    pub s3_web_identity_token_file: String,
+
    /// The maximum number of parts that can be uploaded in parallel.
    ///
    /// For more information, see <https://github.com/orgs/meilisearch/discussions/869>.
@@ -1017,6 +1029,8 @@ impl S3SnapshotOpts {
            s3_snapshot_prefix,
            s3_access_key,
            s3_secret_key,
+            s3_role_arn,
+            s3_web_identity_token_file,
            experimental_s3_max_in_flight_parts,
            experimental_s3_compression_level,
            experimental_s3_signature_duration_seconds,
@@ -1029,6 +1043,8 @@ impl S3SnapshotOpts {
        export_to_env_if_not_present(MEILI_S3_SNAPSHOT_PREFIX, s3_snapshot_prefix);
        export_to_env_if_not_present(MEILI_S3_ACCESS_KEY, s3_access_key);
        export_to_env_if_not_present(MEILI_S3_SECRET_KEY, s3_secret_key);
+        export_to_env_if_not_present(MEILI_S3_ROLE_ARN, s3_role_arn);
+        export_to_env_if_not_present(MEILI_S3_WEB_IDENTITY_TOKEN_FILE, s3_web_identity_token_file);
        export_to_env_if_not_present(
            MEILI_EXPERIMENTAL_S3_MAX_IN_FLIGHT_PARTS,
            experimental_s3_max_in_flight_parts.to_string(),
@@ -1059,12 +1075,24 @@ impl TryFrom<S3SnapshotOpts> for S3SnapshotOptions {
            s3_snapshot_prefix,
            s3_access_key,
            s3_secret_key,
+            s3_role_arn,
+            s3_web_identity_token_file,
            experimental_s3_max_in_flight_parts,
            experimental_s3_compression_level,
            experimental_s3_signature_duration_seconds,
            experimental_s3_multipart_part_size,
        } = other;

+        let has_access_key_auth = !s3_access_key.is_empty() && !s3_secret_key.is_empty();
+        let has_role_arn_auth = !s3_role_arn.is_empty() && !s3_web_identity_token_file.is_empty();
+
+        // Specify either one of the authentication options, but not both
+        if has_access_key_auth && has_role_arn_auth {
+            anyhow::bail!(
+                "Please use either MEILI_S3_ACCESS_KEY and MEILI_S3_SECRET_KEY, or MEILI_S3_ROLE_ARN and MEILI_S3_WEB_IDENTITY_TOKEN_FILE."
+            );
+        }
+
        Ok(S3SnapshotOptions {
            s3_bucket_url,
            s3_bucket_region,
@@ -1072,6 +1100,8 @@ impl TryFrom<S3SnapshotOpts> for S3SnapshotOptions {
            s3_snapshot_prefix,
            s3_access_key,
            s3_secret_key,
+            s3_role_arn,
+            s3_web_identity_token_file,
            s3_max_in_flight_parts: experimental_s3_max_in_flight_parts,
            s3_compression_level: experimental_s3_compression_level,
            s3_signature_duration: Duration::from_secs(experimental_s3_signature_duration_seconds),
--- a/crates/meilisearch/src/search/mod.rs
+++ b/crates/meilisearch/src/search/mod.rs
@@ -789,11 +789,12 @@ impl TryFrom<Value> for ExternalDocumentId {
    }
 }

-#[derive(Debug, Copy, Clone, PartialEq, Eq, Deserr, ToSchema, Serialize)]
+#[derive(Default, Debug, Copy, Clone, PartialEq, Eq, Deserr, ToSchema, Serialize)]
 #[deserr(rename_all = camelCase)]
 #[serde(rename_all = "camelCase")]
 pub enum MatchingStrategy {
    /// Remove query words from last to first
+    #[default]
    Last,
    /// All query words are mandatory
    All,
@@ -801,12 +802,6 @@ pub enum MatchingStrategy {
    Frequency,
 }

-impl Default for MatchingStrategy {
-    fn default() -> Self {
-        Self::Last
-    }
-}
-
 impl From<MatchingStrategy> for TermsMatchingStrategy {
    fn from(other: MatchingStrategy) -> Self {
        match other {
--- a/crates/meilisearch/tests/auth/tenant_token.rs
+++ b/crates/meilisearch/tests/auth/tenant_token.rs
@@ -187,7 +187,7 @@ macro_rules! compute_forbidden_search {

 #[actix_rt::test]
 async fn search_authorized_simple_token() {
-    let tenant_tokens = vec![
+    let tenant_tokens = [
        hashmap! {
            "searchRules" => json!({"*": {}}),
            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
@@ -239,7 +239,7 @@ async fn search_authorized_simple_token() {

 #[actix_rt::test]
 async fn search_authorized_filter_token() {
-    let tenant_tokens = vec![
+    let tenant_tokens = [
        hashmap! {
            "searchRules" => json!({"*": {"filter": "color = blue"}}),
            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
@@ -292,7 +292,7 @@ async fn search_authorized_filter_token() {

 #[actix_rt::test]
 async fn filter_search_authorized_filter_token() {
-    let tenant_tokens = vec![
+    let tenant_tokens = [
        hashmap! {
            "searchRules" => json!({"*": {"filter": "color = blue"}}),
            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
@@ -353,7 +353,7 @@ async fn filter_search_authorized_filter_token() {
 /// Tests that those Tenant Token are incompatible with the REFUSED_KEYS defined above.
 #[actix_rt::test]
 async fn error_search_token_forbidden_parent_key() {
-    let tenant_tokens = vec![
+    let tenant_tokens = [
        hashmap! {
            "searchRules" => json!({"*": {}}),
            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
@@ -389,7 +389,7 @@ async fn error_search_token_forbidden_parent_key() {

 #[actix_rt::test]
 async fn error_search_forbidden_token() {
-    let tenant_tokens = vec![
+    let tenant_tokens = [
        // bad index
        hashmap! {
            "searchRules" => json!({"products": {}}),
--- a/crates/meilisearch/tests/auth/tenant_token_multi_search.rs
+++ b/crates/meilisearch/tests/auth/tenant_token_multi_search.rs
@@ -680,7 +680,7 @@ async fn multi_search_authorized_simple_token() {

 #[actix_rt::test]
 async fn single_search_authorized_filter_token() {
-    let tenant_tokens = vec![
+    let tenant_tokens = [
        hashmap! {
            "searchRules" => json!({"*": {"filter": "color = blue"}}),
            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
@@ -733,7 +733,7 @@ async fn single_search_authorized_filter_token() {

 #[actix_rt::test]
 async fn multi_search_authorized_filter_token() {
-    let both_tenant_tokens = vec![
+    let both_tenant_tokens = [
        hashmap! {
            "searchRules" => json!({"sales": {"filter": "color = blue"}, "products": {"filter": "doggos.age <= 5"}}),
            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
@@ -842,7 +842,7 @@ async fn filter_single_search_authorized_filter_token() {

 #[actix_rt::test]
 async fn filter_multi_search_authorized_filter_token() {
-    let tenant_tokens = vec![
+    let tenant_tokens = [
        hashmap! {
            "searchRules" => json!({"sales": {"filter": "color = blue"}, "products": {"filter": "doggos.age <= 5"}}),
            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
@@ -900,7 +900,7 @@ async fn filter_multi_search_authorized_filter_token() {
 /// Tests that those Tenant Token are incompatible with the REFUSED_KEYS defined above.
 #[actix_rt::test]
 async fn error_single_search_token_forbidden_parent_key() {
-    let tenant_tokens = vec![
+    let tenant_tokens = [
        hashmap! {
            "searchRules" => json!({"*": {}}),
            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
@@ -941,7 +941,7 @@ async fn error_single_search_token_forbidden_parent_key() {
 /// Tests that those Tenant Token are incompatible with the REFUSED_KEYS defined above.
 #[actix_rt::test]
 async fn error_multi_search_token_forbidden_parent_key() {
-    let tenant_tokens = vec![
+    let tenant_tokens = [
        hashmap! {
            "searchRules" => json!({"*": {}}),
            "exp" => json!((OffsetDateTime::now_utc() + Duration::hours(1)).unix_timestamp())
--- a/crates/milli/src/search/mod.rs
+++ b/crates/milli/src/search/mod.rs
@@ -385,9 +385,10 @@ pub struct SearchResult {
    pub query_vector: Option<Embedding>,
 }

-#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+#[derive(Default, Debug, Clone, Copy, PartialEq, Eq)]
 pub enum TermsMatchingStrategy {
    // remove last word first
+    #[default]
    Last,
    // all words are mandatory
    All,
@@ -395,12 +396,6 @@ pub enum TermsMatchingStrategy {
    Frequency,
 }

-impl Default for TermsMatchingStrategy {
-    fn default() -> Self {
-        Self::Last
-    }
-}
-
 impl From<MatchingStrategy> for TermsMatchingStrategy {
    fn from(other: MatchingStrategy) -> Self {
        match other {
--- a/crates/milli/src/update/index_documents/helpers/grenad_helpers.rs
+++ b/crates/milli/src/update/index_documents/helpers/grenad_helpers.rs
@@ -124,7 +124,7 @@ impl GrenadParameters {
    /// This should be called inside of a rayon thread pool,
    /// otherwise, it will take the global number of threads.
    pub fn max_memory_by_thread(&self) -> Option<usize> {
-        self.max_memory.map(|max_memory| (max_memory / rayon::current_num_threads()))
+        self.max_memory.map(|max_memory| max_memory / rayon::current_num_threads())
    }
 }

--- a/crates/milli/src/update/index_documents/mod.rs
+++ b/crates/milli/src/update/index_documents/mod.rs
@@ -54,11 +54,12 @@ pub struct DocumentAdditionResult {
    pub number_of_documents: u64,
 }

-#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
+#[derive(Default, Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
 #[non_exhaustive]
 pub enum IndexDocumentsMethod {
    /// Replace the previous document with the new one,
    /// removing all the already known attributes.
+    #[default]
    ReplaceDocuments,

    /// Merge the previous version of the document with the new version,
@@ -66,12 +67,6 @@ pub enum IndexDocumentsMethod {
    UpdateDocuments,
 }

-impl Default for IndexDocumentsMethod {
-    fn default() -> Self {
-        Self::ReplaceDocuments
-    }
-}
-
 pub struct IndexDocuments<'t, 'i, 'a, FP, FA> {
    wtxn: &'t mut heed::RwTxn<'i>,
    index: &'i Index,
--- a/crates/milli/src/update/indexer_config.rs
+++ b/crates/milli/src/update/indexer_config.rs
@@ -49,6 +49,8 @@ pub struct S3SnapshotOptions {
    pub s3_snapshot_prefix: String,
    pub s3_access_key: String,
    pub s3_secret_key: String,
+    pub s3_role_arn: String,
+    pub s3_web_identity_token_file: String,
    pub s3_max_in_flight_parts: NonZeroUsize,
    pub s3_compression_level: u32,
    pub s3_signature_duration: Duration,
--- a/crates/milli/src/update/settings.rs
+++ b/crates/milli/src/update/settings.rs
@@ -48,10 +48,11 @@ use crate::{
    ChannelCongestion, FieldId, FilterableAttributesRule, Index, LocalizedAttributesRule, Result,
 };

-#[derive(Debug, Clone, PartialEq, Eq, Copy)]
+#[derive(Default, Debug, Clone, PartialEq, Eq, Copy)]
 pub enum Setting<T> {
    Set(T),
    Reset,
+    #[default]
    NotSet,
 }

@@ -71,12 +72,6 @@ where
    }
 }

-impl<T> Default for Setting<T> {
-    fn default() -> Self {
-        Self::NotSet
-    }
-}
-
 impl<T> Setting<T> {
    pub fn set(self) -> Option<T> {
        match self {
--- a/crates/milli/src/vector/embeddings.rs
+++ b/crates/milli/src/vector/embeddings.rs
@@ -67,7 +67,7 @@ impl<F> Embeddings<F> {
    ///
    /// If `embeddings.len() % self.dimension != 0`, then the append operation fails.
    pub fn append(&mut self, mut embeddings: Vec<F>) -> Result<(), Vec<F>> {
-        if embeddings.len() % self.dimension != 0 {
+        if !embeddings.len().is_multiple_of(self.dimension) {
            return Err(embeddings);
        }
        self.data.append(&mut embeddings);
--- a/crates/xtask/src/common/instance/release.rs
+++ b/crates/xtask/src/common/instance/release.rs
@@ -178,6 +178,7 @@ pub fn get_arch() -> anyhow::Result<&'static str> {
    #[cfg(not(all(target_os = "linux", target_arch = "aarch64")))]
    #[cfg(not(all(target_os = "linux", target_arch = "x86_64")))]
    #[cfg(not(all(target_os = "macos", target_arch = "aarch64")))]
+    #[cfg(not(all(target_os = "macos", target_arch = "x86_64")))]
    anyhow::bail!("unsupported platform")
 }

--- a/rust-toolchain.toml
+++ b/rust-toolchain.toml
@@ -1,3 +1,3 @@
 [toolchain]
-channel = "1.89.0"
+channel = "1.91.1"
 components = ["clippy"]
Author	SHA1	Message	Date
Paul de Nonancourt	ba0aef0287	Support AWS IRSA to authenticate to S3 for snapshotting	2025-12-10 18:37:28 +01:00
Clément Renault	26e368b116	Merge pull request #6041 from meilisearch/fix-workflow-injection Remove risk of command injection	2025-12-09 17:04:58 +00:00
curquiza	ba95ac0915	Remove risk of command injection	2025-12-09 17:06:41 +01:00
Clément Renault	75fcbfc2fe	Merge pull request #6039 from meilisearch/bump-rust-to-1-19-1 Move to Rust v1.91.1	2025-12-09 13:55:08 +00:00
Kerollmops	8c19b6d55e	Make the new Clippy happy	2025-12-09 14:33:04 +01:00
Kerollmops	08d0f05ece	Remove a warning	2025-12-09 13:58:37 +01:00
Kerollmops	4762e9afa0	Move to Rust v1.91.1	2025-12-09 13:52:46 +01:00
Clément Renault	12fcab91c5	Merge pull request #6037 from meilisearch/fix-intel-mac Fix macos-amd64 compilation	2025-12-08 13:21:51 +00:00
Louis Dureuil	792a72a23f	Add missing cfg	2025-12-08 13:22:01 +01:00