prep release: v1.29.0 #3734

Merged
merged 15 commits into from
Sep 4, 2023

@Geal Geal commented Sep 4, 2023

Note

When approved, this PR will merge into the 1.29.0 branch which will — upon being approved itself — merge into main.

Things to review in this PR:

  • Changelog correctness (There is a preview below, but it is not necessarily the most up to date. See the Files Changed for the true reality.)
  • Version bumps
  • That it targets the right release branch (1.29.0 in this case!).

🚀 Features

GraphOS Enterprise: authorization directives (PR #3397, PR #3662)

We introduce two new directives, @requiresScopes and @authenticated, that define authorization policies for fields and types in the supergraph schema.

They are defined as follows:

scalar federation__Scope
directive @requiresScopes(scopes: [[federation__Scope!]!]!) on OBJECT | FIELD_DEFINITION | INTERFACE | SCALAR | ENUM

directive @authenticated on OBJECT | FIELD_DEFINITION | INTERFACE | SCALAR | ENUM

The implementation hooks into the request lifecycle at multiple steps:

  • In query analysis, we extract the list of scopes necessary to authorize the query.
  • In a supergraph plugin, we calculate the authorization status and put it in the request context:
    • for @requiresScopes, this is the intersection of the query's required scopes and the scopes provided in the request token
    • for @authenticated, it is is_authenticated or not
  • In the query planning phase, we filter the query to remove unauthorized fields before proceeding with query planning.
  • At the subgraph level, if query deduplication is active, the authorization status is used to group queries together.
  • At the execution service level, the response is first formatted according to the filtered query, which removed any unauthorized information, then to the shape of the original query, which propagates nulls as needed.
  • At the execution service level, errors are added to the response indicating which fields were removed because they were not authorized.

By @Geal in #3397 #3662

🐛 Fixes

Update deno, so we can generate docs again (Issue #3305)

Router docs failed to build on crates.io because of a documentation compile error in Deno.
This updates Deno to the latest version, which allows us to generate crates.io documentation again.

By @o0Ignition0o in #3626

Fix config metrics path and test for subscription callbacks (Issue #3687)

Detection of subscription callbacks has been fixed for internal Apollo metrics. This has no user-facing impact.

By @BrynCooke in #3688

GraphQL response processing must happen under the execution span (PR #3732)

Previously, any event in processing would be reported under the supergraph span, or any plugin span (like rhai) happening in between.

By @Geal in #3732

🛠 Maintenance

Uplink connections now reuse reqwest client (Issue #3333)

Previously, uplink requests created a new reqwest client each time, which may cause CPU spikes, especially on OSX.
A single client will now be shared between requests of the same type.

By @BrynCooke in #3703

Add a metric tracking authorization usage (PR #3660)

The new metric is a counter called apollo.router.operations.authorization and contains the following boolean attributes:

  • filtered: the query has one or more filtered fields
  • requires_scopes: the query uses fields or types tagged with the @requiresScopes directive
  • authenticated: the query uses fields or types tagged with the @authenticated directive

By @Geal in #3660

Remove unneeded schema parsing steps (PR #3547)

We need access to a parsed schema in various parts of the router, sometimes before the point where it is actually parsed and integrated with the rest of the configuration, so it was parsed multiple times to mitigate that. Some architecture changes made these parsing steps obsolete so they were removed.

By @Geal in #3547

@Geal Geal requested a review from a team as a code owner September 4, 2023 12:52
@Geal Geal enabled auto-merge (squash) September 4, 2023 12:53
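
The authorization flow listed in the changelog above (scope extraction in query analysis, authorization status as an intersection, filtering before planning, one error per removed field), as an added Rust example that is not the router's code. `Policy`, the `Type.field` keys, the sample schema, the error wording and the any-of/all-of reading of the nested scope list are assumptions of this example.

```rust
use std::collections::{BTreeSet, HashMap};
/// Hypothetical model of the policy the two directives attach to one field.
#[derive(Clone, Default)]
struct Policy {
    authenticated: bool,
    /// Assumed semantics: any one inner list, with all of its scopes, authorizes.
    requires_scopes: Vec<Vec<&'static str>>,
}
type Schema = HashMap<&'static str, Policy>;
type Scopes = BTreeSet<&'static str>;
/// Query analysis: every scope named by a policy on a selected field.
fn required_scopes(schema: &Schema, query: &[&str]) -> Scopes {
    let policies = query.iter().filter_map(|f| schema.get(*f));
    policies.flat_map(|p| p.requires_scopes.iter().flatten().copied()).collect()
}

/// Authorization status: required scopes intersected with the token's scopes.
fn status(required: &Scopes, token: &[&str]) -> Scopes {
    required.iter().copied().filter(|s| token.contains(s)).collect()
}

/// Filtering before planning: returns (kept fields, one error per removed field).
fn filter_query<'a>(schema: &Schema, query: &[&'a str], is_authenticated: bool,
                    granted: &Scopes) -> (Vec<&'a str>, Vec<String>) {
    let (mut kept, mut errors) = (Vec::new(), Vec::new());
    for &field in query {
        let p = schema.get(field).cloned().unwrap_or_default();
        let scopes_ok = p.requires_scopes.is_empty()
            || p.requires_scopes.iter().any(|all| all.iter().all(|s| granted.contains(s)));
        let msg = format!("unauthorized field removed: {field}"); // made-up wording
        if (!p.authenticated || is_authenticated) && scopes_ok { kept.push(field) } else { errors.push(msg) }
    }
    (kept, errors)
}

/// Constructed sample schema, keyed by "Type.field".
fn sample_schema() -> Schema {
    HashMap::from([
        ("Query.me", Policy { authenticated: true, requires_scopes: vec![] }),
        ("User.email", Policy { authenticated: false,
            requires_scopes: vec![vec!["read:email"], vec!["admin", "pii"]] }),
    ])
}

fn main() {
    let (schema, query) = (sample_schema(), ["Query.me", "User.email", "Query.products"]);
    let granted = status(&required_scopes(&schema, &query), &["admin"]);
    println!("{:?}", filter_query(&schema, &query, true, &granted));
}
```

Because the status is a sorted set, two requests with the same granted scopes produce equal values, which is what grouping deduplicated subgraph queries by authorization status relies on.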
router-perf bot commented Sep 4, 2023

CI performance tests

  • step - Basic stress test that steps up the number of users over time
  • events_without_dedup - Stress test for events with a lot of users and deduplication DISABLED
  • xlarge-request - Stress test with 10 MB request payload
  • xxlarge-request - Stress test with 100 MB request payload
  • events_big_cap_high_rate - Stress test for events with a lot of users, deduplication enabled and high rate event with a big queue capacity
  • const - Basic stress test that runs with a constant number of users
  • reload - Reload test over a long period of time at a constant rate of users
  • large-request - Stress test with a 1 MB request payload
  • events - Stress test for events with a lot of users and deduplication ENABLED
  • step-jemalloc-tuning - Clone of the basic stress test for jemalloc tuning
  • no-graphos - Basic stress test, no GraphOS.

Co-authored-by: Jesse Rosenberger <[email protected]>
Co-authored-by: Jesse Rosenberger <[email protected]>
Co-authored-by: Jesse Rosenberger <[email protected]>
Co-authored-by: Chandrika Srinivasan <[email protected]>
Co-authored-by: Chandrika Srinivasan <[email protected]>
Co-authored-by: Chandrika Srinivasan <[email protected]>
Co-authored-by: Bryn Cooke <[email protected]>
Co-authored-by: Jesse Rosenberger <[email protected]>
@Geal Geal merged commit 192fb9c into 1.29.0 Sep 4, 2023
@Geal Geal deleted the prep-1.29.0 branch September 4, 2023 14:08
@abernix abernix added release and removed release labels Sep 7, 2023