Skip to content

Commit

Permalink
Merge branch 'main' into quiet-policy-check-improvement
Browse files Browse the repository at this point in the history
  • Loading branch information
jamengual authored Dec 31, 2024
2 parents c118111 + eaed61d commit 027071c
Show file tree
Hide file tree
Showing 45 changed files with 303 additions and 289 deletions.
16 changes: 15 additions & 1 deletion .github/workflows/atlantis-image.yml
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,11 @@ jobs:
needs: [changes]
if: needs.changes.outputs.should-run-build == 'true'
name: Build Image
permissions:
contents: read
id-token: write
packages: write
attestations: write
strategy:
matrix:
image_type: [alpine, debian]
Expand Down Expand Up @@ -129,6 +134,7 @@ jobs:
run: echo "RELEASE_VERSION=${{ startsWith(github.ref, 'refs/tags/') && '${GITHUB_REF#refs/*/}' || 'dev' }}" >> $GITHUB_ENV

- name: "Build ${{ env.PUSH == 'true' && 'and push' || '' }} ${{ env.DOCKER_REPO }} image"
id: build
if: contains(fromJson('["push", "pull_request"]'), github.event_name)
uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6
with:
Expand All @@ -147,6 +153,14 @@ jobs:
labels: ${{ steps.meta.outputs.labels }}
outputs: type=image,name=target,annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }}

- name: "Sign and Attest Image"
if: env.PUSH == 'true'
uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
with:
subject-digest: ${{ steps.build.outputs.digest }}
subject-name: ghcr.io/${{ github.repository }}
push-to-registry: true

test:
needs: [changes]
if: needs.changes.outputs.should-run-build == 'true'
Expand Down Expand Up @@ -201,4 +215,4 @@ jobs:
image_type: [alpine, debian]
runs-on: ubuntu-24.04
steps:
- run: 'echo "No build required"'
- run: 'echo "No build required"'
6 changes: 3 additions & 3 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
Expand Up @@ -77,7 +77,7 @@ jobs:

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3
uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
Expand All @@ -91,7 +91,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3
uses: github/codeql-action/autobuild@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3

# ℹ️ Command-line programs to run using the OS shell.
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
Expand All @@ -104,7 +104,7 @@ jobs:
# ./location_of_script_within_repo/buildscript.sh

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3
uses: github/codeql-action/analyze@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3
with:
category: "/language:${{matrix.language}}"

Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/scorecard.yml
Original file line number Diff line number Diff line change
Expand Up @@ -43,14 +43,14 @@ jobs:
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: 'Upload artifact'
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
with:
name: SARIF file
path: results.sarif
retention-days: 5

# Upload the results to GitHub's code scanning dashboard.
- name: 'Upload to code-scanning'
uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
with:
sarif_file: results.sarif
2 changes: 1 addition & 1 deletion .github/workflows/test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@ jobs:
if: needs.changes.outputs.should-run-tests == 'true'
name: Tests
runs-on: ubuntu-24.04
container: ghcr.io/runatlantis/testing-env:latest@sha256:6851d4f5dd59bd739e655ad3dd462490f2b809e2cc775f73718e668b260f230c
container: ghcr.io/runatlantis/testing-env:latest@sha256:79991418aec4e5dcb1f18dc7b7bdf6ee37302a30a1e374c7bcf3eba9aadef68d
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

Expand Down
4 changes: 2 additions & 2 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -200,7 +200,7 @@ Maintenance release for security patches with atlantis-base image
* docker: bump git-lfs and gosu dependencies by @hi-artem in /~https://github.com/runatlantis/atlantis/pull/2096
* fix(docker): fix base image for multi-platform build by @Tenzer in /~https://github.com/runatlantis/atlantis/pull/2099
* fix(docker): fix installation of git-lfs in armv7 image by @Tenzer in /~https://github.com/runatlantis/atlantis/pull/2100
* fix(docker): download Terraform and conftest versions maching image architecture by @Tenzer in /~https://github.com/runatlantis/atlantis/pull/2101
* fix(docker): download Terraform and conftest versions matching image architecture by @Tenzer in /~https://github.com/runatlantis/atlantis/pull/2101

# v0.18.3

Expand Down Expand Up @@ -237,7 +237,7 @@ Maintenance release for security patches with atlantis-base image
* build(deps): bump github.com/hashicorp/go-version from 1.3.0 to 1.4.0 by @dependabot in /~https://github.com/runatlantis/atlantis/pull/1987
* build(deps): bump go.uber.org/zap from 1.19.1 to 1.20.0 by @dependabot in /~https://github.com/runatlantis/atlantis/pull/1988
* docs: document `undiverged` apply requirement in more places by @fishpen0 in /~https://github.com/runatlantis/atlantis/pull/1992
* fix: fix autoplan when .terraform.lock.hcl is modifed by @gezb in /~https://github.com/runatlantis/atlantis/pull/1991
* fix: fix autoplan when .terraform.lock.hcl is modified by @gezb in /~https://github.com/runatlantis/atlantis/pull/1991
* feat: add XTerm JS to the server static files by @Ka1wa in /~https://github.com/runatlantis/atlantis/pull/1985
* feat: post workflow hooks by @tim775 in /~https://github.com/runatlantis/atlantis/pull/1990
* docs: add colon to policy checking yaml by @williamlord-wise in /~https://github.com/runatlantis/atlantis/pull/1996
Expand Down
4 changes: 2 additions & 2 deletions Dockerfile
Original file line number Diff line number Diff line change
@@ -1,11 +1,11 @@
# syntax=docker/dockerfile:1@sha256:93bfd3b68c109427185cd78b4779fc82b484b0b7618e36d0f104d4d801e66d25
# what distro is the image being built for
ARG ALPINE_TAG=3.21.0@sha256:21dc6063fd678b478f57c0e13f47560d0ea4eeba26dfc947b2a4f81f686b9f45
ARG DEBIAN_TAG=12.8-slim@sha256:1537a6a1cbc4b4fd401da800ee9480207e7dc1f23560c21259f681db56768f63
ARG DEBIAN_TAG=12.8-slim@sha256:d365f4920711a9074c4bcd178e8f457ee59250426441ab2a5f8106ed8fe948eb
ARG GOLANG_TAG=1.23.4-alpine@sha256:6c5c9590f169f77c8046e45c611d3b28fe477789acd8d3762d23d4744de69812

# renovate: datasource=github-releases depName=hashicorp/terraform versioning=hashicorp
ARG DEFAULT_TERRAFORM_VERSION=1.10.2
ARG DEFAULT_TERRAFORM_VERSION=1.10.3
# renovate: datasource=github-releases depName=opentofu/opentofu versioning=hashicorp
ARG DEFAULT_OPENTOFU_VERSION=1.8.7
# renovate: datasource=github-releases depName=open-policy-agent/conftest
Expand Down
2 changes: 1 addition & 1 deletion Dockerfile.dev
Original file line number Diff line number Diff line change
@@ -1,3 +1,3 @@
FROM ghcr.io/runatlantis/atlantis:latest@sha256:f9e0b6ff14b1313b169e4ca128a578fc719745f61114e468afab0d4cbcda575e
FROM ghcr.io/runatlantis/atlantis:latest@sha256:f95cdf8f42370abf68d9e095930de8812e3b2a0dd66c9ffc39a69c8f49727989
COPY atlantis /usr/local/bin/atlantis
WORKDIR /atlantis/src
4 changes: 2 additions & 2 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ go 1.23.4
require (
code.gitea.io/sdk/gitea v0.19.0
github.com/Masterminds/sprig/v3 v3.3.0
github.com/alicebob/miniredis/v2 v2.33.0
github.com/alicebob/miniredis/v2 v2.34.0
github.com/bradleyfalzon/ghinstallation/v2 v2.12.0
github.com/briandowns/spinner v1.23.1
github.com/cactus/go-statsd-client/v5 v5.1.0
Expand Down Expand Up @@ -70,7 +70,7 @@ require (
github.com/ProtonMail/go-crypto v1.1.0-alpha.2 // indirect
github.com/ProtonMail/go-mime v0.0.0-20230322103455-7d82a3887f2f // indirect
github.com/ProtonMail/gopenpgp/v2 v2.7.5 // indirect
github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a // indirect
github.com/alicebob/gopher-json v0.0.0-20230218143504-906a9b012302 // indirect
github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
github.com/aymerick/douceur v0.2.0 // indirect
github.com/beorn7/perks v1.0.1 // indirect
Expand Down
8 changes: 4 additions & 4 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -59,10 +59,10 @@ github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuy
github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a h1:HbKu58rmZpUGpz5+4FfNmIU+FmZg2P3Xaj2v2bfNWmk=
github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a/go.mod h1:SGnFV6hVsYE877CKEZ6tDNTjaSXYUk6QqoIK6PrAtcc=
github.com/alicebob/miniredis/v2 v2.33.0 h1:uvTF0EDeu9RLnUEG27Db5I68ESoIxTiXbNUiji6lZrA=
github.com/alicebob/miniredis/v2 v2.33.0/go.mod h1:MhP4a3EU7aENRi9aO+tHfTBZicLqQevyi/DJpoj6mi0=
github.com/alicebob/gopher-json v0.0.0-20230218143504-906a9b012302 h1:uvdUDbHQHO85qeSydJtItA4T55Pw6BtAejd0APRJOCE=
github.com/alicebob/gopher-json v0.0.0-20230218143504-906a9b012302/go.mod h1:SGnFV6hVsYE877CKEZ6tDNTjaSXYUk6QqoIK6PrAtcc=
github.com/alicebob/miniredis/v2 v2.34.0 h1:mBFWMaJSNL9RwdGRyEDoAAv8OQc5UlEhLDQggTglU/0=
github.com/alicebob/miniredis/v2 v2.34.0/go.mod h1:kWShP4b58T1CW0Y5dViCd5ztzrDqRWqM3nksiyXk5s8=
github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY=
github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4=
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,7 @@ Because I'm going to host the site on AWS services, I need requests to <www.runa

At this point, we've generated an SSL certificate for <www.runatlantis.io> and our website is available on the internet via its S3 url so can't we just CNAME to the S3 bucket and call it a day? Unfortunately not.

Since we generated our own certificate, we would need S3 to sign its responses using our certificiate. S3 doesn't support this and thus we need CloudFront. CloudFront supports using our own SSL cert and will just pull its data from the S3 bucket.
Since we generated our own certificate, we would need S3 to sign its responses using our certificate. S3 doesn't support this and thus we need CloudFront. CloudFront supports using our own SSL cert and will just pull its data from the S3 bucket.

# Terraform Time

Expand Down
4 changes: 2 additions & 2 deletions runatlantis.io/docs/custom-workflows.md
Original file line number Diff line number Diff line change
Expand Up @@ -298,7 +298,7 @@ workflows:
name: TF_IN_AUTOMATION
value: 'true'
- run:
# Allow for targetted plans/applies as not supported for Terraform wrappers by default
# Allow for targeted plans/applies as not supported for Terraform wrappers by default
command: terragrunt plan -input=false $(printf '%s' $COMMENT_ARGS | sed 's/,/ /g' | tr -d '\\') -no-color -out $PLANFILE
output: hide
- run: |
Expand Down Expand Up @@ -727,7 +727,7 @@ Full:
| multienv.command | string | none | yes | Name of the custom script to run |
| multienv.shell | string | "sh" | no | Name of the shell to use for command execution |
| multienv.shellArgs | string or []string | "-c" | no | Command line arguments to be passed to the shell. Cannot be set without `shell` |
| multienv.output | string | "show" | no | Setting output to "hide" will supress the message obout added environment variables |
| multienv.output | string | "show" | no | Setting output to "hide" will suppress the message obout added environment variables |

The output of the command execution must have the following format:
`EnvVar1Name=value1,EnvVar2Name=value2,EnvVar3Name=value3`
Expand Down
2 changes: 1 addition & 1 deletion runatlantis.io/docs/post-workflow-hooks.md
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ back to the PR as a comment.
Post workflow hooks can only be specified in the Server-Side Repo Config under
the `repos` key.

## Atlantis Command Targetting
## Atlantis Command Targeting

By default, the workflow hook will run when any command is processed by Atlantis.
This can be modified by specifying the `commands` key in the workflow hook containing a comma delimited list
Expand Down
2 changes: 1 addition & 1 deletion runatlantis.io/docs/pre-workflow-hooks.md
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ behavior can be changed by setting the [fail-on-pre-workflow-hook-error](server-
flag in the Atlantis server configuration.
:::

## Atlantis Command Targetting
## Atlantis Command Targeting

By default, the workflow hook will run when any command is processed by Atlantis.
This can be modified by specifying the `commands` key in the workflow hook containing a comma delimited list
Expand Down
2 changes: 1 addition & 1 deletion runatlantis.io/docs/repo-and-project-permissions.md
Original file line number Diff line number Diff line change
Expand Up @@ -157,7 +157,7 @@ checking if the external command exited with code `0` and if the last line
of output is `pass`.

```text
# Psuedo-code of Atlantis evaluation of external commands
# Pseudo-code of Atlantis evaluation of external commands
user_authorized =
external_command.exit_code == 0
Expand Down
2 changes: 1 addition & 1 deletion runatlantis.io/docs/repo-level-atlantis-yaml.md
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ in your repo.
If you have many directories with Terraform configuration, each directory will
need to be defined.

This behavior can be overriden by setting `autodiscover.mode` to
This behavior can be overridden by setting `autodiscover.mode` to
`enabled` in which case Atlantis will still try to discover projects which were not
explicitly configured. If the directory of any discovered project conflicts with a
manually configured project, the manually configured project will take precedence.
Expand Down
6 changes: 3 additions & 3 deletions runatlantis.io/docs/server-configuration.md
Original file line number Diff line number Diff line change
Expand Up @@ -509,7 +509,7 @@ and set `--autoplan-modules` to `false`.

This will not work with `-d` yet and to use `-p` the repo projects must be defined in the repo `atlantis.yaml` file.

This will bypass `--restrict-file-list` if regex is used, normal commands will stil be blocked if necessary.
This will bypass `--restrict-file-list` if regex is used, normal commands will still be blocked if necessary.

::: warning SECURITY WARNING
It's not supposed to be used with `--disable-apply-all`.
Expand Down Expand Up @@ -1140,7 +1140,7 @@ This is useful when you have many projects and want to keep the pull request cle

`--restrict-file-list` will block plan requests from projects outside the files modified in the pull request.
This will not block plan requests with regex if using the `--enable-regexp-cmd` flag, in these cases commands
like `atlantis plan -p .*` will still work if used. normal commands will stil be blocked if necessary.
like `atlantis plan -p .*` will still work if used. normal commands will still be blocked if necessary.
Defaults to `false`.

### `--silence-allowlist-errors`
Expand Down Expand Up @@ -1342,7 +1342,7 @@ This flag is useful when having multiple projects that need to run a plan and ap
* [plugin_cache_dir concurrently discussion](/~https://github.com/hashicorp/terraform/issues/31964)
* [PR to improve the situation](/~https://github.com/hashicorp/terraform/pull/33479)

The effect of the race condition is more evident when using parallel configuration to run plan and apply, by disabling the use of plugin cache will impact in the performance when starting a new plan or apply, but in large atlantis deployments with multiple projects and shared modules the use of `--parallel_plan` and `--parallel_apply` is mandatory for an efficient managment of the PRs.
The effect of the race condition is more evident when using parallel configuration to run plan and apply, by disabling the use of plugin cache will impact in the performance when starting a new plan or apply, but in large atlantis deployments with multiple projects and shared modules the use of `--parallel_plan` and `--parallel_apply` is mandatory for an efficient management of the PRs.

### `--var-file-allowlist`

Expand Down
4 changes: 2 additions & 2 deletions server/controllers/events/events_controller_e2e_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -465,7 +465,7 @@ func TestGitHubWorkflow(t *testing.T) {
},
},
{
Description: "omitting apply from allow commands always takes presedence",
Description: "omitting apply from allow commands always takes precedence",
RepoDir: "simple-yaml",
ModifiedFiles: []string{"main.tf"},
AllowCommands: []command.Name{command.Plan},
Expand Down Expand Up @@ -845,7 +845,7 @@ func TestSimpleWorkflow_terraformLockFile(t *testing.T) {

if !c.LockFileTracked {
// replace the lock file generated by the previous init to simulate
// dependcies needing updating in a latter plan
// dependencies needing updating in a latter plan
runCmd(t, "", "cp", oldLockFilePath, fmt.Sprintf("%s/repos/runatlantis/atlantis-tests/2/default/.terraform.lock.hcl", atlantisWorkspace.DataDir))
}

Expand Down
4 changes: 2 additions & 2 deletions server/core/config/raw/global_cfg.go
Original file line number Diff line number Diff line change
Expand Up @@ -126,8 +126,8 @@ func (g GlobalCfg) ToValid(defaultCfg valid.GlobalCfg) valid.GlobalCfg {
applyReqs := defaultCfg.Repos[0].ApplyRequirements
var globalApplyReqs []string
for _, req := range applyReqs {
for _, nonOverrideableReq := range valid.NonOverrideableApplyReqs {
if req == nonOverrideableReq {
for _, nonOverridableReq := range valid.NonOverridableApplyReqs {
if req == nonOverridableReq {
globalApplyReqs = append(globalApplyReqs, req)
}
}
Expand Down
Loading

0 comments on commit 027071c

Please sign in to comment.