Merge remote-tracking branch 'upstream/main' into bb-comments-remove

.github/renovate.json5

@@ -21,6 +21,7 @@
  'pnpmDedupe',
  ],
  prHourlyLimit: 1,
+ minimumReleaseAge: '5 days',
  osvVulnerabilityAlerts: true,
  vulnerabilityAlerts: {
  enabled: true,

.github/workflows/atlantis-image.yml

@@ -30,7 +30,7 @@ jobs:
  if: github.event.pull_request.draft == false
  runs-on: ubuntu-22.04
  steps:
- - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
  - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
  id: changes
  with:
@@ -57,7 +57,7 @@ jobs:
  PUSH: ${{ github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')) }}
 
  steps:
- - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
 
  # Lint the Dockerfile first before setting anything up
  - name: Lint Dockerfile
@@ -148,6 +148,51 @@ jobs:
  labels: ${{ steps.meta.outputs.labels }}
  outputs: type=image,name=target,annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }}
 
+ test:
+ needs: [changes]
+ if: needs.changes.outputs.should-run-build == 'true'
+ name: Test Image With Goss
+ runs-on: ubuntu-22.04
+ strategy:
+ matrix:
+ image_type: [alpine, debian]
+ env:
+ # Set docker repo to either the fork or the main repo where the branch exists
+ DOCKER_REPO: ghcr.io/${{ github.repository }}
+
+ steps:
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3
+ # https://github.com/docker/build-push-action/issues/761#issuecomment-1575006515
+ with:
+ driver-opts: |
+ image=moby/buildkit:v0.13.2
+
+ - name: "Build and load into Docker"
+ if: contains(fromJson('["push", "pull_request"]'), github.event_name)
+ uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5
+ with:
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+ context: .
+ build-args: |
+ ATLANTIS_BASE_TAG_TYPE=${{ matrix.image_type }}
+ push: false
+ load: true
+ tags: "${{ env.DOCKER_REPO }}:goss-test"
+ target: ${{ matrix.image_type }}
+
+ - name: "Setup Goss"
+ uses: e1himself/goss-installation-action@fbb6fb55d3e59c96045b2500eeb8ce0995d99ac1 # v1.2.1
+ with:
+ version: "v0.4.7"
+
+ - name: Execute Goss tests
+ run: |
+ dgoss run --rm ${{ env.DOCKER_REPO }}:goss-test bash -c 'while true; do sleep 1; done;'
+
  skip-build:
  needs: [changes]
  if: needs.changes.outputs.should-run-build == 'false'

.github/workflows/codeql.yml

@@ -37,7 +37,7 @@ jobs:
  if: github.event.pull_request.draft == false
  runs-on: ubuntu-22.04
  steps:
- - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
  - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
  id: changes
  with:
@@ -67,7 +67,7 @@ jobs:
 
  steps:
  - name: Checkout repository
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
 
  # Initializes the CodeQL tools for scanning.
  - name: Initialize CodeQL

.github/workflows/lint.yml

@@ -22,7 +22,7 @@ jobs:
  if: github.event.pull_request.draft == false
  runs-on: ubuntu-22.04
  steps:
- - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
  - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
  id: changes
  with:
@@ -39,7 +39,7 @@ jobs:
  name: Linting
  runs-on: ubuntu-22.04
  steps:
- - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
 
  # need to setup go toolchain explicitly
  - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5

.github/workflows/release.yml

@@ -11,7 +11,7 @@ jobs:
  goreleaser:
  runs-on: ubuntu-22.04
  steps:
- - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
  with:
  submodules: true
 

.github/workflows/renovate-config.yml

@@ -16,6 +16,6 @@ jobs:
  validate:
  runs-on: ubuntu-22.04
  steps:
- - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
  - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4
  - run: npx --package renovate -c 'renovate-config-validator'

.github/workflows/test.yml

@@ -26,7 +26,7 @@ jobs:
  if: github.event.pull_request.draft == false
  runs-on: ubuntu-22.04
  steps:
- - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
  - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
  id: changes
  with:
@@ -43,7 +43,7 @@ jobs:
  runs-on: ubuntu-22.04
  container: ghcr.io/runatlantis/testing-env:latest@sha256:346fd2028603d7c9369f709023ef993faf60a70ef4c91963f5baa7454196df32
  steps:
- - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
 
  # need to setup go toolchain explicitly
  - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
@@ -104,14 +104,14 @@ jobs:
  e2e-github:
  runs-on: ubuntu-latest
  # dont run e2e tests on forked PRs
- if: github.repository == 'runatlantis/atlantis'
+ if: github.event.pull_request.head.repo.fork == false
  env:
  TERRAFORM_VERSION: 1.8.3
  ATLANTISBOT_GITHUB_USERNAME: ${{ secrets.ATLANTISBOT_GITHUB_USERNAME }}
  ATLANTISBOT_GITHUB_TOKEN: ${{ secrets.ATLANTISBOT_GITHUB_TOKEN }}
  NGROK_AUTH_TOKEN: ${{ secrets.ATLANTISBOT_NGROK_AUTH_TOKEN }}
  steps:
- - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
  - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
  with:
  go-version-file: go.mod

.github/workflows/testing-env-image.yml

@@ -22,7 +22,7 @@ jobs:
  if: github.event.pull_request.draft == false
  runs-on: ubuntu-22.04
  steps:
- - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
  - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
  id: changes
  with:
@@ -37,7 +37,7 @@ jobs:
  name: Build Testing Env Image
  runs-on: ubuntu-22.04
  steps:
- - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
 
  - name: Set up QEMU
  uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3

.github/workflows/website.yml

@@ -26,7 +26,7 @@ jobs:
  if: github.event.pull_request.draft == false
  runs-on: ubuntu-22.04
  steps:
- - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
  - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
  id: changes
  with:
@@ -46,7 +46,7 @@ jobs:
  name: Website Link Check
  runs-on: ubuntu-latest
  steps:
- - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
 
  - name: markdown-lint
  uses: DavidAnson/markdownlint-cli2-action@b4c9feab76d8025d1e83c653fa3990936df0e6c8 # v16

.tool-versions

@@ -1 +1 @@
-pnpm 9.1.1
+pnpm 9.1.2

Dockerfile

@@ -1,8 +1,8 @@
 # syntax=docker/dockerfile:1@sha256:a57df69d0ea827fb7266491f2813635de6f17269be881f696fbfdf2d83dda33e
 # what distro is the image being built for
 ARG ALPINE_TAG=3.19.1@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b
-ARG DEBIAN_TAG=12.5-slim@sha256:804194b909ef23fb995d9412c9378fb3505fe2427b70f3cc425339e48a828fca
-ARG GOLANG_TAG=1.22.1-alpine
+ARG DEBIAN_TAG=12.5-slim@sha256:3d5df92588469a4c503adbead0e4129ef3f88e223954011c2169073897547cac
+ARG GOLANG_TAG=1.22.3-alpine@sha256:a52ec26b648564b6cef8adf7bea14348b499a32d08de3943823150ad268f0d77
 
 # renovate: datasource=github-releases depName=hashicorp/terraform versioning=hashicorp
 ARG DEFAULT_TERRAFORM_VERSION=1.8.3

cmd/server.go

@@ -76,9 +76,9 @@ const (
  DisableUnlockLabelFlag = "disable-unlock-label"
  DiscardApprovalOnPlanFlag = "discard-approval-on-plan"
  EmojiReaction = "emoji-reaction"
+ EnableDiffMarkdownFormat = "enable-diff-markdown-format"
  EnablePolicyChecksFlag = "enable-policy-checks"
  EnableRegExpCmdFlag = "enable-regexp-cmd"
- EnableDiffMarkdownFormat = "enable-diff-markdown-format"
  ExecutableName = "executable-name"
  FailOnPreWorkflowHookError = "fail-on-pre-workflow-hook-error"
  HideUnchangedPlanComments = "hide-unchanged-plan-comments"
@@ -90,6 +90,7 @@ const (
  GHAppKeyFlag = "gh-app-key"
  GHAppKeyFileFlag = "gh-app-key-file"
  GHAppSlugFlag = "gh-app-slug"
+ GHInstallationIDFlag = "gh-installation-id"
  GHOrganizationFlag = "gh-org"
  GHWebhookSecretFlag = "gh-webhook-secret" // nolint: gosec
  GHAllowMergeableBypassApply = "gh-allow-mergeable-bypass-apply" // nolint: gosec
@@ -157,7 +158,7 @@ const (
  DefaultCheckoutDepth = 0
  DefaultBitbucketBaseURL = bitbucketcloud.BaseURL
  DefaultDataDir = "~/.atlantis"
- DefaultEmojiReaction = "eyes"
+ DefaultEmojiReaction = ""
  DefaultExecutableName = "atlantis"
  DefaultMarkdownTemplateOverridesDir = "~/.markdown_templates"
  DefaultGHHostname = "github.com"
@@ -275,7 +276,7 @@ var stringFlags = map[string]stringFlag{
  defaultValue: "",
  },
  EmojiReaction: {
- description: "Emoji Reaction to use to react to comments",
+ description: "Emoji Reaction to use to react to comments.",
  defaultValue: DefaultEmojiReaction,
  },
  ExecutableName: {
@@ -459,6 +460,7 @@ var boolFlags = map[string]boolFlag{
  description: "Disable atlantis auto planning feature",
  defaultValue: false,
  },
+
  DisableRepoLockingFlag: {
  description: "Disable atlantis locking repos",
  },
@@ -618,6 +620,13 @@ var int64Flags = map[string]int64Flag{
  description: "GitHub App Id. If defined, initializes the GitHub client with app-based credentials",
  defaultValue: 0,
  },
+ GHInstallationIDFlag: {
+ description: "GitHub Installation Id. If defined, initializes the GitHub client with app-based credentials " +
+ "using this specific GitHub Application Installation ID, otherwise it attempts to auto-detect it. " +
+ "Note that this value must be set if you want to have one App and multiple installations of that same " +
+ "application.",
+ defaultValue: 0,
+ },
 }
 
 // ValidLogLevels are the valid log levels that can be set

cmd/server_test.go

@@ -91,6 +91,7 @@ var testFlags = map[string]interface{}{
  GHAppKeyFlag: "",
  GHAppKeyFileFlag: "",
  GHAppSlugFlag: "atlantis",
+ GHInstallationIDFlag: int64(0),
  GHOrganizationFlag: "",
  GHWebhookSecretFlag: "secret",
  GiteaBaseURLFlag: "http://localhost",
@@ -746,6 +747,21 @@ func TestExecute_GithubApp(t *testing.T) {
  Equals(t, int64(1), passedConfig.GithubAppID)
 }
 
+func TestExecute_GithubAppWithInstallationID(t *testing.T) {
+ t.Log("Should pass the installation ID to the config.")
+ c := setup(map[string]interface{}{
+ GHAppKeyFlag: testdata.GithubPrivateKey,
+ GHAppIDFlag: "1",
+ GHInstallationIDFlag: "2",
+ RepoAllowlistFlag: "*",
+ }, t)
+ err := c.Execute()
+ Ok(t, err)
+
+ Equals(t, int64(1), passedConfig.GithubAppID)
+ Equals(t, int64(2), passedConfig.GithubInstallationID)
+}
+
 func TestExecute_GiteaUser(t *testing.T) {
  t.Log("Should remove the @ from the gitea username if it's passed.")
  c := setup(map[string]interface{}{

go.mod

@@ -1,6 +1,6 @@
 module github.com/runatlantis/atlantis
 
-go 1.22.1
+go 1.22.3
 
 require (
  code.gitea.io/sdk/gitea v0.17.1
@@ -47,19 +47,15 @@ require (
  github.com/xanzy/go-gitlab v0.102.0
  go.etcd.io/bbolt v1.3.10
  go.uber.org/zap v1.27.0
- golang.org/x/term v0.19.0
- golang.org/x/text v0.14.0
+ golang.org/x/term v0.20.0
+ golang.org/x/text v0.15.0
  gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
  github.com/agext/levenshtein v1.2.3
  github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
- github.com/go-playground/locales v0.14.1 // indirect
- github.com/go-playground/universal-translator v0.18.1 // indirect
  github.com/hashicorp/hcl/v2 v2.20.1
- github.com/inconshreveable/mousetrap v1.1.0 // indirect
- github.com/leodido/go-urn v1.4.0 // indirect
  github.com/shurcooL/graphql v0.0.0-20220606043923-3cf50f8a0a29 // indirect
  go.uber.org/atomic v1.11.0 // indirect
 )
@@ -82,6 +78,8 @@ require (
  github.com/fsnotify/fsnotify v1.7.0 // indirect
  github.com/gabriel-vasile/mimetype v1.4.3 // indirect
  github.com/go-fed/httpsig v1.1.0 // indirect
+ github.com/go-playground/locales v0.14.1 // indirect
+ github.com/go-playground/universal-translator v0.18.1 // indirect
  github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
  github.com/golang/protobuf v1.5.3 // indirect
  github.com/google/go-cmp v0.6.0 // indirect
@@ -92,15 +90,17 @@ require (
  github.com/gookit/gsr v0.1.0 // indirect
  github.com/gookit/slog v0.5.5 // indirect
  github.com/gorilla/css v1.0.0 // indirect
- github.com/hashicorp/errwrap v1.1.0 // indirect
+ github.com/hashicorp/errwrap v1.0.0 // indirect
  github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
  github.com/hashicorp/go-retryablehttp v0.7.4 // indirect
  github.com/hashicorp/go-safetemp v1.0.0 // indirect
  github.com/hashicorp/hcl v1.0.0 // indirect
  github.com/huandu/xstrings v1.4.0 // indirect
  github.com/imdario/mergo v0.3.16 // indirect
+ github.com/inconshreveable/mousetrap v1.1.0 // indirect
  github.com/klauspost/compress v1.17.0 // indirect
  github.com/kr/text v0.2.0 // indirect
+ github.com/leodido/go-urn v1.4.0 // indirect
  github.com/magiconair/properties v1.8.7 // indirect
  github.com/mattn/go-colorable v0.1.13 // indirect
  github.com/mattn/go-isatty v0.0.20 // indirect
@@ -131,15 +131,15 @@ require (
  github.com/yuin/gopher-lua v1.1.1 // indirect
  github.com/zclconf/go-cty v1.14.4 // indirect
  go.uber.org/multierr v1.11.0 // indirect
- golang.org/x/crypto v0.22.0 // indirect
+ golang.org/x/crypto v0.23.0 // indirect
  golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect
- golang.org/x/mod v0.13.0 // indirect
- golang.org/x/net v0.23.0 // indirect
+ golang.org/x/mod v0.17.0 // indirect
+ golang.org/x/net v0.25.0 // indirect
  golang.org/x/oauth2 v0.15.0 // indirect
- golang.org/x/sync v0.5.0 // indirect
- golang.org/x/sys v0.19.0 // indirect
+ golang.org/x/sync v0.7.0 // indirect
+ golang.org/x/sys v0.20.0 // indirect
  golang.org/x/time v0.5.0 // indirect
- golang.org/x/tools v0.14.0 // indirect
+ golang.org/x/tools v0.21.0 // indirect
  google.golang.org/appengine v1.6.7 // indirect
  google.golang.org/protobuf v1.33.0 // indirect
  gopkg.in/ini.v1 v1.67.0 // indirect