Merge branch 'main' into fix/vcs-status-custom-policy

.github/workflows/scorecard.yml

@@ -43,14 +43,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: 'Upload artifact'
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: 'Upload to code-scanning'
-        uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
+        uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
         with:
           sarif_file: results.sarif

.github/workflows/test.yml

@@ -48,7 +48,7 @@ jobs:
     if: needs.changes.outputs.should-run-tests == 'true'
     name: Tests
     runs-on: ubuntu-24.04
-    container: ghcr.io/runatlantis/testing-env:latest@sha256:0797cca916cee27d54c1375aa0395d212f0f73493170cdd0ed8d97cc003c4a72
+    container: ghcr.io/runatlantis/testing-env:latest@sha256:79991418aec4e5dcb1f18dc7b7bdf6ee37302a30a1e374c7bcf3eba9aadef68d
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 

CHANGELOG.md

@@ -200,7 +200,7 @@ Maintenance release for security patches with atlantis-base image
 * docker: bump git-lfs and gosu dependencies by @hi-artem in https://github.com/runatlantis/atlantis/pull/2096
 * fix(docker): fix base image for multi-platform build by @Tenzer in https://github.com/runatlantis/atlantis/pull/2099
 * fix(docker): fix installation of git-lfs in armv7 image by @Tenzer in https://github.com/runatlantis/atlantis/pull/2100
-* fix(docker): download Terraform and conftest versions maching image architecture by @Tenzer in https://github.com/runatlantis/atlantis/pull/2101
+* fix(docker): download Terraform and conftest versions matching image architecture by @Tenzer in https://github.com/runatlantis/atlantis/pull/2101
 
 # v0.18.3
 
@@ -237,7 +237,7 @@ Maintenance release for security patches with atlantis-base image
 * build(deps): bump github.com/hashicorp/go-version from 1.3.0 to 1.4.0 by @dependabot in https://github.com/runatlantis/atlantis/pull/1987
 * build(deps): bump go.uber.org/zap from 1.19.1 to 1.20.0 by @dependabot in https://github.com/runatlantis/atlantis/pull/1988
 * docs: document `undiverged` apply requirement in more places by @fishpen0 in https://github.com/runatlantis/atlantis/pull/1992
-* fix: fix autoplan when .terraform.lock.hcl is modifed by @gezb in https://github.com/runatlantis/atlantis/pull/1991
+* fix: fix autoplan when .terraform.lock.hcl is modified by @gezb in https://github.com/runatlantis/atlantis/pull/1991
 * feat: add XTerm JS to the server static files by @Ka1wa in https://github.com/runatlantis/atlantis/pull/1985
 * feat: post workflow hooks by @tim775 in https://github.com/runatlantis/atlantis/pull/1990
 * docs: add colon to policy checking yaml by @williamlord-wise in https://github.com/runatlantis/atlantis/pull/1996

Dockerfile

@@ -1,11 +1,11 @@
 # syntax=docker/dockerfile:1@sha256:93bfd3b68c109427185cd78b4779fc82b484b0b7618e36d0f104d4d801e66d25
 # what distro is the image being built for
 ARG ALPINE_TAG=3.21.0@sha256:21dc6063fd678b478f57c0e13f47560d0ea4eeba26dfc947b2a4f81f686b9f45
-ARG DEBIAN_TAG=12.8-slim@sha256:1537a6a1cbc4b4fd401da800ee9480207e7dc1f23560c21259f681db56768f63
+ARG DEBIAN_TAG=12.8-slim@sha256:d365f4920711a9074c4bcd178e8f457ee59250426441ab2a5f8106ed8fe948eb
 ARG GOLANG_TAG=1.23.4-alpine@sha256:6c5c9590f169f77c8046e45c611d3b28fe477789acd8d3762d23d4744de69812
 
 # renovate: datasource=github-releases depName=hashicorp/terraform versioning=hashicorp
-ARG DEFAULT_TERRAFORM_VERSION=1.10.2
+ARG DEFAULT_TERRAFORM_VERSION=1.10.3
 # renovate: datasource=github-releases depName=opentofu/opentofu versioning=hashicorp
 ARG DEFAULT_OPENTOFU_VERSION=1.8.7
 # renovate: datasource=github-releases depName=open-policy-agent/conftest

go.mod

@@ -5,7 +5,7 @@ go 1.23.4
 require (
 	code.gitea.io/sdk/gitea v0.19.0
 	github.com/Masterminds/sprig/v3 v3.3.0
-	github.com/alicebob/miniredis/v2 v2.33.0
+	github.com/alicebob/miniredis/v2 v2.34.0
 	github.com/bradleyfalzon/ghinstallation/v2 v2.12.0
 	github.com/briandowns/spinner v1.23.1
 	github.com/cactus/go-statsd-client/v5 v5.1.0
@@ -70,7 +70,7 @@ require (
 	github.com/ProtonMail/go-crypto v1.1.0-alpha.2 // indirect
 	github.com/ProtonMail/go-mime v0.0.0-20230322103455-7d82a3887f2f // indirect
 	github.com/ProtonMail/gopenpgp/v2 v2.7.5 // indirect
-	github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a // indirect
+	github.com/alicebob/gopher-json v0.0.0-20230218143504-906a9b012302 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/aymerick/douceur v0.2.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect

go.sum

@@ -59,10 +59,10 @@ github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuy
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
-github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a h1:HbKu58rmZpUGpz5+4FfNmIU+FmZg2P3Xaj2v2bfNWmk=
-github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a/go.mod h1:SGnFV6hVsYE877CKEZ6tDNTjaSXYUk6QqoIK6PrAtcc=
-github.com/alicebob/miniredis/v2 v2.33.0 h1:uvTF0EDeu9RLnUEG27Db5I68ESoIxTiXbNUiji6lZrA=
-github.com/alicebob/miniredis/v2 v2.33.0/go.mod h1:MhP4a3EU7aENRi9aO+tHfTBZicLqQevyi/DJpoj6mi0=
+github.com/alicebob/gopher-json v0.0.0-20230218143504-906a9b012302 h1:uvdUDbHQHO85qeSydJtItA4T55Pw6BtAejd0APRJOCE=
+github.com/alicebob/gopher-json v0.0.0-20230218143504-906a9b012302/go.mod h1:SGnFV6hVsYE877CKEZ6tDNTjaSXYUk6QqoIK6PrAtcc=
+github.com/alicebob/miniredis/v2 v2.34.0 h1:mBFWMaJSNL9RwdGRyEDoAAv8OQc5UlEhLDQggTglU/0=
+github.com/alicebob/miniredis/v2 v2.34.0/go.mod h1:kWShP4b58T1CW0Y5dViCd5ztzrDqRWqM3nksiyXk5s8=
 github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY=
 github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=

runatlantis.io/blog/2018/hosting-our-static-site-over-ssl-with-s3-acm-cloudfront-and-terraform.md

@@ -52,7 +52,7 @@ Because I'm going to host the site on AWS services, I need requests to <www.runa
 
 At this point, we've generated an SSL certificate for <www.runatlantis.io> and our website is available on the internet via its S3 url so can't we just CNAME to the S3 bucket and call it a day? Unfortunately not.
 
-Since we generated our own certificate, we would need S3 to sign its responses using our certificiate. S3 doesn't support this and thus we need CloudFront. CloudFront supports using our own SSL cert and will just pull its data from the S3 bucket.
+Since we generated our own certificate, we would need S3 to sign its responses using our certificate. S3 doesn't support this and thus we need CloudFront. CloudFront supports using our own SSL cert and will just pull its data from the S3 bucket.
 
 # Terraform Time
 

runatlantis.io/docs/custom-workflows.md

@@ -298,7 +298,7 @@ workflows:
           name: TF_IN_AUTOMATION
           value: 'true'
       - run:
-          # Allow for targetted plans/applies as not supported for Terraform wrappers by default
+          # Allow for targeted plans/applies as not supported for Terraform wrappers by default
           command: terragrunt plan -input=false $(printf '%s' $COMMENT_ARGS | sed 's/,/ /g' | tr -d '\\') -no-color -out $PLANFILE
           output: hide
       - run: |
@@ -727,7 +727,7 @@ Full:
 | multienv.command   | string                | none    | yes      | Name of the custom script to run                                                    |
 | multienv.shell     | string                | "sh"    | no       | Name of the shell to use for command execution                                      |
 | multienv.shellArgs | string or []string    | "-c"    | no       | Command line arguments to be passed to the shell. Cannot be set without `shell`     |
-| multienv.output    | string                | "show"  | no       | Setting output to "hide" will supress the message obout added environment variables |
+| multienv.output    | string                | "show"  | no       | Setting output to "hide" will suppress the message obout added environment variables |
 
 The output of the command execution must have the following format:
 `EnvVar1Name=value1,EnvVar2Name=value2,EnvVar3Name=value3`

runatlantis.io/docs/post-workflow-hooks.md

@@ -11,7 +11,7 @@ back to the PR as a comment.
 Post workflow hooks can only be specified in the Server-Side Repo Config under
 the `repos` key.
 
-## Atlantis Command Targetting
+## Atlantis Command Targeting
 
 By default, the workflow hook will run when any command is processed by Atlantis.
 This can be modified by specifying the `commands` key in the workflow hook containing a comma delimited list

runatlantis.io/docs/pre-workflow-hooks.md

@@ -21,7 +21,7 @@ behavior can be changed by setting the [fail-on-pre-workflow-hook-error](server-
 flag in the Atlantis server configuration.
 :::
 
-## Atlantis Command Targetting
+## Atlantis Command Targeting
 
 By default, the workflow hook will run when any command is processed by Atlantis.
 This can be modified by specifying the `commands` key in the workflow hook containing a comma delimited list

runatlantis.io/docs/repo-and-project-permissions.md

@@ -157,7 +157,7 @@ checking if the external command exited with code `0` and if the last line
 of output is `pass`.
 
 ```text
-# Psuedo-code of Atlantis evaluation of external commands
+# Pseudo-code of Atlantis evaluation of external commands
 
 user_authorized =
   external_command.exit_code == 0

runatlantis.io/docs/repo-level-atlantis-yaml.md

@@ -44,7 +44,7 @@ in your repo.
 If you have many directories with Terraform configuration, each directory will
 need to be defined.
 
-This behavior can be overriden by setting `autodiscover.mode` to
+This behavior can be overridden by setting `autodiscover.mode` to
 `enabled` in which case Atlantis will still try to discover projects which were not
 explicitly configured. If the directory of any discovered project conflicts with a
 manually configured project, the manually configured project will take precedence.

runatlantis.io/docs/server-configuration.md

@@ -509,7 +509,7 @@ and set `--autoplan-modules` to `false`.
 
   This will not work with `-d` yet and to use `-p` the repo projects must be defined in the repo `atlantis.yaml` file.
 
-  This will bypass `--restrict-file-list` if regex is used, normal commands will stil be blocked if necessary.
+  This will bypass `--restrict-file-list` if regex is used, normal commands will still be blocked if necessary.
 
   ::: warning SECURITY WARNING
   It's not supposed to be used with `--disable-apply-all`.
@@ -1140,7 +1140,7 @@ This is useful when you have many projects and want to keep the pull request cle
 
   `--restrict-file-list` will block plan requests from projects outside the files modified in the pull request.
   This will not block plan requests with regex if using the `--enable-regexp-cmd` flag, in these cases commands
-  like `atlantis plan -p .*` will still work if used. normal commands will stil be blocked if necessary.
+  like `atlantis plan -p .*` will still work if used. normal commands will still be blocked if necessary.
   Defaults to `false`.
 
 ### `--silence-allowlist-errors`
@@ -1342,7 +1342,7 @@ This flag is useful when having multiple projects that need to run a plan and ap
 * [plugin_cache_dir concurrently discussion](https://github.com/hashicorp/terraform/issues/31964)
 * [PR to improve the situation](https://github.com/hashicorp/terraform/pull/33479)
 
-The effect of the race condition is more evident when using parallel configuration to run plan and apply, by disabling the use of plugin cache will impact in the performance when starting a new plan or apply, but in large atlantis deployments with multiple projects and shared modules the use of `--parallel_plan` and `--parallel_apply` is mandatory for an efficient managment of the PRs.
+The effect of the race condition is more evident when using parallel configuration to run plan and apply, by disabling the use of plugin cache will impact in the performance when starting a new plan or apply, but in large atlantis deployments with multiple projects and shared modules the use of `--parallel_plan` and `--parallel_apply` is mandatory for an efficient management of the PRs.
 
 ### `--var-file-allowlist`
 

server/controllers/events/events_controller_e2e_test.go

@@ -465,7 +465,7 @@ func TestGitHubWorkflow(t *testing.T) {
 			},
 		},
 		{
-			Description:   "omitting apply from allow commands always takes presedence",
+			Description:   "omitting apply from allow commands always takes precedence",
 			RepoDir:       "simple-yaml",
 			ModifiedFiles: []string{"main.tf"},
 			AllowCommands: []command.Name{command.Plan},
@@ -845,7 +845,7 @@ func TestSimpleWorkflow_terraformLockFile(t *testing.T) {
 
 			if !c.LockFileTracked {
 				// replace the lock file generated by the previous init to simulate
-				// dependcies needing updating in a latter plan
+				// dependencies needing updating in a latter plan
 				runCmd(t, "", "cp", oldLockFilePath, fmt.Sprintf("%s/repos/runatlantis/atlantis-tests/2/default/.terraform.lock.hcl", atlantisWorkspace.DataDir))
 			}
 

server/core/config/raw/global_cfg.go

@@ -126,8 +126,8 @@ func (g GlobalCfg) ToValid(defaultCfg valid.GlobalCfg) valid.GlobalCfg {
 	applyReqs := defaultCfg.Repos[0].ApplyRequirements
 	var globalApplyReqs []string
 	for _, req := range applyReqs {
-		for _, nonOverrideableReq := range valid.NonOverrideableApplyReqs {
-			if req == nonOverrideableReq {
+		for _, nonOverridableReq := range valid.NonOverridableApplyReqs {
+			if req == nonOverridableReq {
 				globalApplyReqs = append(globalApplyReqs, req)
 			}
 		}

server/core/config/raw/repo_cfg.go

@@ -10,25 +10,25 @@ import (
 // DefaultEmojiReaction is the default emoji reaction for repos
 const DefaultEmojiReaction = ""
 
-// DefaultAbortOnExcecutionOrderFail being false is the default setting for abort on execution group failiures
-const DefaultAbortOnExcecutionOrderFail = false
+// DefaultAbortOnExecutionOrderFail being false is the default setting for abort on execution group failures
+const DefaultAbortOnExecutionOrderFail = false
 
 // RepoCfg is the raw schema for repo-level atlantis.yaml config.
 type RepoCfg struct {
-	Version                    *int                `yaml:"version,omitempty"`
-	Projects                   []Project           `yaml:"projects,omitempty"`
-	Workflows                  map[string]Workflow `yaml:"workflows,omitempty"`
-	PolicySets                 PolicySets          `yaml:"policies,omitempty"`
-	AutoDiscover               *AutoDiscover       `yaml:"autodiscover,omitempty"`
-	Automerge                  *bool               `yaml:"automerge,omitempty"`
-	ParallelApply              *bool               `yaml:"parallel_apply,omitempty"`
-	ParallelPlan               *bool               `yaml:"parallel_plan,omitempty"`
-	DeleteSourceBranchOnMerge  *bool               `yaml:"delete_source_branch_on_merge,omitempty"`
-	EmojiReaction              *string             `yaml:"emoji_reaction,omitempty"`
-	AllowedRegexpPrefixes      []string            `yaml:"allowed_regexp_prefixes,omitempty"`
-	AbortOnExcecutionOrderFail *bool               `yaml:"abort_on_execution_order_fail,omitempty"`
-	RepoLocks                  *RepoLocks          `yaml:"repo_locks,omitempty"`
-	SilencePRComments          []string            `yaml:"silence_pr_comments,omitempty"`
+	Version                   *int                `yaml:"version,omitempty"`
+	Projects                  []Project           `yaml:"projects,omitempty"`
+	Workflows                 map[string]Workflow `yaml:"workflows,omitempty"`
+	PolicySets                PolicySets          `yaml:"policies,omitempty"`
+	AutoDiscover              *AutoDiscover       `yaml:"autodiscover,omitempty"`
+	Automerge                 *bool               `yaml:"automerge,omitempty"`
+	ParallelApply             *bool               `yaml:"parallel_apply,omitempty"`
+	ParallelPlan              *bool               `yaml:"parallel_plan,omitempty"`
+	DeleteSourceBranchOnMerge *bool               `yaml:"delete_source_branch_on_merge,omitempty"`
+	EmojiReaction             *string             `yaml:"emoji_reaction,omitempty"`
+	AllowedRegexpPrefixes     []string            `yaml:"allowed_regexp_prefixes,omitempty"`
+	AbortOnExecutionOrderFail *bool               `yaml:"abort_on_execution_order_fail,omitempty"`
+	RepoLocks                 *RepoLocks          `yaml:"repo_locks,omitempty"`
+	SilencePRComments         []string            `yaml:"silence_pr_comments,omitempty"`
 }
 
 func (r RepoCfg) Validate() error {
@@ -69,9 +69,9 @@ func (r RepoCfg) ToValid() valid.RepoCfg {
 		emojiReaction = *r.EmojiReaction
 	}
 
-	abortOnExcecutionOrderFail := DefaultAbortOnExcecutionOrderFail
-	if r.AbortOnExcecutionOrderFail != nil {
-		abortOnExcecutionOrderFail = *r.AbortOnExcecutionOrderFail
+	abortOnExecutionOrderFail := DefaultAbortOnExecutionOrderFail
+	if r.AbortOnExecutionOrderFail != nil {
+		abortOnExecutionOrderFail = *r.AbortOnExecutionOrderFail
 	}
 
 	var autoDiscover *valid.AutoDiscover
@@ -84,19 +84,19 @@ func (r RepoCfg) ToValid() valid.RepoCfg {
 		repoLocks = r.RepoLocks.ToValid()
 	}
 	return valid.RepoCfg{
-		Version:                    *r.Version,
-		Projects:                   validProjects,
-		Workflows:                  validWorkflows,
-		AutoDiscover:               autoDiscover,
-		Automerge:                  automerge,
-		ParallelApply:              parallelApply,
-		ParallelPlan:               parallelPlan,
-		ParallelPolicyCheck:        parallelPlan,
-		DeleteSourceBranchOnMerge:  r.DeleteSourceBranchOnMerge,
-		AllowedRegexpPrefixes:      r.AllowedRegexpPrefixes,
-		EmojiReaction:              emojiReaction,
-		AbortOnExcecutionOrderFail: abortOnExcecutionOrderFail,
-		RepoLocks:                  repoLocks,
-		SilencePRComments:          r.SilencePRComments,
+		Version:                   *r.Version,
+		Projects:                  validProjects,
+		Workflows:                 validWorkflows,
+		AutoDiscover:              autoDiscover,
+		Automerge:                 automerge,
+		ParallelApply:             parallelApply,
+		ParallelPlan:              parallelPlan,
+		ParallelPolicyCheck:       parallelPlan,
+		DeleteSourceBranchOnMerge: r.DeleteSourceBranchOnMerge,
+		AllowedRegexpPrefixes:     r.AllowedRegexpPrefixes,
+		EmojiReaction:             emojiReaction,
+		AbortOnExecutionOrderFail: abortOnExecutionOrderFail,
+		RepoLocks:                 repoLocks,
+		SilencePRComments:         r.SilencePRComments,
 	}
 }