Skip to content

v1.223.0-rc.10

Pre-release
Pre-release

Choose a tag to compare

@cloudposse-releaser cloudposse-releaser released this 14 Jul 00:58
f7da938
fix(jit): support oci:// sources in JIT auto-provisioning zack-is-cool (#2747) ## what
  • JIT auto-provisioning (before.terraform.init hook, e.g. atmos terraform plan <component> -s <stack>) now supports oci:// component sources, matching what atmos vendor pull already supported.
  • Relocated the OCI-fetch implementation (image pull, auth precedence, tar extraction) from internal/exec into a new shared pkg/oci package, so both the legacy vendor-pull path and the JIT auto-provisioner can reach it without an import cycle.
  • pkg/provisioner/source.VendorSource now branches on vendor.IsOCIURI(uri) and calls oci.ProcessImage instead of go-getter for oci:// sources.
  • Added support for OpenTofu's native "install modules from OCI registries" format (artifactType: application/vnd.opentofu.modulepkg, a ZIP-archive layer) — real registries publishing modules this way previously failed with archive/tar: invalid tar header because the puller assumed every layer was a tar+gzip stream.
  • OCI pulls are now bounded by a timeout (10 minutes, matching the existing go-getter path) instead of being able to hang indefinitely on a slow/unresponsive registry.
  • Zip extraction is capped against decompression-bomb amplification (bounded archive and per-entry sizes).
  • Added an in-process fake OCI registry test helper (pkg/oci/ocitest, both tar and zip layouts) so the new tests are fully hermetic — no real network or registry dependency.
  • Added end-to-end regression tests reproducing the reported scenario and the OpenTofu module-package scenario.

why

  • A component with provision.workdir.enabled: true and an oci:// source fails when JIT-provisioned with go-getter's own error, download not supported for scheme 'oci', even though the identical source works fine with atmos vendor pull.
  • While validating the fix against a real registry, a second real-world gap surfaced: registries distributing modules in OpenTofu's native OCI format use ZIP layers, which the puller couldn't extract at all.
  • Code review (CodeRabbit) flagged that the OCI pull path had no timeout, unlike its sibling go-getter path, and that zip extraction had no size bound — both addressed here.

references

Closes #2716

Summary by CodeRabbit

  • New Features
    • Added an exported OCI image processing entry point and enabled OCI-native downloading for component, mixin, and vendor sources (oci://).
    • Added ZIP-aware OCI layer extraction and improved in-process OCI test registries (tar and ZIP layouts).
    • Enabled oci:// sources for JIT auto-provisioning.
  • Bug Fixes
    • Bounded OCI processing with a 10-minute timeout, improved GHCR authentication fallback, and refined layer-extraction error reporting and recognized artifact types (Terraform/OpenTofu).
  • Tests
    • Added/expanded coverage for safe tar/ZIP extraction, OCI registry round-trips, ZIP media type handling, and oci:// vendor/JIT success and failure cases.
  • Documentation
    • Published a blog post and updated the roadmap for oci:// JIT support.
feat(terraform): add --all/--affected bulk execution to terraform init Erik Osterman (Cloud Posse) (@osterman) (#2742) ## what
  • Add --all, --affected, --max-concurrency, --failure-mode, and --log-order flags to atmos terraform init, matching the bulk-execution flags already on apply/plan/destroy.
  • Fix the scheduler's supportsTerraformConcurrency gate, which silently capped --max-concurrency to 1 for any subcommand it didn't explicitly recognize (including init).
  • init keeps the natural forward dependency order (prerequisites before dependents), unlike destroy, which reverses the graph.
  • Add unit test coverage for the new flags and the concurrency/ordering behavior, plus a new "Graph-backed Bulk Init" docs section and a changelog post.

why

  • --all/--affected landed on apply/plan/destroy when Terraform bulk execution moved onto the scheduler-backed dependency graph (#2466), but init was left out.
  • Reinitializing every component after a provider upgrade, or bootstrapping a new environment, required scripting a loop over components by hand.

references

Summary by CodeRabbit

  • New Features

    • Added bulk execution support to terraform init with --all and --affected.
    • Added configurable concurrency, failure handling, and log ordering through --max-concurrency, --failure-mode, and --log-order.
    • Initialization now follows forward dependency order, processing prerequisites before dependents.
    • Added environment variable equivalents for the new options.
  • Documentation

    • Added usage guidance and examples for bulk Terraform initialization.
feat(claude): autonomous PR merge-readiness automation Erik Osterman (Cloud Posse) (@osterman) (#2718) ## What

Builds a full autonomous PR merge-readiness system for Claude Code sessions in this repo, layered up from an initial hourly rebase-and-CodeRabbit loop into a complete one-shot/recurring check-and-fix pipeline:

  • pr-maintenance-loop skill — schedules the check hourly via Claude Code's native CronCreate/ScheduleWakeup primitives (not GitHub Actions, no external service). Calls CronCreate directly rather than the generic /loop skill, since this loop is inherently tied to the local git/gh session (signing key, checkout state) and has no cloud-compatible equivalent.
  • fix-all skill — the one-shot merge-readiness pass pr-maintenance-loop runs every cycle: sync with origin/main, check CI, resolve CodeRabbit threads, patch-scoped lint, patch-scoped test/coverage, and a final readiness check that announces (via the say skill's audible nudge, plus a written summary) once the PR needs nothing but human final review. That readiness check also reconciles the PR title/description against the patch's full accumulated scope before announcing, using a narrowly-scoped gh pr edit --title/--body-file permission (labels/reviewers/base/milestone stay denied and human-owned).
  • lint / test-coverage skills — patch-aware (--new-from-rev=origin/main) lint and test/coverage checks reused both standalone and from fix-all.
  • say skill — a macOS audible nudge (say) for every human-attention exit path, plus the one positive "ready for final review" case.
  • New agentslint-fix, test-coverage-fix, merge-conflict-resolve, and coderabbit-review (existing, reused) do the actual fixing/resolving work each skill delegates to.
  • atmos fix custom commands (.atmos.d/fix.yaml) — sync/ci/threads/comments/lint/coverage/tests/--all, the mechanical half each skill step wraps.
  • .claude/settings.json — the real enforcement boundary: a narrow allow/deny list covering exactly the git/gh/go commands this automation needs, with explicit denies for force-push, git reset --hard/clean, gh pr merge/close/edit --base/--add-reviewer/--milestone/--add-label, and edits to .github/workflows/**, Makefile, go.mod, go.sum.
  • CLAUDE.md — points every future session/worktree at the loop.

Why

PR maintenance chores — rebasing against main, responding to CodeRabbit threads, keeping lint/coverage green, and knowing when a PR is actually ready for a human's final pass — currently need manual attention every cycle. This automates the full loop hourly in any worktree, using only the local git/gh session already in use (no new external service or secrets), while keeping merge fully human-gated, treating all PR/CodeRabbit content as untrusted data rather than instructions, and giving an explicit audible+written signal once a PR is genuinely ready for review instead of leaving that judgment call to whoever happens to check next.

References

None — internal Claude Code tooling change, no linked issue.

Summary by CodeRabbit

  • New Features

    • Added commands for synchronizing branches, checking CI, reviewing threads, fixing lint issues, and measuring patch coverage.
    • Added an optional hourly PR maintenance loop and one-time merge-readiness workflow.
    • Added automated handling for eligible review comments and merge conflicts.
  • Documentation

    • Added guidance for maintenance workflows, linting, test coverage, notifications, and available automation agents.
  • Security

    • Added safeguards restricting tool actions and blocking destructive or sensitive operations.

🚀 Enhancements

fix(git): support self-hosted Git hosts in describe affected dp89 (#2543)

What

Self-hosted Git hosts (GitHub Enterprise Server, GitLab self-managed, Bitbucket Server, etc.) currently fail atmos describe affected with:

Error: repository host '<host>' not supported

The error originates in GetRepoInfo (pkg/git/git.go) and the --upload path in internal/exec/describe_affected.go. Both call into kubescape/go-git-url, which only recognizes github.com, gitlab.com, and Azure DevOps. Any other host is rejected before atmos's local diff logic gets a chance to run — even though the parsed RepoHost / RepoOwner / RepoName metadata is only consumed by the --upload to Atmos Pro, not by the local affected-stack computation itself.

This PR adds ParseGenericGitURL, a fallback parser covering the URL shapes Git itself supports (http(s)://, ssh://, and scp-style). It's wired through a small shared helper, ParseRepoURL, used by both call sites:

  1. Try the canonical parser first.
  2. If it fails, fall back to the generic parser.
  3. If both fail (a genuinely malformed URL like not-a-valid-url), surface the canonical error so existing error semantics are preserved.

Why

  • atmos describe affected is the documented mechanism for matrix-fan-out CI plans, but it's unusable on self-hosted Git today — even though the feature doesn't actually need the parsed metadata.
  • Other users have hit the same limitation (see the SweetOps thread under References), but it isn't tracked as an upstream issue, and there's no config option, env var, or flag to bypass the parser.
  • The fallback only executes when the canonical parser fails, so every existing code path is byte-for-byte unchanged for github.com / gitlab.com / Azure DevOps users. No new config, no new env var, no new flag, and no new dependency — the fallback uses only net/url and regexp from the standard library.

Scope of behavior change

URL type Before After
github.com / gitlab.com / Azure DevOps ✅ works ✅ works (same path)
gitlab.example.com (kubescape substring match) ✅ works ✅ works (same path)
GHES / GitLab self-managed / Bitbucket Server ❌ errors ✅ works (fallback)
Genuinely malformed (not-a-valid-url) ❌ errors ❌ errors (preserved)

All six pre-existing TestGetRepoInfo cases continue to pass without modification.

Test plan

go test -count=1 ./pkg/git/...
go vet ./pkg/git/... ./internal/exec/...
gofmt -l pkg/git/git.go pkg/git/git_test.go internal/exec/describe_affected.go

All three pass cleanly. Four new regression tests in pkg/git/git_test.go cover the shapes the canonical parser rejects:

  • GHES over SSH
  • GHES over HTTPS
  • Nested-path HTTPS on a non-recognized host
  • ssh:// with an explicit port

References

  • SweetOps thread reporting the same error: https://www.linen.dev/s/sweetops/t/26768542/i-am-trying-to-run-atmos-describe-affected-using-a-self-host
  • Affected call sites:
    • pkg/git/git.goGetRepoInfo (used by internal/exec/describe_affected_helpers.go and internal/exec/pro.go)
    • internal/exec/describe_affected.gouploadableQuery (the --upload path to Atmos Pro)
fix(io): migrate fmt.Fprintf/Println anti-patterns to pkg/ui, pkg/data Erik Osterman (Cloud Posse) (@osterman) (#2713) ## what
  • Migrate every remaining raw fmt.Fprintf/fmt.Fprintln/fmt.Println call outside pkg/io/pkg/ui to the sanctioned ui.*/data.* API across ~40 files (AI permission prompts, devcontainer/kubeconfig debug diagnostics, CI annotations/log groups, the Cobra root command, pkg/manifest, pkg/runner/step cast recording, and more).
  • Delete the pure print-forwarding shims in pkg/utils (PrintMessage, PrintfMessageToTUI, PrintfMarkdown*) and migrate all ~50 call sites directly onto data.*/ui.*, consolidating onto the already-established ui.Markdown/ui.MarkdownMessage renderer instead of a second, bespoke one.
  • Add data.WriteUnmasked/WriteUnmaskedf, an explicit escape hatch for the one legitimate case where masking must not apply (atmos auth env / atmos env emitting real credential values for shell eval).
  • Add ui.MarkdownNoWrap/MarkdownMessageNoWrap for deterministic, snapshot-stable single-line notices (used by the telemetry disclosure).
  • Fix RootCmd's default output writer to route through the masked I/O context instead of raw os.Stdout, and extract the oversized Cobra help/usage closures into named helpers while there.
  • Correct pkg/devcontainer's ShowConfig/List output to the data channel (primary command output) instead of the UI channel, and update the affected CLI golden snapshots to match.

why

  • CLAUDE.md bans raw fmt.Fprintf/fmt.Println outside pkg/io/pkg/ui because it bypasses secret masking, TTY/color degradation, and --cast recording. Several call sites found in this audit (AI permission prompts, devcontainer/kubeconfig debug output, CI annotations, the Cobra help writer) genuinely bypassed masking entirely.
  • The pkg/utils print helpers were pure forwarding shims duplicating pkg/ui/pkg/data, adding an unnecessary second code path for callers to reason about; deleting them and routing directly through the canonical API reduces pkg/utils's surface area per this repo's ongoing effort to empty that package out.
  • atmos auth env/atmos env need one legitimate, explicit way to emit unmasked output (the whole point of those commands is exporting real credentials for eval), so a dedicated WriteUnmasked API makes that intent explicit instead of ad hoc fmt.Print calls.

references

Summary by CodeRabbit

  • New Features

    • Added deterministic no-wrap Markdown rendering for support/telemetry-style notices.
    • Improved CLI help/pager and interactive help flows for more consistent output.
    • Updated consent/permission prompts to handle non-interactive terminals more safely.
  • Bug Fixes

    • Improved error propagation when output writing fails across commands and formats.
    • Improved handling of masked vs unmasked output for sensitive data and environment exports.
  • Style

    • Standardized user-facing messaging (info/success/warning) for a more consistent CLI experience.
  • Tests

    • Expanded and stabilized UI/output test coverage, including snapshot updates.