Skip to content

v1.223.0-rc.9

Pre-release
Pre-release

Choose a tag to compare

@cloudposse-releaser cloudposse-releaser released this 13 Jul 01:05
86edc83
feat(vendor): vendor update/diff, archived-repo checks, component.yaml Erik Osterman (Cloud Posse) (@osterman) (#2715) ## what
  • Add atmos vendor update — checks every Git-backed source in vendor.yaml (and standalone component.yaml/component.yml manifests) for a newer version, honoring each source's constraints (semver range, excluded versions, no_prereleases), and writes the new version in place using the format-preserving pkg/yaml engine. Supports --check (dry run), --pull (fetch after updating), --component, --tags, --outdated, and --component-manifests.
  • Add atmos vendor diff — shows the Git diff between two versions (tags, branches, or commits) of a vendored component with no local checkout.
  • Detect archived upstream GitHub repositories (pkg/github/archived.go, pkg/vendoring/archived.go) and surface that status during update checks.
  • Add a spinner/progress UI (cmd/vendor/update_spinner.go) and a tabular update report (cmd/vendor/update_report.go) for vendor update's output.
  • Fix vendor.base_path/--chdir resolution so vendor update/diff/get/set no longer fail to find vendor.yaml when atmos.yaml configures a non-default vendor.base_path.
  • Supporting changes: pkg/io/streams.go masking, cmd/version/formatters.go, pkg/toolchain/info.go, errors/errors.go, plus new pkg/vendoring/resolve.go and pkg/vendoring/component_files.go to unify component resolution across vendor.yaml and component.yaml sources.
  • Adds a blog post (website/blog/2026-07-09-vendor-diff-and-update.mdx) and roadmap milestone update.

why

  • Bumping a vendored component's pinned version previously meant three manual steps: checking upstream tags yourself, cloning the repo somewhere to diff two versions, and hand-editing the version field in vendor.yaml while risking a stripped comment or mangled YAML anchor.
  • These commands close that loop using the existing format-preserving pkg/yaml engine (the same one behind atmos config|stack|vendor get|set|delete), and extend it to repos that only use per-component component.yaml manifests.

references

  • Blog: website/blog/2026-07-09-vendor-diff-and-update.mdx

Summary by CodeRabbit

  • New Features
    • atmos vendor update now includes archived-source detection, enhanced update-table reporting, and a TTY progress UI; --pull now batches and resets state more reliably.
    • Added --component-manifests and --type/-t (defaulting to terraform), plus component-manifest spec.source.constraints support.
    • atmos vendor diff adds --type/-t and falls back to per-component component.yaml/component.yml when vendor.yaml doesn’t declare the component.
  • Bug Fixes
    • Improved vendoring discovery/precedence, table sizing, truncation safety, filtering, and component vs mixin failure reporting.
    • More reliable terminal output handling during progress rendering.
  • Documentation
    • Updated vendor diff/update docs and added blog/docs for constraints and component-resolution behavior.
chore(security): resolve all open Dependabot and CodeQL alerts Erik Osterman (Cloud Posse) (@osterman) (#2717) ## what

Drives every outstanding GitHub security finding on this repo to zero: all 84 open Dependabot alerts (6 Go, 78 npm) and all 11 open CodeQL alerts.

Go modules (6 alerts, all high):

GitHub Actions (folds in #2699):

  • actions/setup-python v6.3.0, chrnorm/deployment-status v2.0.4, cloudposse/github-action-pre-commit v4.1.0, github/codeql-action v4.36.2, hashicorp/setup-packer pin refresh

Website (78 npm alerts, folds in #2690):

  • Docusaurus 3.9.2 → 3.10.x plus the rest of the website-group direct-dependency bumps
  • New pnpm.overrides block pinning every alerted transitive dependency out of its vulnerable range (shell-quote critical, node-forge, mermaid, dompurify, lodash/lodash-es, ws, minimatch, webpack, serialize-javascript, uuid, and more) — every override is scoped to the affected major version so unrelated majors are untouched
  • Landing Hero: react-icons 5.6 removed SiAmazonwebservices (Simple Icons trademark cleanup); switched to Font Awesome's FaAws

CodeQL (11 alerts):

  • Fixes all 8 go/allocation-size-overflow alerts by sizing allocations with a single len() term instead of a len(a)+len(b) sum (capacity hints only; behavior unchanged): pkg/yaml, pkg/secrets, pkg/merge, pkg/emulator, pkg/ci, internal/exec
  • The 3 go/weak-sensitive-data-hashing alerts were dismissed on GitHub as false positives: the flagged SHA-256 usage derives cache filenames / dedup keys (content addressing), not password storage

why

  • Every push reported dozens of open vulnerabilities/CVEs; this clears the board in one pass
  • Dependency alerts auto-close once the default branch's manifests leave the vulnerable ranges; the CodeQL allocation alerts close on the next main analysis

references

  • Supersedes and closes: #2690, #2699, #2605, #2580
  • Verified: go build ./..., targeted package tests, atmos lint changed, pre-commit hooks, and cd website && pnpm run build all pass; every Dependabot alert range was re-checked against the regenerated go.mod/pnpm-lock.yaml and none still match

[!NOTE]
Zero user-visible behavior change — dependency bumps and allocation-capacity hints only.

Summary by CodeRabbit

  • Improvements

    • Refreshed the website’s AWS landing icon.
    • Updated Terraform/OpenTofu example lockfiles to match the intended tooling/registry.
  • New Features

    • Added an automated security-remediation skill with a post-command trigger to help address Dependabot and code-scanning alerts on the current branch.
  • Maintenance

    • Pinned and standardized many CI workflow action versions for more consistent runs.
    • Strengthened SHA pinning verification by detecting unpinned third-party actions.
    • Updated CI dependency license allowlists/references and bumped key Go/website dependencies.
  • Quality

    • Raised Codecov targets to 85%.

🚀 Enhancements

fix: run parallel/matrix, shell, and exec steps through the step registry Erik Osterman (Cloud Posse) (@osterman) (#2703) ## what
  • Wire parallel and matrix control steps into the pkg/runner/step registry through a reverse-registered ControlRunner seam (mirroring the emulator seam), so they execute from custom commands and lifecycle hooks, not only atmos workflow. Interactive (TTY) child steps are rejected, since they cannot run concurrently.
  • Register the exec step type in the registry so type: exec works outside the legacy workflow executor too.
  • Run the registry shell handler and parallel/matrix shell children through the in-process mvdan/sh interpreter with secret masking, replacing a host sh -c invocation; thread a context so fail-fast cancellation reaches running scripts.
  • Delete the dormant, duplicate workflow Executor engine and its adapters/mocks (zero production callers), preserving the still-live helpers that were co-located in those files (BuildConditionContext, CheckAndGenerateWorkflowStepNames).

why

  • parallel, matrix, and exec were recognized/validated step types whose handlers only ever worked inside atmos workflow; through the registry (hooks, custom commands) they returned a "requires workflow executor context" error. This closes that registry gap.
  • The registry shell path shelled out to the host sh -c, so it applied no secret masking (a leak risk) and broke on Windows. Unifying on the same mvdan/sh interpreter the workflow already used makes every shell step masked, cross-platform, and exit-code-correct.
  • Two execution engines existed side by side; the newer pkg/workflow.Executor had no production callers and was pure split-brain maintenance risk. Removing it (~6.8k lines) leaves one dispatcher.

references

  • Branch: osterman/parallel-step-registry-gap

Summary by CodeRabbit

  • New Features
    • Added support for exec workflow steps (with exit_code reporting).
    • Parallel and matrix steps now run through a shared execution path that captures each child’s output into workflow variables.
    • Workflow steps now get automatic names when omitted.
  • Improvements
    • Non-interactive shell steps now use a consistent in-process execution approach and respect cancellation.
    • Shell working-directory handling is more consistent across platforms.
    • Workflow condition evaluation now builds richer, merged context from workflow, step, and command-line inputs.
    • Parallel/matrix now rejects interactive (TTY-requiring) child steps with a clear validation error.
fix(downloader): authenticate !include GitHub raw-content fetches Erik Osterman (Cloud Posse) (@osterman) (#2706) ## what
  • !include https://raw.githubusercontent.com/... (and GitHub archive/release URLs) now authenticate with a GitHub token when one is available (GITHUB_TOKEN/ATMOS_GITHUB_TOKEN/ATMOS_PRO_GITHUB_TOKEN/gh auth token), reusing Atmos's existing pkg/http.GitHubAuthenticatedTransport (already used by the Terraform registry cache and toolchain downloaders).
  • Added (*http.DefaultClient).HTTPClient() so callers needing the concrete *http.Client (like go-getter's HttpGetter.Client field) can get one without duplicating transport/redirect-stripping setup.
  • Non-GitHub HTTP(S) sources, and GitHub sources with no token configured, are unaffected — behavior only changes when both conditions (GitHub host + token present) are true.

why

  • The !include YAML function's HTTP(S) downloads went out fully unauthenticated via go-getter's stock HttpGetter, subject to GitHub's much lower anonymous per-IP rate limit on raw.githubusercontent.com, regardless of whether a token was available.
  • pkg/downloader/file_downloader.go already pre-checks GitHub's rate limit using an authenticated client before fetching, but that check and the actual download were disconnected — the download itself never carried the token, so the pre-check didn't reflect (or prevent) the limit the real request actually hit.
  • This surfaced as intermittent bad response code: 429 failures in CI for tests exercising !include against a real GitHub raw URL (e.g. tests/yaml_functions_include_test.go), unrelated to whatever PR happened to be running at the time.

references

  • Discovered while investigating unrelated CI flakiness on #2705.

Summary by CodeRabbit

  • Bug Fixes
    • GitHub raw-content and archive downloads now use token-based authentication when available to reduce intermittent rate-limit errors.
    • Terraform now returns consistent “invalid flag value” errors for --failure-mode and --log-order.
  • Documentation
    • Added documentation describing the GitHub raw-download authentication fix and how to run the related tests.
  • Tests
    • Added coverage for accessing the underlying stdlib HTTP client and updated Terraform validation expectations.
  • Refactor
    • Standardized Terraform subcommand strings used for concurrency support.
Audit missing casts: fix version-track bug, backfill demo embeds Erik Osterman (Cloud Posse) (@osterman) (#2707) This branch started as an audit of which examples and changelog posts were missing a recorded cast demo. That audit surfaced a real correctness bug along the way, plus a few rough edges in the supporting cast/secret tooling — all fixed here alongside the actual backfill.

what

  • Fix a real engine bug: a stack's top-level version: {track: ...} assertion was silently dropped during stack compilation, so !version <name> / {{ .version.* }} in component vars always resolved against the global default track instead of the stack's own asserted track.
  • Rename examples/demo-version-tracker to examples/version-tracker and add a second, independent story to it: dev/prod tracks across three real ecosystems (toolchain, oci, github-actions) feeding a stack's component vars via !version/{{ .version.* }}, using atmos version track set/get instead of ad-hoc file edits. Record and wire in its cast (tracks-and-vars.cast).
  • Widen the credential-free skip list used by every atmos secret * subcommand so resolving where to read/write a secret no longer requires sibling components' terraform state or store contents to already exist.
  • Give session-mode cast recordings a themed default prompt instead of leaking the real shell's PS1 (hostname/cwd), and drop the now-redundant manual PS1 override from the interactive-workflows cast.
  • Make quick-start-advanced's !terraform.state catalog references tolerate not-yet-deployed sibling components (// "pending" fallback), and turn its list-instances cast into a real emulator-backed deploy/teardown recording.
  • Backfill cast embeds across ~28 existing changelog blog posts (<CastPlayer> + a link to the full example), converting the two posts that used the heavier EmbedExample bundle to the same lightweight pattern for consistency.
  • Codify in the atmos-asciicast and pull-request skills that a feature's changelog blog post should embed its cast going forward, so this doesn't drift out of date again.

why

  • The version-track bug meant the documented "stacks can assert their own track" capability never actually worked — anyone using it got silently wrong versions with no error. Auditing which examples were missing casts surfaced the gap; fixing it properly (with real end-to-end regression coverage, verified to fail without the fix) was safer than shipping an example that demonstrated broken behavior.
  • The atmos secret * and quick-start-advanced fixes remove a class of failures where resolving secrets or listing/describing components required unrelated sibling infrastructure to already be deployed — brittle in CI, emulator, and first-run scenarios.
  • Blog posts without a working demo undersell what shipped; embedding the existing cast recordings makes the changelog self-verifying and more useful to readers, and the skill update keeps future posts from shipping without one.

references

  • N/A

Summary by CodeRabbit

  • New Features
    • Added an Atmos Version Tracker example with independent dev/prod tracks, plus new cast fixtures.
    • Stack manifests now support a top-level version section; atmos version track get --show can print a single field.
  • Bug Fixes
    • Improved secret/credential-free handling and Terraform state tolerance/refresh behavior.
    • Improved cast recording/replay reliability and CastPlayer theming/prompt defaults.
    • S3 backend now honors identity endpoint overrides and supports use_path_style.
  • Documentation
    • Updated docs and blog posts to embed interactive cast previews via CastPlayer, including a featured-casts experience.
  • Tests / CI
    • Expanded version-tracking, cast-validation, and CastPlayer replay test coverage; improved example/fixture CI reliability.