Skip to content

v1.223.1-rc.1

Pre-release
Pre-release

Choose a tag to compare

@cloudposse-releaser cloudposse-releaser released this 18 Jul 00:59
e6ad3a3
refactor: Replace CSV-based YAML function argument parsing Erik Osterman (Cloud Posse) (@osterman) (#1834) ## what
  • Eliminated painful CSV-based quote escaping in !terraform.state and !terraform.output functions
  • Implemented a simple, grammar-aware function argument parser that exploits semantic properties of component/stack naming
  • Updated documentation with clean syntax examples and YAML block scalar demonstrations

why

The CSV parser was the wrong tool for this job. It required double-quote escaping ("") to include JSON literals in expressions, creating ugly, hard-to-read YAML. The new parser uses a lightweight heuristic: component and stack names never contain spaces and never start with special characters (., |, [, {, ", '), while expressions always do. This enables clean, readable syntax without escaping.

references

  • Addresses usability pain point for complex YAML function expressions
  • Part of ongoing effort to improve YAML function syntax

Summary by CodeRabbit

  • New Features
    • Added consistent, grammar-aware argument parsing for YAML functions, including Terraform state/output, env, random, include, and store.
    • Terraform functions now default to the current stack when none is provided.
    • Syntax errors are clearer and position-aware.
  • Documentation
    • Updated Terraform function examples to use cleaner quoting (including YAML block-scalar examples for complex defaults).
  • Bug Fixes
    • Corrected Terraform-backed default expressions in quick-start examples (proper fallbacks and lookup behavior).
  • Tests / CI
    • Added parser coverage checks and Terraform example syntax validation to automated test runs.
feat(toolchain): parallel installs with safe locking Erik Osterman (Cloud Posse) (@osterman) (#2758) ## what
  • Install independent toolchain packages concurrently (default four), with parent-owned terminal rendering, lifecycle states, and byte-progress display.
  • Add context-aware cross-process and in-process reader/writer locks for assets, installs, latest markers, lockfiles, .tool-versions, and uninstall mutations.
  • Materialize legacy Cosign evidence locally, route it to compatible Cosign v2.6.1, serialize verifier execution, and retry only pre-verdict transport/process failures.
  • Restore full package IDs in uninstall results and keep automatic dependency installs on the configured toolchain path.

why

  • Parallel workers previously exposed shared verifier and mutable-file races; this keeps installs fast while preserving UI and data integrity.
  • OpenTofu releases still publish legacy certificate/signature evidence, and Cosign v3 both deprecates that path and intermittently rejects valid Rekor evidence.

references

  • N/A

Summary by CodeRabbit

  • New Features
    • Parallel, bounded toolchain installs with --max-concurrency/toolchain.max_concurrency (requires ≥ 1), plus enhanced batch progress and download progress reporting.
    • Improved Cosign verification for legacy certificate/signature option formats.
  • Bug Fixes
    • Safer concurrent installs/verifications via cross-process locking for caches, downloads, .tool-versions, and tool lockfiles; serialized trust repair and improved macOS retry classification.
    • More reliable batch failure reporting and clearer tool-spec messaging.
  • Documentation
    • Updated CLI/config docs, plus added a release blog post and roadmap entry.
  • Chores
    • Ignore local .tool-versions.lock files.
fix(ci): prevent broken GitHub Action symlinks Erik Osterman (Cloud Posse) (@osterman) (#2760) ## what
  • Remove the stale atmos-gitops Claude skill symlink.
  • Add a repository-wide verifier for Git-tracked symlinks, run in PR/main CI and pre-commit.
  • Add atmos fix symlinks to run the verifier from any repository subdirectory.
  • Standardize repository-root custom commands on working_directory: !repo-root ..
  • Upgrade every CI bootstrap pin to Atmos 1.223.0, which supports that YAML tag.
  • Require the verifier status on main.

why

  • A dangling symlink prevented GitHub Actions from staging the Atmos action repository before atmos plan could start.
  • Checking all tracked symlinks protects every action consumer from the same class of packaging failure.
  • A consistent, supported working-directory mechanism avoids duplicated shell root-resolution and lets every CI workflow load the custom-command configuration.

It caused problems like this:

Download action repository 'actions/checkout@v6' (SHA:df4cb1c069e1874edd31b4311f1884172cec0e10)
Download action repository 'cloudposse/atmos@v1' (SHA:1c00575b4be0393764fd202c4f0fb8efaf2411a0)
Error: Could not find file '/home/runner/_work/_actions/_temp_abab9a8a-faa8-41be-b57a-2d057d929d26/_staging/atmos-1c00575b4be0393764fd202c4f0fb8efaf2411a0/.claude/skills/atmos-gitops'.

references

  • No issue; fixes the broken cloudposse/atmos@v1 action staging path.

Summary by CodeRabbit

  • New Features

    • Added checks to verify that tracked symbolic links resolve correctly.
    • Added an atmos fix symlinks command for manually running the validation.
    • Added automatic validation during commits and continuous integration checks.
  • Improvements

    • Standardized repository-root execution for development and build commands.
    • Updated automated workflows to use Atmos bootstrap version 1.223.0.
    • Clarified build script usage and behavior.
Clarify Component Updater and correct changelog chronology Erik Osterman (Cloud Posse) (@osterman) (#2753) ## what
  • Document Atmos's native Component Updater around atmos vendor update and atmos vendor diff.
  • Move the legacy Component Updater GitHub Action reference into deprecated documentation with a migration notice.
  • Align changelog post frontmatter and filenames to publication dates, and render timeline dates in UTC.

why

  • Make the native vendor-update workflow discoverable while clearly deprecating the legacy action.
  • Prevent stale source filenames and viewer timezones from showing an incorrect changelog chronology.

references

Consolidate atmos-manifest schema, publish per-release pins Erik Osterman (Cloud Posse) (@osterman) (#2749) ## what
  • Consolidates the two hand-maintained atmos-manifest JSON Schema copies (the website copy at atmos.tools and the copy embedded in the CLI binary) into a single source of truth: the embedded schema.
  • The website copy is no longer committed — it's gitignored and generated at build time from the embedded schema.
  • Every Atmos release now publishes an immutable, version-pinned schema snapshot (atmos.tools/schemas/atmos/atmos-manifest/<version>/atmos-manifest.json) alongside the existing floating 1.0 copy.
  • Adds atmos stack schema [output-path], a real CLI subcommand that prints/writes the embedded schema, replacing a throwaway go run ./tools/gen-schema script used only during development.
  • Removes hardcoded schemas.atmos.manifest version pins from examples/fixtures that weren't demonstrating custom-schema usage.

why

  • The published schema was a single mutable file — upgrading the atmos binary could silently change what a pinned atmos.yaml validates against, with no way to pin to "the schema as of release X."
  • The website and embedded schema copies had quietly drifted apart (missing dependencies, generate, provision, source, and dozens of workflow step fields in one or the other), so validation behavior differed depending on which copy you hit.
  • Schema export deserves a discoverable, real CLI command instead of an internal-only script nobody would find.

references

  • Closes #2592
  • Blog posts: versioned-manifest-schema, atmos-stack-schema-command

🚀 Enhancements

fix(toolchain): expose onedir command-dependency tools on step PATH Brian Ojeda (@sgtoj) (#2759) ## what
  • Fix onedir (multi-file) tools declared in a custom command's dependencies.tools (e.g. nodejs/node, npm/cli, aws-cli) not being reachable from the command's steps — they previously failed with executable file not found in $PATH (exit 127).
  • BuildToolchainPATH now resolves each dependency's PATH entries through the same onedir-aware logic as atmos toolchain env, adding the nested .pkg/.../bin directory(ies) recorded in .atmos-onedir.json instead of the bare version directory.
  • Add toolchain.EntrypointDirsForVersion as the single source of truth for onedir entrypoint-directory resolution, shared by atmos toolchain env, the dependency PATH builder (custom commands, hooks, terraform/helmfile/packer, ansible), and ToolchainEnvironment.
  • Make ToolchainEnvironment dirs (ToolchainDirs() / PrependToPath()) onedir-complete — every entrypoint directory, not just the primary binary's.
  • Flat single-binary tools are unchanged (still their version dir); a not-installed tool falls back to the bare version dir (preserves existing behavior).

why

  • Onedir installs (#2750) keep executables nested under .pkg/.../bin per .atmos-onedir.json, but the command-dependency PATH builder still prepended the bare version dir, so node/npm/aws-cli were never on PATH for steps.
  • atmos toolchain env already resolved these correctly; the command-dependency path simply wasn't reusing that resolution. Unifying both behind one helper makes onedir tools generally usable as command/hook/component dependencies.
  • This is the remaining gap after #2750 (onedir installs) and #2754 (onedir symlink materialization); this change is solely about how onedir command-dependency tools are exposed on PATH.

references

  • Builds on #2750 (multi-file "onedir" installs) and #2754 (onedir symlink entrypoints).
  • Repro: a custom command with dependencies.tools: { nodejs/node: v24.18.0 } whose step runs node --version now succeeds; a single-binary control (kubectl) keeps resolving.
Testing
  • New unit tests, with all net-new code covered (EntrypointDirsForVersion 100%, BuildToolchainPATH 100%, collectToolchainDirs 94.7%, addEntrypointDirs 100%):
    • TestEntrypointDirsForVersion_* (pkg/toolchain): onedir multi-dir, flat, not-installed.
    • TestBuildToolchainPATH_Onedir (pkg/dependencies): asserts exec.LookPath resolves the nested onedir entrypoint, flat kubectl still resolves, and a shared onedir dir is deduplicated. Verified this fails on pre-fix code and passes after.
    • TestNewEnvironment_OnedirDirs (pkg/dependencies): env.dirs onedir-complete, dedup + absolutize, primary-dir fallback.
  • go build ./..., go vet, custom golangci-lint (patch-scoped), and gofumpt are clean; consumer packages (hooks, ansible, helm, terraform/output) pass.
  • Cross-platform: .exe handling + filepath.Join. A Windows acceptance subset for ./pkg/toolchain/... and ./pkg/dependencies/... passed, including TestBuildToolchainPATH_Onedir, TestEntrypointDirsForVersion_*, and TestNewEnvironment_OnedirDirs.

Summary by CodeRabbit

  • New Features
    • Improved tool discovery for onedir-style installations.
    • Automatically prepends required entrypoint directories to the toolchain PATH, deduplicated and normalized (absolute, order preserved).
    • Preserves flat-install behavior by falling back to the tool’s primary binary directory.
  • Bug Fixes
    • Ensures executable resolution from onedir layouts works reliably; returns PATH unchanged when no resolved directories are available (including for empty PATH input).
  • Tests
    • Added coverage for onedir entrypoint directory behavior and BuildToolchainPATH edge cases (empty PATH handling).