Merge branch 'main' into f/henriklundstrom/fix-required-checks-minus-…

…apply

.circleci/config.yml

@@ -9,7 +9,7 @@ jobs:
         # that flag starts the download asynchronously so we'd have a race
         # condition.
         # renovate: datasource=github-releases depName=hashicorp/terraform versioning=hashicorp
-        TERRAFORM_VERSION: 1.7.5
+        TERRAFORM_VERSION: 1.8.3
     steps:
     - checkout
     - run: make build-service

.editorconfig

@@ -0,0 +1,12 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.md]
+indent_style = space
+indent_size = 3
+trim_trailing_whitespace = false

.github/labeler.yml

@@ -40,6 +40,6 @@ provider/gitlab:
 
 website:
 - changed-files:
-  - any-glob-to-any-file: 'runatlantis.io/.vuepress/**/*'
+  - any-glob-to-any-file: 'runatlantis.io/.vitepress/**/*'
   - any-glob-to-any-file: 'package.json'
   - any-glob-to-any-file: 'pnpm-lock.yaml'

.github/renovate.json5

@@ -1,108 +1,111 @@
 {
   extends: [
-    "config:base",
-    "schedule:daily",
+    'config:best-practices',
+    ':separateMultipleMajorReleases',
+    'schedule:daily',
   ],
-  commitMessageSuffix: " in {{packageFile}}",
+  commitMessageSuffix: ' in {{packageFile}}',
   dependencyDashboardAutoclose: true,
   automerge: true,
-  baseBranches: ["main", "/^release\-.*/"],
+  baseBranches: [
+    'main',
+    '/^release-.*/',
+  ],
   platformAutomerge: true,
-  labels: ["dependencies"],
+  labels: [
+    'dependencies',
+  ],
   postUpdateOptions: [
-    "gomodTidy",
-    "gomodUpdateImportPaths",
-    "pnpmDedupe",
+    'gomodTidy',
+    'gomodUpdateImportPaths',
+    'pnpmDedupe',
   ],
-  // needed so e2e tests do not stomp over each other
   prHourlyLimit: 1,
-  lockFileMaintenance: {
-    enabled: true,
-  },
+  osvVulnerabilityAlerts: true,
   vulnerabilityAlerts: {
     enabled: true,
     labels: [
-      "security",
+      'security',
     ],
   },
   packageRules: [
-    // For vuepress
     {
-      "matchPackageNames": ["vuepress", "@vuepress/client", "@vuepress/markdown", "@vuepress/utils"],
-      "groupName": "vuepress",
-      "allowedVersions": "!/pre.*$/",
+      "matchFileNames": ["package.json"],
+      "enabled": false
     },
-    // e2e test depends on testing/Dockefile testing-image which has conftest specific version.
-    // to upgrade conftest versions, we need following PRs.
-    // 1. update testing/Dockerfile conftest version
-    // 2. update testing-env tag
-    // 3. update e2e conftest version
-    // This will allow conftest version updates in testing/Dockefile
     {
-      matchPaths: ["testing/**"],
-      matchPackagePatterns: ["conftest"],
-      additionalBranchPrefix: "{{baseDir}}-",
-      groupName: "conftest-testing",
-      /*
-      prBodyNotes: [
-        ":warning: Upgrade testing-env conftest and then upgrade other conftest versions for e2e :warning:",
+      matchFileNames: [
+        'testing/**',
       ],
-      */
+      matchPackagePatterns: [
+        'conftest',
+      ],
+      additionalBranchPrefix: '{{packageFileDir}}-',
+      groupName: 'conftest-testing',
     },
     {
-      ignorePaths: ["testing/**"],
-      matchPackagePatterns: ["github-actions"],
-      groupName: "github-",
+      ignorePaths: [
+        'testing/**',
+      ],
+      matchPackagePatterns: [
+        'github-actions',
+      ],
+      groupName: 'github-',
     },
-    /*
-    // This tag is currently latest so we can skip this check for now unless we need to pin it again.
     {
-      // we need to upgrade testing-env on ci quickly
-      matchPackageNames: ["ghcr.io/runatlantis/testing-env"],
-      groupName: "testing-env-ci-test",
-      schedule: ["every 1 hour after 00:00 and before 23:59 every day"],
+      matchDatasources: [
+        'docker',
+      ],
+      matchPackageNames: [
+        'node',
+        'cimg/node',
+      ],
+      versioning: 'node',
     },
-    */
     {
-      // use LTS node version for node docker image
-      matchDatasources: ["docker"],
-      matchPackageNames: ["node", "cimg/node"],
-      versioning: "node",
+      matchPackageNames: [
+        'go',
+        'golang',
+      ],
+      versioning: 'go',
+      groupName: 'go'
     },
   ],
-  // https://docs.renovatebot.com/modules/manager/regex/
-  regexManagers: [
+  customManagers: [
     {
-      fileMatch: ["(^|/)Dockerfile$", "(^|/)Dockerfile\\.[^/]*$"],
+      customType: 'regex',
+      fileMatch: [
+        '(^|/)Dockerfile$',
+        '(^|/)Dockerfile\\.[^/]*$',
+      ],
       matchStrings: [
-        // example:
-        // renovate: datasource=github-releases depName=hashicorp/terraform versioning=hashicorp
-        // ENV DEFAULT_TERRAFORM_VERSION=x.x.x
-        "renovate: datasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?\\sENV .*?_VERSION=(?<currentValue>.*)\\s",
+        'renovate: datasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?\\sENV .*?_VERSION=(?<currentValue>.*)\\s',
       ],
-      versioningTemplate: "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}",
+      versioningTemplate: '{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}',
       extractVersionTemplate: '^v(?<version>\\d+\\.\\d+\\.\\d+)',
     },
     {
-      fileMatch: [".*go$"],
+      customType: 'regex',
+      fileMatch: [
+        '.*go$',
+      ],
       matchStrings: [
-        // example:
-        // const ConftestVersion = "x.x.x" // renovate: datasource=github-releases depName=open-policy-agent/conftest
-        "\\sconst .*Version = \"(?<currentValue>.*)\"\\s// renovate: datasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?\\s",
+        '\\sconst .*Version = "(?<currentValue>.*)"\\s// renovate: datasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?\\s',
       ],
-      versioningTemplate: "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}",
+      versioningTemplate: '{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}',
       extractVersionTemplate: '^v(?<version>\\d+\\.\\d+\\.\\d+)',
     },
     {
-      fileMatch: [".circleci/config.yml$"],
+      customType: 'regex',
+      fileMatch: [
+        '.circleci/config.yml$',
+        '^\\.github/workflows/[^/]+\\.ya?ml$',
+      ],
       matchStrings: [
-        // example:
-        // # renovate: datasource=github-releases depName=hashicorp/terraform versioning=hashicorp
-        // TRRAFORM_VERSION: x.x.x
-        "renovate: datasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?\\s.*?_VERSION: (?<currentValue>.*)\\s",
+        'renovate: datasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?\\s.*?_VERSION: (?<currentValue>.*)\\s',
       ],
-      versioningTemplate: "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}",
+      versioningTemplate: '{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}',
       extractVersionTemplate: '^v(?<version>\\d+\\.\\d+\\.\\d+)',
     },
-  ]
+  ],
 }

.github/workflows/atlantis-image.yml

@@ -12,6 +12,11 @@ on:
     branches:
       - 'main'
       - 'release-**'
+    types:
+      - opened
+      - reopened
+      - synchronize
+      - ready_for_review
   workflow_dispatch:
 
 concurrency:
@@ -25,8 +30,8 @@ jobs:
     if: github.event.pull_request.draft == false
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v4
-      - uses: dorny/paths-filter@v3
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
         id: changes
         with:
           filters: |
@@ -52,22 +57,22 @@ jobs:
       PUSH: ${{ github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')) }}
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
 
     # Lint the Dockerfile first before setting anything up
     - name: Lint Dockerfile
-      uses: hadolint/hadolint-action@v3.1.0
+      uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
       with:
         dockerfile: "Dockerfile"
 
     - name: Set up QEMU
-      uses: docker/setup-qemu-action@v3
+      uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3
       with:
         image: tonistiigi/binfmt:latest
         platforms: arm64,arm
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3
       # https://github.com/docker/build-push-action/issues/761#issuecomment-1575006515
       with:
         driver-opts: |
@@ -81,7 +86,7 @@ jobs:
     # if it's v0.10.0 and debian, it will do v0.10.0-debian, latest-debian
     - name: Docker meta
       id: meta
-      uses: docker/metadata-action@v5
+      uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5
       env:
         SUFFIX: ${{ format('-{0}', matrix.image_type) }}
       with:
@@ -113,7 +118,7 @@ jobs:
           # Suffix is not used here since there's no way to disable it above
 
     - name: Login to Packages Container registry
-      uses: docker/login-action@v3
+      uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3
       with:
         registry: ghcr.io
         username: ${{ github.actor }}
@@ -126,7 +131,7 @@ jobs:
 
     - name: "Build ${{ env.PUSH == 'true' && 'and push' || '' }} ${{ env.DOCKER_REPO }} image"
       if: contains(fromJson('["push", "pull_request"]'), github.event_name)
-      uses: docker/build-push-action@v5
+      uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5
       with:
         cache-from: type=gha
         cache-to: type=gha,mode=max

.github/workflows/codeql.yml

@@ -37,8 +37,8 @@ jobs:
     if: github.event.pull_request.draft == false
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v4
-      - uses: dorny/paths-filter@v3
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
         id: changes
         with:
           filters: |
@@ -67,11 +67,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -85,7 +85,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v3
+      uses: github/codeql-action/autobuild@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -98,7 +98,7 @@ jobs:
     #   ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3
       with:
         category: "/language:${{matrix.language}}"
 

.github/workflows/labeler.yml

@@ -16,4 +16,4 @@ jobs:
     if: github.event.pull_request.draft == false
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/labeler@v5
+      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5

.github/workflows/lint.yml

@@ -22,8 +22,8 @@ jobs:
     if: github.event.pull_request.draft == false
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v4
-      - uses: dorny/paths-filter@v3
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
         id: changes
         with:
           filters: |
@@ -39,15 +39,15 @@ jobs:
     name: Linting
     runs-on: ubuntu-22.04
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
 
     # need to setup go toolchain explicitly
-    - uses: actions/setup-go@v5
+    - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
       with:
         go-version-file: go.mod
 
     - name: golangci-lint
-      uses: reviewdog/action-golangci-lint@v2
+      uses: reviewdog/action-golangci-lint@00311c26a97213f93f2fd3a3524d66762e956ae0 # v2
       with:
         tool_name: golangci-lint
 

.github/workflows/pr-lint.yml

@@ -15,6 +15,6 @@ jobs:
     name: Validate PR title
     runs-on: ubuntu-22.04
     steps:
-      - uses: amannn/action-semantic-pull-request@v5
+      - uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/pr-size-labeler.yml

@@ -0,0 +1,28 @@
+name: pr-size
+
+on: [pull_request]
+
+jobs:
+  labeler:
+    runs-on: ubuntu-latest
+    name: Label the PR size
+    steps:
+      - uses: codelytv/pr-size-labeler@54ef36785e9f4cb5ecf1949cfc9b00dbb621d761 # v1
+        with:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          xs_label: 'size/xs'
+          xs_max_size: '10'
+          s_label: 'size/s'
+          s_max_size: '200'
+          m_label: 'size/m'
+          m_max_size: '1000'
+          l_label: 'size/l'
+          l_max_size: '10000'
+          xl_label: 'size/xl'
+          fail_if_xl: 'false'
+          message_if_xl: >
+            This PR exceeds the recommended size of 1000 lines.
+            Please make sure you are NOT addressing multiple issues with one PR.
+            Note this PR might be rejected due to its size.
+          github_api_url: 'https://api.github.com'
+          files_to_ignore: ''