github cloudposse/atmos v1.198.0-rc.2

pre-release (17 hours ago)
fix: Reduce template processing log noise by changing to trace level @osterman (#1737)

Summary

Changed three log statements in ProcessTmplWithDatasources from Debug to Trace level to reduce log noise when processing templates. These logs were generating hundreds of repetitive lines during operations like atmos list instances.

Changes

  • Initial template processing log → Trace level
  • Per-evaluation loop log → Trace level (most noisy)
  • Template completion log → Trace level
  • Added logKeyTemplate constant to satisfy linter

These detailed template processing logs are more appropriate at Trace level since they provide very granular execution details that are typically only needed for deep debugging.

Test Plan

  • Code compiles without errors
  • All tests pass (TestProcessTmplWithDatasourcesGomplate)
  • Linter passes (golangci-lint)
  • Pre-commit hooks pass
  • No golden snapshots contain these log messages (verified)

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Internal logging adjusted to improve diagnostic tracing and consistency; log entries now use more granular trace-level output for template processing paths.

Note: This release contains internal improvements with no user-facing changes. All existing functionality remains unchanged.

🚀 Enhancements

Fix vendor authentication: token injection bugs, credential precedence, and YAML templating @osterman (#1647)

what

This PR fixes multiple critical issues in the Git vendoring and authentication system:

Token Injection Infrastructure Fixes (New)

  1. inject_*_token settings completely ignored: The Detect() method logged InjectGithubToken but never checked it before calling injectToken(), making the setting useless
  2. Missing defaults for Bitbucket/GitLab: Only GitHub had inject_github_token: true as default; Bitbucket and GitLab defaulted to false, breaking authentication
  3. Poor code testability: Monolithic Detect() method with nested conditionals made it difficult to test and maintain
  4. Extracted pure helper functions: Added shouldInjectTokenForHost(), isSupportedHost(), and needsTokenInjection() for better testability
  5. Comprehensive test coverage: Added 60+ test cases covering all token injection scenarios

Original Vendor.yaml Fixes

  1. Token fallback regression: Fixed CustomGitDetector to properly fall back to GITHUB_TOKEN when ATMOS_GITHUB_TOKEN is not set
  2. User credential precedence: Ensured user-provided credentials in URLs always take precedence over automatic token injection
  3. OCI authentication: Fixed OCI registry authentication to respect Docker credentials before falling back to environment tokens
  4. Credential masking: Changed credential masking from "xxx" to "***" for clarity and professional appearance
  5. YAML parser upgrade documentation: Documented breaking changes in nested quote handling due to YAML parser v3 upgrade

GHCR Authentication Breaking Change

  1. GitHub username required for GHCR: GHCR authentication now requires both github_username and a token (ATMOS_GITHUB_TOKEN/GITHUB_TOKEN). This fixes authentication failures where token-as-username was incorrectly assumed to work.
  2. Username environment variable binding: Added support for ATMOS_GITHUB_USERNAME, GITHUB_ACTOR, and GITHUB_USERNAME environment variables with proper precedence
  3. GitHub Actions compatibility: GITHUB_ACTOR is automatically used when running in GitHub Actions CI

Test Coverage Improvements

  1. GHCR authentication tests: Added 380 lines of comprehensive tests achieving 100% coverage for getGHCRAuth() (previously 0%)
    • 8 test functions with 36+ test cases
    • Tests cover token precedence, username requirements, whitespace handling, special characters, auth source formatting, and consistency
    • Discovered and fixed whitespace handling bug during testing
  2. Config loading tests: Added 211 lines of tests for github_username environment variable precedence
    • 5 test functions with 20+ test cases
    • Verifies ATMOS_GITHUB_USERNAME > GITHUB_ACTOR > GITHUB_USERNAME precedence order
    • Tests GitHub Actions compatibility and override behavior
    • All tests use t.Setenv() for automatic cleanup per lintroller rules

why

Token Injection Infrastructure Issues (New)

Settings Ignored Bug:
The code would inject tokens regardless of the inject_github_token setting. Users couldn't disable token injection even if they wanted to use alternative authentication methods. This was a critical oversight where the setting existed but was never actually checked.

Missing Defaults Bug:
Bitbucket and GitLab token injection defaulted to false (bool zero value), causing authentication failures for users with private repositories on these platforms. Only GitHub worked out-of-the-box, creating an inconsistent user experience.

Testability Issues:
The Detect() method had high cognitive complexity with mixed concerns (URL parsing, host validation, token injection, query manipulation). This made it difficult to test edge cases in isolation, leading to bugs slipping through code review.

Original Vendor.yaml Issues

Token Fallback Issue:
Users running Atmos v1.194.1+ experienced fatal: could not read Username for 'https://github.com': No such device or address errors when vendoring from private repositories, even with GITHUB_TOKEN set. The resolveToken logic only checked ATMOS_GITHUB_TOKEN when inject_github_token was true (default), never falling back to GITHUB_TOKEN.

User Credential Precedence Issue:
When users explicitly provided credentials in their vendor.yaml URLs (e.g., https://user:token@github.com/repo), Atmos would still inject tokens, potentially overwriting user credentials or causing authentication conflicts.

OCI Authentication Issue:
OCI registry authentication wasn't respecting Docker credentials stored in ~/.docker/config.json, causing unnecessary authentication failures when valid credentials were available.

Credential Masking Issue:
The masking used "xxx" which has unfortunate associations. Changed to use "REDACTED" internally with post-processing to "***" for output, avoiding URL encoding issues while maintaining traditional credential masking appearance.

GHCR Authentication Breaking Change

Username Requirement:
GHCR (GitHub Container Registry at ghcr.io) requires both username and password for authentication. The previous implementation incorrectly assumed token-as-username would work, causing authentication failures. This breaking change ensures proper GHCR authentication by requiring users to configure github_username via environment variables (ATMOS_GITHUB_USERNAME, GITHUB_ACTOR, or GITHUB_USERNAME) or the atmos.yaml settings.

GitHub Actions Compatibility:
In GitHub Actions, the GITHUB_ACTOR environment variable is automatically set. The new implementation automatically picks this up, making GHCR authentication work out-of-the-box in CI without additional configuration.

Test Coverage Rationale

Critical Gap Addressed:
The GHCR authentication changes represented a breaking change with 0% test coverage. This created significant risk for users relying on GHCR for OCI vendoring. The new comprehensive test suite:

  • Validates all authentication paths and edge cases
  • Discovered and fixed a whitespace handling bug before it reached users
  • Ensures the breaking change works correctly across all environments
  • Provides confidence for future maintenance and refactoring

references

  • Closes #1900 - Original issue reporting token fallback regression
  • Related to the YAML parser v3 upgrade that changed quote handling behavior
  • Fixes authentication issues reported by users in Slack (see commit history for context)

Summary by CodeRabbit

  • New Features
    • Token-injection toggles for GitLab and Bitbucket; GitHub username setting exposed for registry auth.
  • Improvements
    • Unified credential precedence for Git/OCI (user creds → env tokens → Docker/registry creds → anonymous).
    • Host-aware token injection that preserves user-specified credentials and stronger log redaction of secrets.
  • Documentation
    • Expanded docs on credential precedence, token-injection settings, template evaluation, and YAML quoting.
  • Tests
    • Extensive unit and end-to-end tests and fixtures covering token injection, template parsing, GHCR auth, and masking.

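The precedence rules described in this PR (ATMOS_GITHUB_TOKEN before GITHUB_TOKEN, ATMOS_GITHUB_USERNAME > GITHUB_ACTOR > GITHUB_USERNAME, user-supplied URL credentials winning over injection, per-host inject_*_token toggles, and "***" masking without URL-encoding problems) can be written as a handful of pure functions. The block below is an added example, not Atmos's own code: the TokenInjectSettings type, the "x-access-token" user name used when injecting, and treating the atmos.yaml github_username value as the last fallback are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"os"
	"strings"
)

// TokenInjectSettings models the inject_github_token / inject_gitlab_token /
// inject_bitbucket_token toggles. Constructed for this example (assumption).
type TokenInjectSettings struct {
	GitHub, GitLab, Bitbucket bool
}

// DefaultTokenInjectSettings enables injection for all three hosts, the
// default this PR establishes (previously only GitHub defaulted to true).
func DefaultTokenInjectSettings() TokenInjectSettings {
	return TokenInjectSettings{GitHub: true, GitLab: true, Bitbucket: true}
}

// ResolveGitHubToken checks ATMOS_GITHUB_TOKEN first and falls back to
// GITHUB_TOKEN. getenv is injected so the lookup is testable without the
// process environment; whitespace is trimmed, as the PR's tests require.
func ResolveGitHubToken(getenv func(string) string) (token, source string) {
	for _, name := range []string{"ATMOS_GITHUB_TOKEN", "GITHUB_TOKEN"} {
		if v := strings.TrimSpace(getenv(name)); v != "" {
			return v, name
		}
	}
	return "", ""
}

// ResolveGitHubUsername applies ATMOS_GITHUB_USERNAME > GITHUB_ACTOR >
// GITHUB_USERNAME. Using the configured atmos.yaml value as the final
// fallback is an assumption of this example.
func ResolveGitHubUsername(configured string, getenv func(string) string) string {
	for _, name := range []string{"ATMOS_GITHUB_USERNAME", "GITHUB_ACTOR", "GITHUB_USERNAME"} {
		if v := strings.TrimSpace(getenv(name)); v != "" {
			return v
		}
	}
	return strings.TrimSpace(configured)
}

// ShouldInjectTokenForHost is the pure host check: only the three supported
// hosts qualify, and only when their toggle is on.
func ShouldInjectTokenForHost(host string, s TokenInjectSettings) bool {
	switch strings.ToLower(host) {
	case "github.com":
		return s.GitHub
	case "gitlab.com":
		return s.GitLab
	case "bitbucket.org":
		return s.Bitbucket
	}
	return false
}

// InjectToken adds the token to a clone URL. Credentials already present in
// the URL always win; the "x-access-token" user name is an assumption.
func InjectToken(rawURL, token string, s TokenInjectSettings) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	if u.User != nil || token == "" || !ShouldInjectTokenForHost(u.Hostname(), s) {
		return rawURL, nil
	}
	u.User = url.UserPassword("x-access-token", token)
	return u.String(), nil
}

// MaskURL hides the password before a URL is logged. REDACTED is used as the
// placeholder and swapped for "***" after serialisation, because
// url.URL.String() percent-encodes '*' inside the userinfo part.
func MaskURL(rawURL string) string {
	u, err := url.Parse(rawURL)
	if err != nil || u.User == nil {
		return rawURL
	}
	if _, hasPassword := u.User.Password(); hasPassword {
		u.User = url.UserPassword(u.User.Username(), "REDACTED")
	}
	return strings.Replace(u.String(), "REDACTED", "***", 1)
}

func main() {
	token, source := ResolveGitHubToken(os.Getenv)
	target, err := InjectToken("https://github.com/org/repo.git", token, DefaultTokenInjectSettings())
	if err != nil {
		fmt.Println("bad URL:", err)
		return
	}
	fmt.Printf("token from %q, user %q, cloning %s\n",
		source, ResolveGitHubUsername("", os.Getenv), MaskURL(target))
}
```

Keeping the host check and the environment lookups as pure functions with an injected getenv is what makes the toggle bug the PR describes (a setting that is logged but never consulted) cheap to catch in a unit test; the masking step is the one place the raw URL should ever be turned into a string for logging.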
Add `omitempty` tag for atlantis generate repo-config @albertorm95 (#1749)

what

Add the omitempty tag to the JSON, YAML, and mapstructure tags, so when not defined in the template the generated terraform_version, apply_requirements and delete_source_branch_on_merge attributes are omitted.

why

terraform_version

Atlantis has the capability to discover the Terraform version to use based on the root module's required_version.

With the current implementation you are forced to write a terraform version otherwise the generated repo-config is terraform_version = ""

apply_requirements

Allowing apply_requirements to be omitted in the repo-config allows the Atlantis Server-side config to work.

The current implementation generates apply_requirements = [] which makes Atlantis think that there is an overwritten apply_requirements, which there is not; just omitting it from the repo-config solves this issue.

This has forced us to set up this config on the Server-side:

   allowed_overrides:
      - apply_requirements
      - delete_source_branch_on_merge

delete_source_branch_on_merge

Basically the same scenario as apply_requirements: if present in the repo-config then you need to explicitly allow it in the allowed_overrides list.

Currently when omitted the output is: delete_source_branch_on_merge: false, which is the actual default in Atlantis when the configuration is not present at all.

references

https://www.runatlantis.io/docs/terraform-versions.html#via-terraform-config
https://www.runatlantis.io/docs/server-side-repo-config.html#:~:text=Custom%20Workflows.-,delete_source_branch_on_merge,-bool

Behaviours

# atmos.yaml
integrations:
  atlantis:
    path: "atlantis.yaml"
    config_templates:
      config-1:
        version: 3
        parallel_plan: true
    project_templates:
      project-1:
        name: "{namespace}-{tenant}-{stage}-{environment}_{component}"
        workspace: "{workspace}"
        dir: "{component-path}"
        workflow: atmos-terraform
        autoplan:
          enabled: true
          when_modified:
            - "**/*.tf"

Current behaviour

# atlantis.yaml
version: 3
automerge: false
delete_source_branch_on_merge: false <-----
parallel_plan: true
parallel_apply: false
allowed_regexp_prefixes: []
projects:
  - name: foo
    workspace:foo
    workflow: atmos-terraform
    dir: components/terraform/dynamodb
    terraform_version: "" <-----
    delete_source_branch_on_merge: false <-----
    autoplan:
      enabled: true
      when_modified:
        - '**/*.tf'
    apply_requirements: [] <-----

Wanted behaviour

# atlantis.yaml
version: 3
automerge: false
parallel_plan: true
parallel_apply: false
allowed_regexp_prefixes: []
projects:
  - name: foo
    workspace:foo
    workflow: atmos-terraform
    dir: components/terraform/dynamodb
    autoplan:
      enabled: true
      when_modified:
        - '**/*.tf'

Summary by CodeRabbit

  • Bug Fixes
    • Configuration exports now properly omit empty Terraform version fields when serializing, resulting in cleaner and more readable configuration output. This behavior is now consistently applied across all supported configuration formats for improved user experience.
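What the omitempty tag changes, as an added example that is not the project's own struct: the "before" type emits every field and so produces the terraform_version: "", apply_requirements: [] and delete_source_branch_on_merge: false lines marked above, while the "after" type drops them. The struct and field names are constructed for this illustration and reduced to the three attributes the PR discusses; encoding/json is used because its omitempty semantics (drop "", empty slices and false) are the ones at issue, and the same tag on the YAML and mapstructure fields behaves the same way in principle.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ProjectBefore reproduces the pre-fix tags: every field is always emitted,
// so unset values surface as "", [] and false. Constructed for this example.
type ProjectBefore struct {
	Name                      string   `json:"name"`
	Dir                       string   `json:"dir"`
	TerraformVersion          string   `json:"terraform_version"`
	ApplyRequirements         []string `json:"apply_requirements"`
	DeleteSourceBranchOnMerge bool     `json:"delete_source_branch_on_merge"`
}

// ProjectAfter carries the omitempty tag the PR adds. encoding/json drops a
// field whose value is "", an empty slice or false, which is exactly the trio
// that made Atlantis treat the attributes as explicit overrides.
type ProjectAfter struct {
	Name                      string   `json:"name"`
	Dir                       string   `json:"dir"`
	TerraformVersion          string   `json:"terraform_version,omitempty"`
	ApplyRequirements         []string `json:"apply_requirements,omitempty"`
	DeleteSourceBranchOnMerge bool     `json:"delete_source_branch_on_merge,omitempty"`
}

// RenderBefore serialises a project with the old tags.
func RenderBefore(name, dir, tfVersion string, reqs []string, deleteBranch bool) string {
	b, _ := json.Marshal(ProjectBefore{
		Name: name, Dir: dir, TerraformVersion: tfVersion,
		ApplyRequirements: reqs, DeleteSourceBranchOnMerge: deleteBranch,
	})
	return string(b)
}

// RenderAfter serialises the same values with omitempty applied.
func RenderAfter(name, dir, tfVersion string, reqs []string, deleteBranch bool) string {
	b, _ := json.Marshal(ProjectAfter{
		Name: name, Dir: dir, TerraformVersion: tfVersion,
		ApplyRequirements: reqs, DeleteSourceBranchOnMerge: deleteBranch,
	})
	return string(b)
}

// HasKey reports whether the rendered document contains a top-level key,
// i.e. whether Atlantis would see the attribute as set at all.
func HasKey(doc, key string) bool {
	var m map[string]json.RawMessage
	if err := json.Unmarshal([]byte(doc), &m); err != nil {
		return false
	}
	_, ok := m[key]
	return ok
}

func main() {
	// Sample values constructed to match the atlantis.yaml shown above.
	fmt.Println("before:", RenderBefore("foo", "components/terraform/dynamodb", "", []string{}, false))
	fmt.Println("after: ", RenderAfter("foo", "components/terraform/dynamodb", "", []string{}, false))
}
```

One caveat worth knowing before copying this pattern elsewhere: omitempty on a bool also drops an explicit false, so a repo-config can no longer say delete_source_branch_on_merge: false on purpose. That is harmless here because false is Atlantis's own default when the key is absent, but a field whose explicit false must reach the server needs a *bool (nil means unset) rather than a bool with omitempty.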
