cloudposse/atmos v1.215.0-rc.4

on GitHub

• Added --format=github option to atmos auth env command
• Added --output flag for explicit file output (appends mode)
• Automatically detects $GITHUB_ENV environment variable when using github format
• Supports single-line values as KEY=value and multiline values with heredoc syntax

why

This eliminates the need for complex shell pipelines like atmos auth env ... | grep "^export " | sed 's/^export //' >> $GITHUB_ENV. Users can now directly output to GitHub Actions $GITHUB_ENV file with proper formatting and multiline value handling.

references

Closes issue related to GitHub Actions integration workflow simplification.

Summary by CodeRabbit

• New Features

  • GitHub Actions format for atmos auth env: Export credentials directly to $GITHUB_ENV with --format=github
  • New --output-file flag to redirect output to a file
  • Automatic $GITHUB_ENV detection when using GitHub format without explicit output file specification

• Documentation

  • Updated CLI help and documentation to reflect new format and flag options
  • Added blog post about GitHub Actions format integration

why

• Reduce secrets visibility

Summary by CodeRabbit

• Chores
  • Updated release infrastructure configuration for deployment automation.

• Bug fix: External MCP servers configured with both identity: and an env: block containing ATMOS_* variables (e.g. ATMOS_PROFILE, ATMOS_CLI_CONFIG_PATH, ATMOS_BASE_PATH) failed auth setup with identity not found. The parent's auth manager was built once from os.Environ() and never saw the server's env: block.
• Architectural cleanup driven by review feedback:
  • New foundational primitive env.SetWithRestore in pkg/env (atmos already has a dedicated env package; four other local save/set/restore variants exist and should consolidate to this in a follow-up).
  • New high-level primitive auth.CreateAndAuthenticateManagerWithEnvOverrides in pkg/auth that delegates env mutation to pkg/env and composes cfg.InitCliConfig + auth.CreateAndAuthenticateManagerWithAtmosConfig.
  • Thin MCP-specific adapter mcpclient.ScopedAuthProvider (~85 lines) that implements a new PerServerAuthProvider interface so WithAuthManager dispatches per-server.
  • Canonical Atmos env-var namespace constants (AtmosEnvVarNamespace, AtmosEnvVarPrefix) added to pkg/config/const.go with build-time invariant tests. Migrated five hardcoded \"ATMOS\" / \"ATMOS_\" literals scattered across cmd/root.go, cmd/auth_validate.go, pkg/auth, and pkg/ai/agent/codexcli to use them.
• Result for users: any external MCP server can now define ATMOS_PROFILE (or any other ATMOS_* variable) in its env: block and have it influence identity resolution — including configurations that run atmos mcp start itself as an external MCP server (the original report).

why

• The auth manager was being constructed once at command startup using the parent's os.Environ(). Server env: blocks were only applied to the spawned subprocess via cmd.Env, so the parent's identity lookup ran against the default profile and never saw ATMOS_PROFILE: managers (or any other override). The user's only workaround was exporting the variable in the shell before running atmos.
• The bug surfaces most visibly when a user configures atmos mcp start itself as an external MCP server (the original report), but it affects any external MCP server with both identity: and env: ATMOS_*: ....
• The fix lives entirely on the client side. The Atmos MCP server (cmd/mcp/server) was already correct: when spawned as a subprocess it inherits the merged env (os.Environ() + env: block) and cfg.InitCliConfig reads ATMOS_* from there.
• Why the architectural cleanup: review feedback flagged that (a) putting per-command auth factories in cmd/ is a slippery slope, (b) pkg/auth shouldn't re-implement env mutation when pkg/env already exists, and (c) defining what counts as an Atmos env variable inside any specific subsystem is the wrong layering. Each round of feedback pushed the primitives down to where they belong, and the result is significantly less code with cleaner layering.

layering after this PR

```
pkg/config ← AtmosEnvVarNamespace / AtmosEnvVarPrefix (single source of truth)
pkg/env ← SetWithRestore (foundational env primitive, no policy)
↑
pkg/auth ← CreateAndAuthenticateManagerWithEnvOverrides (composes pkg/env + cfg.InitCliConfig + auth)
↑
pkg/mcp/client ← ScopedAuthProvider (thin MCP adapter, ~85 lines)
↑
cmd/mcp/client, ← one-line consumers, zero auth-factory code
cmd/ai
```

test coverage

100% on every new function:

• `pkg/env/restore.go` → `SetWithRestore` (incl. setenv-error branch via injectable hook)
• `pkg/auth/manager_env_overrides.go` → `CreateAndAuthenticateManagerWithEnvOverrides` (incl. env-hook error branch via injectable hook), `filterAtmosOverrides` (table-driven)
• `pkg/mcp/client/scoped_auth.go` → `NewScopedAuthProvider`, `ForServer`, `PrepareShellEnvironment`
• `pkg/mcp/client/session.go` → `WithAuthManager` (incl. per-server dispatch branch)
• `cmd/mcp/client/start_options.go` → `buildAuthOption`, `mcpServersNeedAuth`
• `cmd/ai/init.go` → `resolveAuthProvider`
• `pkg/config/const_test.go` → invariant tests for the canonical constants

references

• closes #2283
• See `docs/fixes/2026-04-06-mcp-server-env-not-applied-to-auth-setup.md` for full root-cause analysis, the fixed flow diagram, the test plan, and a follow-up consolidation note for the four pre-existing local save/restore env helpers (`internal/exec.setEnvVarsWithRestore`, `pkg/auth/cloud/gcp.PreserveEnvironment/RestoreEnvironment`, `pkg/telemetry.PreserveCIEnvVars/RestoreCIEnvVars`, `pkg/auth/identities/aws.setupAWSEnv`) that should migrate to `env.SetWithRestore` in a separate PR.
• Related: `docs/fixes/2026-03-25-describe-affected-auth-identity-not-used.md` (another auth-context propagation fix in a different code path).
• Related PRD: `docs/prd/atmos-mcp-integrations.md` (overall MCP client architecture).

Summary by CodeRabbit

• New Features

  • Per-server authentication scoping for MCP so each server can use its own ATMOS env during auth.
  • Canonical ATMOS env namespace/prefix and safer env-override handling during auth setup.

• Bug Fixes

  • MCP server ATMOS env values are now applied during authentication setup.
  • Clearer error mapping when per-server auth is unavailable.

• Documentation

  • Added doc describing the auth env propagation fix and behavior.

• Tests

  • Extensive unit tests for per-server auth, env overrides/restoration, and related flows.