github cloudposse/atmos v1.215.0-rc.6

pre-release, 11 hours ago
feat: add ATMOS_CI_COMMENTS_ENABLED env var to override ci.comments.enabled @[copilot-swe-agent[bot]](https://github.com/apps/copilot-swe-agent) (#2300)

`ci.comments.enabled` could only be controlled via `atmos.yaml`, making it impossible to disable PR/MR comments in specific workflows without maintaining separate config profiles.

Changes

  • pkg/config/utils.go: Parse ATMOS_CI_COMMENTS_ENABLED in processEnvVars(), overriding atmosConfig.CI.Comments.Enabled when set. Follows the same pattern as ATMOS_VERSION_CHECK_ENABLED. Invalid values emit a warning and leave the config unchanged.
  • pkg/config/utils_test.go: Tests covering true/false/1/0 values, unset behavior (YAML value preserved), and invalid input (config unchanged in both directions).
  • website/docs/cli/configuration/ci/comments.mdx: Document the new env var in the config reference and a dedicated Environment Variables section.
  • website/docs/cli/configuration/ci/index.mdx: Add ATMOS_CI_COMMENTS_ENABLED to the CI environment variables table.

Usage

```yaml
# atmos.yaml — default enabled for most workflows
ci:
  comments:
    enabled: true
```

```yaml
# GitHub Actions — disable comments in a specific workflow
- name: Plan (no comments)
  env:
    ATMOS_CI_COMMENTS_ENABLED: "false"
  run: atmos terraform plan ...
```

The env var takes precedence over the YAML value when set; when unset, the YAML value is used unchanged.
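
As an added illustration of the override rule described above (example code written for this page, not Atmos's own `processEnvVars`; the `CIConfig` type and the `envFromMap` and `applyCICommentsEnv` names are assumptions), this shows the three cases the PR lists: unset keeps the YAML value, a valid boolean overrides it, and an invalid value warns and leaves the config unchanged in either direction.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
)

// CIConfig is a hypothetical stand-in for the part of the Atmos config that
// holds ci.comments.enabled (atmosConfig.CI.Comments.Enabled in the project).
type CIConfig struct {
	CommentsEnabled bool
}

const commentsEnvVar = "ATMOS_CI_COMMENTS_ENABLED"

// envFromMap adapts a map to the os.LookupEnv signature so the override logic
// can be exercised without touching the real process environment.
func envFromMap(m map[string]string) func(string) (string, bool) {
	return func(k string) (string, bool) { v, ok := m[k]; return v, ok }
}

// applyCICommentsEnv layers ATMOS_CI_COMMENTS_ENABLED over the value loaded
// from atmos.yaml. Unset or empty leaves the YAML value untouched; a value
// strconv.ParseBool accepts (true/false/1/0, plus t/f and upper-case forms)
// overrides it; anything else is ignored and reported as a warning string, so
// a typo in a workflow never silently flips the setting.
func applyCICommentsEnv(cfg CIConfig, lookup func(string) (string, bool)) (CIConfig, string) {
	raw, ok := lookup(commentsEnvVar)
	if !ok || raw == "" {
		return cfg, ""
	}
	v, err := strconv.ParseBool(raw)
	if err != nil {
		return cfg, fmt.Sprintf("%s=%q is not a boolean (use true/false/1/0); keeping ci.comments.enabled=%t",
			commentsEnvVar, raw, cfg.CommentsEnabled)
	}
	cfg.CommentsEnabled = v
	return cfg, ""
}

func main() {
	// Constructed starting point: atmos.yaml said enabled: true.
	cfg := CIConfig{CommentsEnabled: true}
	cfg, warn := applyCICommentsEnv(cfg, os.LookupEnv)
	if warn != "" {
		fmt.Fprintln(os.Stderr, "warning:", warn)
	}
	fmt.Printf("ci.comments.enabled = %t\n", cfg.CommentsEnabled)
}
```

Run it with `ATMOS_CI_COMMENTS_ENABLED=false go run .` to see the override, and with `ATMOS_CI_COMMENTS_ENABLED=yes` to see the warning path keep the YAML value.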

fix: Add ATMOS_CI_GITHUB_TOKEN for separate CI token override @osterman (#2304)

what

  • Added ATMOS_CI_GITHUB_TOKEN environment variable with highest priority in CI token resolution (ATMOS_CI_GITHUB_TOKEN > GITHUB_TOKEN > GH_TOKEN)
  • Added actionable error hints when GitHub Status API returns 404 or 403, explaining token permission requirements and suggesting ATMOS_CI_GITHUB_TOKEN
  • Switched createCheckRun/updateCheckRun error wrapping from fmt.Errorf to the error builder pattern to preserve hint metadata through the error chain

why

  • Users running Atmos in GitHub Actions with a GitHub App token (e.g., for Terraform managing GitHub repos) get 404 errors on commit status updates because the App token lacks statuses: write permission
  • The workflow's default GITHUB_TOKEN has the right permission via the permissions: block, but there was no way to use a separate token for CI operations vs Terraform
  • The raw 404 error gave no guidance on what went wrong or how to fix it — users with statuses: write in their workflow were confused why it wasn't working

references

  • Follows existing ATMOS_CI_* naming convention (ATMOS_CI_OUTPUT, ATMOS_CI_SUMMARY, ATMOS_CI_SHA, etc.)
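
An added sketch of the token precedence and the error hint described in this entry (example code for this page, not the project's implementation; `resolveCIToken`, `statusAPIHint` and `envFromMap` are assumed names and the hint wording is mine). The resolver reports only the variable name the token came from, so diagnostics can say which token was used without ever logging the secret.

```go
package main

import (
	"fmt"
	"os"
)

// ciTokenVars lists the variables consulted for the CI token, highest priority first:
// ATMOS_CI_GITHUB_TOKEN > GITHUB_TOKEN > GH_TOKEN.
var ciTokenVars = []string{"ATMOS_CI_GITHUB_TOKEN", "GITHUB_TOKEN", "GH_TOKEN"}

// envFromMap adapts a map to the os.LookupEnv signature for offline testing.
func envFromMap(m map[string]string) func(string) (string, bool) {
	return func(k string) (string, bool) { v, ok := m[k]; return v, ok }
}

// resolveCIToken returns the first non-empty token and the name of the variable
// it came from. The name is safe to log; the token value is not.
func resolveCIToken(lookup func(string) (string, bool)) (token, source string) {
	for _, name := range ciTokenVars {
		if v, ok := lookup(name); ok && v != "" {
			return v, name
		}
	}
	return "", ""
}

// statusAPIHint turns a 403 or 404 from the commit status API into an actionable
// message. A GitHub App token without `statuses: write` typically produces a 404
// here, so the hint names the variable the token came from and the override to set.
func statusAPIHint(httpStatus int, source string) string {
	if httpStatus != 403 && httpStatus != 404 {
		return ""
	}
	if source == "" {
		source = "(no token variable set)"
	}
	return fmt.Sprintf("commit status update returned HTTP %d using the token from %s; "+
		"that token needs the 'statuses: write' permission (GitHub App tokens often lack it). "+
		"Set ATMOS_CI_GITHUB_TOKEN to a token that has it, e.g. the workflow's GITHUB_TOKEN "+
		"granted via the 'permissions:' block.", httpStatus, source)
}

func main() {
	token, source := resolveCIToken(os.LookupEnv)
	if token == "" {
		fmt.Println("no CI token found in", ciTokenVars)
		return
	}
	fmt.Printf("using CI token from %s (%d bytes)\n", source, len(token))
	// Constructed failure: pretend the status API answered 404.
	fmt.Println(statusAPIHint(404, source))
}
```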

Summary by CodeRabbit

  • New Features

    • Added support for a dedicated CI GitHub token (ATMOS_CI_GITHUB_TOKEN) with highest precedence over GITHUB_TOKEN and GH_TOKEN.
  • Bug Fixes

    • Improved GitHub API error reporting to include actionable hints for permission/authentication failures (notably 403/404).
  • Documentation

    • Published blog post and updated roadmap describing the new CI token and guidance.
  • Tests

    • Expanded coverage to validate token precedence and error-hint behavior.

🚀 Enhancements

fix: Replace symlink strategy with plain directory for SAML browser storage @aknysh (#2312)

what

  • Fixes SAML browser storage state failing to save on Windows — the directory at ~/.aws/saml2aws/ was missing because the previous symlink-based strategy requires privileges most Windows users don't have
  • Replaces the symlink-based storage directory strategy with plain directory creation on all platforms — no special privileges required
  • Handles legacy symlink migration: detects and removes stale symlinks from previous Atmos versions, preserving any existing storageState.json from the symlink target
  • Removes ~70 lines of dead symlink code (symlink creation, staging, restore, validation)
  • Adds comprehensive cross-platform tests for the new directory-based storage strategy and legacy migration
  • Adds fix doc with full end-to-end auth flow analysis explaining the two independent storage systems (AWS credentials vs Playwright browser session state)

why

  • Root cause: the previous symlink strategy created ~/.aws/saml2aws as a symlink to an XDG cache directory. On Windows, os.Symlink requires Developer Mode or admin privileges — without these, the symlink creation failed silently and the directory was simply absent. The upstream saml2aws library then failed to write storageState.json because the parent directory did not exist ("The system cannot find the path specified")
  • Impact is browser session reuse only: storageState.json contains Playwright browser session data (cookies for re-authentication). It is NOT part of the AWS credential pipeline — credentials are stored separately in INI files under ~/.config/atmos/aws/{provider}/credentials using filepath.Join (correct on all platforms). Without the fix, users must re-authenticate in the browser every time instead of reusing a saved session
  • The fix creates a plain directory at the path saml2aws expects using os.MkdirAll with filepath.Join — works on all platforms, no special privileges required. Legacy symlinks from previous versions are detected and migrated (preserving existing session state)
  • Upstream bug: saml2aws also constructs the storage path using fmt.Sprintf with hardcoded forward slashes instead of filepath.Join, producing mixed separators on Windows. Go's os package normalizes these internally, so once the directory exists the path resolves correctly
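
The migration described above, as an added example for this page rather than the project's own code (`ensureStorageDir`, `migrateLegacySymlink` and the constructed temp-directory scenario in `main` are assumptions). The defensive points it keeps: `os.Lstat` rather than `os.Stat` so the link itself is examined instead of its target, `os.Remove` on the link path so the old cache directory is never deleted, `filepath.Join` throughout, and private permissions on a directory that holds browser cookies.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// stateFile is the Playwright session file saml2aws writes under the storage dir.
const stateFile = "storageState.json"

// ensureStorageDir guarantees dir is a plain directory. It returns migrated=true
// when a legacy symlink was found and replaced. os.Lstat (not Stat) is used so
// the link itself is inspected instead of whatever it points to.
func ensureStorageDir(dir string) (migrated bool, err error) {
	fi, err := os.Lstat(dir)
	switch {
	case err == nil && fi.Mode()&os.ModeSymlink != 0:
		return true, migrateLegacySymlink(dir)
	case err == nil && fi.IsDir():
		return false, nil // already a real directory: nothing to do
	case err == nil:
		return false, fmt.Errorf("%s exists but is neither a directory nor a symlink", dir)
	case errors.Is(err, os.ErrNotExist):
		// 0o700: the directory holds browser cookies, so keep it private to the user.
		return false, os.MkdirAll(dir, 0o700)
	default:
		return false, err
	}
}

// migrateLegacySymlink copies storageState.json out of the symlink target (if
// present), removes the link, and creates a real directory in its place.
func migrateLegacySymlink(dir string) error {
	target, err := os.Readlink(dir)
	if err != nil {
		return err
	}
	if !filepath.IsAbs(target) {
		target = filepath.Join(filepath.Dir(dir), target)
	}
	saved, err := os.ReadFile(filepath.Join(target, stateFile))
	if err != nil && !errors.Is(err, os.ErrNotExist) {
		return err
	}
	if err := os.Remove(dir); err != nil { // removes the link only, never the target
		return err
	}
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return err
	}
	if saved != nil {
		return os.WriteFile(filepath.Join(dir, stateFile), saved, 0o600)
	}
	return nil
}

func main() {
	// Constructed scenario in a temp dir: a legacy symlink pointing at a cache
	// directory that already holds a session file.
	root, err := os.MkdirTemp("", "saml-storage-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	cache := filepath.Join(root, "cache")
	link := filepath.Join(root, "saml2aws")
	if err := os.MkdirAll(cache, 0o700); err != nil {
		panic(err)
	}
	if err := os.WriteFile(filepath.Join(cache, stateFile), []byte(`{"cookies":[]}`), 0o600); err != nil {
		panic(err)
	}
	if err := os.Symlink(cache, link); err != nil { // on Windows this itself needs Developer Mode or admin rights
		panic(err)
	}
	migrated, err := ensureStorageDir(link)
	fmt.Println("migrated:", migrated, "err:", err)
	fi, _ := os.Lstat(link)
	fmt.Println("is real dir:", fi.Mode().IsDir())
}
```

Running it twice against the same path shows the second call is a no-op, which is the idempotency the PR's tests check.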

references

  • Fix doc: docs/fixes/2026-04-10-auth-windows-path-issues.md (full root-cause analysis, auth flow trace, impact assessment)
  • Upstream bug: github.com/versent/saml2aws/v2/pkg/provider/browser/browser.go:118 — uses fmt.Sprintf with hardcoded forward slashes instead of filepath.Join
  • Related: saml-driver-install branch / PR #1747 — the branch where the symlink strategy was originally implemented
  • Related: docs/prd/saml-browser-driver-integration.md — SAML browser driver integration PRD

Summary by CodeRabbit

  • Bug Fixes

    • Fixed Windows failures saving browser session state during SAML authentication by ensuring a real, platform-correct storage directory and automatic migration of existing setups.
    • Improved cross-platform robustness and preserved existing session state where present.
  • Documentation

    • Added a detailed guide describing the issue, root cause, and migration strategy.
  • Tests

    • Added cross-platform tests verifying idempotent directory creation, state preservation, and migration behavior.

fix: Enable automatic Playwright browser driver download for SAML authentication @osterman (#1747)

what

Fixes SAML authentication failing with "please install the driver (v1.47.2) and browsers first" error when download_browser_driver: true is configured.

why

Root cause: The DownloadBrowser flag was set on saml2aws IDPAccount config but NOT on LoginDetails, which is what saml2aws actually checks when deciding whether to download drivers.

Additionally, the code was using incorrect Playwright cache directory paths (ms-playwright-go instead of ms-playwright), causing driver detection to fail.

Changes

Code Changes

  • Set LoginDetails.DownloadBrowser in createLoginDetails() to match shouldDownloadBrowser() logic
  • Corrected Playwright cache directory paths from ms-playwright-go to ms-playwright (actual playwright-go location)
  • Enhanced driver detection to verify actual browser binaries exist (not just empty version directories)

Testing

  • Added comprehensive integration test that downloads real Chromium drivers (~140 MB) and validates installation
  • Unit tests verify LoginDetails.DownloadBrowser is set correctly across all scenarios
  • Driver detection tests verify empty directories don't register as valid installations

Documentation

  • Removed broken manual installation command (go run playwright install)
  • Added warning about manual installation requiring advanced knowledge of playwright-go internals
  • Clarified cache directory locations and why PATH is not required
  • Emphasized download_browser_driver: true as the recommended approach

references

Summary by CodeRabbit

  • New Features

    • Opt-in automatic Playwright browser driver downloads for AWS SAML auth (download_browser_driver); new browser_type and browser_executable_path config options; improved cross-platform driver detection, XDG-compliant storage with symlink handling; Logrus routed into Atmos logging; new sentinel error for invalid browser executables.
  • Documentation

    • Expanded guides for auto-download workflow, custom browser config, platform cache paths, examples, and heavy integration test instructions.
  • Tests

    • Added unit and integration tests covering driver detection, download/install flow, storage/symlink behavior, and logging adapter; CI gate to enable integrations.
