docs: document the component `provision:` block (provision.backend, provision.workdir) @osterman (#2378)
## what- Add a new stack-config schema page at
website/docs/stacks/components/provision.mdxthat documents the entireprovision:block as a coherent feature, with sections forprovision.backend.enabled(terraform-only),provision.workdir.enabled(all four toolchains), toolchain defaults, component-level overrides, and global defaults viasettings.provision.workdir.{enabled,ttl}inatmos.yaml. - Add a
:::tipcallout towebsite/docs/stacks/components/terraform/backend.mdxclarifying thatbackend:(where state is stored) is distinct fromprovision.backend:(auto-create that location). - Cross-link
website/docs/components/terraform/backend-provisioning.mdxto the new schema page so the conceptual deep-dive points at the schema reference.
why
- The
provision:block (withprovision.backend.enabledandprovision.workdir.enabled) is functional and used in fixtures, but had no dedicated documentation page in Stack Configuration. The only references were a CLI command page (atmos terraform workdir), a passing mention incli/configuration/components/terraform.mdx, and the backend-provisioning conceptual page — none of which document the schema directly. - Closes a discoverability gap: a user reviewing the components sidebar saw entries for
*.metadata,ansible,helmfile,packer,terraform/backendand noticedprovisionwas missing entirely. - The added
:::tipon the backend page resolves long-standing confusion between thebackend:block (state location) and theprovision.backend:block (whether to bootstrap that location).
references
- Schema source:
pkg/schema/schema.go:402-414(ProvisionWorkdirSettings),pkg/provisioner/workdir/types.go:57-61(WorkdirConfig),pkg/provisioner/backend_hook.go:111-125(provision.backend.enabled). - Canonical fixture:
tests/fixtures/scenarios/workdir/stacks/catalog/workdir-defaults.yaml. - Verified with
cd website && npm run build(zero broken links; new page registered as the 544th content route).
Summary by CodeRabbit
-
New Features
- Added
list:CLI configuration for customizablecomponents,instances, andstacksoutput - Added global
settings.provisionandprovision.workdirdocs for workdir defaults/TTL
- Added
-
Documentation
- Added component provisioning docs (backend + workdir) and relocated backend provisioning links/site redirects
- Added telemetry configuration page with privacy guarantees
- Expanded VCS token injection docs; Bitbucket username standardized to
BITBUCKET_USERNAME
-
Chores
- Updated NOTICE license URL entries to
Unknown
- Updated NOTICE license URL entries to
docs: refresh CI page with native CI workflows; deprecate legacy GH Actions @osterman (#2373)
## what- Move six legacy Cloud Posse GitHub Action docs (
affected-stacks,atmos-terraform-plan/apply, drift detection/remediation, and the index) fromwebsite/docs/integrations/github-actions/towebsite/docs/deprecated/github-actions/, with:::warning Deprecatedbanners on each page pointing readers to/ci. - Rebuild
website/docs/ci/ci.mdxaround the two reference reposcloudposse-examples/atmos-native-ciandcloudposse-examples/atmos-native-ci-advanced— concrete excerpts for deploy-on-PR, deploy-on-merge, preview cleanup, and anatmos describe affected --format=matrixfan-out, plus a discreet pointer to the deprecated content. - Add client-redirects from all six legacy
/integrations/github-actions/*URLs to/ci, add a collapsed "Deprecated" sub-category at the bottom of the Resources sidebar, keepsetup-atmosandcomponent-updaterin the (now smaller) GitHub Actions sidebar entry, and repoint cross-links across docs, two blog posts, and the roadmap.
why
- Atmos now ships native CI integration (job summaries, output variables, status checks, planfile storage) directly in the CLI, so
atmos terraform plan/apply/deployalready produces the artifacts the wrapper actions used to provide — the legacy actions are no longer the recommended path for new projects. - The previous structure buried native CI behind a single page while giving the legacy actions a first-class sidebar section, conflicting with the recommendation in the legacy index page itself; this PR aligns navigation with the recommended path and makes the deprecated material reachable but de-emphasized.
references
cloudposse-examples/atmos-native-ci— basic example workflows excerpted in the new/cipagecloudposse-examples/atmos-native-ci-advanced— matrix workflow excerpted in the new/cipage
Summary by CodeRabbit
-
New Features
- describe affected --format=matrix now auto-writes matrix output to $GITHUB_OUTPUT in CI when enabled (explicit --output-file still wins); workflow examples updated.
-
Documentation
- Added a comprehensive "Native CI for GitHub Actions" guide, updated many docs and blog posts to use native CI wording, and published a blog post about the matrix auto-output behavior.
- Marked legacy GitHub Actions wrapper actions/pages as deprecated with warning guidance.
-
Chores
- Added legacy URL redirects and a new "Deprecated" docs section.
🚀 Enhancements
fix(describe-affected): resolve PR base via merge-base with shallow-clone self-heal @osterman (#2380)
## whatFix atmos describe affected reporting many more affected components
than the PR actually modified, specifically when the PR is out of
date with the target branch.
pkg/git/merge_base.goaddsMergeBaseWithAutoFetchthat runs a
targetedgit fetch origin <target>(and optionally one
--deepen=200) whenMergeBasecan't resolve. Bounded retries.pkg/ci/providers/github/base.go:resolvePRBasekeeps merge-base as
the primary strategy and drops the buggy last-resort path that
returnedrefs/remotes/origin/<target>(which downstream resolved
to the current tip of the target branch, producing the
false-positives). New last-resort isevent.pull_request.base.sha,
which is frozen at the last PR sync and never points to the
current tip.ExecuteDescribeAffectedWithTargetRefCheckoutaccepts a new
targetBranchparameter and self-heals viagit fetchwhen
worktree creation hits a missing target commit.- Adds
pkg/git/fetch.go(FetchRef,DeepenFetch) lifted from
PR #2285. NewTargetBranchfield onBaseResolutionand
DescribeAffectedCmdArgs.
why
A customer reported that atmos describe affected on an out-of-date
PR listed components the PR did not touch. The root cause was a
fallback path documented as "handles this gracefully" in the PRD
that, in practice, silently produced wrong results when the local
repo was a shallow checkout (the actions/checkout@v4 default).
Walkthrough and rationale are in
docs/fixes/2026-04-30-describe-affected-out-of-date-pr.md.
The user's suggestion — using pull_request.merge_commit_sha as
the base — would also work and is documented as a considered
alternative in the fixes doc. We chose merge-base + auto-fetch
because it preserves the existing PRD architecture, doesn't require
fetching M's parent separately, and works naturally with
actions/checkout@v4's default merge-ref checkout.
supersedes #2285
PR #2285 proposed promoting pull_request.base.sha to the primary
strategy. This PR keeps merge-base as primary (gold standard) and
uses base.sha only as a fallback that replaces the buggy
ref-tip path. The fetch helpers and signature plumbing are lifted
from #2285; credit to the original work.
tests
pkg/git/merge_base_test.go: new
TestMergeBaseWithAutoFetch_RecoversFromMissingRefbuilds an
origin/clone pair, deletesorigin/mainto simulate a shallow
CI checkout, and asserts the recovered SHA is the fork point —
not the current main tip.pkg/ci/providers/github/base_test.go:
TestResolveBase_PullRequest_OutOfDate_FallsBackToPayloadSHA
reproduces the customer scenario at unit-test level.internal/exec/describe_affected_test.go:TestResolveBaseFromCI
hardened to requiredescribe.SHAis populated and
describe.Refempty — guards against any future regression that
re-introduces the ref-tip fallback.
references
🤖 Generated with Claude Code
Summary by CodeRabbit
- Bug Fixes
- More reliable PR base resolution in CI: auto-fetch + one-step deepen for shallow checkouts, targeted ref retry when refs are missing, and safer fallback to event payload base SHA to reduce false positives.
- New Features
- Merge-base recovery with targeted fetch/deepen, worktree retry on missing commits, and explicit propagation of PR target branch for CI resolutions.
- Documentation
- Updated CI/base-resolution docs and troubleshooting note for out-of-date PRs.
- Tests
- New and expanded unit/integration tests covering recovery, fetch/deepen, and fallback paths.
fix: authbridge resolver reads auth context from manager's stackInfo, not caller's @MrZablah (#2379)
what- Fix !store.get failing with "AWS auth context not available" when a store backend is configured with an identity: field
- authbridge.Resolver now reads the post-authentication AWS/Azure/GCP context from the auth manager's own internal stackInfo (via GetStackInfo())
instead of the caller's stackInfo - Add regression test TestResolveAWSAuthContext_PointerMismatch that directly reproduces the pointer mismatch scenario
why
- pkg/auth.createAuthManagerInstance allocates its own *schema.ConfigAndStacksInfo for the auth manager — a different pointer than the info passed by
the terraform executor to authbridge.NewResolver - After AuthManager.Authenticate() succeeds, PostAuthenticate writes credential file paths and profile info into the manager's own
stackInfo.AuthContext.AWS, never the caller's info - The resolver was checking r.stackInfo.AuthContext.AWS (the caller's pointer, always nil) instead of r.authManager.GetStackInfo().AuthContext.AWS (the
manager's pointer, populated by auth) - Result: every !store.get call with an identity: configured would succeed at authentication but then immediately fail with "AWS auth context not
available"
references
- closes #2377
Summary by CodeRabbit
-
Bug Fixes
- Fixed auth context resolution so cloud-specific authentication is sourced from the auth manager rather than resolver-held data.
-
Chores
- Pinned Go toolchain to 1.26.2.
-
Tests
- Updated resolver tests to model manager-owned stack info separately and added a regression test for pointer-mismatch behavior.