cloudposse/atmos v1.218.0-rc.2

on GitHub

• Allow atmos describe affected --upload under GITHUB_EVENT_NAME=merge_group (previously gated to pull_request only).
• Resolve the diff base for merge-queue events from event.merge_group.base_sha, populate HeadSHA from event.merge_group.head_sha, and derive the target branch from event.merge_group.base_ref — with graceful fallback to GITHUB_BASE_REF when no event payload is available.
• Backfill the full settings.pro event schema in the configuration reference (pull_request, release, drift_detection) and add a new Merge Queue Support section documenting the optional settings.pro.merge_group.checks_requested.workflows block, the prerequisites, the resolution order, and the migration note.
• Rename ErrUploadRequiresPullRequestEvent → ErrUploadRequiresSupportedEvent and update the error message/hints to mention pull_request, pull_request_target, and merge_group.
• Add tests covering the merge_group event acceptance, payload-aware base resolution paths, and the opaque round-trip of settings.pro.{pull_request,release,drift_detection,merge_group} through StripAffectedForUpload.
• Add a feature blog post and a shipped milestone in the CI/CD initiative on the roadmap.

why

• Atmos Pro now subscribes to GitHub check_suite.requested webhooks and creates check runs on the synthetic SHAs GitHub produces when a PR enters a merge queue (gh-readonly-queue/<base>/pr-<N>-<sha>). For the check to conclude correctly when stacks are affected, the CLI must allow --upload under merge_group and resolve the diff base against the target-branch commit the synthetic merge was built on top of.
• Without this change, required "Atmos Pro" checks hang in Expected — Waiting for status to be reported on every queued PR until a delayed reconciler sweeps them, breaking required-checks workflows.
• The public settings.pro per-event schema was previously undocumented on atmos.tools — customers were copying shapes from test fixtures. Backfilling the full reference (and adding merge_group alongside it) addresses both gaps in one PR.
• settings.pro is opaque map[string]any end-to-end, so no struct changes are required for merge_group to round-trip; the new test locks that contract in to prevent a future struct-tightening from silently dropping the new block.

references

• GitHub merge queue documentation: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-a-merge-queue
• Configuration reference: /cli/configuration/settings/pro#merge-queue-support
• Companion Atmos Pro server-side change subscribes to check_suite.requested for gh-readonly-queue/... head branches.

[!NOTE]
The Merge Queue Support section in pro.mdx (and the migration note in the blog post) contain an Atmos CLI ≥ X.Y.Z placeholder. Replace with the actual released version once this PR is tagged.

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Support for GitHub merge-queue (merge_group) uploads; uploads now accept pull_request, pull_request_target, and merge_group events
  • settings.pro.merge_group configuration (including checks_requested.workflows) is preserved through uploads

• Bug Fixes

  • Improved validation and clearer hints for unsupported CI event types

• Tests

  • Added unit tests covering merge_group upload validation and schema preservation

• Documentation

  • Added blog post, CLI docs, and roadmap entry describing merge-queue support and configuration

• Swizzle @theme/DocCard so each card's title renders as <div className={styles.cardTitle}> instead of <Heading as=\"h2\">. Visual styling is preserved because the CSS module rule (font-size: 1.2rem) targets the className, not the element.
• Change ActionCard's <h2>{title}</h2> to <div className=\"action-card__title\">{title}</div> and add explicit font tokens so the title still renders at h2 size.
• Mirrors the same pattern PR #2393 applied to Terminal, Screengrab, and File.

why

• Algolia DocSearch v3 indexes any article h2 as a page section (lvl2) — that's the default Docusaurus crawler template's selector. Decorative h2s emitted by these components were being indexed as if they were real headings.
• On /cli/configuration/auth/ the DocCardList "Related Commands" section emits ten <h2 class=\"cardTitle_*\">📄️ atmos auth login</h2>-style entries. Searches like atmos auth ranked these card titles above the actual /cli/commands/auth/usage page because they contained the literal query.
• On /cli/commands/auth/usage the ActionCard title <h2>Configure Authentication</h2> sat between the page H1 and the first real H2. That extra heading scrambled the crawler's hierarchy extractor, leaving the page with a single weak type:\"content\" record and no lvl1/lvl2 records — so it couldn't compete with the noisier configuration page.
• Card titles are navigational labels for a link, not section headings; a <div> is semantically more honest and removes the indexing hijack without forcing an atmos-specific deviation from the DocSearch v3 defaults.

references

• Builds on #2393 (single-H1-per-page fix for Terminal/Screengrab/File).
• Verified by querying the live Algolia index at `https://32YOERUX83-dsn.algolia.net/1/indexes/atmos.tools/query\` before and after the build. After the next crawl, the `atmos auth` page should emit proper `lvl1`/`lvl2` records and the configuration page's card list should no longer pollute results.
• Followup candidates (not in this PR): sweep the remaining decorative-h2 components (`KeyTakeaways`, `KeyPoints`, `NextSteps`, `Card`, `CardGroup`, `Step`, hardcoded `AISection`), and audit the 323 URLs the crawler reported as ignored in the last run.

Summary by CodeRabbit

• New Features

  • Added a documentation card component that shows docs links or category collections with smart linking and interactive hover behavior.

• Style

  • Improved action card title styling using a dedicated title class and refined design tokens.
  • Polished documentation card appearance with hover effects, transitions, and updated typography.

• Stop rendering decorative <h1> in Terminal, Screengrab, and File chrome components — replaced with semantic <div className="window-title|file-title"> and matching CSS selectors.
• Demote heading levels (h1→h2, h2→h3, …) in embedded README content rendered by EmbedExample, with an embeddedH1 class so the visual size is preserved.
• Demote stray # Heading markdown to ## in three docs pages: describe-affected.mdx, inheritance.mdx, mindset.mdx.

why

• Algolia DocSearch builds its sidebar/breadcrumbs from the page's H1 → H2 → H3 outline. Multiple H1s per page (one from the Docusaurus title, one from a Terminal window chrome, another from an embedded README) caused jumbled/duplicated search results.
• Valid HTML5 also expects a single H1 per page; this aligns the rendered DOM with that convention without changing any visible styling.

references

• Algolia DocSearch indexing rules: https://docsearch.algolia.com/docs/record-extractor

Summary by CodeRabbit

• Documentation

  • Adjusted heading levels, reordered section headings, and converted several top-level headings to second-level for clearer structure and to avoid duplicate page-level headings in embedded content.

• Style

  • Switched component title markup from top-level headings to classed containers and added styling to preserve visual hierarchy.
  • Shifted embedded content heading levels in rendering and updated terminal/embedded title styles for consistent appearance across themes.

Refactors the atmos auth command family from the legacy flat-file structure to the Command Registry pattern with unified flag handling via pkg/flags/StandardParser. As a side-effect of the refactor, this PR also resolves two long-standing flag-precedence bugs (#1973 and #2392) and adds regression tests so they cannot silently regress again.

• Migrated 11 auth files from cmd/auth_*.go to an organised cmd/auth/ package with a CommandProvider interface.
• Replaced direct viper.BindPFlag() / viper.BindEnv() calls with flags.NewStandardParser(...) + parser.BindToViper(...) (Forbidigo-compliant).
• Replaced DisableFlagParsing with the SeparatedArgs pattern for pass-through commands (auth shell, auth exec).
• Promoted auth user to a real subcommand package (cmd/auth/user/).

Why

• Eliminates Forbidigo violations: removes direct viper.BindPFlag() / viper.BindEnv() calls.
• Consistent flag precedence: every auth subcommand now goes through BuildConfigAndStacksInfo(cmd, v) so global flags (--base-path, --config, --config-path, --profile) are honoured uniformly.
• Enables the plugin architecture: commands self-register via CommandProvider.
• Better testability: helpers are isolated and mockable; coverage on cmd/auth rose from 33% → 47% in this PR.

Closes

Closes #1973 — --profile not applied for auth exec and auth shell

Root cause: the legacy executeAuthExecCommandCore / executeAuthShellCommandCore loaded the atmos config from cfg.InitCliConfig(newAuthConfigAndStacksInfo(cmd), false) — a helper that only read --base-path / --config / --config-path and dropped --profile on the floor. auth list / auth env / auth whoami happened to call a different helper that did read profile, hence the asymmetric bug.

Fix: both cmd/auth/exec.go and cmd/auth/shell.go now call BuildConfigAndStacksInfo(cmd, v) (a wrapper over flags.BuildConfigAndStacksInfo) which extracts all global flags including --profile into ConfigAndStacksInfo.ProfilesFromArg before cfg.InitCliConfig.

Regression tests:

• cmd/auth/exec_test.go::TestAuthExec_ProfileFlagAppliedToConfig
• cmd/auth/shell_test.go::TestAuthShell_ProfileFlagAppliedToConfig

Both cover single-profile, multi-profile, and no-profile cases.

Closes #2392 — --identity silently dropped on atmos terraform plan

Root cause: the bug as reported at v1.216.0 stemmed from --identity being parsed inconsistently between command families. Terraform commands relied solely on the legacy arg-walker parseIdentityFlag while auth/describe used a Cobra-flag-based path.

Fix: terraform commands now register --identity via the StandardParser (cmd/terraform/flags.go::registerIdentityFlags) and the legacy arg-walker still populates info.Identity for backwards compat — so both paths converge on the same value. setupTerraformAuth (in internal/exec/terraform_execute_helpers.go) passes info.Identity verbatim to the auth manager creator; pkg/auth.resolveIdentityName returns it as-is when non-empty, so the explicit flag value can never be overridden by a profile-default identity.

Regression tests:

• internal/exec/cli_utils_test.go::TestProcessCommandLineArgs_TerraformIdentityFlag_Issue2392 — replays the exact arg shape from the bug report (terraform plan account-map -s core-gbl-root --identity core-root/admin) and asserts info.Identity == "core-root/admin".
• internal/exec/terraform_execute_helpers_auth_test.go::TestSetupTerraformAuth_IdentityFlagPropagatesToAuthCreator — builds a merged auth config with both a default: true identity and a non-default identity and asserts setupTerraformAuth passes the explicit --identity value verbatim.
• internal/exec/terraform_execute_helpers_auth_test.go::TestSetupTerraformAuth_EmptyIdentity_AllowsAutoDetection — inverse guard: empty info.Identity must still allow auto-detect.

Testing

• go build ./..., go vet ./..., make lint — all clean.
• go test -short ./cmd/... ./internal/... ./pkg/... — all pass.
• Coverage on the refactored package: cmd/auth 33.0% → 47.6%, cmd/auth/user 35.6% → 51.0%.
• 39 new test functions added across the auth package, including five explicit regression tests for #1973 and #2392.

Summary by CodeRabbit

• New Features

  • Introduced a comprehensive auth command group with subcommands: login, logout, whoami, list, env, exec, shell, console, validate, and user configure.

• Improvements

  • Enhanced identity flag handling (equals/space forms, interactive select, disable/omit modes) and improved argument preprocessing/completions.
  • Better auth UX: cached credentials, safer environment output formats (bash/json/dotenv/GitHub), console/session options (destination, duration, issuer, print-only/no-open), and launch/run commands with authenticated environments.

• Documentation

  • Updated CLI docs and usage tips for identity placement, examples, and auth command usage.