feat(stacks): template variables in import paths from earlier imports @osterman (#2554)
## what
- Render Go templates in stack `import:` paths (local paths and a remote import's Git `?ref=`) against the `settings`/`vars`/`env` accumulated from imports listed earlier in the same manifest, plus the import's own context.
- A single variable (e.g. `settings.context.deployment_repo_version`, set once in a `_defaults`) can now pin both a remote catalog import's ref and the component `source.version`.
- Only the import path string is rendered; imported file content templating and its deferral are unchanged. Missing values are a hard error (with hints) unless `ignore_missing_template_values` is set; `skip_templates_processing` or a disabled templating engine leaves the path literal.
- Adds the `ErrImportPathTemplate` sentinel, a fixture scenario + unit tests, docs ("Referencing Earlier Imports in Import Paths"), a changelog blog post, and a roadmap milestone.

## why
- Keep `dev` and `prod` in one repo while isolating prod from dev changes: dev uses local catalogs/sources, prod imports a versioned catalog and pins the component source to an immutable ref — both driven by one variable.
- Previously the component `source.version` template worked (resolved late, at component processing) but the import `?ref=` had to be hard-coded, because imports are resolved before that context exists. This closes that gap so both come from the same variable.

## references
- Docs: `/stacks/imports#referencing-earlier-imports-in-import-paths`
- Builds on remote stack imports (#2528) and the git context YAML functions (#2537)
## Summary by CodeRabbit
- New Features
  - Import paths now support Go-template rendering, letting paths reference settings, vars, and env from earlier imports in the same manifest.
- Bug Fixes
  - Templating failures in import paths now surface a clear error; options added to ignore or skip unresolved import templates.
- Documentation
  - Added docs and a blog post with examples and operational guidance for templated import paths.
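The import-path rendering described in this PR, as an added Go example that is not the project's code: `RenderImportPath` and `ImportContext` are hypothetical names, the context is constructed, and the lenient `<no value>` behaviour under `ignore_missing_template_values` is the example's assumption.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// ImportContext holds the settings/vars/env accumulated from imports listed earlier
// in the same manifest (constructed shape; the project's real type is not shown above).
type ImportContext map[string]any

// RenderImportPath renders one import path string (a local path or a remote URL's ?ref=)
// against ctx. With ignoreMissing=false a missing value is a hard error, as the PR
// describes; with ignoreMissing=true Go's text/template leaves "<no value>" in place
// (this lenient behaviour is the example's assumption, not the project's).
func RenderImportPath(path string, ctx ImportContext, ignoreMissing bool) (string, error) {
	opt := "missingkey=error"
	if ignoreMissing {
		opt = "missingkey=default"
	}
	tmpl, err := template.New("import").Option(opt).Parse(path)
	if err != nil {
		return "", fmt.Errorf("parse import path %q: %w", path, err)
	}
	var out bytes.Buffer
	if err := tmpl.Execute(&out, ctx); err != nil {
		return "", fmt.Errorf("render import path %q: %w (hint: set the value in an earlier import or enable ignore_missing_template_values)", path, err)
	}
	return out.String(), nil
}

func main() {
	// Constructed context, as if a _defaults import had set deployment_repo_version.
	ctx := ImportContext{"settings": map[string]any{
		"context": map[string]any{"deployment_repo_version": "v1.4.2"},
	}}
	// The same variable pins the remote catalog's ?ref= and a versioned local path.
	for _, p := range []string{
		"git::https://github.com/example-org/catalog.git//stacks?ref={{ .settings.context.deployment_repo_version }}",
		"catalog/{{ .settings.context.deployment_repo_version }}/vpc.yaml",
		"catalog/{{ .settings.context.not_set }}/vpc.yaml", // missing value: hard error
	} {
		rendered, err := RenderImportPath(p, ctx, false)
		fmt.Println(rendered, err)
	}
}
```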
🚀 Enhancements
fix(auth): make github/sts compose with default GitHub token injection @osterman (#2557)
## what
- Stop Atmos's go-getter token injection from silently shadowing `github/sts`-minted GitHub tokens: `CustomGitDetector` now skips URL token injection when a live `GIT_CONFIG_*` `insteadOf` rewrite already matches the URL's host/owner, so git's rewrite (carrying the correct least-privilege token) wins.
- Make the `ATMOS_PRO_GITHUB_TOKEN` bridge consistent: `resolveToken` falls back to the live env var (which the broker sets after startup), mirroring `pkg/http/client.go`.
- Default `token_env` to `ATMOS_PRO_GITHUB_TOKEN` (was empty) so a single-owner mint reaches `gh`/REST and Atmos's in-process git path automatically.
- Replace the ad-hoc `{owner}` placeholder with Atmos's standard Go-template syntax (`{{ .owner }}`, plus `.host`); update docs, PRD, and add a `docs/fixes/` write-up.

## why
- A real CI job resolving a remote `import:` from a second private repo failed with `remote: Repository not found` — the minted token was correct, but the ambient `GITHUB_TOKEN` was being injected into the URL ahead of it, defeating git's `insteadOf` rewrite. The only fix was the `settings.inject_github_token: false` workaround.
- These changes make `github/sts` (introduced in #2546) compose with the default `settings.inject_github_token: true`, so it "just works" with no workaround. Reproduced first with a simulated-broker e2e test, then fixed.

## references
- Fixes the `github/sts` feature shipped in #2546
- `docs/fixes/2026-06-01-github-sts-token-injection-shadowing.md` (root cause, fix, and why this is a fix doc rather than a changelog entry)
- `docs/prd/atmos-pro-sts.md`
## Summary by CodeRabbit
- Bug Fixes
  - Prevented minted GitHub tokens from being silently overridden by detecting broker-provided git URL rewrites and skipping ambient token injection.
- New Features
  - token_env accepts Go-template names (e.g., GH_TOKEN_{{ .owner }}) and defaults to ATMOS_PRO_GITHUB_TOKEN when appropriate.
  - Token resolution prefers a live exported broker token before falling back to configured values; minted tokens are not logged.
- Documentation
  - Clarified github/sts token_env semantics, templating, multi-owner behavior, and URL-rewrite interactions.
- Tests
  - Added/expanded tests for token-env defaults, templating, precedence, and insteadOf handling.
- Chores
  - Made license NOTICE generation produce deterministic URLs.
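The skip-injection check described in this PR, as an added Go example that is not Atmos's `CustomGitDetector`: `ShouldInjectToken` and `insteadOfRewrites` are hypothetical names, and the `GIT_CONFIG_*` environment and both tokens are constructed placeholders. The `GIT_CONFIG_COUNT`/`GIT_CONFIG_KEY_n`/`GIT_CONFIG_VALUE_n` variables are the ones git itself reads.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// insteadOfRewrites collects the url.<target>.insteadOf entries from the
// GIT_CONFIG_COUNT / GIT_CONFIG_KEY_n / GIT_CONFIG_VALUE_n environment that git
// reads; each value is the URL prefix git rewrites to the keyed (token-bearing) URL.
func insteadOfRewrites(env map[string]string) []string {
	n, _ := strconv.Atoi(env["GIT_CONFIG_COUNT"]) // missing or malformed count: no rewrites
	var prefixes []string
	for i := 0; i < n; i++ {
		key := env[fmt.Sprintf("GIT_CONFIG_KEY_%d", i)]
		if strings.HasPrefix(key, "url.") && strings.HasSuffix(strings.ToLower(key), ".insteadof") {
			prefixes = append(prefixes, env[fmt.Sprintf("GIT_CONFIG_VALUE_%d", i)])
		}
	}
	return prefixes
}

// ShouldInjectToken reports whether an ambient token may be injected into rawURL.
// It returns false when a live insteadOf rewrite already matches the URL, so the
// rewrite (carrying the least-privilege minted token) wins instead of being shadowed.
func ShouldInjectToken(rawURL, ambientToken string, env map[string]string) bool {
	if ambientToken == "" {
		return false
	}
	target := strings.TrimPrefix(rawURL, "git::") // go-getter forced-protocol prefix
	for _, p := range insteadOfRewrites(env) {
		if p != "" && strings.HasPrefix(target, p) {
			return false // git's rewrite carries the minted token; injecting would shadow it
		}
	}
	return true
}

func main() {
	// Constructed broker environment; the token is a placeholder and is never printed.
	env := map[string]string{
		"GIT_CONFIG_COUNT":   "1",
		"GIT_CONFIG_KEY_0":   "url.https://x-access-token:MINTED_TOKEN_PLACEHOLDER@github.com/acme/.insteadOf",
		"GIT_CONFIG_VALUE_0": "https://github.com/acme/",
	}
	for _, u := range []string{"https://github.com/acme/private-catalog.git", "https://github.com/other-org/public.git"} {
		fmt.Printf("%s inject_ambient_token=%v\n", u, ShouldInjectToken(u, "AMBIENT_TOKEN_PLACEHOLDER", env))
	}
}
```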
fix(auth): report missing exec binary instead of "atmos requires a subcommand" @osterman (#2559)
## what
- Fix `atmos auth exec -- <command>` reporting the misleading "The command atmos requires a subcommand" when the executable after `--` (e.g. `uvx`) is not found on `PATH`.
- The missing executable is now reported clearly via the error builder: the command name, the underlying cause, a PATH hint, and exit code `127`.
- Internally, Cobra's "unknown command" conversion now uses the `ErrUnknownSubcommand` sentinel, and the root handler intercepts that (via a new testable `unknownSubcommand` helper) instead of the overloaded `ErrCommandNotFound`.

## why
- `auth exec` and the registry executor both wrapped the shared `ErrCommandNotFound` sentinel, so a missing user binary was indistinguishable from an unknown Atmos subcommand and got masked as root usage output — hiding the real cause.
- Separating the two sentinels gives accurate errors for both cases (genuine unknown subcommands still show root usage with suggestions; missing executables now say "command not found" with a hint), and also fixes the same latent masking for `pkg/hooks` command lookups.

## references
- Regression from the `atmos auth` → command-registry migration (#1919) combined with the registry executor's Cobra-error conversion (#1643).
## Summary by CodeRabbit
- Bug Fixes
  - Clearer "command not found" errors with install guidance and enforced exit code 127.
  - Distinguish missing external executables from unknown subcommands so help is shown only for genuine unknown subcommands.
- Tests
  - Added/updated tests to guard error-classification behaviors and prevent regressions.
- Documentation
  - Adjusted BSD dependency listing to mark the URL as Unknown.
fix: allow --use-version artifact downloads without GitHub token @osterman (#2212)
## what
- Allow unauthenticated artifact downloads for public repositories via `--use-version` flag
- Metadata fetching (PR info, workflow runs, artifact listing) and artifact downloads now work without authentication on public repos per GitHub API docs
- Replace upfront `GetGitHubTokenOrError()` gate with optional `GetGitHubToken()` in `InstallFromPR()` and `InstallFromSHA()`
- Skip `Authorization` header when token is unavailable in `downloadPRArtifact()`
- Add smart HTTP error handling with `buildDownloadHTTPError()` to distinguish auth failures from rate limiting

## why
- Users without GitHub token environment variables couldn't install PR artifacts, even for public repositories
- Rate limit errors (429) were reported generically as "HTTP 429" with no actionable context
- Need to properly surface rate limit information (60/hr for unauthenticated, 5,000/hr for authenticated) to guide users

## references
- Fixes the issue where `atmos --use-version=2129` fails with "authentication failed" when no `GITHUB_TOKEN` is set
- GitHub API documentation confirms artifact downloads work without authentication for public repositories
## Summary by CodeRabbit
- New Features
  - Added optional unauthenticated access for public GitHub artifacts (subject to rate limits)
  - New ATMOS_GITHUB_CLI env var to control/disable CLI-based token retrieval
- Bug Fixes
  - Clearer handling and messaging for auth vs rate-limit errors, with improved hints and retry info
  - GitHub token is now optional for artifact operations (falls back to anonymous when available)
- Tests
  - Expanded tests for artifact downloads and HTTP auth/rate-limit scenarios
- Documentation
  - Documented ATMOS_GITHUB_CLI usage and behavior
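Distinguishing auth failures from rate limiting, as described in this PR, as an added Go example that is not the project's `buildDownloadHTTPError`: `ClassifyDownloadError`, `retryAfter` and the two sentinels are hypothetical names. It relies on GitHub signalling its primary rate limit either with 429 or with 403 plus `X-RateLimit-Remaining: 0`, which is why a bare 403 is classified differently from a 403 carrying that header.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strconv"
	"time"
)

// Constructed sentinels so callers can branch with errors.Is; the project's own are not shown above.
var (
	ErrAuthFailed  = errors.New("github authentication failed")
	ErrRateLimited = errors.New("github rate limit exceeded")
)

// ClassifyDownloadError maps a non-2xx artifact-download response to an actionable error.
// GitHub signals its primary rate limit with 429, or with 403 plus X-RateLimit-Remaining: 0,
// so a 403 is treated as an auth failure only when that header does not say 0.
func ClassifyDownloadError(resp *http.Response, authenticated bool, now time.Time) error {
	if resp.StatusCode/100 == 2 {
		return nil
	}
	rateLimited := resp.StatusCode == http.StatusTooManyRequests ||
		(resp.StatusCode == http.StatusForbidden && resp.Header.Get("X-RateLimit-Remaining") == "0")
	switch {
	case rateLimited:
		limit := "60/hr unauthenticated; set GITHUB_TOKEN for 5,000/hr"
		if authenticated {
			limit = "5,000/hr authenticated"
		}
		return fmt.Errorf("%w (%s); retry in %s", ErrRateLimited, limit, retryAfter(resp.Header, now))
	case resp.StatusCode == http.StatusUnauthorized || resp.StatusCode == http.StatusForbidden:
		return fmt.Errorf("%w: HTTP %d; check that the token is valid and can read this repository", ErrAuthFailed, resp.StatusCode)
	default:
		return fmt.Errorf("HTTP %d downloading artifact", resp.StatusCode)
	}
}

// retryAfter prefers Retry-After (seconds), then X-RateLimit-Reset (unix seconds), else 0.
func retryAfter(h http.Header, now time.Time) time.Duration {
	if s, err := strconv.Atoi(h.Get("Retry-After")); err == nil {
		return time.Duration(s) * time.Second
	}
	if reset, err := strconv.ParseInt(h.Get("X-RateLimit-Reset"), 10, 64); err == nil && reset > now.Unix() {
		return time.Duration(reset-now.Unix()) * time.Second
	}
	return 0
}
```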
fix(version): honor ATMOS_USE_VERSION env var for version re-exec @osterman (#2556)
## what
- Honor the documented `ATMOS_USE_VERSION` environment variable so Atmos actually switches to (and downloads, if needed) the requested version during early re-exec.
- `resolveRequestedVersion` now reads `ATMOS_USE_VERSION`, with precedence `ATMOS_VERSION_USE` > `ATMOS_USE_VERSION` > `ATMOS_VERSION` > `version.use`.
- `cmd/root.go` also honors `ATMOS_USE_VERSION` from the environment so version-management commands (e.g. `atmos version`) re-exec on it just like the `--use-version` flag.
- Add a table case and a precedence test covering the new behavior.

## why
- `ATMOS_USE_VERSION` is advertised as the primary env var (docs at `website/docs/cli/environment-variables.mdx` and the flag binding `WithEnvVars("use-version", "ATMOS_USE_VERSION")`), but the re-exec resolver never read it — it only checked the internal `ATMOS_VERSION_USE` (set solely by the CLI flag), the `ATMOS_VERSION` alias, and `version.use` config.
- An env-populated flag is not marked `Changed()` and maps to viper key `use-version` rather than `version.use`, so `ATMOS_USE_VERSION` fell through every code path — setting it was a complete no-op.
- This surfaced in CI where `ATMOS_USE_VERSION` was set for `atmos describe affected --upload` but Atmos ran the already-installed version instead of switching. This brings the code in line with the existing documentation.

## references
- Docs already describe the intended behavior: `website/docs/cli/environment-variables.mdx`
## Summary by CodeRabbit
- New Features
  - Added support for the ATMOS_USE_VERSION environment variable as an alternative to the --use-version CLI flag.
  - Updated version selection precedence to consider environment variables in the defined order.
- Tests
  - Extended test coverage for environment-variable-driven version selection scenarios.
- Chores
  - Updated NOTICE entry for a dependency license URL.