feat(vendor): vendor update/diff, archived-repo checks, component.yaml @osterman (#2715)
## what- Add
atmos vendor update— checks every Git-backed source invendor.yaml(and standalonecomponent.yaml/component.ymlmanifests) for a newer version, honoring each source'sconstraints(semver range, excluded versions,no_prereleases), and writes the newversionin place using the format-preservingpkg/yamlengine. Supports--check(dry run),--pull(fetch after updating),--component,--tags,--outdated, and--component-manifests. - Add
atmos vendor diff— shows the Git diff between two versions (tags, branches, or commits) of a vendored component with no local checkout. - Detect archived upstream GitHub repositories (
pkg/github/archived.go,pkg/vendoring/archived.go) and surface that status during update checks. - Add a spinner/progress UI (
cmd/vendor/update_spinner.go) and a tabular update report (cmd/vendor/update_report.go) forvendor update's output. - Fix
vendor.base_path/--chdirresolution sovendor update/diff/get/setno longer fail to findvendor.yamlwhenatmos.yamlconfigures a non-defaultvendor.base_path. - Supporting changes:
pkg/io/streams.gomasking,cmd/version/formatters.go,pkg/toolchain/info.go,errors/errors.go, plus newpkg/vendoring/resolve.goandpkg/vendoring/component_files.goto unify component resolution acrossvendor.yamlandcomponent.yamlsources. - Adds a blog post (
website/blog/2026-07-09-vendor-diff-and-update.mdx) and roadmap milestone update.
why
- Bumping a vendored component's pinned version previously meant three manual steps: checking upstream tags yourself, cloning the repo somewhere to diff two versions, and hand-editing the
versionfield invendor.yamlwhile risking a stripped comment or mangled YAML anchor. - These commands close that loop using the existing format-preserving
pkg/yamlengine (the same one behindatmos config|stack|vendor get|set|delete), and extend it to repos that only use per-componentcomponent.yamlmanifests.
references
- Blog:
website/blog/2026-07-09-vendor-diff-and-update.mdx
Summary by CodeRabbit
- New Features
atmos vendor updatenow includes archived-source detection, enhanced update-table reporting, and a TTY progress UI;--pullnow batches and resets state more reliably.- Added
--component-manifestsand--type/-t(defaulting toterraform), plus component-manifestspec.source.constraintssupport. atmos vendor diffadds--type/-tand falls back to per-componentcomponent.yaml/component.ymlwhenvendor.yamldoesn’t declare the component.
- Bug Fixes
- Improved vendoring discovery/precedence, table sizing, truncation safety, filtering, and component vs mixin failure reporting.
- More reliable terminal output handling during progress rendering.
- Documentation
- Updated vendor diff/update docs and added blog/docs for constraints and component-resolution behavior.
chore(security): resolve all open Dependabot and CodeQL alerts @osterman (#2717)
## whatDrives every outstanding GitHub security finding on this repo to zero: all 84 open Dependabot alerts (6 Go, 78 npm) and all 11 open CodeQL alerts.
Go modules (6 alerts, all high):
github.com/containerd/containerd/v2v2.3.1 → v2.3.3 — GHSA-33vj-92qq-66hc, GHSA-rgh6-rfwx-v388, GHSA-xhf5-7wjv-pqxp, GHSA-cvxm-645q-p574, GHSA-jpcc-p29g-p8mqoras.land/oras-go/v2v2.6.1 → v2.6.2 — GHSA-fxhp-mv3v-67qpaws-sdk-go-v2inspector2/ecrpublicbumps (folds in #2605, #2580)NOTICEregenerated viascripts/generate-notice.sh
GitHub Actions (folds in #2699):
actions/setup-pythonv6.3.0,chrnorm/deployment-statusv2.0.4,cloudposse/github-action-pre-commitv4.1.0,github/codeql-actionv4.36.2,hashicorp/setup-packerpin refresh
Website (78 npm alerts, folds in #2690):
- Docusaurus 3.9.2 → 3.10.x plus the rest of the website-group direct-dependency bumps
- New
pnpm.overridesblock pinning every alerted transitive dependency out of its vulnerable range (shell-quotecritical,node-forge,mermaid,dompurify,lodash/lodash-es,ws,minimatch,webpack,serialize-javascript,uuid, and more) — every override is scoped to the affected major version so unrelated majors are untouched - Landing Hero:
react-icons5.6 removedSiAmazonwebservices(Simple Icons trademark cleanup); switched to Font Awesome'sFaAws
CodeQL (11 alerts):
- Fixes all 8
go/allocation-size-overflowalerts by sizing allocations with a singlelen()term instead of alen(a)+len(b)sum (capacity hints only; behavior unchanged):pkg/yaml,pkg/secrets,pkg/merge,pkg/emulator,pkg/ci,internal/exec - The 3
go/weak-sensitive-data-hashingalerts were dismissed on GitHub as false positives: the flagged SHA-256 usage derives cache filenames / dedup keys (content addressing), not password storage
why
- Every push reported dozens of open vulnerabilities/CVEs; this clears the board in one pass
- Dependency alerts auto-close once the default branch's manifests leave the vulnerable ranges; the CodeQL allocation alerts close on the next
mainanalysis
references
- Supersedes and closes: #2690, #2699, #2605, #2580
- Verified:
go build ./..., targeted package tests,atmos lint changed, pre-commit hooks, andcd website && pnpm run buildall pass; every Dependabot alert range was re-checked against the regeneratedgo.mod/pnpm-lock.yamland none still match
[!NOTE]
Zero user-visible behavior change — dependency bumps and allocation-capacity hints only.
Summary by CodeRabbit
-
Improvements
- Refreshed the website’s AWS landing icon.
- Updated Terraform/OpenTofu example lockfiles to match the intended tooling/registry.
-
New Features
- Added an automated security-remediation skill with a post-command trigger to help address Dependabot and code-scanning alerts on the current branch.
-
Maintenance
- Pinned and standardized many CI workflow action versions for more consistent runs.
- Strengthened SHA pinning verification by detecting unpinned third-party actions.
- Updated CI dependency license allowlists/references and bumped key Go/website dependencies.
-
Quality
- Raised Codecov targets to 85%.
🚀 Enhancements
fix: run parallel/matrix, shell, and exec steps through the step registry @osterman (#2703)
## what- Wire
parallelandmatrixcontrol steps into thepkg/runner/stepregistry through a reverse-registeredControlRunnerseam (mirroring the emulator seam), so they execute from custom commands and lifecycle hooks, not onlyatmos workflow. Interactive (TTY) child steps are rejected, since they cannot run concurrently. - Register the
execstep type in the registry sotype: execworks outside the legacy workflow executor too. - Run the registry shell handler and parallel/matrix shell children through the in-process
mvdan/shinterpreter with secret masking, replacing a hostsh -cinvocation; thread acontextso fail-fast cancellation reaches running scripts. - Delete the dormant, duplicate workflow
Executorengine and its adapters/mocks (zero production callers), preserving the still-live helpers that were co-located in those files (BuildConditionContext,CheckAndGenerateWorkflowStepNames).
why
parallel,matrix, andexecwere recognized/validated step types whose handlers only ever worked insideatmos workflow; through the registry (hooks, custom commands) they returned a "requires workflow executor context" error. This closes that registry gap.- The registry shell path shelled out to the host
sh -c, so it applied no secret masking (a leak risk) and broke on Windows. Unifying on the samemvdan/shinterpreter the workflow already used makes every shell step masked, cross-platform, and exit-code-correct. - Two execution engines existed side by side; the newer
pkg/workflow.Executorhad no production callers and was pure split-brain maintenance risk. Removing it (~6.8k lines) leaves one dispatcher.
references
- Branch:
osterman/parallel-step-registry-gap
Summary by CodeRabbit
- New Features
- Added support for
execworkflow steps (withexit_codereporting). - Parallel and matrix steps now run through a shared execution path that captures each child’s output into workflow variables.
- Workflow steps now get automatic names when omitted.
- Added support for
- Improvements
- Non-interactive shell steps now use a consistent in-process execution approach and respect cancellation.
- Shell working-directory handling is more consistent across platforms.
- Workflow condition evaluation now builds richer, merged context from workflow, step, and command-line inputs.
- Parallel/matrix now rejects interactive (TTY-requiring) child steps with a clear validation error.
fix(downloader): authenticate !include GitHub raw-content fetches @osterman (#2706)
## what!include https://raw.githubusercontent.com/...(and GitHub archive/release URLs) now authenticate with a GitHub token when one is available (GITHUB_TOKEN/ATMOS_GITHUB_TOKEN/ATMOS_PRO_GITHUB_TOKEN/gh auth token), reusing Atmos's existingpkg/http.GitHubAuthenticatedTransport(already used by the Terraform registry cache and toolchain downloaders).- Added
(*http.DefaultClient).HTTPClient()so callers needing the concrete*http.Client(likego-getter'sHttpGetter.Clientfield) can get one without duplicating transport/redirect-stripping setup. - Non-GitHub HTTP(S) sources, and GitHub sources with no token configured, are unaffected — behavior only changes when both conditions (GitHub host + token present) are true.
why
- The
!includeYAML function's HTTP(S) downloads went out fully unauthenticated via go-getter's stockHttpGetter, subject to GitHub's much lower anonymous per-IP rate limit onraw.githubusercontent.com, regardless of whether a token was available. pkg/downloader/file_downloader.goalready pre-checks GitHub's rate limit using an authenticated client before fetching, but that check and the actual download were disconnected — the download itself never carried the token, so the pre-check didn't reflect (or prevent) the limit the real request actually hit.- This surfaced as intermittent
bad response code: 429failures in CI for tests exercising!includeagainst a real GitHub raw URL (e.g.tests/yaml_functions_include_test.go), unrelated to whatever PR happened to be running at the time.
references
- Discovered while investigating unrelated CI flakiness on #2705.
Summary by CodeRabbit
- Bug Fixes
- GitHub raw-content and archive downloads now use token-based authentication when available to reduce intermittent rate-limit errors.
- Terraform now returns consistent “invalid flag value” errors for
--failure-modeand--log-order.
- Documentation
- Added documentation describing the GitHub raw-download authentication fix and how to run the related tests.
- Tests
- Added coverage for accessing the underlying stdlib HTTP client and updated Terraform validation expectations.
- Refactor
- Standardized Terraform subcommand strings used for concurrency support.
Audit missing casts: fix version-track bug, backfill demo embeds @osterman (#2707)
This branch started as an audit of which examples and changelog posts were missing a recorded cast demo. That audit surfaced a real correctness bug along the way, plus a few rough edges in the supporting cast/secret tooling — all fixed here alongside the actual backfill.what
- Fix a real engine bug: a stack's top-level
version: {track: ...}assertion was silently dropped during stack compilation, so!version <name>/{{ .version.* }}in component vars always resolved against the global default track instead of the stack's own asserted track. - Rename
examples/demo-version-trackertoexamples/version-trackerand add a second, independent story to it: dev/prod tracks across three real ecosystems (toolchain,oci,github-actions) feeding a stack's component vars via!version/{{ .version.* }}, usingatmos version track set/getinstead of ad-hoc file edits. Record and wire in its cast (tracks-and-vars.cast). - Widen the credential-free skip list used by every
atmos secret *subcommand so resolving where to read/write a secret no longer requires sibling components' terraform state or store contents to already exist. - Give session-mode cast recordings a themed default prompt instead of leaking the real shell's
PS1(hostname/cwd), and drop the now-redundant manualPS1override from theinteractive-workflowscast. - Make
quick-start-advanced's!terraform.statecatalog references tolerate not-yet-deployed sibling components (// "pending"fallback), and turn itslist-instancescast into a real emulator-backed deploy/teardown recording. - Backfill cast embeds across ~28 existing changelog blog posts (
<CastPlayer>+ a link to the full example), converting the two posts that used the heavierEmbedExamplebundle to the same lightweight pattern for consistency. - Codify in the
atmos-asciicastandpull-requestskills that a feature's changelog blog post should embed its cast going forward, so this doesn't drift out of date again.
why
- The version-track bug meant the documented "stacks can assert their own track" capability never actually worked — anyone using it got silently wrong versions with no error. Auditing which examples were missing casts surfaced the gap; fixing it properly (with real end-to-end regression coverage, verified to fail without the fix) was safer than shipping an example that demonstrated broken behavior.
- The
atmos secret *andquick-start-advancedfixes remove a class of failures where resolving secrets or listing/describing components required unrelated sibling infrastructure to already be deployed — brittle in CI, emulator, and first-run scenarios. - Blog posts without a working demo undersell what shipped; embedding the existing cast recordings makes the changelog self-verifying and more useful to readers, and the skill update keeps future posts from shipping without one.
references
- N/A
Summary by CodeRabbit
- New Features
- Added an Atmos Version Tracker example with independent dev/prod tracks, plus new cast fixtures.
- Stack manifests now support a top-level
versionsection;atmos version track get --showcan print a single field.
- Bug Fixes
- Improved secret/credential-free handling and Terraform state tolerance/refresh behavior.
- Improved cast recording/replay reliability and CastPlayer theming/prompt defaults.
- S3 backend now honors identity endpoint overrides and supports
use_path_style.
- Documentation
- Updated docs and blog posts to embed interactive cast previews via CastPlayer, including a featured-casts experience.
- Tests / CI
- Expanded version-tracking, cast-validation, and CastPlayer replay test coverage; improved example/fixture CI reliability.