#5965 chore(deps): update dependency opentofu/opentofu to v1.10.7 in dockerfile (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Update | Change | OpenSSF | | ------------------------------------------------------------------ | ------ | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [opentofu/opentofu](https://redirect.github.com/opentofu/opentofu) | patch | 1.10.6 -> 1.10.7 | [[OpenSSF Scorecard](https://camo.githubusercontent.com/ce717ba2c81ac0c4d405947613d026de7d49e9f59f60457ed964da33f31eb3b4/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f6f70656e746f66752f6f70656e746f66752f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/opentofu/opentofu) | --- ### Release Notes opentofu/opentofu (opentofu/opentofu) ### `v1.10.7` Compare Source SECURITY ADVISORIES: This release contains fixes for some security advisories related to previous releases in this series. •

tofu init

in OpenTofu v1.10.6 and earlier could potentially use unbounded memory if there is a direct or indirect dependency on a maliciously-crafted module package distributed as a "tar" archive. This would require the attacker to coerce a root module author to depend (directly or indirectly) on a module package they control, using the HTTP, Amazon S3, or Google Cloud Storage source types to refer to a tar archive. This release incorporates the upstream fixes for CVE-2025-58183. • When making requests to HTTPS servers, OpenTofu v1.10.6 and earlier could potentially use unbounded memory or crash with a "panic" error if TLS verification involves an excessively-long certificate chain or a chain including DSA public keys. This affected all outgoing HTTPS requests made by OpenTofu itself, including requests to HTTPS-based state storage backends, module registries, and provider registries. For example, an attacker could coerce a root module author to depend (directly or indirectly) on a module they control which then refers to a module or provider from an attacker-controlled registry. That mode of attack would cause failures in

tofu init

, at module or provider installation time. Provider plugins contain their own HTTPS client code, which may have similar problems. OpenTofu v1.10.7 cannot address similar problems within provider plugins, and so we recommend checking for similar advisories and fixes in the provider plugins you use. This release incorporates upstream fixes for CVE-2025-58185, CVE-2025-58187, and CVE-2025-58188. BUG FIXES: • Fix crash in tofu test when using deprecated outputs (#​3249) • Fix missing provider functions when parentheses are used (#​3402) •

for_each

inside

dynamic

blocks can now call provider-defined functions. (#​3429) Full Changelog: opentofu/opentofu@v1.10.6...v1.10.7 --- ### Configuration 📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis

#5966 chore(deps): update dependency vue to v3.5.24 in package.json (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | | ------------------------------------------------------------------------------------------------------------------------------ | --------------- | ------ | ----------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [vue](https://redirect.github.com/vuejs/core/tree/main/packages/vue#readme) ([source](https://redirect.github.com/vuejs/core)) | devDependencies | patch | [3.5.22 -> 3.5.24](https://renovatebot.com/diffs/npm/vue/3.5.22/3.5.24) | [[OpenSSF Scorecard](https://camo.githubusercontent.com/e1691da63d6ce4d0e287d7d5cd665594be0b5c9101500763a51a848101abc0ce/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f7675656a732f636f72652f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/vuejs/core) | --- ### Release Notes vuejs/core (vue) ### `v3.5.24` Compare Source ##### Reverts • Revert "fix(compiler-core): correctly handle ts type assertions in expression…" (#​14062) (11ec51a), closes #​14062 #​14060 ### `v3.5.23` Compare Source ##### Bug Fixes • compiler-core: correctly handle ts type assertions in expressions (#​13397) (e6544ac), closes #​13395 • compiler-core: fix v-bind shorthand handling for in-DOM templates (#​13933) (b3cca26), closes #​13930 • compiler-sfc: resolve numeric literals and template literals without expressions as static property key (#​13998) (75d44c7) • compiler-ssr: textarea with v-text directive SSR (#​13975) (006a0c1) • compiler: using guard instead of non-nullish assertion (#​13982) (dcc6f36) • custom-element: batch custom element prop patching (#​13478) (c13e674), closes #​12619 • custom-element: optimize slot retrieval to avoid duplicates (#​13961) (84ca349), closes #​13955 • hydration: avoid mismatch during hydrate text with newlines in interpolation (#​9232) (6cbdf78), closes #​9229 • runtime-core: pass props and children to loadingComponent (#​13997) (40c4b2a) • runtime-dom: ensure iframe sandbox is handled as an attribute to prevent unintended behavior (#​13950) (5689884), closes #​13946 • suspense: clear placeholder and fallback el after resolve to enable GC (#​13928) (f411c66) • transition-group: use offsetLeft and offsetTop instead of getBoundingClientRect to avoid transform scale affect animation (#​6108) (dc4dd59), closes #​6105 • v-model: handle number modifier on change (#​13959) (8fbe48f), closes #​13958 --- ### Configuration 📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis

#5968 chore(deps): update module golang.org/x/crypto to v0.45.0 [security] (release-0.34) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | | ------------------- | ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | golang.org/x/crypto | v0.36.0 -> v0.45.0 | [[age](https://camo.githubusercontent.com/4e44f325b8df2848b2173f6b627ccf079d490a121b10b0ad32723340fa1a5b11/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f6167652f676f2f676f6c616e672e6f72672532667825326663727970746f2f76302e34352e303f736c696d3d74727565)](https://camo.githubusercontent.com/4e44f325b8df2848b2173f6b627ccf079d490a121b10b0ad32723340fa1a5b11/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f6167652f676f2f676f6c616e672e6f72672532667825326663727970746f2f76302e34352e303f736c696d3d74727565) | [[confidence](https://camo.githubusercontent.com/ebbdc16b77b9072e24fd8225ecca4fac53f29a5b23414cf79dda51a18d48e854/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f636f6e666964656e63652f676f2f676f6c616e672e6f72672532667825326663727970746f2f76302e33362e302f76302e34352e303f736c696d3d74727565)](https://camo.githubusercontent.com/ebbdc16b77b9072e24fd8225ecca4fac53f29a5b23414cf79dda51a18d48e854/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f636f6e666964656e63652f676f2f676f6c616e672e6f72672532667825326663727970746f2f76302e33362e302f76302e34352e303f736c696d3d74727565) | --- ### Potential denial of service in golang.org/x/crypto/ssh/agent CVE-2025-47913 / GO-2025-4116 More information #### Details SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process. #### Severity Unknown #### References • https://go.dev/cl/700295 • https://go.dev/issue/75178 • https://github.com/advisories/GHSA-hcg3-q754-cr77 This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0). --- ### Unbounded memory consumption in golang.org/x/crypto/ssh CVE-2025-58181 / GHSA-j5w8-q4qc-rx2x / GO-2025-4134 More information #### Details SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. #### Severity Unknown #### References • https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA • https://go.dev/cl/721961 • https://go.dev/issue/76363 This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0). --- ### Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent CVE-2025-47914 / GHSA-f6x5-jh6r-wrfv / GO-2025-4135 More information #### Details SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. #### Severity Unknown #### References • https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA • https://go.dev/cl/721960 • https://go.dev/issue/76364 This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0). --- ### golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read CVE-2025-47914 / GHSA-f6x5-jh6r-wrfv / GO-2025-4135 More information #### Details SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. #### Severity • CVSS Score: 5.3 / 10 (Medium) • Vector String:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

#### References • https://nvd.nist.gov/vuln/detail/CVE-2025-47914 • https://go.dev/cl/721960 • https://go.dev/issue/76364 • https://go.googlesource.com/crypto • https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA • https://pkg.go.dev/vuln/GO-2025-4135 This data is provided by <https://osv.dev/vulnerabi… runatlantis/atlantis

#5969 chore(deps): update module golang.org/x/crypto to v0.45.0 [security] (release-0.35) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | | ------------------- | ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | golang.org/x/crypto | v0.36.0 -> v0.45.0 | [[age](https://camo.githubusercontent.com/4e44f325b8df2848b2173f6b627ccf079d490a121b10b0ad32723340fa1a5b11/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f6167652f676f2f676f6c616e672e6f72672532667825326663727970746f2f76302e34352e303f736c696d3d74727565)](https://camo.githubusercontent.com/4e44f325b8df2848b2173f6b627ccf079d490a121b10b0ad32723340fa1a5b11/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f6167652f676f2f676f6c616e672e6f72672532667825326663727970746f2f76302e34352e303f736c696d3d74727565) | [[confidence](https://camo.githubusercontent.com/ebbdc16b77b9072e24fd8225ecca4fac53f29a5b23414cf79dda51a18d48e854/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f636f6e666964656e63652f676f2f676f6c616e672e6f72672532667825326663727970746f2f76302e33362e302f76302e34352e303f736c696d3d74727565)](https://camo.githubusercontent.com/ebbdc16b77b9072e24fd8225ecca4fac53f29a5b23414cf79dda51a18d48e854/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f636f6e666964656e63652f676f2f676f6c616e672e6f72672532667825326663727970746f2f76302e33362e302f76302e34352e303f736c696d3d74727565) | --- ### Potential denial of service in golang.org/x/crypto/ssh/agent CVE-2025-47913 / GO-2025-4116 More information #### Details SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process. #### Severity Unknown #### References • https://go.dev/cl/700295 • https://go.dev/issue/75178 • https://github.com/advisories/GHSA-hcg3-q754-cr77 This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0). --- ### Unbounded memory consumption in golang.org/x/crypto/ssh CVE-2025-58181 / GHSA-j5w8-q4qc-rx2x / GO-2025-4134 More information #### Details SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. #### Severity Unknown #### References • https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA • https://go.dev/cl/721961 • https://go.dev/issue/76363 This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0). --- ### Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent CVE-2025-47914 / GHSA-f6x5-jh6r-wrfv / GO-2025-4135 More information #### Details SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. #### Severity Unknown #### References • https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA • https://go.dev/cl/721960 • https://go.dev/issue/76364 This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0). --- ### golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read CVE-2025-47914 / GHSA-f6x5-jh6r-wrfv / GO-2025-4135 More information #### Details SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. #### Severity • CVSS Score: 5.3 / 10 (Medium) • Vector String:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

#### References • https://nvd.nist.gov/vuln/detail/CVE-2025-47914 • https://go.dev/cl/721960 • https://go.dev/issue/76364 • https://go.googlesource.com/crypto • https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA • https://pkg.go.dev/vuln/GO-2025-4135 This data is provided by <https://osv.dev/vulnerabi… runatlantis/atlantis

#5970 chore(deps): update module golang.org/x/crypto to v0.45.0 [security] (release-0.36) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | | ------------------- | ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | golang.org/x/crypto | v0.41.0 -> v0.45.0 | [[age](https://camo.githubusercontent.com/4e44f325b8df2848b2173f6b627ccf079d490a121b10b0ad32723340fa1a5b11/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f6167652f676f2f676f6c616e672e6f72672532667825326663727970746f2f76302e34352e303f736c696d3d74727565)](https://camo.githubusercontent.com/4e44f325b8df2848b2173f6b627ccf079d490a121b10b0ad32723340fa1a5b11/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f6167652f676f2f676f6c616e672e6f72672532667825326663727970746f2f76302e34352e303f736c696d3d74727565) | [[confidence](https://camo.githubusercontent.com/d5e9e2d48ab3a8303e003e3644d6a42caa0bb32e1683dbd0b00e7f84d9d40988/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f636f6e666964656e63652f676f2f676f6c616e672e6f72672532667825326663727970746f2f76302e34312e302f76302e34352e303f736c696d3d74727565)](https://camo.githubusercontent.com/d5e9e2d48ab3a8303e003e3644d6a42caa0bb32e1683dbd0b00e7f84d9d40988/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f636f6e666964656e63652f676f2f676f6c616e672e6f72672532667825326663727970746f2f76302e34312e302f76302e34352e303f736c696d3d74727565) | --- ### Potential denial of service in golang.org/x/crypto/ssh/agent CVE-2025-47913 / GO-2025-4116 More information #### Details SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process. #### Severity Unknown #### References • https://go.dev/cl/700295 • https://go.dev/issue/75178 • https://github.com/advisories/GHSA-hcg3-q754-cr77 This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0). --- ### Unbounded memory consumption in golang.org/x/crypto/ssh CVE-2025-58181 / GHSA-j5w8-q4qc-rx2x / GO-2025-4134 More information #### Details SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. #### Severity Unknown #### References • https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA • https://go.dev/cl/721961 • https://go.dev/issue/76363 This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0). --- ### Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent CVE-2025-47914 / GHSA-f6x5-jh6r-wrfv / GO-2025-4135 More information #### Details SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. #### Severity Unknown #### References • https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA • https://go.dev/cl/721960 • https://go.dev/issue/76364 This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0). --- ### golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read CVE-2025-47914 / GHSA-f6x5-jh6r-wrfv / GO-2025-4135 More information #### Details SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. #### Severity • CVSS Score: 5.3 / 10 (Medium) • Vector String:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

#### References • https://nvd.nist.gov/vuln/detail/CVE-2025-47914 • https://go.dev/cl/721960 • https://go.dev/issue/76364 • https://go.googlesource.com/crypto • https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA • https://pkg.go.dev/vuln/GO-2025-4135 This data is provided by <https://osv.dev/vulnerabi… runatlantis/atlantis

#5971 fix: Nil pointer dereference in atlantis version command Pull request opened by Adamovix ## what Fixes #5972 Initialize DefaultTFDistribution field in VersionStepRunner to match pattern used by InitStepRunner, ApplyStepRunner, and ImportStepRunner. ## why Without this field,

atlantis version

command causes two bugs: Bug 1: Nil pointer panic • When terraform binary cache is empty (after Atlantis restart, upgrade, or cache clear) • Panic at terraform_client.go:509 when calling

dist.BinName()

on nil distribution Bug 2: Command failure on fresh instances • On fresh Atlantis instances with existing PRs • Fails with "no such file or directory" / "no projects to run version in" ## tests Reproduction: 1. Clear cached binaries:

rm -rf ~/.atlantis/bin/*

2. Run

atlantis version

Result: • Before fix: Panic with nil pointer dereference • After fix: Downloads required terraform version and executes successfully Tested on locally built Docker image with fix applied. ## references runatlantis/atlantis

#5241 fix: avoid performance degradation with Github and --hide-prev-plan-comments enabled Pull request opened by oleg-glushak ## what Switch from GitHub REST API to GitHub GraphQL for listing comments to expose the

isMinimized

attribute to avoid minimizing already minimized comments on each Atlantis command execution. ## why This helps to avoid performance degradation by minimizing only non-minimized Atlantis comments, as opposed to processing all comments sequentially on each Atlantis command execution. ## tests • I have tested my changes by running unit tests. • I have tested my changes by running this version of Atlantis and checking if the --hide-prev-plan-comments performance still works in general and the performance degradation disappears. ## references • Closes #5232 runatlantis/atlantis

#5973 build(deps): bump golang.org/x/crypto from 0.43.0 to 0.45.0 Pull request opened by dependabot[bot] Bumps golang.org/x/crypto from 0.43.0 to 0.45.0. Commits • `4e0068c` go.mod: update golang.org/x dependencies • `e79546e` ssh: curb GSSAPI DoS risk by limiting number of specified OIDs • `f91f7a7` ssh/agent: prevent panic on malformed constraint • `2df4153` acme/autocert: let automatic renewal work with short lifetime certs • `bcf6a84` acme: pass context to request • `b4f2b62` ssh: fix error message on unsupported cipher • `79ec3a5` ssh: allow to bind to a hostname in remote forwarding • `122a78f` go.mod: update golang.org/x dependencies • `c0531f9` all: eliminate vet diagnostics • `0997000` all: fix some comments • Additional commits viewable in compare view [Dependabot compatibility score](https://camo.githubusercontent.com/9fd3112d3f307ff51db8f1c9fdf7513b8da6f7d9d0763fe7dd0c7beb93f359cc/68747470733a2f2f646570656e6461626f742d6261646765732e6769746875626170702e636f6d2f6261646765732f636f6d7061746962696c6974795f73636f72653f646570656e64656e63792d6e616d653d676f6c616e672e6f72672f782f63727970746f267061636b6167652d6d616e616765723d676f5f6d6f64756c65732670726576696f75732d76657273696f6e3d302e34332e30266e65772d76657273696f6e3d302e34352e30) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting

@dependabot rebase

. --- Dependabot commands and options You can trigger Dependabot actions by commenting on this PR: •

@dependabot rebase

will rebase this PR •

@dependabot recreate

will recreate this PR, overwriting any edits that have been made to it •

@dependabot merge

will merge this PR after your CI passes on it •

@dependabot squash and merge

will squash and merge this PR after your CI passes on it •

@dependabot cancel merge

will cancel a previously requested merge and block automerging •

@dependabot reopen

will reopen this PR if it is closed •

@dependabot close

will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually •

@dependabot show <dependency name> ignore conditions

will show all of the ignore conditions of the specified dependency •

@dependabot ignore this major version

will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) •

@dependabot ignore this minor version

will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) •

@dependabot ignore this dependency

will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the Security Alerts page. runatlantis/atlantis

#5974 chore(deps): update module golang.org/x/crypto to v0.45.0 [security] (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Change | Age | Confidence | | ------------------- | ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | golang.org/x/crypto | v0.43.0 -> v0.45.0 | [[age](https://camo.githubusercontent.com/4e44f325b8df2848b2173f6b627ccf079d490a121b10b0ad32723340fa1a5b11/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f6167652f676f2f676f6c616e672e6f72672532667825326663727970746f2f76302e34352e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | [[confidence](https://camo.githubusercontent.com/665124b95a061a163e83c3ca34b90cb032298248d26988ab937da66ace696b1d/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f636f6e666964656e63652f676f2f676f6c616e672e6f72672532667825326663727970746f2f76302e34332e302f76302e34352e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | --- Warning Some dependencies could not be looked up. Check the Dependency Dashboard for more information. ### GitHub Vulnerability Alerts #### CVE-2025-58181 SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. #### CVE-2025-47914 SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. --- ### golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption CVE-2025-58181 / GHSA-j5w8-q4qc-rx2x / GO-2025-4134 More information #### Details SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. #### Severity • CVSS Score: 5.3 / 10 (Medium) • Vector String:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

#### References • https://nvd.nist.gov/vuln/detail/CVE-2025-58181 • https://go.dev/cl/721961 • https://go.dev/issue/76363 • https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA • https://pkg.go.dev/vuln/GO-2025-4134 This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0). --- ### Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent CVE-2025-47914 / GHSA-f6x5-jh6r-wrfv / GO-2025-4135 More information #### Details SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. #### Severity Unknown #### References • https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA • https://go.dev/cl/721960 • https://go.dev/issue/76364 This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0). --- ### golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read CVE-2025-47914 / GHSA-f6x5-jh6r-wrfv / GO-2025-4135 More information #### Details SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. #### Severity • CVSS Score: 5.3 / 10 (Medium) • Vector String:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

#### References • https://nvd.nist.gov/vuln/detail/CVE-2025-47914 • https://go.dev/cl/721960 • https://go.dev/issue/76364 • https://go.googlesource.com/crypto • https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA • https://pkg.go.dev/vuln/GO-2025-4135 This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0). --- ### Unbounded memory consumption in golang.org/x/crypto/ssh CVE-2025-58181 / GHSA-j5w8-q4qc-rx2x / GO-2025-4134 More information #### Details SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. #### Severity Unknown #### References • https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA • https://go.dev/cl/721961 • https://go.dev/issue/76363 This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0). --- ### Configuration 📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: … runatlantis/atlantis

#5975 fix(gitea): add src as context for gitea status updates Pull request opened by maddawik ## what Updates the

GiteaClient.UpdateStatus

method so that

src

(which should be

atlantis/plan

or

atlantis/apply

afaict) is passed as the

Context

for the

gitea.CreateStatusOption

struct. This should give status checks names which can be seen in the UI and pattern matched against. This seems like how the other clients are passing the status name along as well. ## why This should make it possible for status checks to be pattern matched in branch protection rules. i.e.

atlantis/plan

and

atlantis/apply

could be explicitly required before merge. ## tests I don't see any related tests for the client though this is my first PR, so if I'm missing something I'm happy to address it. Edit: I tested this locally ### Before patch Status updates have no name, a branch protection rule that has

atlantis/*

means nothing in this context (see screenshot) [Screenshot 2025-11-23 at 1 03 16 AM](https://private-user-images.githubusercontent.com/8498296/517797920-dcbf3465-9ca1-4f26-9032-4a0950bdadf0.png?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NjM4NzgzNjMsIm5iZiI6MTc2Mzg3ODA2MywicGF0aCI6Ii84NDk4Mjk2LzUxNzc5NzkyMC1kY2JmMzQ2NS05Y2ExLTRmMjYtOTAzMi00YTA5NTBiZGFkZjAucG5nP1gtQW16LUFsZ29yaXRobT1BV1M0LUhNQUMtU0hBMjU2JlgtQW16LUNyZWRlbnRpYWw9QUtJQVZDT0RZTFNBNTNQUUs0WkElMkYyMDI1MTEyMyUyRnVzLWVhc3QtMSUyRnMzJTJGYXdzNF9yZXF1ZXN0JlgtQW16LURhdGU9MjAyNTExMjNUMDYwNzQzWiZYLUFtei1FeHBpcmVzPTMwMCZYLUFtei1TaWduYXR1cmU9OGRlZjJlNWYzOGVmY2E3NmM4ZjEwN2I5YmNiOWYwMjE5ODA1ZDNlMDllYTVmMmQzOWIwZTBiMjU3ODVkN2ViMiZYLUFtei1TaWduZWRIZWFkZXJzPWhvc3QifQ.2p6MZp-hY9OlJ-5Dq0UewRg1bE0v59JBCDveupQ3pSo) ### After patch I built the patched version locally and re-ran a test, seeing context appear and able to assert branch protection rules. I think this was as simple as it seemed! [Screenshot 2025-11-23 at 12 53 07 AM](https://private-user-images.githubusercontent.com/8498296/517798033-7ab8744b-0d55-4c33-974d-13ec79755d04.png?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NjM4NzgzNjMsIm5iZiI6MTc2Mzg3ODA2MywicGF0aCI6Ii84NDk4Mjk2LzUxNzc5ODAzMy03YWI4NzQ0Yi0wZDU1LTRjMzMtOTc0ZC0xM2VjNzk3NTVkMDQucG5nP1gtQW16LUFsZ29yaXRobT1BV1M0LUhNQUMtU0hBMjU2JlgtQW16LUNyZWRlbnRpYWw9QUtJQVZDT0RZTFNBNTNQUUs0WkElMkYyMDI1MTEyMyUyRnVzLWVhc3QtMSUyRnMzJTJGYXdzNF9yZXF1ZXN0JlgtQW16LURhdGU9MjAyNTExMjNUMDYwNzQzWiZYLUFtei1FeHBpcmVzPTMwMCZYLUFtei1TaWduYXR1cmU9NmQ4YTcxMmQzYzVhM2Q2NzY0NjE2YzhjMDVkMWY1MDI3ZmM5NGI2NzM5NThlYTI0NDZkOTIzYjQ3MTI1NTUzOSZYLUFtei1TaWduZWRIZWFkZXJzPWhvc3QifQ.1Wf6hEVbiktVcD1egYIfx_zOBIOgD3DVAFNQYFb3Kfw) [Screenshot 2025-11-23 at 12 57 09 AM](https://private-user-images.githubusercontent.com/8498296/517798037-97c44f65-a2dc-4f8c-851c-99cf056149a6.png?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NjM4NzgzNjMsIm5iZiI6MTc2Mzg3ODA2MywicGF0aCI6Ii84NDk4Mjk2LzUxNzc5ODAzNy05N2M0NGY2NS1hMmRjLTRmOGMtODUxYy05OWNmMDU2MTQ5YTYucG5nP1gtQW16LUFsZ29yaXRobT1BV1M0LUhNQUMtU0hBMjU2JlgtQW16LUNyZWRlbnRpYWw9QUtJQVZDT0RZTFNBNTNQUUs0WkElMkYyMDI1MTEyMyUyRnVzLWVhc3QtMSUyRnMzJTJGYXdzNF9yZXF1ZXN0JlgtQW16LURhdGU9MjAyNTExMjNUMDYwNzQzWiZYLUFtei1FeHBpcmVzPTMwMCZYLUFtei1TaWduYXR1cmU9Y2U4NDVjN2U0YWNkNDljNTk1NzA3YTA5NGRlYjJhNTNjYWY3ODAxYTFjMGRhNzBkNTU5MGM3YTcwODYyMDYyMyZYLUFtei1TaWduZWRIZWFkZXJzPWhvc3QifQ.7oxalFYNVKOBGom1_uCTA7XPxKF7YbV333LlrdNDqok) ## references Closes #5802 runatlantis/atlantis

#5978 feat: Add plan webhook support Pull request opened by hjk1996 ## what • Added event-aware webhook wiring to support both plan and apply (typed Event + ConfiguredSender, event set on payload, filtered dispatch). • Updated project runner to send plan/apply webhooks with the correct event and adjusted Slack attachment text to use the event name. • Extended webhook tests to cover plan configs and event filtering. ## why To deliver plan results through the webhook pipeline, and to make webhook payloads/messages clearly identify which event triggered them. ## tests • Added webhook tests for plan config and event filtering • Ran locally:

go test ./server/events/webhooks

(passes) ## references • #5707 runatlantis/atlantis

#5979 feat: support destroy_execution_order_group Pull request opened by romuloslv ## what This pull request enables

destroy_execution_order_group

## why To support reverse execution order during destroy operations

atlantis plan/apply -- -destroy

. Currently, Atlantis supports

execution_order_group

for both resource creation and destruction. However, when hierarchical dependencies orchestrated by Terragrunt are present, resource destruction must be performed in reverse order, ensuring that child resources are removed before their parent resources. The implementation adds automatic detection of the

-destroy

flag, calculates effective execution groups based on operation type, and maintains backward compatibility with existing configurations. Both destructive and non-destructive global plan/apply operations work correctly in the same PR - regular operations use

execution_order_group

while destroy operations use

destroy_execution_order_group

, allowing users to safely test both creation and destruction workflows before merging. ## tests Tests added in • server/core/config/raw/project_test.go • server/events/apply_command_runner_test.go • server/events/plan_command_runner_test.go • server/events/project_command_pool_executor_test.go ## references • #2243 runatlantis/atlantis

#5977 chore: Add license references to files that don't have them Pull request opened by lukemassa ## what Add license references to files that don't have them ## why I noticed a number of files have the old

Copyright 2017 HootSuite Media Inc.

from before the project was made open source. We don't want remove that per the license, but for new files we should be tracking the copyright status. I used the https://github.com/google/addlicense tool to makes sure all newer go files have a license using the condensed SPDX format, and labeling the copyright owners as The Atlantis Authors. I also added a check to CI so we wouldn't forget to add them to new files. Longer term we can add to files other than go, I just wanted to start us off somewhere. ## tests I ran the script a few times ## references N/A runatlantis/atlantis

#5980 fix: Fail policy checks when Rego syntax errors occur Pull request opened by edbighead ## what This change ensures that any conftest execution error (including parse errors) correctly marks the policy as failed, preventing plans from bypassing policy enforcement due to syntax issues ## why Previously, when conftest encountered Rego parse errors, the policy check would incorrectly pass because the code only checked for test failures in the output, not command execution errors. This created a security vulnerability where broken policies would allow all plans to proceed. ## tests • I have tested my changes with unit tests ## references After updating

atlantis

which uses

conftest 0.63.0

, policies were passing even though rego syntax was wrong.

{"level":"error","ts":"2025-11-25T09:00:44.892Z","caller":"events/project_command_runner.go:559","msg":"[{\"PolicySetName\":\"common-policies\",\"PolicyOutput\":\"Error: running test: load: loading policies: load: 2 errors occurred during loading:\\n/opt/atlantis/policies/plan_rds_test.rego:41: rego_parse_error: `if` keyword is required before rule body\\n/opt/atlantis/policies/plan_rds_test.rego:45: rego_parse_error: `if` keyword is required before rule body\\n\",\"Passed\":true,\"ReqApprovals\":1,\"CurApprovals\":0}]","json":{"repo":"myorg/myrepo","pull":"72176"},"stacktrace":"<http://github.com/runatlantis/atlantis/server/events.(*DefaultProjectCommandRunner).doPolicyCheck|github.com/runatlantis/atlantis/server/events.(*DefaultProjectCommandRunner).doPolicyCheck>\n\tgithub.com/runatlantis/atlantis/server/events/project_command_runner.go:559\ngithub.com/runatlantis/atlantis/server/events.(*DefaultProjectCommandRunner).PolicyCheck\n\tgithub.com/runatlantis/atlantis/server/events/project_command_runner.go:265\ngithub.com/runatlantis/atlantis/server/events.RunAndEmitStats\n\tgithub.com/runatlantis/atlantis/server/events/instrumented_project_command_runner.go:74\ngithub.com/runatlantis/atlantis/server/events.(*InstrumentedProjectCommandRunner).PolicyCheck\n\tgithub.com/runatlantis/atlantis/server/events/instrumented_project_command_runner.go:42\ngithub.com/runatlantis/atlantis/server/events.runProjectCmds\n\tgithub.com/runatlantis/atlantis/server/events/project_command_pool_executor.go:48\ngithub.com/runatlantis/atlantis/server/events.(*PolicyCheckCommandRunner).Run\n\tgithub.com/runatlantis/atlantis/server/events/policy_check_command_runner.go:65\ngithub.com/runatlantis/atlantis/server/events.(*PlanCommandRunner).runAutoplan\n\tgithub.com/runatlantis/atlantis/server/events/plan_command_runner.go:177\ngithub.com/runatlantis/atlantis/server/events.(*PlanCommandRunner).Run\n\tgithub.com/runatlantis/atlantis/server/events/plan_command_runner.go:319\ngithub.com/runatlantis/atlantis/server/events.(*DefaultCommandRunner).RunAutoplanCommand\n\tgithub.com/runatlantis/atlantis/server/events/command_runner.go:251"}
{"level":"info","ts":"2025-11-25T09:00:44.892Z","caller":"events/instrumented_project_command_runner.go:88","msg":"policy_check success. output available at: <https://github.com/myorg/myrepo/pull/72176%22,%22json%22:{%22repo%22:%22myorg/myrepo%22,%22pull%22:%2272176%22}}|https://github.com/myorg/myrepo/pull/72176","json":{"repo":"myorg/myrepo","pull":"72176"}}>

introduced by https://github.com/runatlantis/atlantis/pull/5820/files syntax changed after

0.60.0

• https://github.com/open-policy-agent/conftest/releases/tag/v0.60.0 • https://support.hashicorp.com/hc/en-us/articles/43942069326483-OPA-Policy-Evaluations-Fail-With-Errors-if-keyword-is-required-before-rule-body-and-contains-keyword-is-required-for-partial-set-rules runatlantis/atlantis

#5981 build(deps): bump glob and markdownlint-cli Pull request opened by dependabot[bot] Removes glob. It's no longer used after updating ancestor dependency markdownlint-cli. These dependencies need to be updated together. Removes

glob

Updates

markdownlint-cli

from 0.45.0 to 0.46.0 Release notes Sourced from markdownlint-cli's releases.

## v0.46.0

• Replace

glob

dependency with

tinyglobby

(smaller and fewer dependencies)

• Update

markdownlint

dependency to

0.39.0

• Add `MD060`/`table-column-style`

• Improve `MD001`/`MD007`/`MD009`/`MD010`/`MD029`/`MD033`/`MD037`/`MD059`

• Update all dependencies via

Dependabot

Commits • `c8fd500` Bump version 0.46.0 • `5d85fc6` Delete and recreate package-lock.json via "npm install" to bump indirect js-y... • `1b2b54c` Bump glob from 10.4.5 to 10.5.0 • `845c5ff` Bump smol-toml from 1.4.2 to 1.5.2 • `00e4437` Bump js-yaml from 4.1.0 to 4.1.1 • `76208f1` Bump minimatch from 10.0.3 to 10.1.1 • `8e31aca` Bump commander from 14.0.1 to 14.0.2 • `15c3ed0` Bump actions/setup-node from 5 to 6 • `9cc24e8` Update tests for previous commit upgrading markdownlint library. • `34c77a6` Bump markdownlint from 0.38.0 to 0.39.0 • Additional commits viewable in compare view Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting

@dependabot rebase

. --- Dependabot commands and options You can trigger Dependabot actions by commenting on this PR: •

@dependabot rebase

will rebase this PR •

@dependabot recreate

will recreate this PR, overwriting any edits that have been made to it •

@dependabot merge

will merge this PR after your CI passes on it •

@dependabot squash and merge

will squash and merge this PR after your CI passes on it •

@dependabot cancel merge

will cancel a previously requested merge and block automerging •

@dependabot reopen

will reopen this PR if it is closed •

@dependabot close

will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually •

@dependabot show <dependency name> ignore conditions

will show all of the ignore conditions of the specified dependency •

@dependabot ignore this major version

will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) •

@dependabot ignore this minor version

will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) •

@dependabot ignore this dependency

will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the Security Alerts page. runatlantis/atlantis

#5983 chore: bump ngrok to 3.33.1 Pull request opened by chenrui333 chore: bump ngrok to 3.33.1 runatlantis/atlantis

#5986 fix: resolve issue #5944 Pull request opened by MihailoPlavsic34 ## what Adds a new flag

ATLANTIS_GITLAB_STATUS_RETRY_ENABLED

that enables additional retries with back-off logic for

GItLab

client pipeline id query. No change to default behavior, addresses issue #5944 when set to

true

. ## why • Auto-merge does not work leading to manual action required when pipelines are left in running state (more details in issue #5944) • Adding optional flag to allow for more retries allows

GitLab

to create the "merge request" pipeline and prevents this state ## tests • I have tested my changes by adding regression tests • Thoroughly

E2E

testing cases where issue was previously reproducible ## references Closes #5944 runatlantis/atlantis

#5987 feat: implement atlantis reset command Pull request opened by ljluestc ## Summary This PR implements a new

atlantis reset

command that addresses issue #1944 by providing a way to clear PR state when Atlantis gets confused about which projects to plan after PR modifications. ### Problem When a PR starts with many projects and then gets reworked with some removed, Atlantis may continue trying to plan projects that no longer exist. The only workaround was to close and reopen the PR. ### Solution The new

atlantis reset

command simulates closing and reopening a PR by: 1. Cleaning up the PR state (clearing locks, workspaces, and database entries) - same as when a PR is closed 2. Triggering autoplan on all currently modified projects - same as when a PR is opened/updated ## Changes • server/events/command/name.go: Add

Reset

to the

Name

enum and

AllCommentCommands

• server/events/comment_parser.go: Add help text for the reset command • server/events/reset_command_runner.go: New

ResetCommandRunner

that: • Uses

PullCleaner.CleanUpPull()

to clear PR state • Calls

RunAutoplanCommand()

to trigger replanning • Comments on success/failure • server/server.go: Register the reset command runner • cmd/server.go: Add

reset

to default allowed commands ## Test Plan • Unit tests for

ResetCommandRunner

covering: • Successful reset flow • Cleanup failure handling • Comment creation failure handling • Combined failure scenarios • Tests verify proper interaction with

PullCleaner

and

CommandRunner

• All existing tests pass ## Usage

atlantis reset

When commented on a PR, this will: 1. Delete all locks and workspaces for the PR 2. Re-run autoplan to detect current projects 3. Post a comment confirming the reset Fixes #1944 🤖 Generated with Claude Code runatlantis/atlantis

#5988 chore: Remove pkg/errors Pull request opened by lukemassa ## what Remove use of pkg/errors. ## why The package has been deprecated, see #5269. I had done some prep work in other PRs, then for this PR I was able to do this entirely mechanically with a tool I wrote for this purpose: https://github.com/lukemassa/unpkg-errors/. The only manual work I did was change the wording in

CONTRIBUTING.md

to reflect the use of the new API, ran

go mod tidy

to observe that

pkg/errors

was no longer a direct dependency, and fix up some errors that did not match our suggested format previously (but weren't caught by the linter).

run golangci-lint
  Running [/home/runner/golangci-lint-2.5.0-linux-amd64/golangci-lint config path] in [/home/runner/work/atlantis/atlantis] ...
  Running [/home/runner/golangci-lint-2.5.0-linux-amd64/golangci-lint config verify] in [/home/runner/work/atlantis/atlantis] ...
  Running [/home/runner/golangci-lint-2.5.0-linux-amd64/golangci-lint run] in [/home/runner/work/atlantis/atlantis] ...
  Error: server/events/vcs/bitbucketcloud/client.go:67:16: ST1005: error strings should not be capitalized (staticcheck)
  			return nil, fmt.Errorf("Could not parse response %q: %w", string(resp), err)
  			            ^
  Error: server/events/vcs/bitbucketcloud/client.go:124:10: ST1005: error strings should not be capitalized (staticcheck)
  		return fmt.Errorf("Cannot get my uuid! Please check required scope of the auth token!: %w", err)
  		       ^
  Error: server/events/vcs/bitbucketcloud/client.go:174:20: ST1005: error strings should not be capitalized (staticcheck)
  		return comments, fmt.Errorf("Could not parse response %q: %w", string(res), err)

## tests Ran tests. ## references Close: #5269 runatlantis/atlantis

#5989 Fix API pre-workflow hook execution order and enable auto-discovery Pull request opened by akoskubai-brt ### Solution 1. Reordered Hook Execution • Modified <atlantis/server/controllers/api_controller.go2420-305:1|apiPlan()> and <atlantis/server/controllers/api_controller.go3070-370:1|apiApply()> to run

PreWorkflowHooksCommandRunner.RunPreHooks()

before calling </atlantis/server/controllers/api_controller.go550-88:1|request.getCommands()> • This allows pre-workflow hooks to generate

atlantis.yaml

before it's needed • Matches the architecture of <atlantis/server/events/command_runner.go431-46:151|RunCommentCommand()> 2. Added Auto-Discovery Support • When both

Projects

and

Paths

are empty in API request, create an empty <atlantis/server/events/event_parser.go1180-146:1|CommentCommand> • Triggers </atlantis/server/events/project_command_builder.go4620-600:1|buildAllCommandsByCfg()> → discovers all modified projects • Enables

atlantis plan

-equivalent behavior via API ### Changes Made File: <atlantis/server/controllers/api_controller.go00-0:0|server/controllers/api_controller.go> 1. <atlantis/server/controllers/api_controller.go550-88:1|getCommands()>: Auto-discovery when Projects/Paths empty (lines 71-77) 2. <atlantis/server/controllers/api_controller.go2420-305:1|apiPlan()>: Run hooks before building commands (lines 244-258) 3. <atlantis/server/controllers/api_controller.go3070-370:1|apiApply()>: Run hooks before building commands (lines 309-323) ### Testing Before Fix: # Failed with "atlantis.yaml file exists" error data = {"Repository": "...", "Projects": ["dev"], "PR": 2} After Fix: # Works - hooks generate config, then Projects resolved data = {"Repository": "...", "Projects": ["dev"], "PR": 2} # Also works - auto-discovers all projects data = {"Repository": "...", "PR": 2} # No Projects/Paths ### Benefits ✅ Dynamic config generation via pre-workflow hooks now works in API ✅ Architectural consistency between API and comment flows ✅ Backward compatible - existing API calls continue to work ✅ New capability - auto-discovery via empty Projects/Paths ✅ Fixes real user issue - repo-level configurations properly merged ### Related This fixes the issue where repo-level workflow configurations were ignored when using the API, defaulting to the server-defined workflow instead of the project-specified one (e.g., terragrunt workflow). ### Log Evidence: Before: Only "setting workflow: default from repos[1]" After: Both "setting workflow: default..." AND "overriding server-defined workflow with repo-specified workflow: 'terragrunt'" runatlantis/atlantis

#3830 feat: Clarify approved vs mergeable for gitlab Pull request opened by lukemassa ## what • Make

approved

mean "Approved by a user other than the author" for gitlab • Revert #3744, as the original wording is now accurate • Update docs to clarify that "approved" means "Approved by a user other than the author" regardless of VCS, whereas "mergeable" incorporates VCS-specific approval conditions. ## why Per #2605, gitlab does not respect the

approved

the way users would expect, i.e. has someone clicked the "approved" button. This is how the other VCSs interpret

approved

. The current implementation for gitlab is closer to "are approval rules passing". That's what I thought "approved" meant when I implemented #3744 (since I'm most familiar with gitlab). However, looking closer, it turns out: • The other VCSs treat this as "someone other than the author clicked approve" • gitlab itself already implements "follows approval rules" (it asserts that

mr.ApprovalsBeforeMerge <= 0

) Thus there was this inconsistency, plus it meant that

approved

was strictly weaker than

mergeable

for gitlab. The theory here I think is that it is nice to have one knob for users to turn that means "a user needs to approve this" vs "a user needs to approve this if the project thinks a user needs to approve this". I personally will only use

mergeable

in my setup, since I have tight control over all the repos, but without a change like this, there's no way to implement #2605 , and force workflows to have approvals from the "atlantis side". ## tests Before: | apply_requirements | Project has MR Approval Rule | Project does not have MR Approval Rule | | --------------------- | ------------------------------ | ---------------------------------------- | | [] | Does not require approval | Does not require approval | | [approved] | Requires approval | Does not require approval | | [mergeable] | Requires approval | Does not require approval | | [approved, mergeable] | Requires approval | Does not require approval | After: | apply_requirements | Project has MR Approval Rule | Project does not have MR Approval Rule | | --------------------- | ------------------------------ | ---------------------------------------- | | [] | Does not require approval | Does not require approval | | [approved] | Requires approval | Requires approval | | [mergeable] | Requires approval | Does not require approval | | [approved, mergeable] | Requires approval | Requires approval | As you can see from the above, the functional change here is, for projects that do not have an MR Approval Rule, setting

approved

requires approval. ## references reverts #3744 closes: #2605 runatlantis/atlantis

#5990 chore: Move vcs code into own packages Pull request opened by lukemassa ## what Move each vcs into their own subpackage of

vcs

. ## why I always found it a bit confusing that some VCSs (bitbucketcloud, bitbucketserver, and recently gitea) had their own packages, whereas github, azuredevops, and gitlab lived side-by-side in

vcs

. Especially as github has become bigger and more complicated, it makes sense to make these subpackages. This also makes it more clear where we think we're testing "general VCS behavior" but in fact are testing github specific behavior. Finally, this can help move us more towards the "plugin" architecture for VCSs that has been discussed in other places, by first providing this isolation. ## tests This is a pure refactor; passing tests should be sufficient. ## references Relates to #5574 runatlantis/atlantis

#5926 feat: enabling pending apply status when any of the projects has changes to… Pull request opened by rjmsilveira ## What This MR restores the ability to set commit status to pending when there are planned Terraform changes that haven't been applied yet. This feature is now: ## GitLab-specific (controlled by the --pending-apply-status flag) Opt-in (defaults to false to maintain backward compatibility) Provides better visibility into MR readiness by blocking merges until all applies are completed ## Why When enabled, this feature prevents GitLab merge requests from being merged prematurely by setting the commit status to pending when: • atlantis plan detects changes that need to be applied • Not all projects have been successfully applied The status transitions: • ✅ Success: All projects applied or show no changes • ⏳ Pending: Planned changes exist but haven't been applied yet • ❌ Failed: Apply errors occurred This addresses a common workflow requirement where teams want to ensure all infrastructure changes are actually applied before allowing the MR to merge, preventing situations where planned changes are approved but never executed. ## Why GitLab-only and opt-in? The original implementation (#2053) caused issues (#2138) with race conditions where apply status would appear before plans completed, leading to confusion and stuck PRs. The feature was reverted in #2173. Since then, Atlantis has significantly improved its event ordering and status update handling. However, to ensure maximum safety and backward compatibility, this restoration: Limits scope to GitLab - where the feature is most requested and tested Requires explicit opt-in - prevents unexpected behavior changes for existing users Preserves existing behavior - when disabled or on other VCS platforms, no status updates occur for unapplied plans Tests Added comprehensive test coverage in TestPlanCommandRunner_PendingApplyStatus: ✅ GitLab + flag enabled + unapplied plans → Pending status ✅ GitLab + flag disabled + unapplied plans → No status update (backward compatible) ✅ GitLab + all plans applied → Success status ✅ GitHub/Bitbucket + flag enabled → No status update (GitLab-only feature) ✅ GitLab + apply errors → Failed status All existing tests pass, ensuring backward compatibility is maintained. ## References Original feature (2021): https://github.com/runatlantis/atlantis/pull/2053/files Issue reports (race conditions): https://github.com/runatlantis/atlantis/issues/2138 Feature revert (2022): https://github.com/runatlantis/atlantis/pull/2173/files ## Key improvements since the original implementation: The latest Atlantis codebase now handles event ordering much more reliably. The race condition issues that caused the original revert (where apply status would appear before plans properly finished) have been resolved through improved event sequencing. This makes it safe to reintroduce the feature with proper safeguards (opt-in flag + VCS-specific implementation). ## Configuration: See updated documentation in server-configuration.md. This approach provides the requested functionality while learning from past issues and ensuring a smooth, safe rollout for teams that need this workflow enforcement. runatlantis/atlantis

#5964 chore: Add project command output struct Pull request opened by lukemassa ## what ### Primary change Break some of fields of

ProjectResult

into another struct

ProjectCommandOutput

, which is then embedded into

ProjectResult

### Secondary changes 1. Plumb

SubCommand

into

command.ProjectContext

2. Add

project

information to expected output of TestApplyCommandRunner_ExecutionOrder test 3. Add mock to

TestPlanCommandRunner_IsSilenced

to handle call to Plan ## why ### Primary change My main goal here was to clean up the half dozen calls in

project_command_runner.go

that correspond (roughly) to each possible "project command" from:

func (p *DefaultProjectCommandRunner) Apply(ctx command.ProjectContext) command.ProjectResult {
	applyOut, failure, err := p.doApply(ctx)
	return command.ProjectResult{
		Command:           command.Apply,
		Failure:           failure,
		Error:             err,
		ApplySuccess:      applyOut,
		RepoRelDir:        ctx.RepoRelDir,
		Workspace:         ctx.Workspace,
		ProjectName:       ctx.ProjectName,
		SilencePRComments: ctx.SilencePRComments,
	}
}

to look like:

// Apply runs terraform apply for the project described by ctx.
func (p *DefaultProjectCommandRunner) Apply(ctx command.ProjectContext) command.ProjectCommandOutput {
    applyOut, failure, err := p.doApply(ctx)
    return command.ProjectCommandOutput{
        Failure:      failure,
        Error:        err,  
        ApplySuccess: applyOut,
    }   
}

The goal here, as described in #5962, was to not have to set the

Command

as part what is returned from a the run. This makes conceptual sense; the caller of this function knows it was told to do so by "apply", why is the return of this function including that? It's not purely academic either, as we add commands, the translation might not be so easily 1:1 (for example "autoplan"). In addition, we are copy/pasting these returns for RepoRelDir, Workspace, etc., into each command, which is error prone and brittle. The new logic has each command return just what the command returns, then the call site adds in the additional context (that it already knows) before passing it up. This would have prevented a few very subtle bugs, like #5934 and #5963, since we rely less on specifying the exact right things, in either production code or unit tests. ### Secondary changes Most of the work to make the above work, outside of the intentional changes to

project_command_runner.go

, the new types in

project_result.go

, and consolidating the call site in

project_command_pool_executor.go

, was highly mechanical, just an exercise in breaking up types in unit tests. There were however some additional changes that were necessary to make this work. All of these changes of which ended up being improvements, albeit minor ones. This gave me confidence that this change was the right direction, since it was setting up the code to be cleaner. 1. We were previously not including SubCommand in ProjectContext, even though we know it in all the same places we know CommandName. This was needed to deal with the hard-coded literal of

"rm"

that was again essentially "guessed" in

StateRm

. It was mostly just an exercising in passing an additional argument to functions 2. Now that we don't "lose" the information about "project" in the mocked version of these commands, the output is slightly different. Specifically, when we know the project we add it, whereas when the project is an empty string we omit it, so I needed to add to the expected output strings (again, in a preferable way, since previously we were specifying project in the input but having it missing in the expected output). Example: https://github.com/runatlantis/atlantis/pull/5964/files#diff-bd810f7a2c49ffcc9b60b2cd559bad49dc77687760e0b9073a9c88a362e6985aL357 3. This was a very subtle bug, basically after I made the change the was a unit test that was panicking trying to add to the database. The issue turned out to be that, because the mocked functions "forgot" about command name, the command name was specified as the default (command.Apply), which does not exercise the code path that had the missing pointer. Now that our code keeps its command even after calling mocked version of Plan(), we need to make sure we specify a non-nil value in the PlanSuccess https://github.com/runatlantis/atlantis/pull/5964/files#diff-0afeda625c8feb719ac324deab2c577861662762aecde074307d5a19aa0b1126R129 ## tests This is a refactor so should be safe. I'm not sure the "command" is used anywhere but logs and outputs anyway ## references closes: #5962 Would have prevented bugs: #5934 and #5963 runatlantis/atlantis

#5992 build(deps): bump mdast-util-to-hast from 13.2.0 to 13.2.1 Pull request opened by dependabot[bot] Bumps mdast-util-to-hast from 13.2.0 to 13.2.1. Release notes Sourced from mdast-util-to-hast's releases.

## 13.2.1

#### Fix

• ab3a795 Fix support for spaces in class names

#### Types

• efb5312 Refactor to use `@import`s

• a5bc210 Add declaration maps

Full Changelog: syntax-tree/mdast-util-to-hast@13.2.0...13.2.1

Commits • `174795b` 13.2.1 • `3d05b3a` Update Node in Actions • `ab3a795` Fix support for spaces in class names • `efb5312` Refactor to use `@import`s • `a5bc210` Add declaration maps • `b54955d` Add

.tsbuildinfo

to

.gitignore

• See full diff in compare view [Dependabot compatibility score](https://camo.githubusercontent.com/a438aa6daca7fdd58cb57105ac01f392d7a150ff735f8d86552cc525f54e08b9/68747470733a2f2f646570656e6461626f742d6261646765732e6769746875626170702e636f6d2f6261646765732f636f6d7061746962696c6974795f73636f72653f646570656e64656e63792d6e616d653d6d646173742d7574696c2d746f2d68617374267061636b6167652d6d616e616765723d6e706d5f616e645f7961726e2670726576696f75732d76657273696f6e3d31332e322e30266e65772d76657273696f6e3d31332e322e31) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting

@dependabot rebase

. --- Dependabot commands and options You can trigger Dependabot actions by commenting on this PR: •

@dependabot rebase

will rebase this PR •

@dependabot recreate

will recreate this PR, overwriting any edits that have been made to it •

@dependabot merge

will merge this PR after your CI passes on it •

@dependabot squash and merge

will squash and merge this PR after your CI passes on it •

@dependabot cancel merge

will cancel a previously requested merge and block automerging •

@dependabot reopen

will reopen this PR if it is closed •

@dependabot close

will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually •

@dependabot show <dependency name> ignore conditions

will show all of the ignore conditions of the specified dependency •

@dependabot ignore this major version

will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) •

@dependabot ignore this minor version

will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) •

@dependabot ignore this dependency

will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the Security Alerts page. runatlantis/atlantis

#5889 fix: Close metric scope after tests finish Pull request opened by lukemassa ## what Add a helper to close close metrics scope when tests are finished, use it throughout tests. ## why I was trying to use go's race detector on the unit tests, and running into these errors:

atlantis % go test ./... -short -race
?   	<http://github.com/runatlantis/atlantis|github.com/runatlantis/atlantis>	[no test files]
ok  	<http://github.com/runatlantis/atlantis/cmd|github.com/runatlantis/atlantis/cmd>	(cached)
ok  	<http://github.com/runatlantis/atlantis/server|github.com/runatlantis/atlantis/server>	2.899s
PASS
panic: Log in goroutine after TestAPIController_Plan has completed: 2025-10-15T20:28:02.707-0400	DEBUG	gauge	{"name": "tally_internal_counter_cardinality", "value": 0, "tags": {"host":"global","instance":"global","version":"4.1.17"}, "type": "gauge"}
	

goroutine 22 [running]:
testing.(*common).log(0xc00009ac40, {0xc0000ec840, 0xb6})
	/Users/lmassa/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.25.1.darwin-arm64/src/testing/testing.go:1030 +0x178
testing.(*common).Logf(0xc00009ac40, {0x10515c2c8, 0x2}, {0xc0004aa410, 0x1, 0x1})
	/Users/lmassa/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.25.1.darwin-arm64/src/testing/testing.go:1191 +0x80
<http://go.uber.org/zap/zaptest.TestingWriter.Write({{0x10547b050|go.uber.org/zap/zaptest.TestingWriter.Write({{0x10547b050>?, 0xc00009ac40?}, 0x0?}, {0xc0001b5400, 0xb7, 0x400})
	/Users/lmassa/go/pkg/mod/go.uber.org/zap@v1.27.0/zaptest/logger.go:146 +0xf0
<http://go.uber.org/zap/zapcore.(*ioCore).Write(0xc0001a3c80|go.uber.org/zap/zapcore.(*ioCore).Write(0xc0001a3c80>, {0xff, {0xc2342ce4aa2a28b0, 0x3ce12682, 0x105a22fc0}, {0x0, 0x0}, {0x10516232e, 0x5}, {0x0, ...}, ...}, ...)
	/Users/lmassa/go/pkg/mod/go.uber.org/zap@v1.27.0/zapcore/core.go:99 +0x114
<http://go.uber.org/zap/zapcore.(*CheckedEntry).Write(0xc0003c6b60|go.uber.org/zap/zapcore.(*CheckedEntry).Write(0xc0003c6b60>, {0x0, 0x0, 0x0})
	/Users/lmassa/go/pkg/mod/go.uber.org/zap@v1.27.0/zapcore/entry.go:253 +0x154
<http://go.uber.org/zap.(*SugaredLogger).log(0xc00006ec00|go.uber.org/zap.(*SugaredLogger).log(0xc00006ec00>, 0xff, {0x10516232e, 0x5}, {0x0, 0x0, 0x0}, {0x0, 0x0, 0x0})
	/Users/lmassa/go/pkg/mod/go.uber.org/zap@v1.27.0/sugar.go:355 +0x108
<http://go.uber.org/zap.(*SugaredLogger).Debugf(...)|go.uber.org/zap.(*SugaredLogger).Debugf(...)>
	/Users/lmassa/go/pkg/mod/go.uber.org/zap@v1.27.0/sugar.go:198
<http://github.com/runatlantis/atlantis/server/logging.(*StructuredLogger).Debug|github.com/runatlantis/atlantis/server/logging.(*StructuredLogger).Debug>(0xc0004dd640, {0x10516232e, 0x5}, {0x0, 0x0, 0x0})
	/Users/lmassa/atlantis/server/logging/simple_logger.go:134 +0x74
<http://github.com/runatlantis/atlantis/server/metrics.(*debugReporter).ReportGauge(0xc00012a420|github.com/runatlantis/atlantis/server/metrics.(*debugReporter).ReportGauge(0xc00012a420>, {0xc000035350, 0x22}, 0xc0000f8d20, 0x0)
	/Users/lmassa/atlantis/server/metrics/debug.go:47 +0x2b8
<http://github.com/uber-go/tally/v4.(*scopeRegistry).reportInternalMetrics(0xc00053a180)|github.com/uber-go/tally/v4.(*scopeRegistry).reportInternalMetrics(0xc00053a180)>
	/Users/lmassa/go/pkg/mod/github.com/uber-go/tally/v4@v4.1.17/scope_registry.go:339 +0x1ec
<http://github.com/uber-go/tally/v4.(*scopeRegistry).Report(0xc00053a180|github.com/uber-go/tally/v4.(*scopeRegistry).Report(0xc00053a180>, {0x10547c680, 0xc00012a420})
	/Users/lmassa/go/pkg/mod/github.com/uber-go/tally/v4@v4.1.17/scope_registry.go:115 +0x74
<http://github.com/uber-go/tally/v4.(*scope).reportRegistry(0xc000174900)|github.com/uber-go/tally/v4.(*scope).reportRegistry(0xc000174900)>
	/Users/lmassa/go/pkg/mod/github.com/uber-go/tally/v4@v4.1.17/scope.go:275 +0x70
<http://github.com/uber-go/tally/v4.(*scope).reportLoopRun(0xc000174900)|github.com/uber-go/tally/v4.(*scope).reportLoopRun(0xc000174900)>
	/Users/lmassa/go/pkg/mod/github.com/uber-go/tally/v4@v4.1.17/scope.go:270 +0x5c
<http://github.com/uber-go/tally/v4.(*scope).reportLoop|github.com/uber-go/tally/v4.(*scope).reportLoop>(0xc000174900, 0x3b9aca00)
	/Users/lmassa/go/pkg/mod/github.com/uber-go/tally/v4@v4.1.17/scope.go:258 +0x90
<http://github.com/uber-go/tally/v4.newRootScope.func1()|github.com/uber-go/tally/v4.newRootScope.func1()>
	/Users/lmassa/go/pkg/mod/github.com/uber-go/tally/v4@v4.1.17/scope.go:198 +0x7c
created by <http://github.com/uber-go/tally/v4.newRootScope|github.com/uber-go/tally/v4.newRootScope> in goroutine 21
	/Users/lmassa/go/pkg/mod/github.com/uber-go/tally/v4@v4.1.17/scope.go:196 +0xa48
FAIL	<http://github.com/runatlantis/atlantis/server/controllers|github.com/runatlantis/atlantis/server/controllers>	1.470s

I dug into it and the issue wasn't with that race detector detected a data race, it's because the race detector reordered some code exposing a bug where we in many places create a new scope but then discard its

closer

. Metrics are emitted during the tests, so if we don't close it, with the reordering, the metrics try to write to t.Log() in test that has already ended. This code consolidates the places where we create a new metrics scope, and properly calls a Cleanup() handler to close the scope when the test is done. I did most of the conversions

#!/bin/bash

for file in $(git grep -l '_, _.*metrics.NewLogging')
do
    echo $file
    cat $file | perl -pe 's/(.*), _, _ := metrics\.NewLoggingScope\((.*), (.*)/\1 := metricstest.NewLoggingScope(t, \2, \3/g' | sponge $file
    ~/go/bin/goimports -w $file
done

## tests Running CI ## references N/A runatlantis/atlantis

#5885 fix: determine mergeability of GitHub workflows from check suite Pull request opened by henriklundstrom ## what Use the conclusion of the check suite instead of the conclusion of the individual check run when determining if a pull request with a required workflow is mergeable when the

gh-allow-mergeable-bypass-apply

-flag is enabled. • Use check suite conclusion rather than check run conclusion to determine required workflow outcome ## why • Resolves the issue #5884 • The conclusion of an individual check run is insufficient for determining the conclusion of a workflow as it may have multiple check runs, the outcomes of which may differ, meaning a successful check run does not necessarily entail a successful workflow. Use the conclusion of the check suite instead, which holds the combined conclusion of each associated check run. ## tests • Adding a test case where a required workflow has multiple checks in the same suite but only the first is successful • This test fails with the implementation on main, but passes with the changes made by this PR • Making a release on this feature branch: https://github.com/nordnet/atlantis/releases/tag/v0.37.0-pre.mergeability-from-check-suite-20250929-001 • See the associated Docker image:

<http://ghcr.io/nordnet/atlantis:v0.37.0-pre.mergeability-from-check-suite-20250929-001-alpine@sha256:d7153cc2916d9c9bc0c6743ad1732bdea8d7eca73a1cd944f9f959695397cde5|ghcr.io/nordnet/atlantis:v0.37.0-pre.mergeability-from-check-suite-20250929-001-alpine@sha256:d7153cc2916d9c9bc0c6743ad1732bdea8d7eca73a1cd944f9f959695397cde5>

## references runatlantis/atlantis

#5994 fix: Fix API pre-workflow hook execution order and enable auto-discovery Pull request opened by WebOfNakedFancies ## what • Modified

/api/plan

and

/api/apply

endpoints to run pre-workflow hooks before building commands instead of after • Added support for auto-discovery when both

Projects

and

Paths

fields are empty in API requests • Aligned API execution order with the comment flow architecture to ensure consistent behavior • Fixed issue where dynamically generated

atlantis.yaml

files (via pre-workflow hooks) could not be used with the API ## why • The API had a critical chicken-and-egg problem: it tried to load

atlantis.yaml

before pre-workflow hooks could generate it • This caused

"cannot specify a project name unless an atlantis.yaml file exists"

errors for repos using dynamic config generation • The API flow was architecturally inconsistent with the comment flow (which runs hooks early and works correctly) • Without auto-discovery support, API users couldn't replicate

atlantis plan

(no args) behavior • Repo-level workflow configurations were being ignored when using the API, defaulting to server-defined workflows instead of project-specified ones (e.g., custom

terragrunt

workflow) Execution Order Before Fix: API: Clone → Load Config ❌ → Build Commands → Run Pre-Hooks (too late) Comment: Clone → Run Pre-Hooks ✅ → Load Config → Build Commands Execution Order After Fix: API: Clone → Run Pre-Hooks ✅ → Load Config → Build Commands Comment: Clone → Run Pre-Hooks ✅ → Load Config → Build Commands ## tests • Tested with dynamically generated

atlantis.yaml

via pre-workflow hooks - config now generates before being read • Verified API requests with

Projects: ["dev"]

properly resolve project configurations and apply repo-level workflows • Confirmed auto-discovery works when

Projects

and

Paths

are omitted from API request • Validated backward compatibility - existing API calls with explicit Projects/Paths continue to work • Verified logs show correct workflow merging:

"overriding server-defined workflow with repo-specified workflow"

runatlantis/atlantis

#5995 fix: ignore policies-passed requirement when validating plan command Pull request opened by nightmarlin-wise ## what This PR updates the

plan

command's validator to ignore the

policies_passed

requirement when present in

ProjectContext.PlanRequirements

. This resolves issue #5993 introduced by #5851: When a policy check fails, the subsequent plan always fails. Plans run after this run as normal.

It seems that after a failure, atlantis updates its internal state to a point before the policy check - so any subsequent plan will succeed. An alternative solution could be to "pretend" the policy checks haven't run yet in the context of the plan.

Specifying

repos[*].plan_requirements: []

in the server-side

repos.yaml

does not successfully work around the issue - the value seems to be overwritten somewhere. ## why This fixes an issue with the standard use case for policy checks. We want to upgrade to the latest atlantis version to make use of parallel plan & apply - but the additional friction caused by this (and potential contacts from teams not familiar with atlantis) means we cannot adopt this version. I believe atlantis can only run policy checks after a plan is completed, so this small-scoped solution makes the most sense to me. If this assumption is wrong, I'd be happy to look into an alternative solution that fits a broader set of use cases! ## tests • I have updated the relevant unit tests to account for this new test case ## references • caused by #5851 • closes #5993 runatlantis/atlantis

#5997 fix: add env variable DEFAULT_CONFTEST_VERSION to dockerfile so it's available at runtime Pull request opened by nvanheuverzwijn ## what Add environment variable

DEFAULT_CONFTEST_VERSION

available to runtime without explicitly defining it. ## why Prevent annoying log message related to conftest version not being defined. ## tests I have tested my changes by build atlantis and running it with docker run. ## references closes #5996 runatlantis/atlantis