# github-prs
  • g

    GitHub

    10/12/2025, 12:02 AM
    #5880 chore: Remove duplicate mock for WorkingDir Pull request opened by lukemassa

    ## what
    Remove `server/events/mock_workingdir_test.go`, rely on the existing mock implementation in `server/events/mocks/mock_working_dir.go`.

    ## why
    I noticed this when digging into pegomock. For some reason we were generating mock files twice for `WorkingDir`, one of which was ending up in `events` package instead of the dedicated `mocks` one where all the other mocks for events live. In fact, this was the only mock file in the entire repo that wasn't in a mocks/ subdir.

    atlantis % find . \! -path '**/mocks/**' -name 'mock_*'
    ./server/events/mock_workingdir_test.go

    ## tests
    Depending on unit tests to continue to work.

    ## references
    N/A

    runatlantis/atlantis
  • g

    GitHub

    10/12/2025, 1:43 AM
    #5881 chore: Create new workspace package Pull request opened by lukemassa

    ## what
    Move workspace-related types from `server/events` to new subpackage `server/events/workspace`.

    Moved:
    • `WorkingDir` interface
    • `WorkingDirLocker` interface
    • `FileWorkspace` struct
    • `GithubAppWorkingDir` struct

    ## why
    I noticed that there were two different mocks being created for `WorkingDir`: one in `events/mocks/` and another in the `events` package itself (`mock_workingdir_test.go`). It is the only mock in the project which is written into a non-mock package, leading to oddities like in #5800 where it is formatted differently (because we have different formatting rules for mock and non-mock). The duplicate existed because `project_command_builder_internal_test.go` (an internal test in `package events`) needed to import the mock, but importing `events/mocks` would create an import cycle (`events` → `events/mocks` → `events`). This was an indication that the workspace code was getting big enough to be its own package. Moving it to a subpackage breaks the import cycle while keeping the code organized.

    ## tests
    • `go build ./...`
    • `go test ./server/events ./server/controllers/... -short`
    • `golangci-lint run`

    ## references
    N/A

    runatlantis/atlantis
  • g

    GitHub

    10/12/2025, 1:46 AM
    #4331 feat: allow masking output on comments Pull request opened by GMartinez-Sisti

    ## what
    Part of #163 (comment).

    ## why
    I have the requirements to mask some values that are passed to the comments posted by Atlantis, building up on `strip_refreshing` I added two new output configurations that will allow this via a regex configured on the step. There is an assumption that users that shouldn't see secrets/sensitive values won't have access to the URL jobs, where the plan outputs are shown untouched.

    The `output` key can now contain a `string`, `[]string` or `[]any`, this way we ensure compatibility while adding new possibilities to it.

    Example (added to the docs):

    workflows:
      terragrunt:
        plan:
          steps:
            - run:
                command: terragrunt plan -input=false -out=$PLANFILE
                output:
                  - strip_refreshing
                  # Filters text matching 'mySecret: "aaa"' -> 'mySecret: "<redacted>"'
                  - filter_regex: "((?i)secret:\\s\")[^\"]*"

    Note that the changes related to mocks were made manually since `make go-generate` is currently broken (#4664).

    ## tests
    • Running all the tests locally and adding coverage for the new feature
    • Build and deployed this version with the new config from feature and tested that `atlantis plan` provides the desired masked output on GitHub 😄

    ## references
    Possibly solves #163.

    runatlantis/atlantis
  • g

    GitHub

    10/12/2025, 1:48 AM
    #5882 chore(deps): update redis:7.4-alpine docker digest to 3b73847 in docker-compose.yml (main) Pull request opened by renovate[bot] This PR contains the following updates:

    | Package | Update | Change |
    | ------- | ------ | ------------------ |
    | redis | digest | 7a7c6b5 -> 3b73847 |

    ---

    ### Configuration
    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.

    ---

    • If you want to rebase/retry this PR, check this box

    ---

    This PR was generated by Mend Renovate. View the repository job log.

    runatlantis/atlantis
  • g

    GitHub

    10/13/2025, 2:01 AM
    #5883 chore(deps): update github/codeql-action action to v3.30.7 in .github/workflows/scorecard.yml (main) Pull request opened by renovate[bot] This PR contains the following updates:

    | Package | Type | Update | Change | Pending | OpenSSF |
    | ------- | ---- | ------ | ------ | ------- | ------- |
    | [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | patch | v3.30.5 -> v3.30.7 | v3.30.8 | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/github/codeql-action) |

    ---

    ### Release Notes
    github/codeql-action (github/codeql-action)

    ### `v3.30.7`
    Compare Source

    ##### CodeQL Action Changelog
    See the releases page for the relevant changes to the CodeQL CLI and language packs.

    ##### 3.30.7 - 06 Oct 2025
    No user facing changes. See the full CHANGELOG.md for more information.

    ### `v3.30.6`
    Compare Source

    ### CodeQL Action Changelog
    See the releases page for the relevant changes to the CodeQL CLI and language packs.

    #### 3.30.6 - 02 Oct 2025
    • Update default CodeQL bundle version to 2.23.2. #3168

    See the full CHANGELOG.md for more information.

    ---

    ### Configuration
    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.

    ---

    • If you want to rebase/retry this PR, check this box

    ---

    This PR was generated by Mend Renovate. View the repository job log.

    runatlantis/atlantis
  • g

    GitHub

    10/13/2025, 11:49 AM
    #5885 fix: determine mergeability of GitHub workflows from check suite Pull request opened by henriklundstrom

    ## what
    Use the conclusion of the check suite instead of the conclusion of the individual check run when determining if a pull request with a required workflow is mergeable when the `gh-allow-mergeable-bypass-apply`-flag is enabled.
    • Use check suite conclusion rather than check run conclusion to determine required workflow outcome

    ## why
    • Resolves the issue #5884
    • The conclusion of an individual check run is insufficient for determining the conclusion of a workflow as it may have multiple check runs, the outcomes of which may differ, meaning a successful check run does not necessarily entail a successful workflow. Use the conclusion of the check suite instead, which holds the combined conclusion of each associated check run.

    ## tests
    • Adding a test case where a required workflow has multiple checks in the same suite but only the first is successful
    • This test fails with the implementation on main, but passes with the changes made by this PR
    • Making a release on this feature branch: https://github.com/nordnet/atlantis/releases/tag/v0.37.0-pre.mergeability-from-check-suite-20250929-001
    • See the associated Docker image: ghcr.io/nordnet/atlantis:v0.37.0-pre.mergeability-from-check-suite-20250929-001-alpine@sha256:d7153cc2916d9c9bc0c6743ad1732bdea8d7eca73a1cd944f9f959695397cde5

    ## references

    runatlantis/atlantis
  • g

    GitHub

    10/14/2025, 1:58 AM
    #5886 chore(deps): update go in go.mod (main) Pull request opened by renovate[bot] This PR contains the following updates:

    | Package | Type | Update | Change | Pending | OpenSSF |
    | ------- | ---- | ------ | ------ | ------- | ------- |
    | [go](https://go.dev/) ([source](https://redirect.github.com/golang/go)) | golang | patch | 1.25.1 -> 1.25.3 | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/golang/go) | |
    | golang | final | patch | 1.25.1 -> 1.25.2 | 1.25.3 | |
    | golang | stage | patch | 1.25.1-alpine -> 1.25.3-alpine | | |

    ---

    ### Release Notes
    golang/go (go)

    ### `v1.25.3`

    ### `v1.25.2`

    ---

    ### Configuration
    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

    ---

    • If you want to rebase/retry this PR, check this box

    ---

    This PR was generated by Mend Renovate. View the repository job log.

    runatlantis/atlantis
  • g

    GitHub

    10/15/2025, 1:13 AM
    #5887 chore(deps): update ossf/scorecard-action action to v2.4.3 in .github/workflows/scorecard.yml (main) Pull request opened by renovate[bot] This PR contains the following updates:

    | Package | Type | Update | Change | OpenSSF |
    | ------- | ---- | ------ | ------ | ------- |
    | [ossf/scorecard-action](https://redirect.github.com/ossf/scorecard-action) | action | patch | v2.4.2 -> v2.4.3 | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/ossf/scorecard-action) |

    ---

    ### Release Notes
    ossf/scorecard-action (ossf/scorecard-action)

    ### `v2.4.3`
    Compare Source

    #### What's Changed
    This update bumps the Scorecard version to the v5.3.0 release. For a complete list of changes, please refer to the Scorecard v5.3.0 release notes.

    #### Documentation
    • docs: clarify `GITHUB_TOKEN` permissions needed for private repos by @pankajtaneja5 in #1574
    • 📖 Fix recommended command to test the image in development by @deivid-rodriguez in #1583

    #### Other
    • add missing top-level token permissions to workflows by @timothyklee in #1566
    • setup codeowners for requesting reviews by @spencerschrock in #1576
    • 🌱 Improve printing options by @deivid-rodriguez in #1584

    #### New Contributors
    • @timothyklee made their first contribution in #1566
    • @pankajtaneja5 made their first contribution in #1574
    • @deivid-rodriguez made their first contribution in #1584

    Full Changelog: ossf/scorecard-action@v2.4.2...v2.4.3

    ---

    ### Configuration
    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.

    ---

    • If you want to rebase/retry this PR, check this box

    ---

    This PR was generated by Mend Renovate. View the repository job log.

    runatlantis/atlantis
  • g

    GitHub

    10/16/2025, 12:43 AM
    #5889 fix: Close metric scope after tests finish Pull request opened by lukemassa

    ## what
    Add a helper to close metrics scope when tests are finished, use it throughout tests.

    ## why
    I was trying to use go's race detector on the unit tests, and running into these errors:

    atlantis % go test ./... -short -race
    ?   	github.com/runatlantis/atlantis	[no test files]
    ok  	github.com/runatlantis/atlantis/cmd	(cached)
    ok  	github.com/runatlantis/atlantis/server	2.899s
    PASS
    panic: Log in goroutine after TestAPIController_Plan has completed: 2025-10-15T20:28:02.707-0400	DEBUG	gauge	{"name": "tally_internal_counter_cardinality", "value": 0, "tags": {"host":"global","instance":"global","version":"4.1.17"}, "type": "gauge"}
    	
    
    goroutine 22 [running]:
    testing.(*common).log(0xc00009ac40, {0xc0000ec840, 0xb6})
    	/Users/lmassa/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.25.1.darwin-arm64/src/testing/testing.go:1030 +0x178
    testing.(*common).Logf(0xc00009ac40, {0x10515c2c8, 0x2}, {0xc0004aa410, 0x1, 0x1})
    	/Users/lmassa/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.25.1.darwin-arm64/src/testing/testing.go:1191 +0x80
    go.uber.org/zap/zaptest.TestingWriter.Write({{0x10547b050?, 0xc00009ac40?}, 0x0?}, {0xc0001b5400, 0xb7, 0x400})
    	/Users/lmassa/go/pkg/mod/go.uber.org/zap@v1.27.0/zaptest/logger.go:146 +0xf0
    go.uber.org/zap/zapcore.(*ioCore).Write(0xc0001a3c80, {0xff, {0xc2342ce4aa2a28b0, 0x3ce12682, 0x105a22fc0}, {0x0, 0x0}, {0x10516232e, 0x5}, {0x0, ...}, ...}, ...)
    	/Users/lmassa/go/pkg/mod/go.uber.org/zap@v1.27.0/zapcore/core.go:99 +0x114
    go.uber.org/zap/zapcore.(*CheckedEntry).Write(0xc0003c6b60, {0x0, 0x0, 0x0})
    	/Users/lmassa/go/pkg/mod/go.uber.org/zap@v1.27.0/zapcore/entry.go:253 +0x154
    go.uber.org/zap.(*SugaredLogger).log(0xc00006ec00, 0xff, {0x10516232e, 0x5}, {0x0, 0x0, 0x0}, {0x0, 0x0, 0x0})
    	/Users/lmassa/go/pkg/mod/go.uber.org/zap@v1.27.0/sugar.go:355 +0x108
    go.uber.org/zap.(*SugaredLogger).Debugf(...)
    	/Users/lmassa/go/pkg/mod/go.uber.org/zap@v1.27.0/sugar.go:198
    github.com/runatlantis/atlantis/server/logging.(*StructuredLogger).Debug(0xc0004dd640, {0x10516232e, 0x5}, {0x0, 0x0, 0x0})
    	/Users/lmassa/atlantis/server/logging/simple_logger.go:134 +0x74
    github.com/runatlantis/atlantis/server/metrics.(*debugReporter).ReportGauge(0xc00012a420, {0xc000035350, 0x22}, 0xc0000f8d20, 0x0)
    	/Users/lmassa/atlantis/server/metrics/debug.go:47 +0x2b8
    github.com/uber-go/tally/v4.(*scopeRegistry).reportInternalMetrics(0xc00053a180)
    	/Users/lmassa/go/pkg/mod/github.com/uber-go/tally/v4@v4.1.17/scope_registry.go:339 +0x1ec
    github.com/uber-go/tally/v4.(*scopeRegistry).Report(0xc00053a180, {0x10547c680, 0xc00012a420})
    	/Users/lmassa/go/pkg/mod/github.com/uber-go/tally/v4@v4.1.17/scope_registry.go:115 +0x74
    github.com/uber-go/tally/v4.(*scope).reportRegistry(0xc000174900)
    	/Users/lmassa/go/pkg/mod/github.com/uber-go/tally/v4@v4.1.17/scope.go:275 +0x70
    github.com/uber-go/tally/v4.(*scope).reportLoopRun(0xc000174900)
    	/Users/lmassa/go/pkg/mod/github.com/uber-go/tally/v4@v4.1.17/scope.go:270 +0x5c
    github.com/uber-go/tally/v4.(*scope).reportLoop(0xc000174900, 0x3b9aca00)
    	/Users/lmassa/go/pkg/mod/github.com/uber-go/tally/v4@v4.1.17/scope.go:258 +0x90
    github.com/uber-go/tally/v4.newRootScope.func1()
    	/Users/lmassa/go/pkg/mod/github.com/uber-go/tally/v4@v4.1.17/scope.go:198 +0x7c
    created by github.com/uber-go/tally/v4.newRootScope in goroutine 21
    	/Users/lmassa/go/pkg/mod/github.com/uber-go/tally/v4@v4.1.17/scope.go:196 +0xa48
    FAIL	github.com/runatlantis/atlantis/server/controllers	1.470s

    I dug into it and the issue wasn't with the race detector itself, it's because the race detector reordered some code exposing a bug where we in many places create a new scope but then discard its `closer`. Metrics are emitted during the tests, so if we don't close it, with the reordering, the metrics try to write to t.Log() in test that has already ended. This code consolidates the places where we create a new metrics scope, and properly calls a Cleanup() handler to close the scope when the test is done. I did most of the conversions

    #!/bin/bash
    
    for file in $(git grep -l '_, _.*metrics.NewLogging')
    do
        echo $file
        cat $file | perl -pe 's/(.*), _, _ := metrics\.NewLoggingScope\((.*), (.*)/\1 := metricstest.NewLoggingScope(t, \2, \3/g' | sponge $file
        ~/go/bin/goimports -w $file
    done

    ## tests
    Running CI

    ## references
    N/A

    runatlantis/atlantis
  • g

    GitHub

    10/16/2025, 1:16 AM
    #5890 chore: Update CONTRIBUTING doc to reorder, include section on PRs Pull request opened by lukemassa

    ## what
    Update CONTRIBUTING doc to move some of the sections around, and add a section on how to create a pull request.

    ## why
    Came up during today's Community Meeting, turns out we didn't have a dedicated instruction for how to contribute, or a link to the slack where folks can get help. I also moved "Updating the Website" into the "development" section, as it didn't quite feel like a "top level" task to me.

    ## tests
    N/A

    ## references
    N/A

    runatlantis/atlantis
  • g

    GitHub

    10/17/2025, 1:30 AM
    #5893 chore(deps): update github/codeql-action action to v3.30.8 in .github/workflows/scorecard.yml (main) Pull request opened by renovate[bot] This PR contains the following updates:

    | Package | Type | Update | Change | OpenSSF |
    | ------- | ---- | ------ | ------ | ------- |
    | [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | patch | v3.30.7 -> v3.30.8 | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/github/codeql-action) |

    ---

    ### Release Notes
    github/codeql-action (github/codeql-action)

    ### `v3.30.8`
    Compare Source

    ##### CodeQL Action Changelog
    See the releases page for the relevant changes to the CodeQL CLI and language packs.

    ##### 3.30.8 - 10 Oct 2025
    No user facing changes. See the full CHANGELOG.md for more information.

    ---

    ### Configuration
    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.

    ---

    • If you want to rebase/retry this PR, check this box

    ---

    This PR was generated by Mend Renovate. View the repository job log.

    runatlantis/atlantis
  • g

    GitHub

    10/18/2025, 3:41 AM
    #5896 chore(deps): update github/codeql-action digest to 4221315 in .github/workflows/codeql.yml (main) Pull request opened by renovate[bot] This PR contains the following updates:

    | Package | Type | Update | Change | OpenSSF |
    | ------- | ---- | ------ | ------ | ------- |
    | [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | digest | 755f449 -> 4221315 | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/github/codeql-action) |

    ---

    ### Configuration
    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.

    ---

    • If you want to rebase/retry this PR, check this box

    ---

    This PR was generated by Mend Renovate. View the repository job log.

    runatlantis/atlantis
  • g

    GitHub

    10/19/2025, 3:05 AM
    #5897 chore(deps): update actions/dependency-review-action action to v4.8.1 in .github/workflows/dependency-review.yml (main) Pull request opened by renovate[bot] This PR contains the following updates:

    | Package | Type | Update | Change | OpenSSF |
    | ------- | ---- | ------ | ------ | ------- |
    | [actions/dependency-review-action](https://redirect.github.com/actions/dependency-review-action) | action | minor | v4.7.3 -> v4.8.1 | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/actions/dependency-review-action) |

    ---

    ### Release Notes
    actions/dependency-review-action (actions/dependency-review-action)

    ### `v4.8.1`: Dependency Review Action v4.8.1
    Compare Source

    #### What's Changed
    • (bug) Fix spamming link test in deprecation warning (again) by @ahpook in #1000
    • Bump version for 4.8.1 release by @ahpook in #1001

    Full Changelog: actions/dependency-review-action@v4...v4.8.1

    ### `v4.8.0`
    Compare Source

    #### What's Changed
    • Make Ruby Code Scannable by @ljones140 in #978
    • Batch some contributions for release by @brrygrdn in #986
    • Make license lists collapsable by @jasperkamerling
    • feat: add large summary handling with artifact upload by @MattMencel

    #### New Contributors
    • @ljones140 made their first contribution in #978
    • @jasperkamerling made their first contribution in #986
    • @MattMencel made their first contribution in #986

    Full Changelog: actions/dependency-review-action@v4...v4.8.0

    ### `v4.7.4`
    Compare Source

    ---

    ### Configuration
    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.

    ---

    • If you want to rebase/retry this PR, check this box

    ---

    This PR was generated by Mend Renovate. View the repository job log.

    runatlantis/atlantis
  • g

    GitHub

    10/20/2025, 1:55 AM
    #5898 chore(deps): update dependency vite to v6.4.0 in package.json (main) - autoclosed Pull request opened by renovate[bot] This PR contains the following updates:

    | Package | Type | Update | Change | Pending | OpenSSF |
    | ------- | ---- | ------ | ------ | ------- | ------- |
    | [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | devDependencies | minor | [6.3.6 -> 6.4.0](https://renovatebot.com/diffs/npm/vite/6.3.6/6.4.0) | 6.4.1 | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/vitejs/vite) |

    ---

    ### Release Notes
    vitejs/vite (vite)

    ### `v6.4.0`
    Compare Source

    Please refer to CHANGELOG.md for details.

    ### `v6.3.7`
    Compare Source

    Please refer to CHANGELOG.md for details.

    ---

    ### Configuration
    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.

    ---

    • If you want to rebase/retry this PR, check this box

    ---

    This PR was generated by Mend Renovate. View the repository job log.

    runatlantis/atlantis
  • g

    GitHub

    10/21/2025, 12:48 AM
    #5900 chore(deps): update ngrok/ngrok:latest docker digest to 50234a7 in docker-compose.yml (main) Pull request opened by renovate[bot] This PR contains the following updates:

    | Package | Update | Change |
    | ----------- | ------ | ------------------ |
    | ngrok/ngrok | digest | 0dd920e -> 50234a7 |

    ---

    ### Configuration
    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.

    ---

    • If you want to rebase/retry this PR, check this box

    ---

    This PR was generated by Mend Renovate. View the repository job log.

    runatlantis/atlantis
  • g

    GitHub

    10/21/2025, 3:29 AM
    #5901 build(deps): bump vite Pull request opened by dependabot[bot] Bumps vite to 6.4.1 and updates ancestor dependency . These dependencies need to be updated together.

    Updates `vite` from 6.3.6 to 6.4.1

    Release notes
    Sourced from vite's releases.
    ## create-vite@6.4.1
    Please refer to CHANGELOG.md for details.
    ## v6.4.1
    Please refer to CHANGELOG.md for details.
    ## create-vite@6.4.0
    Please refer to CHANGELOG.md for details.
    ## v6.4.0
    Please refer to CHANGELOG.md for details.
    ## v6.3.7
    Please refer to CHANGELOG.md for details.
    Commits
    • `5003434` fix(preview): use host url to open browser (#19836)
    • `bf9728e` release: v6.3.0-beta.2
    • `380c10e` fix(hmr): run HMR handler sequentially (#19793)
    • `8bed1de` fix: addWatchFile doesn't work if base is specified (fixes #19792) (#19794)
    • `0a0c50a` refactor: simplify pluginFilter implementation (#19828)
    • `59d0b35` perf(css): avoid constructing `renderedModules` (#19775)
    • `175a839` fix: reject requests with `#` in request-target (#19830)
    • `e2e11b1` fix(module-runner): allow already resolved id as entry (#19768)
    • `7200dee` fix: correct the behavior when multiple transform filter options are specifie...
    • `b125172` fix(css): remove empty chunk imports correctly when chunk file name contained...
    • Additional commits viewable in compare view

    Updates `vite` from 5.4.20 to 5.4.21

    Release notes
    Sourced from vite's releases.
    ## create-vite@6.4.1
    Please refer to CHANGELOG.md for details.
    ## v6.4.1
    Please refer to CHANGELOG.md for details.
    ## create-vite@6.4.0
    Please refer to CHANGELOG.md for details.
    ## v6.4.0
    Please refer to CHANGELOG.md for details.
    ## v6.3.7
    Please refer to CHANGELOG.md for details.
    Commits
    • `5003434` fix(preview): use host url to open browser (#19836)
    • `bf9728e` release: v6.3.0-beta.2
    • `380c10e` fix(hmr): run HMR handler sequentially (#19793)
    • `8bed1de` fix: addWatchFile doesn't work if base is specified (fixes #19792) (#19794)
    • `0a0c50a` refactor: simplify pluginFilter implementation (#19828)
    • `59d0b35` perf(css): avoid constructing `renderedModules` (#19775)
    • `175a839` fix: reject requests with `#` in request-target (#19830)
    • `e2e11b1` fix(module-runner): allow already resolved id as entry (#19768)
    • `7200dee` fix: correct the behavior when multiple transform filter options are specifie...
    • `b125172` fix(css): remove empty chunk imports correctly when chunk file name contained...
    • Additional commits viewable in compare view

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

    ---

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:
    • `@dependabot rebase` will rebase this PR
    • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
    • `@dependabot merge` will merge this PR after your CI passes on it
    • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
    • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
    • `@dependabot reopen` will reopen this PR if it is closed
    • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
    • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

    You can disable automated security fix PRs for this repo from the <https://github.com/…

    runatlantis/atlantis
  • g

    GitHub

    10/21/2025, 3:31 AM
    #5902 chore(deps): update dependency vite to v6.4.1 [security] (main)
    Pull request opened by renovate[bot]
    This PR contains the following updates:
    | Package | Type | Update | Change | OpenSSF |
    | --- | --- | --- | --- | --- |
    | [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | devDependencies | minor | [6.3.6 -> 6.4.1](https://renovatebot.com/diffs/npm/vite/6.3.6/6.4.1) | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/vitejs/vite) |
    ### GitHub Vulnerability Alerts
    #### CVE-2025-62522
    ### Summary
    Files denied by `server.fs.deny` were sent if the URL ended with `\` when the dev server is running on Windows.
    ### Impact
    Only apps that match the following conditions are affected:
    • explicitly exposes the Vite dev server to the network (using --host or `server.host` config option)
    • running the dev server on Windows
    ### Details
    `server.fs.deny` can contain patterns matching against files (by default it includes `.env`, `.env.*`, `*.{crt,pem}` as such patterns). These patterns could be bypassed by using a backslash (`\`). The root cause is that `fs.readFile('/foo.png/')` loads `/foo.png`.
    ### PoC
    npm create vite@latest
    cd vite-project/
    cat "secret" > .env
    npm install
    npm run dev
    curl --request-target /.env\ http://localhost:5173
    ---
    ### vite allows server.fs.deny bypass via backslash on Windows
    CVE-2025-62522 / GHSA-93m4-6634-74q7
    #### Details
    ##### Summary
    Files denied by `server.fs.deny` were sent if the URL ended with `\` when the dev server is running on Windows.
    ##### Impact
    Only apps that match the following conditions are affected:
    • explicitly exposes the Vite dev server to the network (using --host or `server.host` config option)
    • running the dev server on Windows
    ##### Details
    `server.fs.deny` can contain patterns matching against files (by default it includes `.env`, `.env.*`, `*.{crt,pem}` as such patterns). These patterns could be bypassed by using a backslash (`\`). The root cause is that `fs.readFile('/foo.png/')` loads `/foo.png`.
    ##### PoC
    npm create vite@latest
    cd vite-project/
    cat "secret" > .env
    npm install
    npm run dev
    curl --request-target /.env\ http://localhost:5173
    #### Severity
    • CVSS Score: 6.0 / 10 (Medium)
    • Vector String: `CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N`
    #### References
    • https://github.com/vitejs/vite/security/advisories/GHSA-93m4-6634-74q7
    • https://github.com/vitejs/vite/commit/f479cc57c425ed41ceb434fecebd63931b1ed4ed
    • https://github.com/vitejs/vite
    This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
    ---
    ### Release Notes
    vitejs/vite (vite)
    ### `v6.4.1`
    <https://redirect.github.com/vitejs/vite/compare/v6.4.0...v6.4.1|Compare… runatlantis/atlantis
    • 1
    • 1
  • g

    GitHub

    10/21/2025, 8:59 PM
    #5903 chore(deps): update dependency vite to v6.4.1 [security] (release-0.36)
    Pull request opened by renovate[bot]
    This PR contains the following updates:
    | Package | Type | Update | Change | OpenSSF |
    | --- | --- | --- | --- | --- |
    | [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | devDependencies | minor | [6.3.6 -> 6.4.1](https://renovatebot.com/diffs/npm/vite/6.3.6/6.4.1) | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/vitejs/vite) |
    ### GitHub Vulnerability Alerts
    #### CVE-2025-62522
    ### Summary
    Files denied by `server.fs.deny` were sent if the URL ended with `\` when the dev server is running on Windows.
    ### Impact
    Only apps that match the following conditions are affected:
    • explicitly exposes the Vite dev server to the network (using --host or `server.host` config option)
    • running the dev server on Windows
    ### Details
    `server.fs.deny` can contain patterns matching against files (by default it includes `.env`, `.env.*`, `*.{crt,pem}` as such patterns). These patterns could be bypassed by using a backslash (`\`). The root cause is that `fs.readFile('/foo.png/')` loads `/foo.png`.
    ### PoC
    npm create vite@latest
    cd vite-project/
    cat "secret" > .env
    npm install
    npm run dev
    curl --request-target /.env\ http://localhost:5173
    ---
    ### vite allows server.fs.deny bypass via backslash on Windows
    CVE-2025-62522 / GHSA-93m4-6634-74q7
    #### Details
    ##### Summary
    Files denied by `server.fs.deny` were sent if the URL ended with `\` when the dev server is running on Windows.
    ##### Impact
    Only apps that match the following conditions are affected:
    • explicitly exposes the Vite dev server to the network (using --host or `server.host` config option)
    • running the dev server on Windows
    ##### Details
    `server.fs.deny` can contain patterns matching against files (by default it includes `.env`, `.env.*`, `*.{crt,pem}` as such patterns). These patterns could be bypassed by using a backslash (`\`). The root cause is that `fs.readFile('/foo.png/')` loads `/foo.png`.
    ##### PoC
    npm create vite@latest
    cd vite-project/
    cat "secret" > .env
    npm install
    npm run dev
    curl --request-target /.env\ http://localhost:5173
    #### Severity
    • CVSS Score: 6.0 / 10 (Medium)
    • Vector String: `CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N`
    #### References
    • https://github.com/vitejs/vite/security/advisories/GHSA-93m4-6634-74q7
    • https://github.com/vitejs/vite/commit/f479cc57c425ed41ceb434fecebd63931b1ed4ed
    • https://github.com/vitejs/vite
    This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
    ---
    ### Release Notes
    vitejs/vite (vite)
    ### `v6.4.1`
    <https://redirect.github.com/vitejs/vite/compare/v6.4.0...v6.4.1|Compare… runatlantis/atlantis
    • 1
    • 1
  • g

    GitHub

    10/22/2025, 3:29 AM
    #5895 feat: Do not delete working dir if git falls behind
    Pull request opened by lukemassa
    ## what
    If you go to run Clone() and you find the repo already exists but is not on the right ref, use git to get it to the right ref instead of doing a full re-clone.
    ## why
    Right now, when WorkingDir.Clone() is called, if the dir exists, it first checks to see if the ref the repo is on matches the one already determined by the relevant VCS's API as Head. If it's not, we do a forceClone, which deletes the directory and clones from scratch. However, we know what ref we're trying to get to, so we should be able to use `git fetch && git reset --hard` to simply move there. This should be a dramatic speedup, since we already likely have most of the git objects we need on disk. Additionally this is happening while holding a clone lock, so this should reduce contention.
    ## tests
    I ran it locally and confirmed that I added a commit to a branch and it didn't blow away the directory. I also added a unit test.
    ## references
    Is similar to #2921, but is not quite so ambitious.
    runatlantis/atlantis
    • 1
    • 2
  • g

    GitHub

    10/22/2025, 3:40 AM
    #5904 chore(deps): update debian:12.12-slim docker digest to 78d2f66 in dockerfile (main)
    Pull request opened by renovate[bot]
    This PR contains the following updates:
    | Package | Type | Update | Change |
    | --- | --- | --- | --- |
    | debian | stage | digest | 7e49091 -> 78d2f66 |
    ---
    ### Configuration
    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.
    ---
    • If you want to rebase/retry this PR, check this box
    ---
    This PR was generated by Mend Renovate. View the repository job log.
    runatlantis/atlantis
    • 1
    • 1
  • g

    GitHub

    10/22/2025, 3:48 AM
    #5892 fix: Force renovate to keep alpine in docker version
    Pull request opened by lukemassa
    ## what
    Keep -alpine variant of docker version for go in the Dockerfile.
    ## why
    Renovate keeps failing because it's trying to remove the `-alpine` bit from the selection of the dockerfile. #5886
    ## tests
    Hard to test, I couldn't get renovate to work locally
    ## references
    N/A
    runatlantis/atlantis
    • 1
    • 2
  • g

    GitHub

    10/22/2025, 8:58 PM
    #3900 fix: Use HeadRepo instead of BaseRepo in --skip-clone-no-changes flow (#3891)
    Pull request opened by Ulminator
    ## what
    This PR modifies the function signature of `VCSClient.GetFileContent` and enforces that when attempting to check the `repoCfgFile` of the `HeadBranch`, the `HeadRepo` is used instead of the `BaseRepo`.
    ## why
    If one is using a forked repo, the `HeadBranch` will not exist on the `BaseRepo` (or if it does, it's not the branch you actually want). While working in a monorepo that others would fork, the disk space on the VM that Atlantis runs on quickly filled up as every PR made would be cloned. This should not happen when the `--skip-clone-no-changes` flag is used, but the logic for that currently ignores fork PRs.
    ## tests
    • I have tested my changes by ... I have deployed my branch and validated that PRs from forked repos are not cloned if the files changed in them are outside project directories. `make test` passed as well. Our workflow only uses the GitHub client so the implementation of the GitLab client has not been tested.
    ## references
    • closes #3891
    runatlantis/atlantis
    • 1
    • 1
  • g

    GitHub

    10/22/2025, 9:06 PM
    #5905 build(deps): bump vite from 5.4.20 to 5.4.21 Pull request opened by dependabot[bot] Bumps vite from 5.4.20 to 5.4.21. Release notes Sourced from vite's releases.
    ## v5.4.21
    Please refer to CHANGELOG.md for details.
    Changelog Sourced from vite's changelog.
    ## 5.4.21 (2025-10-20)
    • fix(dev): trim trailing slash before `server.fs.deny` check (#20968) (#20970) (cad1d31), closes #20968 #20970
    • chore: update CHANGELOG (ca88ed7)
    Commits
    • `adce3c2` release: v5.4.21
    • `cad1d31` fix(dev): trim trailing slash before `server.fs.deny` check (#20968) (#20970)
    • `ca88ed7` chore: update CHANGELOG
    • See full diff in compare view
    runatlantis/atlantis
  • g

    GitHub

    10/23/2025, 12:07 AM
    #5906 chore(deps): update dependency git-lfs/git-lfs to v3.7.1 in dockerfile (main)
    Pull request opened by renovate[bot]
    This PR contains the following updates:
    | Package | Update | Change | OpenSSF |
    | --- | --- | --- | --- |
    | [git-lfs/git-lfs](https://redirect.github.com/git-lfs/git-lfs) | patch | 3.7.0 -> 3.7.1 | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/git-lfs/git-lfs) |
    ---
    ### Release Notes
    git-lfs/git-lfs (git-lfs/git-lfs)
    ### `v3.7.1`
    Compare Source
    This release introduces security fixes for Linux, macOS, and Windows systems, which have been collectively assigned CVE-2025-26625. When populating a Git repository's working tree with the contents of Git LFS objects, certain Git LFS commands may write to files visible outside the current Git working tree if symbolic or hard links exist which collide with the paths of files tracked by Git LFS. Git LFS has resolved this problem by revising the `git lfs checkout` and `git lfs pull` commands so that they check for symbolic links in the same manner as performed by Git before writing to files in the working tree. These commands now also remove existing files in the working tree before writing new files in their place. As well, Git LFS has resolved a problem whereby the `git lfs checkout` and `git lfs pull`
    commands, when run in a bare repository, could write to files visible outside the repository. While a specific and relatively unlikely set of conditions were required for this to occur, it is no longer possible under any circumstances.
    We would like to extend a special thanks to the following open-source contributors:
    • Apple Product Security for reporting this to us responsibly
    ##### Bugs
    • Detect symbolic links on checkout and pull (@chrisd8088)
    ##### Misc
    • Upgrade to Go 1.25 (@chrisd8088)
    #### Packages
    Up to date packages are available on PackageCloud and Homebrew.
    RPM RHEL 8/Rocky Linux 8 RPM RHEL 9/Rocky Linux 9 RPM RHEL 10/Rocky Linux 10 Debian 11 Debian 12
    #### SHA-256 hashes:
    ---
    ### Configuration
    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.
    ---
    • If you want to rebase/retry this PR, check this box
    ---
    This PR was generated by Mend Renovate. View the repository job log.
    runatlantis/atlantis
    • 1
    • 1
  • g

    GitHub

    10/23/2025, 3:07 AM
    #5907 fix: Force renovate to keep alpine in docker version (attempt 2) Pull request opened by lukemassa ## what Second attempt at making renovate use the alpine version of the docker container for golang on upgrades. ## why First attempt (#5892) didn't work, trying again. ## tests This time I got some testing to work. I ran renovate locally and pulled out the relevant output. On main:
    {
      "datasource": "docker",
      "depName": "golang",
      "displayPending": "`1.25.3`",
      "fixedVersion": "1.25.1-alpine",
      "currentVersion": "1.25.1-alpine",
      "currentValue": "1.25.1-alpine",
      "currentDigest": "sha256:b6ed3fd0452c0e9bcdef5597f29cc1418f61672e9d3a2f55bf02e7222c014abd",
      "newValue": "1.25.2",
      "newVersion": "1.25.2",
      "newDigest": "sha256:1c91b4f4391774a73d6489576878ad3ff3161ebc8c78466ec26e83474855bfcf",
      "packageFile": "Dockerfile",
      "updateType": "patch",
      "packageName": "golang"
    }
    On the new branch
    {
      "datasource": "docker",
      "depName": "golang",
      "displayPending": "",
      "fixedVersion": "1.25.1-alpine",
      "currentVersion": "1.25.1",
      "currentValue": "1.25.1-alpine",
      "currentDigest": "sha256:b6ed3fd0452c0e9bcdef5597f29cc1418f61672e9d3a2f55bf02e7222c014abd",
      "newValue": "1.25.3-alpine",
      "newVersion": "1.25.3",
      "newDigest": "sha256:aee43c3ccbf24fdffb7295693b6e33b21e01baec1b2a55acc351fde345e9ec34",
      "packageFile": "Dockerfile",
      "updateType": "patch",
      "packageName": "golang"
    }
    The last attempt #5886 attempted to put in this line
    ARG GOLANG_TAG=1.25.2@sha256:1c91b4f4391774a73d6489576878ad3ff3161ebc8c78466ec26e83474855bfcf
    I pulled the image locally and confirmed that was the hash. Both version name and hash match the renovate output on `main` above. The new branch would imply a docker image `golang:1.25.3-alpine` with hash `aee43c3ccbf24fdffb7295693b6e33b21e01baec1b2a55acc351fde345e9ec34`, which I confirmed:
    atlantis % docker pull golang:1.25.3-alpine
    1.25.3-alpine: Pulling from library/golang
    6b59a28fa201: Pull complete 
    d32bb0dddca7: Pull complete 
    5dab1238d3d9: Pull complete 
    196fd7d83e7d: Pull complete 
    4f4fb700ef54: Pull complete 
    Digest: sha256:aee43c3ccbf24fdffb7295693b6e33b21e01baec1b2a55acc351fde345e9ec34
    ## references #5892 runatlantis/atlantis
    • 1
    • 1
  • g

    GitHub

    10/23/2025, 3:16 AM
    #5908 chore(deps): update dependency hashicorp/terraform to v1.13.4 in testdrive/utils.go (main)
    Pull request opened by renovate[bot]
    This PR contains the following updates:
    | Package | Update | Change | OpenSSF |
    | --- | --- | --- | --- |
    | [hashicorp/terraform](https://redirect.github.com/hashicorp/terraform) | patch | 1.13.3 -> 1.13.4 | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/hashicorp/terraform) |
    ---
    ### Release Notes
    hashicorp/terraform (hashicorp/terraform)
    ### `v1.13.4`
    Compare Source
    #### 1.13.4 (October 15, 2025)
    BUG FIXES:
    • Fix crash when showing a cloud plan without having a cloud backend (#37751)
    ---
    ### Configuration
    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.
    ---
    • If you want to rebase/retry this PR, check this box
    ---
    This PR was generated by Mend Renovate. View the repository job log.
    runatlantis/atlantis
    • 1
    • 1
  • g

    GitHub

    10/23/2025, 7:33 AM
    #5909 test(atlantis): fake change to trigger plan Pull request opened by Luthernmr ## what ## why ## tests ## references runatlantis/atlantis
    • 1
    • 1
  • g

    GitHub

    10/24/2025, 1:07 AM
    #5910 chore(deps): update github/codeql-action action to v3.30.9 in .github/workflows/scorecard.yml (main)
    Pull request opened by renovate[bot]
    This PR contains the following updates:
    | Package | Type | Update | Change | OpenSSF |
    | --- | --- | --- | --- | --- |
    | [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | patch | v3.30.8 -> v3.30.9 | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/github/codeql-action) |
    ---
    ### Release Notes
    github/codeql-action (github/codeql-action)
    ### `v3.30.9`
    Compare Source
    ##### CodeQL Action Changelog
    See the releases page for the relevant changes to the CodeQL CLI and language packs.
    ##### 3.30.9 - 17 Oct 2025
    • Update default CodeQL bundle version to 2.23.3. #3205
    • Experimental: A new `setup-codeql` action has been added which is similar to `init`, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. #3204
    See the full CHANGELOG.md for more information.
    ---
    ### Configuration
    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.
    ---
    • If you want to rebase/retry this PR, check this box
    ---
    This PR was generated by Mend Renovate. View the repository job log.
    runatlantis/atlantis
    • 1
    • 1
  • g

    GitHub

    10/25/2025, 1:42 AM
    #5911 chore(deps): update github/codeql-action digest to d198d2f in .github/workflows/codeql.yml (main)
    Pull request opened by renovate[bot]
    This PR contains the following updates:
    | Package | Type | Update | Change | OpenSSF |
    | --- | --- | --- | --- | --- |
    | [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | digest | 4221315 -> d198d2f | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/github/codeql-action) |
    ---
    ### Configuration
    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.
    ---
    • If you want to rebase/retry this PR, check this box
    ---
    This PR was generated by Mend Renovate. View the repository job log.
    runatlantis/atlantis
    • 1
    • 1
  • g

    GitHub

    10/26/2025, 1:34 AM
    #5912 chore(deps): update go in go.mod (main)
    Pull request opened by renovate[bot]
    This PR contains the following updates:
    | Package | Type | Update | Change | Pending | OpenSSF |
    | --- | --- | --- | --- | --- | --- |
    | [go](https://go.dev/) ([source](https://redirect.github.com/golang/go)) | golang | patch | 1.25.1 -> 1.25.3 | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/golang/go) | |
    | golang | final | patch | 1.25.1 -> 1.25.2 | 1.25.3 | |
    | golang | stage | patch | 1.25.1-alpine -> 1.25.3-alpine | | |
    ---
    ### Release Notes
    golang/go (go)
    ### `v1.25.3`
    ### `v1.25.2`
    ---
    ### Configuration
    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
    ---
    • If you want to rebase/retry this PR, check this box
    ---
    This PR was generated by Mend Renovate. View the repository job log.
    runatlantis/atlantis
    • 1
    • 1