#5912 chore(deps): update go in go.mod (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | Pending | OpenSSF | | ----------------------------------------------------------------------- | ------ | ------ | ------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | | [go](https://go.dev/) ([source](https://redirect.github.com/golang/go)) | golang | patch | 1.25.1 -> 1.25.3 | [[OpenSSF Scorecard](https://camo.githubusercontent.com/c969aea50aa6c73e27384d8508b5fc8f9d31bd400c588089a1c7a7cdbb51ec23/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f676f6c616e672f676f2f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/golang/go) | | | golang | final | patch | 1.25.1 -> 1.25.2 | 1.25.3 | | | golang | stage | patch | 1.25.1-alpine -> 1.25.3-alpine | | | --- ### Release Notes golang/go (go) ### `v1.25.3` ### `v1.25.2` --- ### Configuration 📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis

#5913 chore(deps): update dependency @playwright/test to v1.56.1 in package.json (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | | ------------------------------------------------------------------------------------------------------- | --------------- | ------ | -------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [@playwright/test](https://playwright.dev) ([source](https://redirect.github.com/microsoft/playwright)) | devDependencies | minor | [1.55.1 -> 1.56.1](https://renovatebot.com/diffs/npm/@playwright%2ftest/1.55.1/1.56.1) | [[OpenSSF Scorecard](https://camo.githubusercontent.com/b704a4066dce71232654bf39c03e5a6655e421664877e1dfa13e2a2b9183006b/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f6d6963726f736f66742f706c61797772696768742f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/microsoft/playwright) | --- ### Release Notes microsoft/playwright (@​playwright/test) ### `v1.56.1` Compare Source #### Highlights #​37871 chore: allow local-network-access permission in chromium #​37891 fix(agents): remove workspaceFolder ref from vscode mcp #​37759 chore: rename agents to test agents #​37757 chore(mcp): fallback to cwd when resolving test config #### Browser Versions • Chromium 141.0.7390.37 • Mozilla Firefox 142.0.1 • WebKit 26.0 ### `v1.56.0` Compare Source #### Playwright Agents Introducing Playwright Agents, three custom agent definitions designed to guide LLMs through the core process of building a Playwright test: • 🎭 planner explores the app and produces a Markdown test plan • 🎭 generator transforms the Markdown plan into the Playwright Test files • 🎭 healer executes the test suite and automatically repairs failing tests Run

npx playwright init-agents

with your client of choice to generate the latest agent definitions: ### Generate agent files for each agentic loop ### Visual Studio Code npx playwright init-agents --loop=vscode ### Claude Code npx playwright init-agents --loop=claude ### opencode npx playwright init-agents --loop=opencode

[!NOTE]

VS Code v1.105 (currently on the VS Code Insiders channel) is needed for the agentic experience in VS Code. It will become stable shortly, we are a bit ahead of times with this functionality!

Learn more about Playwright Agents #### New APIs • New methods page.consoleMessages() and page.pageErrors() for retrieving the most recent console messages from the page • New method page.requests() for retrieving the most recent network requests from the page • Added `--test-list` and `--test-list-invert` to allow manual specification of specific tests from a file #### UI Mode and HTML Reporter • Added option to

'html'

reporter to disable the "Copy prompt" button • Added option to

'html'

reporter and UI Mode to merge files, collapsing test and describe blocks into a single unified list • Added option to UI Mode mirroring the

--update-snapshots

options • Added option to UI Mode to run only a single worker at a time #### Breaking Changes • Event browserContext.on('backgroundpage') has been deprecated and will not be emitted. Method browserContext.backgroundPages() will return an empty list #### Miscellaneous • Aria snapshots render and compare

input

placeholder

• Added environment variable

PLAYWRIGHT_TEST

to Playwright worker processes to allow discriminating on testing status #### Browser Versions • Chromium 141.0.7390.37 • Mozilla Firefox 142.0.1 • WebKit 26.0 --- ### Configuration 📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis

#5914 chore(deps): update dependency open-policy-agent/conftest to v0.63.0 in dockerfile (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Update | Change | OpenSSF | | ------------------------------------------------------------------------------------ | ------ | ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [open-policy-agent/conftest](https://redirect.github.com/open-policy-agent/conftest) | minor | 0.62.0 -> 0.63.0 | [[OpenSSF Scorecard](https://camo.githubusercontent.com/02a4aef64d2c5192de53266ba3c27ad831608eb54e62f90ce37392cbb2a73789/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f6f70656e2d706f6c6963792d6167656e742f636f6e66746573742f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/open-policy-agent/conftest) | --- ### Release Notes open-policy-agent/conftest (open-policy-agent/conftest) ### `v0.63.0` Compare Source #### Changelog ##### New Features • `30b9a8d`: feat: add reformat command for JSON output conversion (#​1153) (@​thevilledev) ##### Bug Fixes • `ffb6ce3`: fix: Add explicit line-number to GitHub output (#​1173) (@​tun0) ##### OPA Changes • `64bf641`: build(deps): bump github.com/open-policy-agent/opa from 1.6.0 to 1.7.1 (#​1156) (@​dependabot[bot]) • `981983b`: build(deps): bump github.com/open-policy-agent/opa from 1.7.1 to 1.8.0 (#​1165) (@​dependabot[bot]) • `c7aa1d4`: build(deps): bump github.com/open-policy-agent/opa from 1.8.0 to 1.9.0 (#​1175) (@​dependabot[bot]) ##### Other Changes • `0d903ce`: build(deps): bump actions/checkout from 4 to 5 (#​1158) (@​dependabot[bot]) • `364cf32`: build(deps): bump actions/setup-go from 5 to 6 (#​1171) (@​dependabot[bot]) • `d4aa81f`: build(deps): bump actions/setup-python from 5 to 6 (#​1172) (@​dependabot[bot]) • `a1ecf3f`: build(deps): bump alpine from 3.22.0 to 3.22.1 (#​1152) (@​dependabot[bot]) • `b87ca5f`: build(deps): bump cuelang.org/go from 0.13.2 to 0.14.1 (#​1159) (@​dependabot[bot]) • `1c5abaa`: build(deps): bump github.com/CycloneDX/cyclonedx-go from 0.9.2 to 0.9.3 (#​1177) (@​dependabot[bot]) • `2a509fe`: build(deps): bump github.com/hashicorp/go-getter from 1.7.8 to 1.7.9 (#​1162) (@​dependabot[bot]) • `a433ed0`: build(deps): bump github.com/hashicorp/go-getter from 1.7.9 to 1.8.0 (#​1169) (@​dependabot[bot]) • `d9dca30`: build(deps): bump github.com/hashicorp/go-getter from 1.8.0 to 1.8.1 (#​1174) (@​dependabot[bot]) • `b51f6d9`: build(deps): bump github.com/hashicorp/go-getter from 1.8.1 to 1.8.2 (#​1178) (@​dependabot[bot]) • `c664099`: build(deps): bump github.com/moby/buildkit from 0.23.2 to 0.24.0 (#​1166) (@​dependabot[bot]) • `5378cc3`: build(deps): bump github.com/moby/buildkit from 0.24.0 to 0.25.0 (#​1176) (@​dependabot[bot]) • `fb4c503`: build(deps): bump golang from 1.25.0-alpine to 1.25.1-alpine (#​1170) (<https://redi… runatlantis/atlantis

#5915 fix: Prevent any users from approving custom policy sets - fix tests Pull request opened by dimisjim ## what contains the changes of #5331 but in addition fixes the tests (as requested by the maintainers here: #5331 (comment), #5331 (comment)) so that the changes of the previous PR can be merged also a new test was added as requested here: #5331 (comment) runatlantis/atlantis

#5745 feat: Adjust Endpoint Base-Path Based on ATLANTIS_ATLANTIS_URL Pull request opened by adam-verigin ## what The Atlantis documentation for --atlantis-url says:

Supports a basepath if you're hosting Atlantis under a path.

However, setting a URL with a basepath only updates the URLs in the Atlantis UI; none of the Atlantis endpoints are updated to include the basepath. This PR updates the mux Router so that if the

--atlantis-url

includes a base path, all the endpoints will also be prefixed with the same base path. ## why My team is hoping to host multiple Atlantis instances behind a single AWS ALB, using path-based routing. ALBs don't let us modify the request path, so we need Atlantis to be able to serve from a base path. This PR allows us to do that. Right now, this will append this functionality to the

--atlantis-url

flag. I could understand if you would prefer a separate flag, like

--atlantis-base-path

, to make this functionality more explicit. If you would prefer that, please let me know and I can update the PR. ## tests • I've added some tests to verify that the base path is correctly extracted from the

--atlantis-url

flag I have deployed this with and without a basepath set to manually verify the behaviour. I would love to add more tests to verify that the endpoints are correctly registered with the base path, but I'm not sure of a good way to do that. If you have any guidance on how I could do that, please let me know. ## references The base path support was originally added in #213 runatlantis/atlantis

#5918 chore(deps): update dependency open-policy-agent/conftest to v0.63.0 in testing/dockerfile (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Update | Change | OpenSSF | | ------------------------------------------------------------------------------------ | ------ | ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [open-policy-agent/conftest](https://redirect.github.com/open-policy-agent/conftest) | minor | 0.62.0 -> 0.63.0 | [[OpenSSF Scorecard](https://camo.githubusercontent.com/02a4aef64d2c5192de53266ba3c27ad831608eb54e62f90ce37392cbb2a73789/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f6f70656e2d706f6c6963792d6167656e742f636f6e66746573742f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/open-policy-agent/conftest) | --- ### Release Notes open-policy-agent/conftest (open-policy-agent/conftest) ### `v0.63.0` Compare Source #### Changelog ##### New Features • `30b9a8d`: feat: add reformat command for JSON output conversion (#​1153) (@​thevilledev) ##### Bug Fixes • `ffb6ce3`: fix: Add explicit line-number to GitHub output (#​1173) (@​tun0) ##### OPA Changes • `64bf641`: build(deps): bump github.com/open-policy-agent/opa from 1.6.0 to 1.7.1 (#​1156) (@​dependabot[bot]) • `981983b`: build(deps): bump github.com/open-policy-agent/opa from 1.7.1 to 1.8.0 (#​1165) (@​dependabot[bot]) • `c7aa1d4`: build(deps): bump github.com/open-policy-agent/opa from 1.8.0 to 1.9.0 (#​1175) (@​dependabot[bot]) ##### Other Changes • `0d903ce`: build(deps): bump actions/checkout from 4 to 5 (#​1158) (@​dependabot[bot]) • `364cf32`: build(deps): bump actions/setup-go from 5 to 6 (#​1171) (@​dependabot[bot]) • `d4aa81f`: build(deps): bump actions/setup-python from 5 to 6 (#​1172) (@​dependabot[bot]) • `a1ecf3f`: build(deps): bump alpine from 3.22.0 to 3.22.1 (#​1152) (@​dependabot[bot]) • `b87ca5f`: build(deps): bump cuelang.org/go from 0.13.2 to 0.14.1 (#​1159) (@​dependabot[bot]) • `1c5abaa`: build(deps): bump github.com/CycloneDX/cyclonedx-go from 0.9.2 to 0.9.3 (#​1177) (@​dependabot[bot]) • `2a509fe`: build(deps): bump github.com/hashicorp/go-getter from 1.7.8 to 1.7.9 (#​1162) (@​dependabot[bot]) • `a433ed0`: build(deps): bump github.com/hashicorp/go-getter from 1.7.9 to 1.8.0 (#​1169) (@​dependabot[bot]) • `d9dca30`: build(deps): bump github.com/hashicorp/go-getter from 1.8.0 to 1.8.1 (#​1174) (@​dependabot[bot]) • `b51f6d9`: build(deps): bump github.com/hashicorp/go-getter from 1.8.1 to 1.8.2 (#​1178) (@​dependabot[bot]) • `c664099`: build(deps): bump github.com/moby/buildkit from 0.23.2 to 0.24.0 (#​1166) (@​dependabot[bot]) • `5378cc3`: build(deps): bump github.com/moby/buildkit from 0.24.0 to 0.25.0 (#​1176) (@​dependabot[bot]) • `fb4c503`: build(deps): bump golang from 1.25.0-alpine to 1.25.1-alpine (#​1170) (<https://redi… runatlantis/atlantis

#5919 fix: Add env vars for PR approval and mergeable status Pull request opened by filipenf ## what Adds 2 env vars ATLANTIS_PR_APPROVED and ATLANTIS_PR_MERGEABLE. This makes it easier for the shell command to decide if the command can proceed or not depending on the PR status ## why Makes it easier to enable custom workflows that depend on approval / mergeable status (see #5779) In scenarios where there's custom logic needed on top of the built-in

apply_requirements

, this gives extra context to the shell command being executed ## tests ## references #5779 runatlantis/atlantis

#5920 chore(deps): update github/codeql-action digest to 5d5cd55 in .github/workflows/codeql.yml (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | | ------------------------------------------------------------------------ | ------ | ------ | ------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | digest | d198d2f -> 5d5cd55 | [[OpenSSF Scorecard](https://camo.githubusercontent.com/022cb174dc4b9ace5867eeb6408ad79e645ea194cd77cf4d40ff05e6763dd313/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f6769746875622f636f6465716c2d616374696f6e2f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/github/codeql-action) | --- ### Configuration 📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis

#5922 chore(deps): update e1himself/goss-installation-action action to v1.3.0 in .github/workflows/atlantis-image.yml (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | | ---------------------------------------------------------------------------------------------------- | ------ | ------ | ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [e1himself/goss-installation-action](https://redirect.github.com/e1himself/goss-installation-action) | action | minor | v1.2.1 -> v1.3.0 | [[OpenSSF Scorecard](https://camo.githubusercontent.com/faddf6c6c9c38df69b502175af0a8632ee71db9975482bf2b66fc0cd21595736/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f653168696d73656c662f676f73732d696e7374616c6c6174696f6e2d616374696f6e2f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/e1himself/goss-installation-action) | --- ### Release Notes e1himself/goss-installation-action (e1himself/goss-installation-action) ### `v1.3.0` Compare Source #### What's Changed • Add support for Github Runner platforms and architectures other than linux-x64 by @​mlipscombe in #​27 #### New Contributors • @​mlipscombe made their first contribution in #​27 Full Changelog: e1himself/goss-installation-action@v1...v1.3.0 --- ### Configuration 📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis

#5926 feat: enabling pending apply status when any of the projects has changes to… Pull request opened by rjmsilveira ## What This MR restores the ability to set commit status to pending when there are planned Terraform changes that haven't been applied yet. This feature is now: ## GitLab-specific (controlled by the --gitlab-pending-apply-status flag) Opt-in (defaults to false to maintain backward compatibility) Provides better visibility into MR readiness by blocking merges until all applies are completed ## Why When enabled, this feature prevents GitLab merge requests from being merged prematurely by setting the commit status to pending when: • atlantis plan detects changes that need to be applied • Not all projects have been successfully applied The status transitions: • ✅ Success: All projects applied or show no changes • ⏳ Pending: Planned changes exist but haven't been applied yet • ❌ Failed: Apply errors occurred This addresses a common workflow requirement where teams want to ensure all infrastructure changes are actually applied before allowing the MR to merge, preventing situations where planned changes are approved but never executed. ## Why GitLab-only and opt-in? The original implementation (#2053) caused issues (#2138) with race conditions where apply status would appear before plans completed, leading to confusion and stuck PRs. The feature was reverted in #2173. Since then, Atlantis has significantly improved its event ordering and status update handling. However, to ensure maximum safety and backward compatibility, this restoration: Limits scope to GitLab - where the feature is most requested and tested Requires explicit opt-in - prevents unexpected behavior changes for existing users Preserves existing behavior - when disabled or on other VCS platforms, no status updates occur for unapplied plans Tests Added comprehensive test coverage in TestPlanCommandRunner_GitlabPendingApplyStatus: ✅ GitLab + flag enabled + unapplied plans → Pending status ✅ GitLab + flag disabled + unapplied plans → No status update (backward compatible) ✅ GitLab + all plans applied → Success status ✅ GitHub/Bitbucket + flag enabled → No status update (GitLab-only feature) ✅ GitLab + apply errors → Failed status All existing tests pass, ensuring backward compatibility is maintained. ## References Original feature (2021): https://github.com/runatlantis/atlantis/pull/2053/files Issue reports (race conditions): https://github.com/runatlantis/atlantis/issues/2138 Feature revert (2022): https://github.com/runatlantis/atlantis/pull/2173/files ## Key improvements since the original implementation: The latest Atlantis codebase now handles event ordering much more reliably. The race condition issues that caused the original revert (where apply status would appear before plans properly finished) have been resolved through improved event sequencing. This makes it safe to reintroduce the feature with proper safeguards (opt-in flag + VCS-specific implementation). ## Configuration: See updated documentation in server-configuration.md. This approach provides the requested functionality while learning from past issues and ensuring a smooth, safe rollout for teams that need this workflow enforcement. runatlantis/atlantis

#5927 fix: handle global codeql checkrun correctly Pull request opened by nvanheuverzwijn ## what When checking mergeability, we now check that the WorkflowRun.File.RepositoryName is not an empty string. This structure appears only when github's codeql code analysis is enabled for all repository from the organization global settings. When codeql is enabled globally and we use the flag

gh-allow-mergeable-bypass-apply

and the PR is blocked, atlantis will always report that the PR is unmergeable and unapproved. ## why Atlantis should ignore these global workrun because they are not related and cannot be related to required workflows since they don't have a file related to it. ## tests I have used my data structure that I received from the same graphql query atlantis does and added it as a test case. ## references closes #5925 runatlantis/atlantis

#5929 chore(deps): update golang docker tag to v1.25.3 in testing/dockerfile (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | | ------- | ----- | ------ | ---------------- | | golang | final | patch | 1.25.2 -> 1.25.3 | --- ### Configuration 📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis

#5930 feat: Add GitLab squash merge support for automerge Pull request opened by geoff-kruss ## what Adds support for squash merging in GitLab merge requests when using Atlantis automerge functionality. Previously, GitLab automerge was limited to regular merge commits, causing failures in repositories that enforce squash-only commit policies. ## why Many organizations enforce squash commit policies on their main branches to maintain clean git history. When using Atlantis automerge with GitLab, the default merge behavior would fail with these policies, preventing automated merging of Terraform changes. This implementation enables repositories with squash-only policies to benefit from Atlantis automerge functionality by supporting the

merge_method: squash

configuration option. ## tests • Added comprehensive test coverage for GitLab squash merge functionality • Existing GitHub merge method tests continue to pass • All GitLab VCS client tests pass • Automerge integration tests pass • Tested locally with both squash and regular merge methods ## references • Addresses #5415 - Allow merge method as configurable option in atlantis.yaml • Follows established patterns from GitHub VCS client implementation • GitLab API documentation: https://docs.gitlab.com/ee/api/merge_requests.html#merge-a-merge-request runatlantis/atlantis

#5931 docs: Add new env vars to the docs Pull request opened by filipenf ## what Added new environment variables for PR approval and mergeability status. ## why New variables added in #5919 ## tests ## references #5919 runatlantis/atlantis

#5932 chore(deps): update dependency mermaid to v11.12.1 in package.json (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | | --------------------------------------------------------- | --------------- | ------ | ------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [mermaid](https://redirect.github.com/mermaid-js/mermaid) | devDependencies | patch | [11.12.0 -> 11.12.1](https://renovatebot.com/diffs/npm/mermaid/11.12.0/11.12.1) | [[OpenSSF Scorecard](https://camo.githubusercontent.com/8e87a9a1690f0e3cf51a75f6bcee6a042335af31366b2f77e279afb4c1d9a4d9/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f6d65726d6169642d6a732f6d65726d6169642f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/mermaid-js/mermaid) | --- ### Release Notes mermaid-js/mermaid (mermaid) ### `v11.12.1` Compare Source ##### Patch Changes • #​7107 `cbf8946` Thanks @​shubhamparikh2704! - fix: Updated the dependency dagre-d3-es to 7.0.13 to fix GHSA-cc8p-78qf-8p7q --- ### Configuration 📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis

#5933 chore(deps): update debian:12.12-slim docker digest to 4d9b5b6 in dockerfile (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | | ------- | ----- | ------ | ------------------ | | debian | stage | digest | 78d2f66 -> 4d9b5b6 | --- ### Configuration 📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis

#5934 fix: Use correct command name for ApprovePolicies Pull request opened by lukemassa ## what Change the command name for the project result of ApprovePolicies to the approve policies command. ## why The command being worked on is

ApprovePolicies

but we returning as if it ran the

PolicyCheck

command. As far as I can tell this bug has been present since this code was introduced: af2a806#diff-eb466bb07e603dbf2a2a91c776b4d812bf330b3dc02fcaf762380b0078296937R174 I frankly don't quite understand what this does, but if you look at the rest of the doXYZ in plan_command_runner, they follow a particular pattern of referring to commands, and this one simply seems to have been typod. ## tests N/A ## references N/A runatlantis/atlantis

#5935 feat: Add the command name to show who is holding dir lock Pull request opened by lukemassa ## what Add information into the TryLock error message that shows what command is trying to grab the lock, and which has it currently. ## why This will aid in debugging, and also moves us towards a locking strategy that is less "working directory" focused and more "command" focused. ## tests I ran atlantis plan twice one after the other and watched it fail [Screenshot 2025-11-03 at 11 59 55 PM](https://private-user-images.githubusercontent.com/2678195/509324224-ef714e1f-f1f4-42bc-a42a-6677616bfa76.png?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NjI4MjgzMTMsIm5iZiI6MTc2MjgyODAxMywicGF0aCI6Ii8yNjc4MTk1LzUwOTMyNDIyNC1lZjcxNGUxZi1mMWY0LTQyYmMtYTQyYS02Njc3NjE2YmZhNzYucG5nP1gtQW16LUFsZ29yaXRobT1BV1M0LUhNQUMtU0hBMjU2JlgtQW16LUNyZWRlbnRpYWw9QUtJQVZDT0RZTFNBNTNQUUs0WkElMkYyMDI1MTExMSUyRnVzLWVhc3QtMSUyRnMzJTJGYXdzNF9yZXF1ZXN0JlgtQW16LURhdGU9MjAyNTExMTFUMDIyNjUzWiZYLUFtei1FeHBpcmVzPTMwMCZYLUFtei1TaWduYXR1cmU9ZDhjNDk4ZDBjMzBlYzFmYTdlYWM2YzZjN2E4ZDczN2E2ZWY0YTM1NTQwN2VhYmQ1MzM5NTRkZmI0MWJhNjk4NCZYLUFtei1TaWduZWRIZWFkZXJzPWhvc3QifQ.eiMAjIOW3cpJj466-83L4VMew_Iti5172WeXCwDZk_c) I also ran atlantis plan then pushed a commit and watched it fail on the autoplan [Screenshot 2025-11-04 at 12 09 24 AM](https://private-user-images.githubusercontent.com/2678195/509327935-b51e9fc6-51c7-41a6-850b-a6c4433504b2.png?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NjI4MjgzMTMsIm5iZiI6MTc2MjgyODAxMywicGF0aCI6Ii8yNjc4MTk1LzUwOTMyNzkzNS1iNTFlOWZjNi01MWM3LTQxYTYtODUwYi1hNmM0NDMzNTA0YjIucG5nP1gtQW16LUFsZ29yaXRobT1BV1M0LUhNQUMtU0hBMjU2JlgtQW16LUNyZWRlbnRpYWw9QUtJQVZDT0RZTFNBNTNQUUs0WkElMkYyMDI1MTExMSUyRnVzLWVhc3QtMSUyRnMzJTJGYXdzNF9yZXF1ZXN0JlgtQW16LURhdGU9MjAyNTExMTFUMDIyNjUzWiZYLUFtei1FeHBpcmVzPTMwMCZYLUFtei1TaWduYXR1cmU9YzdkZWQyZWVkZTY0MGZjN2M2NmMzYjhjZTUzMjIxYTMwYmYzYjlhNzc3ODEyMjViY2RiODZkOTdhODNjZTJkOCZYLUFtei1TaWduZWRIZWFkZXJzPWhvc3QifQ.paS74CTIUtCie_XFd1Vvv2nW3Z0oPFDdTIlrhAtwfCE) It's worth noting that the code didn't actually know it was running an "autoplan" instead of just a "plan", this is actually a bug that this new logging has demonstrated that I plan to dig into after. ## references N/A runatlantis/atlantis

#4709 Allow for plans to be partially successful Pull request opened by shkamensky When automerge is true, if any plan fails, all plans get deleted This is true even when running from a github comment. When dealing with many projects, there is a high likelihood that one plan can fail. This allows us to keep apply some plans and reiterate so we don't lose all progress. ## what Allow for plans to be saved when automerge is true by passing a flag. ## why Because the all-or-nothing nature of saving plans can make it very difficult to apply across many projects. For example, if 1 failed because of a DNS issue and 150 others plans succeeded, we want to apply the plans that succeeded and deal with the 1 plan manually. ## tests ## references #3002 runatlantis/atlantis

#5936 chore(deps): update debian:12.12-slim docker digest to 936abff in dockerfile (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | | ------- | ----- | ------ | ------------------ | | debian | stage | digest | 4d9b5b6 -> 936abff | --- ### Configuration 📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis

#5392 feat: allowing JobUrl to the PlanSuccess model for github comment templating Pull request opened by cpaloia ## What This PR adds support for including the job URL in the GitHub comment template by adding the property

JobURL

to the

PlanSuccess

model. This PR also renames the

LockURLGenerator

to

URLGenerator

as it will be used for generating more than just the lock url. Currently the code already uses the router to fulfill this interface, so I have added the function

GenerateProjectJobURL

which it gets from the router. ## Why In certain cases, it's necessary to hide Terraform plan output in GitHub comments—such as in public repositories where the output may contain sensitive information. However, users may still need access to the plan details via a secure URL, such as one behind a firewall or ingress. By including the job URL in the GitHub comment template (in addition to the existing GitHub check link), we provide users with clear guidance on why the output is hidden and where they can access it instead. ## Tests Tested locally by overriding the comment template and verifying the job URL was correctly included. ## References • Atlantis Issue #5391 ## Notes • I encountered issues running

pegomock

unless I downgraded Go to 1.23.0 in

go.mod

. • Currently, the job URL is added only to *plan success*—I considered adding it to

PolicyCheckResults

, but I’m unsure whether those results are accessible via a URL. Would appreciate any feedback on this! runatlantis/atlantis

#5937 chore(deps): update docker/metadata-action digest to 318604b in .github/workflows/atlantis-image.yml (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | | ---------------------------------------------------------------------------- | ------ | ------ | ------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [docker/metadata-action](https://redirect.github.com/docker/metadata-action) | action | digest | c1e5197 -> 318604b | [[OpenSSF Scorecard](https://camo.githubusercontent.com/4ac0e476ad44ae944f7d9b7ab42df2dd360d323488952230c5d616ba959ab12e/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f646f636b65722f6d657461646174612d616374696f6e2f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/docker/metadata-action) | --- ### Configuration 📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis

#5939 chore(deps): update docker/setup-qemu-action digest to c7c5346 in .github/workflows/testing-env-image.yml (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | | -------------------------------------------------------------------------------- | ------ | ------ | ------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [docker/setup-qemu-action](https://redirect.github.com/docker/setup-qemu-action) | action | digest | 2910929 -> c7c5346 | [[OpenSSF Scorecard](https://camo.githubusercontent.com/e5eb885f2d90f74196e7410a1fe5310ae059e266cdc1336bce526f6bd64b9c82/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f646f636b65722f73657475702d71656d752d616374696f6e2f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/docker/setup-qemu-action) | --- ### Configuration 📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis

#5940 feat: add bitbucket cloud api-user flag Pull request opened by jeronimo-caylent ## what • Adds bitbucket-api-user flag for the Bitbucket Cloud client, keeping bitbucket-user just for git operations. By default and for backward compatibility, if not bitbucket-api-user is provided, it uses the bitbucket-user flag. ## why Bitbucket Cloud deprecated App Password authentication, which previously supported the same user for both API calls and Git operations. See #5696 ## tests With the new flag:

./atlantis server --bitbucket-user '<user>' --bitbucket-api-user '<user@example.com>' --bitbucket-token '<token>' --repo-allowlist '*' --log-level info

{"level":"info","ts":"2025-11-07T10:54:04.448-0300","caller":"server/server.go:343","msg":"Supported VCS Hosts: BitbucketCloud","json":{}} {"level":"info","ts":"2025-11-07T10:54:04.814-0300","caller":"server/server.go:504","msg":"Utilizing BoltDB","json":{}} {"level":"info","ts":"2025-11-07T10:54:04.827-0300","caller":"policy/conftest_client.go:168","msg":"failed to get default conftest version. Will attempt request scoped lazy loads DEFAULT_CONFTEST_VERSION not set","json":{}} {"level":"info","ts":"2025-11-07T10:54:04.827-0300","caller":"server/server.go:1114","msg":"Atlantis started - listening on port 4141","json":{}} {"level":"info","ts":"2025-11-07T10:54:04.827-0300","caller":"scheduled/executor_service.go:51","msg":"Scheduled Executor Service started","json":{}}

Without the flag:

./atlantis server --bitbucket-user '<user>' --bitbucket-token '<token>' --repo-allowlist '*' --log-level info

{"level":"info","ts":"2025-11-07T10:54:19.114-0300","caller":"server/server.go:343","msg":"Supported VCS Hosts: BitbucketCloud","json":{}} {"level":"info","ts":"2025-11-07T10:54:19.341-0300","caller":"server/server.go:504","msg":"Utilizing BoltDB","json":{}} {"level":"info","ts":"2025-11-07T10:54:19.350-0300","caller":"policy/conftest_client.go:168","msg":"failed to get default conftest version. Will attempt request scoped lazy loads DEFAULT_CONFTEST_VERSION not set","json":{}} {"level":"info","ts":"2025-11-07T10:54:19.352-0300","caller":"server/server.go:1114","msg":"Atlantis started - listening on port 4141","json":{}} {"level":"info","ts":"2025-11-07T10:54:19.352-0300","caller":"scheduled/executor_service.go:51","msg":"Scheduled Executor Service started","json":{}}

## references • closes #5696 runatlantis/atlantis

#5941 chore(deps): update redis:7.4-alpine docker digest to ee64a64 in docker-compose.yml (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Update | Change | | ------- | ------ | ------------------ | | redis | digest | 3b73847 -> ee64a64 | --- ### Configuration 📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis

#5942 chore(deps): update step-security/harden-runner digest to 95d9a5d in .github/workflows/scorecard.yml (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | | -------------------------------------------------------------------------------------- | ------ | ------ | ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [step-security/harden-runner](https://redirect.github.com/step-security/harden-runner) | action | digest | f4a75cf -> 95d9a5d | [[OpenSSF Scorecard](https://camo.githubusercontent.com/79b73feee658f578ed164ed10d5294cc2e58c70ec1db9ee00d03c41311bccebc/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f737465702d73656375726974792f68617264656e2d72756e6e65722f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/step-security/harden-runner) | --- ### Configuration 📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis

#5943 chore(deps): update go to v1.25.4 in go.mod (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | | ----------------------------------------------------------------------- | ------ | ------ | ------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [go](https://go.dev/) ([source](https://redirect.github.com/golang/go)) | golang | patch | 1.25.3 -> 1.25.4 | [[OpenSSF Scorecard](https://camo.githubusercontent.com/c969aea50aa6c73e27384d8508b5fc8f9d31bd400c588089a1c7a7cdbb51ec23/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f676f6c616e672f676f2f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/golang/go) | | golang | stage | patch | 1.25.3-alpine -> 1.25.4-alpine | | --- ### Release Notes golang/go (go) ### `v1.25.4` --- ### Configuration 📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about these updates again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis

#5921 fix: Separate user and email for bitbucket Pull request opened by lukemassa on <!date^1761880177^{date_short}|2025-10-31T03:09:37Z> ## what Separates out

email

from

user

for bitbucket. ## why My understanding of #5696 is that there has to be a separate "username" from "email" address in the new bitbucket authentication scheme, so I added a flag to tease that out:

atlantis % go run main.go server --bitbucket-user foo --bitbucket-token bar --repo-allowlist='hi'                            
Error: --bitbucket-email must be specified alongside --bitbucket-user
exit status 1
atlantis % go run main.go server --bitbucket-user foo --bitbucket-token bar --repo-allowlist='hi' --bitbucket-email=foo@bar
{"level":"info","ts":"2025-10-30T23:06:24.009-0400","caller":"server/server.go:345","msg":"Supported VCS Hosts: BitbucketCloud","json":{}}

DISCLAIMER: I've never used bitbucket before, and am just going off the description of a problem in #5696 to try to help out. ## tests TODO: add tests Also need to update documentation ## references closes: #5696 runatlantis/atlantis

#5945 chore(deps): update dependency hashicorp/terraform to v1.13.5 in testdrive/utils.go (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Update | Change | OpenSSF | | ---------------------------------------------------------------------- | ------ | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [hashicorp/terraform](https://redirect.github.com/hashicorp/terraform) | patch | 1.13.4 -> 1.13.5 | [[OpenSSF Scorecard](https://camo.githubusercontent.com/73fb079834f95fc441f42b004291acd78181a0da3cd6cfe7a912d424cbb46a81/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f6861736869636f72702f7465727261666f726d2f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/hashicorp/terraform) | --- ### Release Notes hashicorp/terraform (hashicorp/terraform) ### `v1.13.5` Compare Source ##### 1.13.5 (November 5, 2025) BUG FIXES: • impure functions could cause templatefile to incorrectly fail consistency checks (#​37807) • Allow filesystem functions to return inconsistent results when evaluated within provider configuration (#​37854) --- ### Configuration 📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis

#5946 docs: Consolidate release documentation Pull request opened by lukemassa ## what Move release documentation out of CONTRIBUTING.md and RELEASE_CADENCE.md into a single RELEASE.md file. ## why Release information isn't relevant to contributing, and was cluttering up that document. Instead of creating another file, I thought it made sense to reuse RELEASE_CADENCE.md (which is a bit specific for a top-level file) to create RELEASE.md. ## tests N/A ## references Come up during discussion in #5890 runatlantis/atlantis