# github-prs
  • g

    GitHub

    10/30/2025, 2:51 AM
    #5918 chore(deps): update dependency open-policy-agent/conftest to v0.63.0 in testing/dockerfile (main)
    Pull request opened by renovate[bot]
    This PR contains the following updates:
    | Package | Update | Change | OpenSSF |
    | --- | --- | --- | --- |
    | [open-policy-agent/conftest](https://redirect.github.com/open-policy-agent/conftest) | minor | 0.62.0 -> 0.63.0 | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/open-policy-agent/conftest) |
    ---
    ### Release Notes
    open-policy-agent/conftest (open-policy-agent/conftest)
    ### `v0.63.0`
    Compare Source
    #### Changelog
    ##### New Features
    • `30b9a8d`: feat: add reformat command for JSON output conversion (#1153) (@thevilledev)
    ##### Bug Fixes
    • `ffb6ce3`: fix: Add explicit line-number to GitHub output (#1173) (@tun0)
    ##### OPA Changes
    • `64bf641`: build(deps): bump github.com/open-policy-agent/opa from 1.6.0 to 1.7.1 (#1156) (@dependabot[bot])
    • `981983b`: build(deps): bump github.com/open-policy-agent/opa from 1.7.1 to 1.8.0 (#1165) (@dependabot[bot])
    • `c7aa1d4`: build(deps): bump github.com/open-policy-agent/opa from 1.8.0 to 1.9.0 (#1175) (@dependabot[bot])
    ##### Other Changes
    • `0d903ce`: build(deps): bump actions/checkout from 4 to 5 (#1158) (@dependabot[bot])
    • `364cf32`: build(deps): bump actions/setup-go from 5 to 6 (#1171) (@dependabot[bot])
    • `d4aa81f`: build(deps): bump actions/setup-python from 5 to 6 (#1172) (@dependabot[bot])
    • `a1ecf3f`: build(deps): bump alpine from 3.22.0 to 3.22.1 (#1152) (@dependabot[bot])
    • `b87ca5f`: build(deps): bump cuelang.org/go from 0.13.2 to 0.14.1 (#1159) (@dependabot[bot])
    • `1c5abaa`: build(deps): bump github.com/CycloneDX/cyclonedx-go from 0.9.2 to 0.9.3 (#1177) (@dependabot[bot])
    • `2a509fe`: build(deps): bump github.com/hashicorp/go-getter from 1.7.8 to 1.7.9 (#1162) (@dependabot[bot])
    • `a433ed0`: build(deps): bump github.com/hashicorp/go-getter from 1.7.9 to 1.8.0 (#1169) (@dependabot[bot])
    • `d9dca30`: build(deps): bump github.com/hashicorp/go-getter from 1.8.0 to 1.8.1 (#1174) (@dependabot[bot])
    • `b51f6d9`: build(deps): bump github.com/hashicorp/go-getter from 1.8.1 to 1.8.2 (#1178) (@dependabot[bot])
    • `c664099`: build(deps): bump github.com/moby/buildkit from 0.23.2 to 0.24.0 (#1166) (@dependabot[bot])
    • `5378cc3`: build(deps): bump github.com/moby/buildkit from 0.24.0 to 0.25.0 (#1176) (@dependabot[bot])
    • `fb4c503`: build(deps): bump golang from 1.25.0-alpine to 1.25.1-alpine (#1170) (<https://redi…
    runatlantis/atlantis
  • g

    GitHub

    10/30/2025, 5:59 PM
    #5919 fix: Add env vars for PR approval and mergeable status
    Pull request opened by filipenf
    ## what
    Adds 2 env vars ATLANTIS_PR_APPROVED and ATLANTIS_PR_MERGEABLE. This makes it easier for the shell command to decide if the command can proceed or not depending on the PR status
    ## why
    Makes it easier to enable custom workflows that depend on approval / mergeable status (see #5779)
    In scenarios where there's custom logic needed on top of the built-in `apply_requirements`, this gives extra context to the shell command being executed
    ## tests
    ## references
    #5779
    runatlantis/atlantis
  • g

    GitHub

    10/31/2025, 12:54 AM
    #5920 chore(deps): update github/codeql-action digest to 5d5cd55 in .github/workflows/codeql.yml (main)
    Pull request opened by renovate[bot]
    This PR contains the following updates:
    | Package | Type | Update | Change | OpenSSF |
    | --- | --- | --- | --- | --- |
    | [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | digest | d198d2f -> 5d5cd55 | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/github/codeql-action) |
    ---
    ### Configuration
    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.
    ---
    • If you want to rebase/retry this PR, check this box
    ---
    This PR was generated by Mend Renovate. View the repository job log.
    runatlantis/atlantis
  • g

    GitHub

    10/31/2025, 3:19 AM
    #5922 chore(deps): update e1himself/goss-installation-action action to v1.3.0 in .github/workflows/atlantis-image.yml (main)
    Pull request opened by renovate[bot]
    This PR contains the following updates:
    | Package | Type | Update | Change | OpenSSF |
    | --- | --- | --- | --- | --- |
    | [e1himself/goss-installation-action](https://redirect.github.com/e1himself/goss-installation-action) | action | minor | v1.2.1 -> v1.3.0 | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/e1himself/goss-installation-action) |
    ---
    ### Release Notes
    e1himself/goss-installation-action (e1himself/goss-installation-action)
    ### `v1.3.0`
    Compare Source
    #### What's Changed
    • Add support for Github Runner platforms and architectures other than linux-x64 by @mlipscombe in #27
    #### New Contributors
    • @mlipscombe made their first contribution in #27
    Full Changelog: e1himself/goss-installation-action@v1...v1.3.0
    ---
    ### Configuration
    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.
    ---
    • If you want to rebase/retry this PR, check this box
    ---
    This PR was generated by Mend Renovate. View the repository job log.
    runatlantis/atlantis
  • g

    GitHub

    10/31/2025, 4:29 PM
    #5926 feat: enabling pending apply status when any of the projects has changes to…
    Pull request opened by rjmsilveira
    ## What
    This MR restores the ability to set commit status to pending when there are planned Terraform changes that haven't been applied yet. This feature is now:
    ## GitLab-specific (controlled by the --gitlab-pending-apply-status flag)
    Opt-in (defaults to false to maintain backward compatibility)
    Provides better visibility into MR readiness by blocking merges until all applies are completed
    ## Why
    When enabled, this feature prevents GitLab merge requests from being merged prematurely by setting the commit status to pending when:
    • atlantis plan detects changes that need to be applied
    • Not all projects have been successfully applied
    The status transitions:
    • ✅ Success: All projects applied or show no changes
    • ⏳ Pending: Planned changes exist but haven't been applied yet
    • ❌ Failed: Apply errors occurred
    This addresses a common workflow requirement where teams want to ensure all infrastructure changes are actually applied before allowing the MR to merge, preventing situations where planned changes are approved but never executed.
    ## Why GitLab-only and opt-in?
    The original implementation (#2053) caused issues (#2138) with race conditions where apply status would appear before plans completed, leading to confusion and stuck PRs. The feature was reverted in #2173. Since then, Atlantis has significantly improved its event ordering and status update handling. However, to ensure maximum safety and backward compatibility, this restoration:
    Limits scope to GitLab - where the feature is most requested and tested
    Requires explicit opt-in - prevents unexpected behavior changes for existing users
    Preserves existing behavior - when disabled or on other VCS platforms, no status updates occur for unapplied plans
    Tests
    Added comprehensive test coverage in TestPlanCommandRunner_GitlabPendingApplyStatus:
    ✅ GitLab + flag enabled + unapplied plans → Pending status
    ✅ GitLab + flag disabled + unapplied plans → No status update (backward compatible)
    ✅ GitLab + all plans applied → Success status
    ✅ GitHub/Bitbucket + flag enabled → No status update (GitLab-only feature)
    ✅ GitLab + apply errors → Failed status
    All existing tests pass, ensuring backward compatibility is maintained.
    ## References
    Original feature (2021): https://github.com/runatlantis/atlantis/pull/2053/files
    Issue reports (race conditions): https://github.com/runatlantis/atlantis/issues/2138
    Feature revert (2022): https://github.com/runatlantis/atlantis/pull/2173/files
    ## Key improvements since the original implementation:
    The latest Atlantis codebase now handles event ordering much more reliably. The race condition issues that caused the original revert (where apply status would appear before plans properly finished) have been resolved through improved event sequencing. This makes it safe to reintroduce the feature with proper safeguards (opt-in flag + VCS-specific implementation).
    ## Configuration:
    See updated documentation in server-configuration.md. This approach provides the requested functionality while learning from past issues and ensuring a smooth, safe rollout for teams that need this workflow enforcement.
    runatlantis/atlantis
  • g

    GitHub

    10/31/2025, 5:33 PM
    #5927 fix: handle global codeql checkrun correctly
    Pull request opened by nvanheuverzwijn
    ## what
    When checking mergeability, we now check that the WorkflowRun.File.RepositoryName is not an empty string. This structure appears only when github's codeql code analysis is enabled for all repository from the organization global settings. When codeql is enabled globally and we use the flag `gh-allow-mergeable-bypass-apply` and the PR is blocked, atlantis will always report that the PR is unmergeable and unapproved.
    ## why
    Atlantis should ignore these global workrun because they are not related and cannot be related to required workflows since they don't have a file related to it.
    ## tests
    I have used my data structure that I received from the same graphql query atlantis does and added it as a test case.
    ## references
    closes #5925
    runatlantis/atlantis
  • g

    GitHub

    11/01/2025, 1:41 AM
    #5929 chore(deps): update golang docker tag to v1.25.3 in testing/dockerfile (main)
    Pull request opened by renovate[bot]
    This PR contains the following updates:
    | Package | Type | Update | Change |
    | --- | --- | --- | --- |
    | golang | final | patch | 1.25.2 -> 1.25.3 |
    ---
    ### Configuration
    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.
    ---
    • If you want to rebase/retry this PR, check this box
    ---
    This PR was generated by Mend Renovate. View the repository job log.
    runatlantis/atlantis
  • g

    GitHub

    11/01/2025, 11:18 PM
    #5930 feat: Add GitLab squash merge support for automerge
    Pull request opened by geoff-kruss
    ## what
    Adds support for squash merging in GitLab merge requests when using Atlantis automerge functionality. Previously, GitLab automerge was limited to regular merge commits, causing failures in repositories that enforce squash-only commit policies.
    ## why
    Many organizations enforce squash commit policies on their main branches to maintain clean git history. When using Atlantis automerge with GitLab, the default merge behavior would fail with these policies, preventing automated merging of Terraform changes. This implementation enables repositories with squash-only policies to benefit from Atlantis automerge functionality by supporting the `merge_method: squash` configuration option.
    ## tests
    • Added comprehensive test coverage for GitLab squash merge functionality
    • Existing GitHub merge method tests continue to pass
    • All GitLab VCS client tests pass
    • Automerge integration tests pass
    • Tested locally with both squash and regular merge methods
    ## references
    • Addresses #5415 - Allow merge method as configurable option in atlantis.yaml
    • Follows established patterns from GitHub VCS client implementation
    • GitLab API documentation: https://docs.gitlab.com/ee/api/merge_requests.html#merge-a-merge-request
    runatlantis/atlantis
  • g

    GitHub

    11/02/2025, 11:57 AM
    #5931 docs: Add new env vars to the docs
    Pull request opened by filipenf
    ## what
    Added new environment variables for PR approval and mergeability status.
    ## why
    New variables added in #5919
    ## tests
    ## references
    #5919
    runatlantis/atlantis
  • g

    GitHub

    11/03/2025, 1:16 AM
    #5932 chore(deps): update dependency mermaid to v11.12.1 in package.json (main)
    Pull request opened by renovate[bot]
    This PR contains the following updates:
    | Package | Type | Update | Change | OpenSSF |
    | --- | --- | --- | --- | --- |
    | [mermaid](https://redirect.github.com/mermaid-js/mermaid) | devDependencies | patch | [11.12.0 -> 11.12.1](https://renovatebot.com/diffs/npm/mermaid/11.12.0/11.12.1) | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/mermaid-js/mermaid) |
    ---
    ### Release Notes
    mermaid-js/mermaid (mermaid)
    ### `v11.12.1`
    Compare Source
    ##### Patch Changes
    • #7107 `cbf8946` Thanks @shubhamparikh2704! - fix: Updated the dependency dagre-d3-es to 7.0.13 to fix GHSA-cc8p-78qf-8p7q
    ---
    ### Configuration
    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.
    ---
    • If you want to rebase/retry this PR, check this box
    ---
    This PR was generated by Mend Renovate. View the repository job log.
    runatlantis/atlantis
  • g

    GitHub

    11/04/2025, 2:32 AM
    #5933 chore(deps): update debian:12.12-slim docker digest to 4d9b5b6 in dockerfile (main)
    Pull request opened by renovate[bot]
    This PR contains the following updates:
    | Package | Type | Update | Change |
    | --- | --- | --- | --- |
    | debian | stage | digest | 78d2f66 -> 4d9b5b6 |
    ---
    ### Configuration
    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.
    ---
    • If you want to rebase/retry this PR, check this box
    ---
    This PR was generated by Mend Renovate. View the repository job log.
    runatlantis/atlantis
  • g

    GitHub

    11/04/2025, 4:27 AM
    #5934 fix: Use correct command name for ApprovePolicies
    Pull request opened by lukemassa
    ## what
    Change the command name for the project result of ApprovePolicies to the approve policies command.
    ## why
    The command being worked on is `ApprovePolicies` but we are returning as if it ran the `PolicyCheck` command. As far as I can tell this bug has been present since this code was introduced: af2a806#diff-eb466bb07e603dbf2a2a91c776b4d812bf330b3dc02fcaf762380b0078296937R174
    I frankly don't quite understand what this does, but if you look at the rest of the doXYZ in plan_command_runner, they follow a particular pattern of referring to commands, and this one simply seems to have been typod.
    ## tests
    N/A
    ## references
    N/A
    runatlantis/atlantis
  • g

    GitHub

    11/04/2025, 5:11 AM
    #5935 feat: Add the command name to show who is holding dir lock
    Pull request opened by lukemassa
    ## what
    Add information into the TryLock error message that shows what command is trying to grab the lock, and which has it currently.
    ## why
    This will aid in debugging, and also moves us towards a locking strategy that is less "working directory" focused and more "command" focused.
    ## tests
    I ran atlantis plan twice one after the other and watched it fail
    [Screenshot 2025-11-03 at 11 59 55 PM]
    I also ran atlantis plan then pushed a commit and watched it fail on the autoplan
    [Screenshot 2025-11-04 at 12 09 24 AM]
    It's worth noting that the code didn't actually know it was running an "autoplan" instead of just a "plan", this is actually a bug that this new logging has demonstrated that I plan to dig into after.
    ## references
    N/A
    runatlantis/atlantis
  • g

    GitHub

    11/05/2025, 2:11 AM
    #4709 Allow for plans to be partially successful
    Pull request opened by shkamensky
    When automerge is true, if any plan fails, all plans get deleted
    This is true even when running from a github comment. When dealing with many projects, there is a high likelihood that one plan can fail. This allows us to keep apply some plans and reiterate so we don't lose all progress.
    ## what
    Allow for plans to be saved when automerge is true by passing a flag.
    ## why
    Because the all-or-nothing nature of saving plans can make it very difficult to apply across many projects. For example, if 1 failed because of a DNS issue and 150 others plans succeeded, we want to apply the plans that succeeded and deal with the 1 plan manually.
    ## tests
    ## references
    #3002
    runatlantis/atlantis
  • g

    GitHub

    11/05/2025, 2:14 AM
    #5936 chore(deps): update debian:12.12-slim docker digest to 936abff in dockerfile (main)
    Pull request opened by renovate[bot]
    This PR contains the following updates:
    | Package | Type | Update | Change |
    | --- | --- | --- | --- |
    | debian | stage | digest | 4d9b5b6 -> 936abff |
    ---
    ### Configuration
    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.
    ---
    • If you want to rebase/retry this PR, check this box
    ---
    This PR was generated by Mend Renovate. View the repository job log.
    runatlantis/atlantis
  • g

    GitHub

    11/06/2025, 2:11 AM
    #5392 feat: allowing JobUrl to the PlanSuccess model for github comment templating
    Pull request opened by cpaloia
    ## What
    This PR adds support for including the job URL in the GitHub comment template by adding the property `JobURL` to the `PlanSuccess` model. This PR also renames the `LockURLGenerator` to `URLGenerator` as it will be used for generating more than just the lock url. Currently the code already uses the router to fulfill this interface, so I have added the function `GenerateProjectJobURL` which it gets from the router.
    ## Why
    In certain cases, it's necessary to hide Terraform plan output in GitHub comments—such as in public repositories where the output may contain sensitive information. However, users may still need access to the plan details via a secure URL, such as one behind a firewall or ingress. By including the job URL in the GitHub comment template (in addition to the existing GitHub check link), we provide users with clear guidance on why the output is hidden and where they can access it instead.
    ## Tests
    Tested locally by overriding the comment template and verifying the job URL was correctly included.
    ## References
    • Atlantis Issue #5391
    ## Notes
    • I encountered issues running `pegomock` unless I downgraded Go to 1.23.0 in `go.mod`.
    • Currently, the job URL is added only to *plan success*—I considered adding it to `PolicyCheckResults`, but I’m unsure whether those results are accessible via a URL. Would appreciate any feedback on this!
    runatlantis/atlantis
  • g

    GitHub

    11/06/2025, 2:14 AM
    #5937 chore(deps): update docker/metadata-action digest to 318604b in .github/workflows/atlantis-image.yml (main)
    Pull request opened by renovate[bot]
    This PR contains the following updates:
    | Package | Type | Update | Change | OpenSSF |
    | --- | --- | --- | --- | --- |
    | [docker/metadata-action](https://redirect.github.com/docker/metadata-action) | action | digest | c1e5197 -> 318604b | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/docker/metadata-action) |
    ---
    ### Configuration
    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.
    ---
    • If you want to rebase/retry this PR, check this box
    ---
    This PR was generated by Mend Renovate. View the repository job log.
    runatlantis/atlantis
  • g

    GitHub

    11/07/2025, 2:03 AM
    #5939 chore(deps): update docker/setup-qemu-action digest to c7c5346 in .github/workflows/testing-env-image.yml (main)
    Pull request opened by renovate[bot]
    This PR contains the following updates:
    | Package | Type | Update | Change | OpenSSF |
    | --- | --- | --- | --- | --- |
    | [docker/setup-qemu-action](https://redirect.github.com/docker/setup-qemu-action) | action | digest | 2910929 -> c7c5346 | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/docker/setup-qemu-action) |
    ---
    ### Configuration
    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.
    ---
    • If you want to rebase/retry this PR, check this box
    ---
    This PR was generated by Mend Renovate. View the repository job log.
    runatlantis/atlantis
  • g

    GitHub

    11/07/2025, 2:05 PM
    #5940 feat: add bitbucket cloud api-user flag
    Pull request opened by jeronimo-caylent
    ## what
    • Adds bitbucket-api-user flag for the Bitbucket Cloud client, keeping bitbucket-user just for git operations. By default and for backward compatibility, if bitbucket-api-user is not provided, it uses the bitbucket-user flag.
    ## why
    Bitbucket Cloud deprecated App Password authentication, which previously supported the same user for both API calls and Git operations. See #5696
    ## tests
    With the new flag:
    ./atlantis server --bitbucket-user '<user>' --bitbucket-api-user '<user@example.com>' --bitbucket-token '<token>' --repo-allowlist '*' --log-level info
    {"level":"info","ts":"2025-11-07T10:54:04.448-0300","caller":"server/server.go:343","msg":"Supported VCS Hosts: BitbucketCloud","json":{}}
    {"level":"info","ts":"2025-11-07T10:54:04.814-0300","caller":"server/server.go:504","msg":"Utilizing BoltDB","json":{}}
    {"level":"info","ts":"2025-11-07T10:54:04.827-0300","caller":"policy/conftest_client.go:168","msg":"failed to get default conftest version. Will attempt request scoped lazy loads DEFAULT_CONFTEST_VERSION not set","json":{}}
    {"level":"info","ts":"2025-11-07T10:54:04.827-0300","caller":"server/server.go:1114","msg":"Atlantis started - listening on port 4141","json":{}}
    {"level":"info","ts":"2025-11-07T10:54:04.827-0300","caller":"scheduled/executor_service.go:51","msg":"Scheduled Executor Service started","json":{}}
    Without the flag:
    ./atlantis server --bitbucket-user '<user>' --bitbucket-token '<token>' --repo-allowlist '*' --log-level info
    {"level":"info","ts":"2025-11-07T10:54:19.114-0300","caller":"server/server.go:343","msg":"Supported VCS Hosts: BitbucketCloud","json":{}}
    {"level":"info","ts":"2025-11-07T10:54:19.341-0300","caller":"server/server.go:504","msg":"Utilizing BoltDB","json":{}}
    {"level":"info","ts":"2025-11-07T10:54:19.350-0300","caller":"policy/conftest_client.go:168","msg":"failed to get default conftest version. Will attempt request scoped lazy loads DEFAULT_CONFTEST_VERSION not set","json":{}}
    {"level":"info","ts":"2025-11-07T10:54:19.352-0300","caller":"server/server.go:1114","msg":"Atlantis started - listening on port 4141","json":{}}
    {"level":"info","ts":"2025-11-07T10:54:19.352-0300","caller":"scheduled/executor_service.go:51","msg":"Scheduled Executor Service started","json":{}}
    ## references
    • closes #5696
    runatlantis/atlantis
  • g

    GitHub

    11/08/2025, 1:47 AM
    #5941 chore(deps): update redis:7.4-alpine docker digest to ee64a64 in docker-compose.yml (main)
    Pull request opened by renovate[bot]
    This PR contains the following updates:
    | Package | Update | Change |
    | --- | --- | --- |
    | redis | digest | 3b73847 -> ee64a64 |
    ---
    ### Configuration
    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.
    ---
    • If you want to rebase/retry this PR, check this box
    ---
    This PR was generated by Mend Renovate. View the repository job log.
    runatlantis/atlantis
  • g

    GitHub

    11/09/2025, 1:39 AM
    #5942 chore(deps): update step-security/harden-runner digest to 95d9a5d in .github/workflows/scorecard.yml (main)
    Pull request opened by renovate[bot]
    This PR contains the following updates:
    | Package | Type | Update | Change | OpenSSF |
    | --- | --- | --- | --- | --- |
    | [step-security/harden-runner](https://redirect.github.com/step-security/harden-runner) | action | digest | f4a75cf -> 95d9a5d | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/step-security/harden-runner) |
    ---
    ### Configuration
    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.
    ---
    • If you want to rebase/retry this PR, check this box
    ---
    This PR was generated by Mend Renovate. View the repository job log.
    runatlantis/atlantis
  • g

    GitHub

    11/10/2025, 1:13 AM
    #5943 chore(deps): update go to v1.25.4 in go.mod (main)
    Pull request opened by renovate[bot]
    This PR contains the following updates:
    | Package | Type | Update | Change | OpenSSF |
    | --- | --- | --- | --- | --- |
    | [go](https://go.dev/) ([source](https://redirect.github.com/golang/go)) | golang | patch | 1.25.3 -> 1.25.4 | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/golang/go) |
    | golang | stage | patch | 1.25.3-alpine -> 1.25.4-alpine | |
    ---
    ### Release Notes
    golang/go (go)
    ### `v1.25.4`
    ---
    ### Configuration
    📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about these updates again.
    ---
    • If you want to rebase/retry this PR, check this box
    ---
    This PR was generated by Mend Renovate. View the repository job log.
    runatlantis/atlantis
  • g

    GitHub

    11/10/2025, 8:05 PM
    #5921 fix: Separate user and email for bitbucket Pull request opened by lukemassa on 2025-10-31T03:09:37Z ## what Separates out `email` from `user` for bitbucket. ## why My understanding of #5696 is that there has to be a separate "username" from "email" address in the new bitbucket authentication scheme, so I added a flag to tease that out:
    ```
    atlantis % go run main.go server --bitbucket-user foo --bitbucket-token bar --repo-allowlist='hi'
    Error: --bitbucket-email must be specified alongside --bitbucket-user
    exit status 1
    atlantis % go run main.go server --bitbucket-user foo --bitbucket-token bar --repo-allowlist='hi' --bitbucket-email=foo@bar
    {"level":"info","ts":"2025-10-30T23:06:24.009-0400","caller":"server/server.go:345","msg":"Supported VCS Hosts: BitbucketCloud","json":{}}
    ```
    DISCLAIMER: I've never used bitbucket before, and am just going off the description of a problem in #5696 to try to help out. ## tests TODO: add tests Also need to update documentation ## references closes: #5696 runatlantis/atlantis
  • g

    GitHub

    11/11/2025, 2:29 AM
    #5945 chore(deps): update dependency hashicorp/terraform to v1.13.5 in testdrive/utils.go (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Update | Change | OpenSSF | | ---------------------------------------------------------------------- | ------ | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [hashicorp/terraform](https://redirect.github.com/hashicorp/terraform) | patch | 1.13.4 -> 1.13.5 | [[OpenSSF Scorecard](https://camo.githubusercontent.com/73fb079834f95fc441f42b004291acd78181a0da3cd6cfe7a912d424cbb46a81/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f6861736869636f72702f7465727261666f726d2f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/hashicorp/terraform) | --- ### Release Notes hashicorp/terraform (hashicorp/terraform) ### `v1.13.5` Compare Source ##### 1.13.5 (November 5, 2025) BUG FIXES: • impure functions could cause templatefile to incorrectly fail consistency checks (#​37807) • Allow filesystem functions to return inconsistent results when evaluated within provider configuration (#​37854) --- ### Configuration 📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis
  • g

    GitHub

    11/11/2025, 3:44 AM
    #5946 docs: Consolidate release documentation Pull request opened by lukemassa ## what Move release documentation out of CONTRIBUTING.md and RELEASE_CADENCE.md into a single RELEASE.md file. ## why Release information isn't relevant to contributing, and was cluttering up that document. Instead of creating another file, I thought it made sense to reuse RELEASE_CADENCE.md (which is a bit specific for a top-level file) to create RELEASE.md. ## tests N/A ## references Came up during discussion in #5890 runatlantis/atlantis
  • g

    GitHub

    11/13/2025, 12:49 AM
    #5951 chore(deps): update ghcr.io/runatlantis/atlantis:latest docker digest to 26043ad in dockerfile.dev (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | | ---------------------------- | ----- | ------ | ------------------ | | ghcr.io/runatlantis/atlantis | final | digest | c1e648a -> 26043ad | --- ### Configuration 📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis
  • g

    GitHub

    11/14/2025, 12:17 AM
    #5953 chore(deps): update github/codeql-action digest to f94c9be in .github/workflows/codeql.yml (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | | ------------------------------------------------------------------------ | ------ | ------ | ------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | digest | 5d5cd55 -> f94c9be | [[OpenSSF Scorecard](https://camo.githubusercontent.com/7297a8020f03fec30e06910592fd5839c6c112499f8c35234823a18eee5374c0/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f6769746875622f636f6465716c2d616374696f6e2f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/github/codeql-action) | --- ### Configuration 📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis
  • g

    GitHub

    11/14/2025, 1:12 AM
    #5954 feat: implement --ignore-vcs-status-names for GitLab Pull request opened by jklong ## what Implement the `--ignore-vcs-status-names` flag for the GitLab provider. Similar to #4978, this consults an ignore list for commit status names when determining mergeability. If a commit status name can be parsed as `{vcsstatusname}/...` and that parsed `vcsstatusname` is present in the configured ignore list then it is skipped. ## why Similar reasoning as expressed in #2848 for the existing GitHub-only feature - when multiple atlantis servers with different `vcs-status-names` operate on a single repo with a `mergeable` requirement they see pending pipeline statuses set by the other atlantis instances and report that the MR is not mergeable. ## tests • I have tested my changes by adding unit test coverage. `go test ./server/events/vcs` passes, however an existing, unrelated, test failure at main/HEAD causes `make test` to fail. ## references #2848 #4978 runatlantis/atlantis
  • g

    GitHub

    11/14/2025, 4:38 AM
    #5955 fix: Assume divergence until established otherwise Pull request opened by aggrand ## what This modifies the divergence checking behavior to assume divergence unless proven otherwise. On any errors it will say that there is a divergence. ## why The documentation on the merge checkout strategy describes the issue where a failure to use the updated main branch can delete resources that are configured on the main branch. Depending on the resource in question, this could be an unforeseeable change that could have disastrous consequences. The existing behavior seemed to assume safety unless proven unsafe. It would be incredibly bad for a series of poorly-timed transient network failures on fetches to result in an apply that destroys resources. Our usage prioritizes safety and we would prefer that the plan/apply bail if it cannot establish safety. I realize that this is an opinionated change, but I suspect that most people who go out of their way to enable the merge strategy and undiverged requirement are expecting to make their processes as safe as possible. I was surprised by the behavior. If preferred, I could also lock this behavior behind an option. I'm not sure to what extent this would be a breaking change. ## tests ## references runatlantis/atlantis
  • g

    GitHub

    11/14/2025, 5:50 AM
    #5956 chore(deps): update module golang.org/x/crypto to v0.43.0 [security] (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Change | Age | Confidence | | ------------------- | ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | golang.org/x/crypto | v0.41.0 -> v0.43.0 | [[age](https://camo.githubusercontent.com/968b4219282ea7ff526a529bc8701c10028482487c415936df84a36a331d4808/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f6167652f676f2f676f6c616e672e6f72672532667825326663727970746f2f76302e34332e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | [[confidence](https://camo.githubusercontent.com/d3ef03ec944f66413122c73379998b68f0b36842af6f834a784a5e89c565a670/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f636f6e666964656e63652f676f2f676f6c616e672e6f72672532667825326663727970746f2f76302e34312e302f76302e34332e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | --- ### Potential denial of service in golang.org/x/crypto/ssh/agent CVE-2025-47913 / GO-2025-4116 More information #### Details SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process. 
    #### Severity Unknown #### References • https://go.dev/cl/700295 • https://go.dev/issue/75178 • https://github.com/advisories/GHSA-hcg3-q754-cr77 This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0). --- ### Configuration 📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis