package manager for vendor pull

[haitham911]

what

• New Feature interactive package manager for vendor pull
  interactive shell for atmos vendor pull --everything
• Support --everything flag for test non TTY mod run atmos vendor pull --everything </dev/null |& cat > atmos_vendor_pull.log

screenshots

example for process with error

example for process successfully done

why

Build an interface for a package manager using bubbletea

references

• https://linear.app/cloudposse/issue/DEV-270/atmos-vendor-pull-ux
• https://linear.app/cloudposse/issue/DEV-2716/support-atmos-vendor-pull-everything
• Closes atmos vendor pull --tags ... --dry-run doesn't do a full run #792
• Closes Feature request: atmos vendor pull --all #301

Summary by CodeRabbit

• New Features

  • Introduced a --everything flag for the vendor pull command, allowing users to vendor all components at once.
  • Enhanced command behavior to default to pulling all vendor components unless specified otherwise.

• Bug Fixes

  • Improved error handling and validation for vendor commands.

• Documentation

  • Updated CLI command cheat sheets and documentation to reflect the new --everything flag and its usage.
  • Enhanced clarity in the vendor-manifest documentation regarding vendoring from OCI registries.
  • Expanded the "Atlantis Integration" document with detailed configuration examples and workflow explanations.

• Chores

  • Updated the Atmos tool version in the Dockerfile for example projects.

[osterman]

running download error: could not open a new TTY: open /dev/tty: no such device or address

We need a fallback for headless terminals. This is probably handled by charmbracelet as well. We might just not be using it.

[coderabbitai]

📝 Walkthrough

📝 Walkthrough

Walkthrough

This pull request introduces a comprehensive enhancement to the Atmos vendoring system, focusing on improving the vendor pull command's functionality. The changes include adding an --everything flag to pull all components, implementing a new Text User Interface (TUI) for better user experience, and refactoring the underlying vendoring logic to support more flexible and robust component management.

Changes

File	Change Summary
go.mod	Updated dependencies, added bubbletea and harmonica packages
internal/exec/vendor_*	Significant refactoring of vendoring logic, added new functions for component and package management, implemented TUI support
cmd/vendor_pull.go	Added --everything flag to vendor pull command
examples/*/atmos.yaml	Updated vendor pull command to use --everything flag
website/docs/*	Updated documentation to reflect new vendoring capabilities

Assessment against linked issues

Objective	Addressed	Explanation
Support atmos vendor pull --everything [DEV-2716]	✅
Improve vendor pull UX with TUI [DEV-270]	✅
Fix --dry-run behavior for tags [#792]	✅
Add --all vendoring capability [#301]	✅	Implemented via --everything flag

Possibly related PRs

• Always template vendor source and targets #712: Related to Bubble Tea TUI implementation
• Fix vendor pull directory creation issue #782: Connected to vendor configuration enhancements
• feat: create atmos list command for listing stacks and components #797: Involves command-line interface improvements

Suggested reviewers

• Gowiem
• osterman

---

📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9702100 and 8553678.

📒 Files selected for processing (2)

• examples/quick-start-advanced/Dockerfile (1 hunks)
• website/docs/integrations/atlantis.mdx (1 hunks)

🧰 Additional context used

📓 Learnings (2)

📓 Common learnings

Learnt from: osterman
PR: cloudposse/atmos#768
File: website/docs/cheatsheets/vendoring.mdx:70-70
Timestamp: 2024-11-12T13:06:56.195Z
Learning: In `atmos vendor pull --everything`, the `--everything` flag uses the TTY for TUI but is not interactive.

examples/quick-start-advanced/Dockerfile (2)

Learnt from: aknysh
PR: cloudposse/atmos#775
File: examples/quick-start-advanced/Dockerfile:9-9
Timestamp: 2024-11-12T05:52:05.088Z
Learning: It is acceptable to set `ARG ATMOS_VERSION` to a future version like `1.105.0` in `examples/quick-start-advanced/Dockerfile` if that will be the next release.

Learnt from: osterman
PR: cloudposse/atmos#801
File: examples/quick-start-advanced/Dockerfile:9-9
Timestamp: 2024-11-23T00:13:22.004Z
Learning: When updating the `ATMOS_VERSION` in Dockerfiles, the team prefers to pin to the next future version when the PR merges, even if the version is not yet released.

🔇 Additional comments (2)

examples/quick-start-advanced/Dockerfile (1)

9-9: LGTM: Version bump aligns with team preferences

The update of ATMOS_VERSION to 1.130.0 is consistent with the team's practice of pinning to future versions for upcoming releases.

website/docs/integrations/atlantis.mdx (1)

676-676: LGTM: Documentation version aligned with Dockerfile

The Atmos version update in the GitHub Actions example maintains consistency with the version specified in the Dockerfile.

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary or @auto-summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai or @auto-title anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 6

🧹 Outside diff range and nitpick comments (9)

internal/exec/vendor_model.go (1)

148-148: Add missing space in completion message

There's a missing space after the period in the string "Vendored %d components.Failed to vendor %d components.\n", which causes the message to read incorrectly. Adding a space will improve readability.

Apply this diff to fix the formatting:

return doneStyle.Render(fmt.Sprintf("Vendored %d components.Failed to vendor %d components.\n", n-m.failedPkg, m.failedPkg))
+return doneStyle.Render(fmt.Sprintf("Vendored %d components. Failed to vendor %d components.\n", n-m.failedPkg, m.failedPkg))

internal/exec/vendor_model_component.go (5)

23-34: Export pkgComponentVendor struct

If there's a possibility of using pkgComponentVendor outside this package in the future, consider exporting it by capitalizing the struct name. Adding comments to structs and fields will also enhance code readability.

---

135-137: Add missing space in status message

There's a missing space after the period in the status message. This will improve the readability of the output.

-return doneStyle.Render(fmt.Sprintf("Vendored %d components.Failed to vendor %d components.\n", n-m.failedPkg, m.failedPkg))
+return doneStyle.Render(fmt.Sprintf("Vendored %d components. Failed to vendor %d components.\n", n-m.failedPkg, m.failedPkg))

---

166-199: Refactor to eliminate duplicate code in downloadComponentAndInstall

The function downloadComponentAndInstall contains similar code blocks for handling components and mixins. Refactoring can reduce duplication and simplify maintenance.

Here's a possible refactor:

 func downloadComponentAndInstall(p pkgComponentVendor, dryRun bool, cliConfig schema.CliConfiguration) tea.Cmd {
     return func() tea.Msg {
         if dryRun {
             time.Sleep(100 * time.Millisecond)
             return installedPkgMsg{
                 err:  nil,
                 name: p.name,
             }
         }

-        if p.IsComponent {
-            err := installComponent(p, cliConfig)
-            if err != nil {
-                return installedPkgMsg{
-                    err:  err,
-                    name: p.name,
-                }
-            }
-            return installedPkgMsg{
-                err:  nil,
-                name: p.name,
-            }
-        }
-        if p.IsMixins {
-            err := installMixin(p, cliConfig)
-            if err != nil {
-                return installedPkgMsg{
-                    err:  err,
-                    name: p.name,
-                }
-            }
-            return installedPkgMsg{
-                err:  nil,
-                name: p.name,
-            }
-        }
+        var err error
+        if p.IsComponent {
+            err = installComponent(p, cliConfig)
+        } else if p.IsMixins {
+            err = installMixin(p, cliConfig)
+        } else {
+            err = fmt.Errorf("unknown install operation")
+        }
         return installedPkgMsg{
             err:  err,
             name: p.name,
         }
     }
 }

---

258-259: Include package type in error message

Adding the package type to the error message will help in debugging unknown package types.

-return fmt.Errorf("unknown package type")
+return fmt.Errorf("unknown package type: %v", p.pkgType)

---

297-298: Include package type in error message

Similarly, in installMixin, include the package type in the error message for better clarity.

-return fmt.Errorf("unknown package type")
+return fmt.Errorf("unknown package type: %v", p.pkgType)

internal/exec/vendor_component_utils.go (3)

96-105: Implement ExecuteStackVendorInternal function

The ExecuteStackVendorInternal function currently returns a "not supported yet" error. Consider implementing the necessary logic or providing a more detailed message.

Would you like assistance in drafting the implementation or creating a GitHub issue to track this task?

---

343-343: Wrap error with %w for proper error handling

To enable error unwrapping, replace %v with %w when formatting errors.

Apply this diff:

- return fmt.Errorf("error initializing model: %v", err)
+ return fmt.Errorf("error initializing model: %w", err)

---

341-345: Handle errors from the TUI run

Ensure that errors from tea.NewProgram(model).Run() are properly handled to maintain robustness.

Apply this diff:

if _, err := tea.NewProgram(model).Run(); err != nil {
-   return fmt.Errorf("running download error: %w", err)
+   return fmt.Errorf("error running TUI program: %w", err)
}

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 3342e8e and 5248650.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (5)

• go.mod (1 hunks)
• internal/exec/vendor_component_utils.go (4 hunks)
• internal/exec/vendor_model.go (1 hunks)
• internal/exec/vendor_model_component.go (1 hunks)
• internal/exec/vendor_utils.go (5 hunks)

🔇 Additional comments (10)

go.mod (1)

96-96: LGTM! Clean dependency addition for TUI animations.

The addition of github.com/charmbracelet/harmonica aligns perfectly with implementing an improved vendor pull interface using Bubble Tea. This indirect dependency will provide smooth animation capabilities for the TUI.

Let's verify the harmonica package usage in the codebase:

internal/exec/vendor_utils.go (8)

10-10: Importing Bubble Tea library for TUI functionality

The addition of the tea import integrates the Bubble Tea library, enabling the new TUI enhancements.

---

178-179: Calling logInitialMessage to enhance user feedback

Incorporating logInitialMessage improves the user experience by logging initial processing information.

---

Line range hint 250-309: Refactoring source processing into modular functions

The introduction of shouldSkipSource and validateSourceFields enhances code readability and maintainability by encapsulating specific logic.

---

271-280: Clarifying source type determination logic

The determineSourceType function cleanly separates the logic for source type determination, improving code clarity.

---

311-321: Implementing TUI for package processing

Introducing the TUI enhances the user interface during package processing with Bubble Tea.

---

372-379: Defining logInitialMessage function

Centralizing initial logging supports better code organization and reduces redundancy.

---

380-392: Duplicate issue: Modifying a value receiver in validateSourceFields

As mentioned earlier, modifying s.File won't affect the original struct since s is passed by value.

---

435-491: Generating skip function for file copying

The generateSkipFunction effectively handles inclusion and exclusion patterns, enhancing modularity and reusability.

internal/exec/vendor_component_utils.go (1)

15-15: Bubble Tea import added for TUI integration

The addition of the Bubble Tea package is appropriate for implementing TUI features, aligning with the PR objectives.

[osterman]

Running atmos vendor pull --logs-level Debug provides no useful debug information.

[osterman]

@aknysh i updated the tests to check for this and they passed.

https://github.com/cloudposse/atmos/actions/runs/12364998225/job/34509262900?pr=768

[mergify]

💥 This pull request now has conflicts. Could you fix it @haitham911? 🙏

[coderabbitai]

Actionable comments posted: 0

🔭 Outside diff range comments (2)

internal/exec/vendor_model_component.go (1)

Line range hint 312-315: Fix ineffectual assignment to pType in local file handling.

The continue statement skips the package creation, making the pType assignment ineffective. This could lead to incorrect package type determination.

Apply this fix:

 if u.FileExists(absPath) {
     pType = pkgTypeLocal
-    continue
+    uri = absPath
 }

internal/exec/vendor_component_utils.go (1)

Line range hint 600-632: Enhance URI validation with additional security checks.

The URI validation could be strengthened with more comprehensive checks.

 func validateURI(uri string) error {
     if uri == "" {
         return fmt.Errorf("URI cannot be empty")
     }
+    // Normalize URI before validation
+    normalizedURI := filepath.Clean(uri)
+
     // Maximum length check
     if len(uri) > 2048 {
         return fmt.Errorf("URI exceeds maximum length of 2048 characters")
     }
-    // Add more validation as needed
     // Validate URI format
     if strings.Contains(uri, "..") {
         return fmt.Errorf("URI cannot contain path traversal sequences")
     }
+    // Check for encoded traversal attempts
+    if strings.Contains(normalizedURI, "%2e%2e") {
+        return fmt.Errorf("URI cannot contain encoded path traversal sequences")
+    }
     // ... rest of the validation

🧹 Nitpick comments (4)

internal/exec/vendor_model_component.go (2)

20-31: Add documentation for the pkgComponentVendor struct.

Consider adding detailed documentation for each field to improve maintainability.

+// pkgComponentVendor represents a vendor component package with its metadata
 type pkgComponentVendor struct {
+    // uri is the source location of the component
     uri                 string
+    // name is the unique identifier of the component
     name                string
+    // sourceIsLocalFile indicates if the source is a local file
     sourceIsLocalFile   bool
     // ... add documentation for remaining fields

---

116-118: Standardize error message formatting.

Error messages should follow a consistent format with proper capitalization.

Apply these improvements:

-return fmt.Errorf("Failed to create temp directory %s", err)
+return fmt.Errorf("failed to create temp directory: %v", err)

-return fmt.Errorf("Failed to download package %s error %s", p.name, err)
+return fmt.Errorf("failed to download package %s: %v", p.name, err)

-return fmt.Errorf("Failed to process OCI image %s error %s", p.name, err)
+return fmt.Errorf("failed to process OCI image %s: %v", p.name, err)

-return fmt.Errorf("failed to copy package %s error %s", p.name, err)
+return fmt.Errorf("failed to copy package %s: %v", p.name, err)

Also applies to: 139-140, 146-147, 166-167

internal/exec/vendor_component_utils.go (2)

Line range hint 402-405: Enhance non-TTY mode feedback.

The warning message could be more descriptive about the fallback behavior.

-u.LogWarning(cliConfig, "No TTY detected. Falling back to basic output. This can happen when no terminal is attached or when commands are pipelined.")
+u.LogWarning(cliConfig, "No TTY detected. Falling back to basic output mode. Progress will be logged as text. This typically occurs when running in CI/CD pipelines or when output is redirected.")

---

Line range hint 497-514: Enhance determineSourceType function documentation and immutability.

The function modifies its input parameter and lacks comprehensive documentation.

+// determineSourceType analyzes the given URI and determines its type (OCI, local file, or remote).
+// It handles OCI scheme prefixes and resolves local file paths relative to the vendor config path.
+//
+// Parameters:
+//   - uri: Pointer to the URI string that may be modified during processing
+//   - vendorConfigFilePath: Base path for resolving relative file paths
+//
+// Returns:
+//   - useOciScheme: true if the URI uses the OCI scheme
+//   - useLocalFileSystem: true if the URI points to the local filesystem
+//   - sourceIsLocalFile: true if the URI points to an existing local file
 func determineSourceType(uri *string, vendorConfigFilePath string) (bool, bool, bool) {

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cd0143d and 9702100.

📒 Files selected for processing (6)

• internal/exec/vendor_component_utils.go (4 hunks)
• internal/exec/vendor_model.go (1 hunks)
• internal/exec/vendor_model_component.go (1 hunks)
• internal/exec/vendor_utils.go (11 hunks)
• pkg/utils/file_utils.go (1 hunks)
• pkg/vender/vendor_config_test.go (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• pkg/utils/file_utils.go
• pkg/vender/vendor_config_test.go
• internal/exec/vendor_model.go

🧰 Additional context used

📓 Learnings (4)

📓 Common learnings

Learnt from: osterman
PR: cloudposse/atmos#768
File: website/docs/cheatsheets/vendoring.mdx:70-70
Timestamp: 2024-11-12T13:06:56.195Z
Learning: In `atmos vendor pull --everything`, the `--everything` flag uses the TTY for TUI but is not interactive.

internal/exec/vendor_model_component.go (1)

Learnt from: aknysh
PR: cloudposse/atmos#768
File: internal/exec/vendor_model_component.go:3-20
Timestamp: 2024-11-18T13:59:10.824Z
Learning: When replacing significant dependencies like `go-getter` that require extensive changes, prefer to address them in separate PRs.

internal/exec/vendor_component_utils.go (2)

Learnt from: aknysh
PR: cloudposse/atmos#768
File: internal/exec/vendor_component_utils.go:312-316
Timestamp: 2024-11-20T18:38:34.525Z
Learning: Ensure that mixin package type determination supports local files, handling them consistently with component package type determination.

Learnt from: osterman
PR: cloudposse/atmos#768
File: internal/exec/vendor_component_utils.go:354-360
Timestamp: 2024-11-12T05:52:05.088Z
Learning: In the vendoring process, a TTY can exist without being interactive. If the process does not prompt the user, we should not require interactive mode to display the TUI. The `CheckTTYSupport` function should check TTY support on stdout rather than stdin.

internal/exec/vendor_utils.go (3)

Learnt from: osterman
PR: cloudposse/atmos#768
File: internal/exec/vendor_utils.go:496-513
Timestamp: 2024-11-22T12:38:33.132Z
Learning: In the Atmos project, continue to flag path traversal issues in code reviews but acknowledge when they are expected and acceptable in specific cases.

Learnt from: osterman
PR: cloudposse/atmos#768
File: internal/exec/vendor_utils.go:496-513
Timestamp: 2024-11-19T14:50:16.194Z
Learning: In the Atmos project, path traversal is acceptable due to its role in automation. Do not flag path traversal as an issue in code reviews.

Learnt from: osterman
PR: cloudposse/atmos#768
File: internal/exec/vendor_utils.go:0-0
Timestamp: 2024-11-12T05:52:05.088Z
Learning: When TTY is not supported, log the downgrade message at the Warn level using `u.LogWarning(cliConfig, ...)` instead of `fmt.Println`.

🪛 golangci-lint (1.62.2)

internal/exec/vendor_component_utils.go

314-314: ineffectual assignment to pType

(ineffassign)

🔇 Additional comments (2)

internal/exec/vendor_model_component.go (1)

129-140: 🛠️ Refactor suggestion

Add timeout context for component downloads.

The component installation uses context.Background() without a timeout, which could lead to hanging operations.

Apply this improvement:

 client := &getter.Client{
-    Ctx: context.Background(),
+    Ctx: func() context.Context {
+        ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
+        // Store cancel in struct for cleanup
+        return ctx
+    }(),
     Dst: tempDir,
     Src: p.uri,
     Mode: getter.ClientModeAny,
 }

Likely invalid or redundant comment.

internal/exec/vendor_utils.go (1)

75-84: LGTM! Well-implemented default behavior for the --everything flag.

The logic correctly defaults to everything = true when no specific flags are set, providing a good user experience.

[mergify]

Important

Cloud Posse Engineering Team Review Required

This pull request modifies files that require Cloud Posse's review. Please be patient, and a core maintainer will review your changes.

To expedite this process, reach out to us on Slack in the #pr-reviews channel.

[aknysh]

@aknysh i updated the tests to check for this and they passed.

https://github.com/cloudposse/atmos/actions/runs/12364998225/job/34509262900?pr=768

It works if we do

cd examples/tests
atmos vendor pull

but if we use the atmos.yaml from the root of the repo, and set

base_path: "./examples/tests"

and execute atmos vendor pull from the root of the repo, it fails to download the mixins from the local paths.

The issue is prob that the code just uses vendor.base_path, but does not respect the base_path: "./examples/tests".

It should do the following:

• Check if vendor.base_path is an absolute path and use it
• If it's a relative path, it should be relative to the base_path (./examples/tests in this case). We need to join base_path with vendor.base_path`, and use it to load the vendor.yaml file

We'll release this as is, but @haitham911 please take a look at this and try to fix it so it woks from any folder (given that the base_path and vendor.base_path` are configured correctly. The fix can be in a separate PR (since it's not blocking)

cc: @osterman

[github-actions]

These changes were released in v1.130.0.

[jamengual]

looks like this broke the parsing:

Run cd atmos/
Vendoring from 'vendor.yaml'
unsupported URI scheme: git::https
Error: Process completed with exit code 1.

when

sources:
      - source: 'git::https://x-access-token:{{env "GITHUB_TOKEN"}}@github.com......