Merge branch 'main' into lock-repo-on-apply

.circleci/config.yml

@@ -9,7 +9,7 @@ jobs:
         # that flag starts the download asynchronously so we'd have a race
         # condition.
         # renovate: datasource=github-releases depName=hashicorp/terraform versioning=hashicorp
-        TERRAFORM_VERSION: 1.6.3
+        TERRAFORM_VERSION: 1.6.5
     steps:
     - checkout
     - run: make build-service

.github/labeler.yml

@@ -1,35 +1,45 @@
 build:
-  - 'Dockerfile*'
+- changed-files:
+  - any-glob-to-any-file: 'Dockerfile*'
 
 dependencies:
-  - 'yarn.lock'
-  - 'go.*'
+- changed-files:
+  - any-glob-to-any-file: 'yarn.lock'
+  - any-glob-to-any-file: 'go.*'
 
 docs:
-  - 'runatlantis.io/**/*.md'
-  - 'README.md'
+- changed-files:
+  - any-glob-to-any-file: 'runatlantis.io/**/*.md'
+  - any-glob-to-any-file: 'README.md'
 
 github-actions:
-  - '.github/**'
+- changed-files:
+  - any-glob-to-any-file: '.github/**'
 
 go:
-  - '**/*.go'
+- changed-files:
+  - any-glob-to-any-file: '**/*.go'
 
 provider/azuredevops:
-  - 'server/**/*azuredevops*.go'
+- changed-files:
+  - any-glob-to-any-file: 'server/**/*azuredevops*.go'
 
 provider/bitbucket:
-  - 'server/**/*bitbucket*.go'
-  - 'server/events/vcs/bitbucketcloud/*.go'
-  - 'server/events/vcs/bitbucketserver/*.go'
+- changed-files:
+  - any-glob-to-any-file: 'server/**/*bitbucket*.go'
+  - any-glob-to-any-file: 'server/events/vcs/bitbucketcloud/*.go'
+  - any-glob-to-any-file: 'server/events/vcs/bitbucketserver/*.go'
 
 provider/github:
-  - 'server/**/*github*.go'
+- changed-files:
+  - any-glob-to-any-file: 'server/**/*github*.go'
 
 provider/gitlab:
-  - 'server/**/*gitlab*.go'
+- changed-files:
+  - any-glob-to-any-file: 'server/**/*gitlab*.go'
 
 website:
-  - 'runatlantis.io/.vuepress/**/*'
-  - 'package.json'
-  - 'yarn.lock'
+- changed-files:
+  - any-glob-to-any-file: 'runatlantis.io/.vuepress/**/*'
+  - any-glob-to-any-file: 'package.json'
+  - any-glob-to-any-file: 'yarn.lock'

.github/workflows/atlantis-image.yml

@@ -21,7 +21,7 @@ concurrency:
 jobs:
   changes:
     outputs:
-      should-run-build: ${{ steps.changes.outputs.src == 'true' }}
+      should-run-build: ${{ steps.changes.outputs.src == 'true' || startsWith(github.ref, 'refs/tags/') }}
     if: github.event.pull_request.draft == false
     runs-on: ubuntu-22.04
     steps:
@@ -152,4 +152,4 @@ jobs:
         image_type: [alpine, debian]
     runs-on: ubuntu-22.04
     steps:
-      - run: 'echo "No build required"'
+      - run: 'echo "No build required"'

.github/workflows/labeler.yml

@@ -16,7 +16,4 @@ jobs:
     if: github.event.pull_request.draft == false
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/labeler@v4
-        with:
-          repo-token: "${{ secrets.GITHUB_TOKEN }}"
-          configuration-path: .github/labeler.yml
+      - uses: actions/labeler@v5

.github/workflows/release.yml

@@ -17,7 +17,7 @@ jobs:
         submodules: true
 
     - name: Set up Go
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@v5
       with:
         go-version-file: go.mod
 

.github/workflows/stale.yml

@@ -6,7 +6,7 @@ jobs:
   stale:
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/stale@v8
+      - uses: actions/stale@v9
         with:
           stale-pr-message: 'This issue is stale because it has been open for 1 month with no activity. Remove stale label or comment or this will be closed in 1 month.'
           stale-issue-message: This issue is stale because it has been open for 1 month with no activity. Remove stale label or comment or this will be closed in 1 month.'

.github/workflows/website.yml

@@ -14,7 +14,7 @@ on:
     branches:
       - 'main'
       - 'release-**'
- 
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
@@ -55,16 +55,18 @@ jobs:
       - name: run http-server
         env:
           # renovate: datasource=github-releases depName=raviqqe/muffet
-          MUFFET_VERSION: 2.6.3
+          MUFFET_VERSION: 2.9.3
         run: |
           npm install -g yarn
-          # http-server is used to serve the website locally as muffet checks it.
-          yarn global add http-server
+
           # install raviqqe/muffet to check for broken links.
-          curl -L https://github.com/raviqqe/muffet/releases/download/v${MUFFET_VERSION}/muffet_${MUFFET_VERSION}_Linux_x86_64.tar.gz | tar -xz
-          yarn install
-          yarn website:build
-          http-server runatlantis.io/.vuepress/dist &
+          curl -Ls https://github.com/raviqqe/muffet/releases/download/v${MUFFET_VERSION}/muffet_linux_amd64.tar.gz | tar -xz
+
+          # build the site
+          yarn && yarn website:build
+
+          # run http-server for muffet to check the links
+          npx http-server runatlantis.io/.vuepress/dist &
 
       - name: wait until server listened
         run: curl --retry-delay 1 --retry 30 --retry-all-error http://localhost:8080
@@ -86,4 +88,4 @@ jobs:
     name: Website Link Check
     runs-on: ubuntu-latest
     steps:
-      - run: 'echo "No build required"' 
+      - run: 'echo "No build required"'

.golangci.yml

@@ -7,22 +7,26 @@ linters-settings:
     ignore-words:
       # for gitlab notes api
       - noteable
+  revive:
+    rules:
+      - name: dot-imports
+        disabled: true
 
 linters:
   enable:
-  - errcheck
-  - gochecknoinits
-  - gofmt
-  - gosec
-  - gosimple
-  - ineffassign
-  - misspell
-  - revive
-  - staticcheck
-  - typecheck
-  - unconvert
-  - unused
-  - vet
-  - vetshadow
+    - errcheck
+    - gochecknoinits
+    - gofmt
+    - gosec
+    - gosimple
+    - ineffassign
+    - misspell
+    - revive
+    - staticcheck
+    - typecheck
+    - unconvert
+    - unused
+    - vet
+    - vetshadow
 run:
   timeout: 10m

.node-version

@@ -1 +1 @@
-20.9.0
+20.10.0

Dockerfile

@@ -1,14 +1,14 @@
 # syntax=docker/dockerfile:1
 # what distro is the image being built for
-ARG ALPINE_TAG=3.18.4
+ARG ALPINE_TAG=3.19.0
 ARG DEBIAN_TAG=12.2-slim
 
 ARG DEFAULT_TERRAFORM_VERSION=1.6.3
 ARG DEFAULT_CONFTEST_VERSION=0.46.0
 
 # Stage 1: build artifact and download deps
 
-FROM golang:1.21.4-alpine AS builder
+FROM golang:1.21.5-alpine AS builder
 
 ARG ATLANTIS_VERSION=dev
 ENV ATLANTIS_VERSION=${ATLANTIS_VERSION}
@@ -53,7 +53,6 @@ RUN apt-get update && \
         git \
         unzip \
         openssh-server \
-        libcap2 \
         dumb-init \
         gnupg \
         openssl && \
@@ -159,14 +158,13 @@ COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
 # We place this last as it will bust less docker layer caches when packages update
 RUN apk add --no-cache \
         ca-certificates~=20230506 \
-        curl~=8.4 \
-        git~=2.40 \
-        unzip~=6.0 \
-        bash~=5.2 \
-        openssh~=9.3_p2 \
-        libcap~=2.69 \
-        dumb-init~=1.2 \
-        gcompat~=1.1
+        curl~=8 \
+        git~=2 \
+        unzip~=6 \
+        bash~=5 \
+        openssh~=9 \
+        dumb-init~=1 \
+        gcompat~=1
 
 
 # Set the entry point to the atlantis user and run the atlantis command

cmd/server.go

@@ -28,7 +28,6 @@ import (
 
 	"github.com/runatlantis/atlantis/server"
 	"github.com/runatlantis/atlantis/server/core/config/valid"
-	"github.com/runatlantis/atlantis/server/events/command"
 	"github.com/runatlantis/atlantis/server/events/vcs/bitbucketcloud"
 	"github.com/runatlantis/atlantis/server/logging"
 )
@@ -52,8 +51,8 @@ const (
 	ADHostnameFlag                   = "azuredevops-hostname"
 	AllowCommandsFlag                = "allow-commands"
 	AllowForkPRsFlag                 = "allow-fork-prs"
-	AllowRepoConfigFlag              = "allow-repo-config"
 	AtlantisURLFlag                  = "atlantis-url"
+	AutoDiscoverModeFlag             = "autodiscover-mode"
 	AutomergeFlag                    = "automerge"
 	ParallelPlanFlag                 = "parallel-plan"
 	ParallelApplyFlag                = "parallel-apply"
@@ -70,7 +69,6 @@ const (
 	DataDirFlag                      = "data-dir"
 	DefaultTFVersionFlag             = "default-tf-version"
 	DisableApplyAllFlag              = "disable-apply-all"
-	DisableApplyFlag                 = "disable-apply"
 	DisableAutoplanFlag              = "disable-autoplan"
 	DisableAutoplanLabelFlag         = "disable-autoplan-label"
 	DisableMarkdownFoldingFlag       = "disable-markdown-folding"
@@ -148,6 +146,7 @@ const (
 	DefaultADBasicUser                  = ""
 	DefaultADBasicPassword              = ""
 	DefaultADHostname                   = "dev.azure.com"
+	DefaultAutoDiscoverMode             = "auto"
 	DefaultAutoplanFileList             = "**/*.tf,**/*.tfvars,**/*.tfvars.json,**/terragrunt.hcl,**/.terraform.lock.hcl"
 	DefaultAllowCommands                = "version,plan,apply,unlock,approve_policies"
 	DefaultCheckoutStrategy             = CheckoutStrategyBranch
@@ -207,6 +206,12 @@ var stringFlags = map[string]stringFlag{
 	AtlantisURLFlag: {
 		description: "URL that Atlantis can be reached at. Defaults to http://$(hostname):$port where $port is from --" + PortFlag + ". Supports a base path ex. https://example.com/basepath.",
 	},
+	AutoDiscoverModeFlag: {
+		description: "Auto discover mode controls whether projects in a repo are discovered by Atlantis. Defaults to 'auto' which " +
+			"means projects will be discovered when no explicit projects are defined in repo config. Also supports 'enabled' (always " +
+			"discover projects) and 'disabled' (never discover projects).",
+		defaultValue: DefaultAutoDiscoverMode,
+	},
 	AutoplanModulesFromProjects: {
 		description: "Comma separated list of file patterns to select projects Atlantis will index for module dependencies." +
 			" Indexed projects will automatically be planned if a module they depend on is modified." +
@@ -416,13 +421,6 @@ var boolFlags = map[string]boolFlag{
 		description:  "Allow Atlantis to run on pull requests from forks. A security issue for public repos.",
 		defaultValue: false,
 	},
-	AllowRepoConfigFlag: {
-		description: "Allow repositories to use atlantis.yaml files to customize the commands Atlantis runs." +
-			" Should only be enabled in a trusted environment since it enables a pull request to run arbitrary commands" +
-			" on the Atlantis server.",
-		defaultValue: false,
-		hidden:       true,
-	},
 	AutoplanModules: {
 		description:  "Automatically plan projects that have a changed module from the local repository.",
 		defaultValue: false,
@@ -435,10 +433,6 @@ var boolFlags = map[string]boolFlag{
 		description:  "Disable \"atlantis apply\" command without any flags (i.e. apply all). A specific project/workspace/directory has to be specified for applies.",
 		defaultValue: false,
 	},
-	DisableApplyFlag: {
-		description:  "Disable all \"atlantis apply\" command regardless of which flags are passed with it.",
-		defaultValue: false,
-	},
 	DisableAutoplanFlag: {
 		description:  "Disable atlantis auto planning feature",
 		defaultValue: false,
@@ -871,6 +865,9 @@ func (s *ServerCmd) setDefaults(c *server.UserConfig) {
 	if c.WebPassword == "" {
 		c.WebPassword = DefaultWebPassword
 	}
+	if c.AutoDiscoverModeFlag == "" {
+		c.AutoDiscoverModeFlag = DefaultAutoDiscoverMode
+	}
 }
 
 func (s *ServerCmd) validate(userConfig server.UserConfig) error {
@@ -1073,16 +1070,6 @@ func (s *ServerCmd) deprecationWarnings(userConfig *server.UserConfig) error {
 		deprecatedFlags = append(deprecatedFlags, RequireMergeableFlag)
 		commandReqs = append(commandReqs, valid.MergeableCommandReq)
 	}
-	if userConfig.DisableApply {
-		deprecatedFlags = append(deprecatedFlags, DisableApplyFlag)
-		var filtered []string
-		for _, allowCommand := range strings.Split(userConfig.AllowCommands, ",") {
-			if allowCommand != command.Apply.String() {
-				filtered = append(filtered, allowCommand)
-			}
-		}
-		userConfig.AllowCommands = strings.Join(filtered, ",")
-	}
 
 	// Build up strings with what the recommended yaml and json config should
 	// be instead of using the deprecated flags.
@@ -1096,11 +1083,6 @@ func (s *ServerCmd) deprecationWarnings(userConfig *server.UserConfig) error {
 		jsonCfg += fmt.Sprintf(`, "apply_requirements":["%s"]`, strings.Join(commandReqs, "\", \""))
 		jsonCfg += fmt.Sprintf(`, "import_requirements":["%s"]`, strings.Join(commandReqs, "\", \""))
 	}
-	if userConfig.AllowRepoConfig {
-		deprecatedFlags = append(deprecatedFlags, AllowRepoConfigFlag)
-		yamlCfg += "\n  allowed_overrides: [plan_requirements, apply_requirements, import_requirements, workflow, policy_check]\n  allow_custom_workflows: true"
-		jsonCfg += `, "allowed_overrides":["plan_requirements","apply_requirements","import_requirements","workflow", "policy_check"], "allow_custom_workflows":true`
-	}
 	jsonCfg += "}]}"
 
 	if len(deprecatedFlags) > 0 {