Merge remote-tracking branch 'origin/main' into release-fork

.circleci/config.yml

@@ -2,14 +2,14 @@ version: 2
 jobs:
   e2e:
     docker:
-    - image: cimg/go:1.21 # If you update this, update it in the Makefile too
+    - image: cimg/go:1.22 # If you update this, update it in the Makefile too
       environment:
         # This version of TF will be downloaded before Atlantis is started.
         # We do this instead of setting --default-tf-version because setting
         # that flag starts the download asynchronously so we'd have a race
         # condition.
         # renovate: datasource=github-releases depName=hashicorp/terraform versioning=hashicorp
-        TERRAFORM_VERSION: 1.5.7
+        TERRAFORM_VERSION: 1.7.3
     steps:
     - checkout
     - run: make build-service

.github/cherry-pick-bot.yml

@@ -0,0 +1,2 @@
+enabled: true
+preservePullRequestTitle: true

.github/labeler.yml

@@ -1,35 +1,45 @@
 build:
-  - 'Dockerfile*'
+- changed-files:
+  - any-glob-to-any-file: 'Dockerfile*'
 
 dependencies:
-  - 'yarn.lock'
-  - 'go.*'
+- changed-files:
+  - any-glob-to-any-file: 'yarn.lock'
+  - any-glob-to-any-file: 'go.*'
 
 docs:
-  - 'runatlantis.io/**/*.md'
-  - 'README.md'
+- changed-files:
+  - any-glob-to-any-file: 'runatlantis.io/**/*.md'
+  - any-glob-to-any-file: 'README.md'
 
 github-actions:
-  - '.github/**'
+- changed-files:
+  - any-glob-to-any-file: '.github/**'
 
 go:
-  - '**/*.go'
+- changed-files:
+  - any-glob-to-any-file: '**/*.go'
 
 provider/azuredevops:
-  - 'server/**/*azuredevops*.go'
+- changed-files:
+  - any-glob-to-any-file: 'server/**/*azuredevops*.go'
 
 provider/bitbucket:
-  - 'server/**/*bitbucket*.go'
-  - 'server/events/vcs/bitbucketcloud/*.go'
-  - 'server/events/vcs/bitbucketserver/*.go'
+- changed-files:
+  - any-glob-to-any-file: 'server/**/*bitbucket*.go'
+  - any-glob-to-any-file: 'server/events/vcs/bitbucketcloud/*.go'
+  - any-glob-to-any-file: 'server/events/vcs/bitbucketserver/*.go'
 
 provider/github:
-  - 'server/**/*github*.go'
+- changed-files:
+  - any-glob-to-any-file: 'server/**/*github*.go'
 
 provider/gitlab:
-  - 'server/**/*gitlab*.go'
+- changed-files:
+  - any-glob-to-any-file: 'server/**/*gitlab*.go'
 
 website:
-  - 'runatlantis.io/.vuepress/**/*'
-  - 'package.json'
-  - 'yarn.lock'
+- changed-files:
+  - any-glob-to-any-file: 'runatlantis.io/.vuepress/**/*'
+  - any-glob-to-any-file: 'package.json'
+  - any-glob-to-any-file: 'pnpm-lock.yaml'

.github/renovate.json5

@@ -6,12 +6,13 @@
   commitMessageSuffix: " in {{packageFile}}",
   dependencyDashboardAutoclose: true,
   automerge: true,
+  baseBranches: ["main", "/^release\-.*/"],
   platformAutomerge: true,
   labels: ["dependencies"],
   postUpdateOptions: [
     "gomodTidy",
     "gomodUpdateImportPaths",
-    "yarnDedupeHighest",
+    "pnpmDedupe",
   ],
   // needed so e2e tests do not stomp over each other
   prHourlyLimit: 1,

.github/workflows/atlantis-image.yml

@@ -4,24 +4,43 @@ on:
   push:
     branches:
       - 'main'
+      - 'release-**'
     tags:
       - v*.*.* # stable release like, v0.19.2
       - v*.*.*-pre.* # pre release like, v0.19.0-pre.calendardate
   pull_request:
-    paths:
-      - 'Dockerfile'
-      - 'docker-entrypoint.sh'
-      - '.github/workflows/atlantis-image.yml'
-      - '**.go'
-      - 'go.*'
+    branches:
+      - 'main'
+      - 'release-**'
   workflow_dispatch:
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
 jobs:
+  changes:
+    outputs:
+      should-run-build: ${{ steps.changes.outputs.src == 'true' || startsWith(github.ref, 'refs/tags/') }}
+    if: github.event.pull_request.draft == false
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dorny/paths-filter@v3
+        id: changes
+        with:
+          filters: |
+            src:
+              - 'Dockerfile'
+              - 'docker-entrypoint.sh'
+              - '.github/workflows/atlantis-image.yml'
+              - '**.go'
+              - 'go.*'
+
   build:
+    needs: [changes]
+    if: needs.changes.outputs.should-run-build == 'true'
+    name: Build Image
     strategy:
       matrix:
         image_type: [alpine, debian]
@@ -123,3 +142,14 @@ jobs:
         target: ${{ matrix.image_type }}
         labels: ${{ steps.meta.outputs.labels }}
         outputs: type=image,name=target,annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }}
+
+  skip-build:
+    needs: [changes]
+    if: needs.changes.outputs.should-run-build == 'false'
+    name: Build Image
+    strategy:
+      matrix:
+        image_type: [alpine, debian]
+    runs-on: ubuntu-22.04
+    steps:
+      - run: 'echo "No build required"'

.github/workflows/codeql.yml

@@ -13,30 +13,44 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [ "main" ]
-    paths:
-      - '**.go'
-      - '**.js'
+    branches:
+      - 'main'
+      - 'release-**'
   pull_request:
     # The branches below must be a subset of the branches above
     types:
       - opened
       - reopened
       - synchronize
       - ready_for_review
-    branches: [ "main" ]
-    paths:
-      - '**.go'
-      - '**.js'
+    branches:
+      - 'main'
+      - 'release-**'
 
   schedule:
     - cron: '17 9 * * 5'
 
 jobs:
+  changes:
+    outputs:
+      should-run-analyze: ${{ steps.changes.outputs.src == 'true' }}
+    if: github.event.pull_request.draft == false
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dorny/paths-filter@v3
+        id: changes
+        with:
+          filters: |
+            src:
+              - '**.go'
+              - '**.js4'
+
   analyze:
+    needs: [changes]
     name: Analyze
-    if: github.event.pull_request.draft == false
-    runs-on: ubuntu-latest
+    if: github.event.pull_request.draft == false && needs.changes.outputs.should-run-analyze == 'true'
+    runs-on: ubuntu-22.04
     permissions:
       actions: read
       contents: read
@@ -57,7 +71,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -71,7 +85,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@v3
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -84,6 +98,17 @@ jobs:
     #   ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3
       with:
         category: "/language:${{matrix.language}}"
+
+  skip-analyze:
+    needs: [changes]
+    if: needs.changes.outputs.should-run-analyze == 'false'
+    name: Analyze
+    strategy:
+      matrix:
+        language: [ 'go', 'javascript' ]
+    runs-on: ubuntu-22.04
+    steps:
+      - run: 'echo "No build required"'  

.github/workflows/labeler.yml

@@ -16,7 +16,4 @@ jobs:
     if: github.event.pull_request.draft == false
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/labeler@v4
-        with:
-          repo-token: "${{ secrets.GITHUB_TOKEN }}"
-          configuration-path: .github/labeler.yml
+      - uses: actions/labeler@v5