
Fix vendor authentication: token injection bugs, credential precedence, and YAML templating #1647

Merged
aknysh merged 45 commits into main from osterman/vendor-yaml-template-bug
Nov 5, 2025

@osterman osterman commented Oct 17, 2025

what

This PR fixes multiple critical issues in the Git vendoring and authentication system:

Token Injection Infrastructure Fixes (New)

  1. inject_*_token settings completely ignored: The Detect() method logged InjectGithubToken but never checked it before calling injectToken(), making the setting useless
  2. Missing defaults for Bitbucket/GitLab: Only GitHub had inject_github_token: true as default; Bitbucket and GitLab defaulted to false, breaking authentication
  3. Poor code testability: Monolithic Detect() method with nested conditionals made it difficult to test and maintain
  4. Extracted pure helper functions: Added shouldInjectTokenForHost(), isSupportedHost(), and needsTokenInjection() for better testability
  5. Comprehensive test coverage: Added 60+ test cases covering all token injection scenarios

Original Vendor.yaml Fixes

  1. Token fallback regression: Fixed CustomGitDetector to properly fall back to GITHUB_TOKEN when ATMOS_GITHUB_TOKEN is not set
  2. User credential precedence: Ensured user-provided credentials in URLs always take precedence over automatic token injection
  3. OCI authentication: Fixed OCI registry authentication to respect Docker credentials before falling back to environment tokens
  4. Credential masking: Changed credential masking from "xxx" to "***" for clarity and professional appearance
  5. YAML parser upgrade documentation: Documented breaking changes in nested quote handling due to YAML parser v3 upgrade

GHCR Authentication Breaking Change

  1. GitHub username required for GHCR: GHCR authentication now requires both github_username and a token (ATMOS_GITHUB_TOKEN/GITHUB_TOKEN). This fixes authentication failures where token-as-username was incorrectly assumed to work.
  2. Username environment variable binding: Added support for ATMOS_GITHUB_USERNAME, GITHUB_ACTOR, and GITHUB_USERNAME environment variables with proper precedence
  3. GitHub Actions compatibility: GITHUB_ACTOR is automatically used when running in GitHub Actions CI

Test Coverage Improvements

  1. GHCR authentication tests: Added 380 lines of comprehensive tests achieving 100% coverage for getGHCRAuth() (previously 0%)
    • 8 test functions with 36+ test cases
    • Tests cover token precedence, username requirements, whitespace handling, special characters, auth source formatting, and consistency
    • Discovered and fixed whitespace handling bug during testing
  2. Config loading tests: Added 211 lines of tests for github_username environment variable precedence
    • 5 test functions with 20+ test cases
    • Verifies ATMOS_GITHUB_USERNAME > GITHUB_ACTOR > GITHUB_USERNAME precedence order
    • Tests GitHub Actions compatibility and override behavior
    • All tests use t.Setenv() for automatic cleanup per lintroller rules

why

Token Injection Infrastructure Issues (New)

Settings Ignored Bug:
The code would inject tokens regardless of the inject_github_token setting. Users couldn't disable token injection even if they wanted to use alternative authentication methods. This was a critical oversight where the setting existed but was never actually checked.

Missing Defaults Bug:
Bitbucket and GitLab token injection defaulted to false (bool zero value), causing authentication failures for users with private repositories on these platforms. Only GitHub worked out-of-the-box, creating an inconsistent user experience.

Testability Issues:
The Detect() method had high cognitive complexity with mixed concerns (URL parsing, host validation, token injection, query manipulation). This made it difficult to test edge cases in isolation, leading to bugs slipping through code review.

Original Vendor.yaml Issues

Token Fallback Issue:
Users running Atmos v1.194.1+ experienced fatal: could not read Username for 'https://github.com': No such device or address errors when vendoring from private repositories, even with GITHUB_TOKEN set. The resolveToken logic only checked ATMOS_GITHUB_TOKEN when inject_github_token was true (default), never falling back to GITHUB_TOKEN.

User Credential Precedence Issue:
When users explicitly provided credentials in their vendor.yaml URLs (e.g., https://user:token@github.com/repo), Atmos would still inject tokens, potentially overwriting user credentials or causing authentication conflicts.

OCI Authentication Issue:
OCI registry authentication wasn't respecting Docker credentials stored in ~/.docker/config.json, causing unnecessary authentication failures when valid credentials were available.

Credential Masking Issue:
The masking used "xxx" which has unfortunate associations. Changed to use "REDACTED" internally with post-processing to "***" for output, avoiding URL encoding issues while maintaining traditional credential masking appearance.

GHCR Authentication Breaking Change

Username Requirement:
GHCR (GitHub Container Registry at ghcr.io) requires both username and password for authentication. The previous implementation incorrectly assumed token-as-username would work, causing authentication failures. This breaking change ensures proper GHCR authentication by requiring users to configure github_username via environment variables (ATMOS_GITHUB_USERNAME, GITHUB_ACTOR, or GITHUB_USERNAME) or the atmos.yaml settings.

GitHub Actions Compatibility:
In GitHub Actions, the GITHUB_ACTOR environment variable is automatically set. The new implementation automatically picks this up, making GHCR authentication work out-of-the-box in CI without additional configuration.

Test Coverage Rationale

Critical Gap Addressed:
The GHCR authentication changes represented a breaking change with 0% test coverage. This created significant risk for users relying on GHCR for OCI vendoring. The new comprehensive test suite:

  • Validates all authentication paths and edge cases
  • Discovered and fixed a whitespace handling bug before it reached users
  • Ensures the breaking change works correctly across all environments
  • Provides confidence for future maintenance and refactoring

references

Summary by CodeRabbit

  • New Features

    • Token-injection toggles for GitLab and Bitbucket; GitHub username setting exposed for registry auth.
  • Improvements

    • Unified credential precedence for Git/OCI (user creds → env tokens → Docker/registry creds → anonymous).
    • Host-aware token injection that preserves user-specified credentials and stronger log redaction of secrets.
  • Documentation

    • Expanded docs on credential precedence, token-injection settings, template evaluation, and YAML quoting.
  • Tests

    • Extensive unit and end-to-end tests and fixtures covering token injection, template parsing, GHCR auth, and masking.

@osterman osterman requested a review from a team as a code owner October 17, 2025 03:52
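
The credential precedence and host-gated injection described in the PR description above, as an added Go example that is not the Atmos code. It assumes plain `https://` URLs; the type and function names, the GitLab and Bitbucket variable names (filled in from the `ATMOS_*_TOKEN` / `*_TOKEN` pattern), the `oauth2` username, the https-only check and the `https://***@host` masked form are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Settings holds the three inject_*_token toggles named in the PR.
type Settings struct {
	InjectGithubToken, InjectGitlabToken, InjectBitbucketToken bool
}

// provider describes one supported host. Env names follow the ATMOS_*_TOKEN /
// *_TOKEN pattern from the PR; the GitLab username "oauth2" is an assumption.
type provider struct {
	atmosEnv, fallbackEnv, username string
	enabled                         func(Settings) bool
}

var providers = map[string]provider{
	"github.com": {"ATMOS_GITHUB_TOKEN", "GITHUB_TOKEN", "x-access-token",
		func(s Settings) bool { return s.InjectGithubToken }},
	"gitlab.com": {"ATMOS_GITLAB_TOKEN", "GITLAB_TOKEN", "oauth2",
		func(s Settings) bool { return s.InjectGitlabToken }},
	"bitbucket.org": {"ATMOS_BITBUCKET_TOKEN", "BITBUCKET_TOKEN", "x-token-auth",
		func(s Settings) bool { return s.InjectBitbucketToken }},
}

// Decision is what a caller needs: the URL to fetch, a log-safe copy, and why.
type Decision struct {
	URL, Masked, Reason string
}

// Decide applies the precedence: URL credentials, then env token, then anonymous.
func Decide(raw string, s Settings, getenv func(string) string) (Decision, error) {
	u, err := url.Parse(raw)
	if err != nil {
		// url.Parse errors quote the raw input, credentials included, so the
		// original error is deliberately not wrapped.
		return Decision{}, errors.New("source URL is not parseable")
	}
	reason := inject(u, s, getenv)
	return Decision{URL: u.String(), Masked: Mask(u), Reason: reason}, nil
}

func inject(u *url.URL, s Settings, getenv func(string) string) string {
	if u.User != nil {
		return "url-credentials" // User-supplied credentials always win.
	}
	if u.Scheme != "https" {
		return "unsupported-scheme" // Safeguard added in this example.
	}
	p, ok := providers[strings.ToLower(u.Hostname())]
	if !ok {
		return "unsupported-host" // A token is only sent to the host it belongs to.
	}
	if !p.enabled(s) {
		return "disabled-by-setting" // The toggle is checked before any injection.
	}
	token := strings.TrimSpace(getenv(p.atmosEnv))
	if token == "" {
		token = strings.TrimSpace(getenv(p.fallbackEnv))
	}
	if token == "" {
		return "anonymous"
	}
	u.User = url.UserPassword(p.username, token)
	return "injected"
}

// Mask replaces userinfo with the REDACTED placeholder and only then rewrites
// it to ***, because net/url would percent-encode a literal * in userinfo.
func Mask(u *url.URL) string {
	if u.User == nil {
		return u.String()
	}
	c := *u
	c.User = url.User("REDACTED")
	return strings.Replace(c.String(), "REDACTED", "***", 1)
}

func main() {
	// Constructed environment and URLs, for illustration only.
	env := map[string]string{"GITHUB_TOKEN": "ghp_constructed"}
	get := func(k string) string { return env[k] }
	on := Settings{true, true, true}
	for _, raw := range []string{
		"https://github.com/acme/private.git",
		"https://alice:s3cret@github.com/acme/private.git",
		"https://git.example.com/acme/private.git",
	} {
		d, err := Decide(raw, on, get)
		fmt.Println(d.Reason, d.Masked, err)
	}
}
```

Passing `Settings{}` for a `gitlab.com` URL returns `disabled-by-setting`, which is the zero-value default problem the description reports for GitLab and Bitbucket.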

coderabbitai bot commented Oct 17, 2025

📝 Walkthrough

Walkthrough

Adds host-aware automatic token injection for Git providers, GHCR OCI auth precedence, new config bindings (github_username, inject_*_token), OCI pull signature changes, extensive tests/fixtures for template/token handling, uniform URL masking, dependency bumps, and documentation updates.

Changes

| Cohort | File(s) | Summary |
|---|---|---|
| Git token injection detector | pkg/downloader/custom_git_detector.go | Add NewCustomGitDetector; extract hostname; add isSupportedHost, shouldInjectTokenForHost, needsTokenInjection; host-gated token injection preserving user credentials; resolveToken prefers ATMOS_* then provider vars; improved host-scoped logging and constants. |
| Token injection tests (unit & e2e) | pkg/downloader/token_injection_test.go, pkg/downloader/token_injection_helpers_test.go, pkg/downloader/token_injection_e2e_test.go | Add and rename tests covering ATMOS_* vs provider token precedence, user-specified credential preservation, host support, URL credential detection, and end-to-end detector behavior. |
| OCI auth & pull refactor | internal/exec/oci_utils.go, internal/exec/oci_utils_ghcr_test.go, internal/exec/oci_utils_test.go | Change processOciImageWithFS/pullImage to accept AtmosConfiguration; add auth precedence (Docker keychain → GHCR via getGHCRAuth → anonymous); implement getGHCRAuth using GithubUsername + ATMOS/GITHUB token; add tests and logging improvements. |
| Vendor template & YAML tests + fixtures | internal/exec/vendor_utils_test.go, internal/exec/vendor_template_tokens_test.go, tests/fixtures/scenarios/vendor-template-tokens/..., tests/snapshots/... | Add fixtures and tests for YAML quoting variants, gomplate getenv template processing, version substitution, manual vs native injection, error cases; update snapshots for redaction/normalization. |
| Config schema & env bindings | pkg/schema/schema.go, pkg/config/load.go, pkg/config/load_github_username_test.go | Add AtmosSettings.GithubUsername; bind github_username from ATMOS_GITHUB_USERNAME, GITHUB_ACTOR, GITHUB_USERNAME; introduce inject_gitlab_token and inject_bitbucket_token defaults and tests for resolution precedence. |
| URL masking & masking tests | pkg/downloader/url_utils.go, pkg/downloader/url_utils_test.go, tests/snapshots/* | Change masked secret flow: intermediate REDACTED, always mask userinfo, display as ***; update tests and golden snapshots to expect masked output. |
| CLI tests & snapshot normalization | tests/cli_test.go, tests/snapshots/* | Normalize external absolute paths and credential_store, clear ATMOS_CHDIR and GitHub env vars for non-vendor tests to stabilize snapshots; adjust snapshot expectations. |
| Docs: credential/token guidance | website/docs/cli/configuration/configuration.mdx, website/docs/core-concepts/vendor/url-syntax.mdx, website/docs/core-concepts/vendor/vendor-manifest.mdx | Document new inject_*_token flags, env precedence (ATMOS_* then provider), credential precedence (URL creds > auto injection > anonymous), quoting/template guidance, GHCR username notes and examples. |
| Misc tests & helpers | internal/exec/oci_utils_test.go, internal/exec/vendor_utils_test.go, pkg/config/load_github_username_test.go | Add mocks and tests for OCI layer digest failures, YAML/template parsing edge cases, GHCR auth precedence, and GitHub username env-resolution. |
| Go module & NOTICE | go.mod, NOTICE | Bump AWS SDK / smithy-go related dependencies (patch upgrades) and update license URLs. |

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant Vendor as VendorProcessor
    participant Detector as CustomGitDetector
    participant Auth as TokenResolver
    participant Env as Environment
    participant URL as URLBuilder

    Vendor->>Detector: Detect(sourceURL, atmosConfig)
    Detector->>URL: parse URL -> host, userinfo
    alt url has credentials
        URL-->>Detector: credentials present → skip injection
    else
        Detector->>Auth: isSupportedHost(host)?
        Auth-->>Detector: supported/unsupported
        alt supported
            Detector->>Auth: shouldInjectTokenForHost(host, settings)?
            Auth->>Env: read ATMOS_* token
            alt ATMOS_* present
                Env-->>Auth: return ATMOS token
            else
                Auth->>Env: read PROVIDER token (GITHUB/GITLAB/BITBUCKET)
                Env-->>Auth: return token or nil
            end
            Auth-->>Detector: token (or nil)
            alt token present and enabled
                Detector->>URL: inject token into URL
            else
                Detector->>URL: leave URL unauthenticated
            end
        end
    end
    URL-->>Detector: final URL (masked for logs)
    Detector-->>Vendor: return detected source + metadata

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45–60 minutes

Focus review on:

  • pkg/downloader/custom_git_detector.go — token resolution, per-host gating, credential-preservation, and logging.
  • internal/exec/oci_utils.go — pullImage/getGHCRAuth changes and Docker keychain + GHCR precedence.
  • Template/YAML processing tests and ProcessTmpl interactions (quoting edge cases).
  • pkg/config/load.go & pkg/schema/schema.go — env binding precedence and default inject flags.
  • tests/cli_test.go & snapshot updates — normalization and environment hygiene.

Possibly related PRs

Suggested reviewers

  • aknysh
  • osterman
  • kevcube

Pre-merge checks and finishing touches

✅ Passed checks (2 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main changes: fixing vendor authentication via token injection bugs, credential precedence, and YAML templating—the core objectives of this PR. |

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between d520c7e and 82e1a59.

📒 Files selected for processing (1)
  • NOTICE (2 hunks)
🧰 Additional context used
🧠 Learnings (5)
📓 Common learnings
Learnt from: aknysh
Repo: cloudposse/atmos PR: 944
File: go.mod:206-206
Timestamp: 2025-01-17T00:18:57.769Z
Learning: For indirect dependencies with license compliance issues in the cloudposse/atmos repository, the team prefers to handle them in follow-up PRs rather than blocking the current changes, as these issues often require deeper investigation of the dependency tree.
Learnt from: Listener430
Repo: cloudposse/atmos PR: 934
File: tests/fixtures/scenarios/docs-generate/README.md.gotmpl:99-118
Timestamp: 2025-01-25T03:51:57.689Z
Learning: For the cloudposse/atmos repository, changes to template contents should be handled in dedicated PRs and are typically considered out of scope for PRs focused on other objectives.
Learnt from: Listener430
Repo: cloudposse/atmos PR: 1149
File: internal/exec/go_getter_utils.go:263-264
Timestamp: 2025-03-25T12:24:36.177Z
Learning: Tests for the default Bitbucket username fallback to "x-token-auth" will be added during a future refactoring phase rather than in this PR.
Learnt from: Listener430
Repo: cloudposse/atmos PR: 1149
File: internal/exec/go_getter_utils.go:104-104
Timestamp: 2025-03-25T12:23:42.649Z
Learning: Listener430 plans to add a test for verifying that token injection is skipped for unsupported hosts in a future review or refactoring iteration. This relates to the CustomGitDetector.Detect method in internal/exec/go_getter_utils.go.
Learnt from: Listener430
Repo: cloudposse/atmos PR: 1076
File: internal/exec/go_getter_utils.go:198-209
Timestamp: 2025-03-21T19:03:25.228Z
Learning: In the `exec` package of Atmos, the `injectToken` method in `CustomGitDetector` is designed to intentionally overwrite any existing credentials when injecting tokens into Git URLs. This behavior is by design.
Learnt from: Listener430
Repo: cloudposse/atmos PR: 912
File: pkg/config/config.go:91-92
Timestamp: 2025-01-09T19:53:29.847Z
Learning: In the Atmos project, the `core.inject_github_token` configuration is required to be enabled (`true`) by default to support authenticated GitHub requests and help bypass rate limits.
📚 Learning: 2025-09-23T02:30:42.362Z
Learnt from: CR
Repo: cloudposse/atmos PR: 0
File: .cursor/rules/atmos-rules.mdc:0-0
Timestamp: 2025-09-23T02:30:42.362Z
Learning: Applies to go.{mod,sum} : Keep dependencies up to date

Applied to files:

  • NOTICE
📚 Learning: 2025-11-01T20:24:29.557Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1714
File: NOTICE:0-0
Timestamp: 2025-11-01T20:24:29.557Z
Learning: In the cloudposse/atmos repository, the NOTICE file is programmatically generated and should not be manually edited. Issues with dependency license URLs in NOTICE will be resolved when upstream package metadata is corrected.

Applied to files:

  • NOTICE
📚 Learning: 2025-07-05T20:59:02.914Z
Learnt from: aknysh
Repo: cloudposse/atmos PR: 1363
File: internal/exec/template_utils.go:18-18
Timestamp: 2025-07-05T20:59:02.914Z
Learning: In the Atmos project, gomplate v4 is imported with a blank import (`_ "github.com/hairyhenderson/gomplate/v4"`) alongside v3 imports to resolve AWS SDK version conflicts. V3 uses older AWS SDK versions that conflict with newer AWS modules used by Atmos. A full migration to v4 requires extensive refactoring due to API changes and should be handled in a separate PR.

Applied to files:

  • NOTICE
📚 Learning: 2025-01-17T00:18:57.769Z
Learnt from: aknysh
Repo: cloudposse/atmos PR: 944
File: go.mod:206-206
Timestamp: 2025-01-17T00:18:57.769Z
Learning: For indirect dependencies with license compliance issues in the cloudposse/atmos repository, the team prefers to handle them in follow-up PRs rather than blocking the current changes, as these issues often require deeper investigation of the dependency tree.

Applied to files:

  • NOTICE
🪛 GitHub Actions: Dependency Review
NOTICE

[error] 1-1: NOTICE file is out of date. Run './scripts/generate-notice.sh' locally and commit the changes.

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)
  • GitHub Check: Acceptance Tests (macos)
  • GitHub Check: Acceptance Tests (windows)
  • GitHub Check: Acceptance Tests (linux)
  • GitHub Check: release / goreleaser
  • GitHub Check: Summary

@github-actions github-actions bot added the size/l Large size PR label Oct 17, 2025
coderabbitai[bot]
coderabbitai bot previously approved these changes Oct 17, 2025
@osterman osterman added the patch A minor, backward compatible change label Oct 17, 2025
codecov bot commented Oct 17, 2025

Codecov Report

❌ Patch coverage is 86.25000% with 11 lines in your changes missing coverage. Please review.
✅ Project coverage is 69.80%. Comparing base (f21e0b4) to head (82e1a59).
⚠️ Report is 1 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| internal/exec/oci_utils.go | 78.57% | 6 Missing and 3 partials ⚠️ |
| pkg/downloader/custom_git_detector.go | 93.54% | 1 Missing and 1 partial ⚠️ |
Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1647      +/-   ##
==========================================
+ Coverage   69.75%   69.80%   +0.05%     
==========================================
  Files         397      397              
  Lines       36324    36375      +51     
==========================================
+ Hits        25337    25393      +56     
+ Misses       8674     8672       -2     
+ Partials     2313     2310       -3     
| Flag | Coverage Δ |
|---|---|
| unittests | 69.80% <86.25%> (+0.05%) ⬆️ |

Flags with carried forward coverage won't be shown. Click here to find out more.

| Files with missing lines | Coverage Δ |
|---|---|
| pkg/config/load.go | 79.83% <100.00%> (+0.16%) ⬆️ |
| pkg/downloader/url_utils.go | 100.00% <100.00%> (ø) |
| pkg/schema/schema.go | 87.50% <ø> (ø) |
| pkg/downloader/custom_git_detector.go | 86.92% <93.54%> (+0.81%) ⬆️ |
| internal/exec/oci_utils.go | 71.56% <78.57%> (+6.23%) ⬆️ |

... and 4 files with indirect coverage changes

@osterman osterman added the release/feature Create release from this PR label Oct 17, 2025
@osterman osterman temporarily deployed to feature-releases October 17, 2025 04:05 — with GitHub Actions Inactive
…in vendor.yaml.

- Add test cases for correct `x-access-token:TOKEN` format vs legacy `TOKEN@` format
- Update vendor-manifest.mdx to show correct GitHub authentication format
- Clarify that while `TOKEN@github.com` works with Git, the documented format is `x-access-token:TOKEN@github.com`
- Add explicit expectedURI assertions to verify final rendered URLs
- Improve documentation structure to emphasize automatic injection over manual

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@osterman osterman temporarily deployed to feature-releases October 17, 2025 04:06 — with GitHub Actions Inactive
osterman and others added 2 commits October 16, 2025 23:09
- Note that Atmos v1.194.0+ upgraded YAML parser from v3.0.1 to v3.0.4
- Explain this stricter parser enforces YAML spec compliance more rigorously
- Clarify that nested double quotes worked in v1.193.x and below but now fail
- Provide clear migration path: use single quotes or folded scalars

This addresses the user's confusion about why syntax that worked in v1.170
now fails in v1.194.1.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
…ic token injection.

- Add check in injectToken() to skip injection if URL already has credentials
- Prevents overwriting user-specified credentials like https://user:pass@github.com/repo.git
- Add comprehensive tests for user credential precedence scenarios
- Add end-to-end tests verifying user credentials are preserved through full flow
- Document credential precedence order in url-syntax.mdx

Credential precedence order:
1. User-specified credentials in URL (highest)
2. Automatic token injection from ATMOS_*_TOKEN or *_TOKEN env vars
3. No authentication

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@osterman osterman temporarily deployed to feature-releases October 17, 2025 04:39 — with GitHub Actions Inactive
…en fallback.

- Add proper credential precedence for OCI registries:
  1. Docker credentials from ~/.docker/config.json (highest)
  2. ATMOS_GITHUB_TOKEN or GITHUB_TOKEN for ghcr.io
  3. Anonymous (fallback)
- Use authn.DefaultKeychain to respect user's docker login credentials
- Add ATMOS_GITHUB_TOKEN fallback for GitHub Container Registry
- Prevent overwriting user credentials with automatic token injection
- Document OCI authentication precedence in url-syntax.mdx
- Use atmosConfig.Settings tokens instead of os.Getenv for consistency

Previously, OCI would ignore Docker credentials and only use GITHUB_TOKEN
for ghcr.io, or anonymous for all other registries. This fixes the same
credential precedence issue that affected Git vendoring.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@github-actions

These changes were released in v1.195.0-test.0.

@osterman osterman temporarily deployed to feature-releases October 17, 2025 04:48 — with GitHub Actions Inactive
@github-actions github-actions bot added size/xl Extra large size PR and removed size/l Large size PR labels Oct 17, 2025
mergify bot commented Oct 17, 2025

Warning

This PR exceeds the recommended limit of 1,000 lines.

Large PRs are difficult to review and may be rejected due to their size.

Please verify that this PR does not address multiple issues.
Consider refactoring it into smaller, more focused PRs to facilitate a smoother review process.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
pkg/downloader/custom_git_detector.go (1)

67-70: Honor per-host injection flags (GitHub/GitLab/Bitbucket) instead of injecting unconditionally.

Token injection runs regardless of Settings.Inject* flags. Gate injection by host-specific settings.

Apply this diff:

-	// Inject token if available.
-	d.injectToken(parsedURL, host)
+	// Inject token only when enabled for this host.
+	shouldInject := false
+	switch host {
+	case hostGitHub:
+		shouldInject = d.atmosConfig.Settings.InjectGithubToken
+	case hostGitLab:
+		shouldInject = d.atmosConfig.Settings.InjectGitlabToken
+	case hostBitbucket:
+		shouldInject = d.atmosConfig.Settings.InjectBitbucketToken
+	}
+	log.Debug("Token injection setting", "host", host, "enabled", shouldInject)
+	if shouldInject {
+		d.injectToken(parsedURL, host)
+	}
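
Review bot: In the added `switch host`, the `hostGitLab` and `hostBitbucket` cases read `InjectGitlabToken` and `InjectBitbucketToken` directly, so a field that was never set (Go's bool zero value, false) turns injection off for that host as soon as this gate lands. Set defaults for all three flags where the config is loaded in the same change, and add a table-driven test per host with the flag on and off. The switch has no `default` case; leaving `shouldInject` false for an unknown host is the right fail-closed result, but a one-line comment saying so would keep a later edit from changing it. Moving the switch into a small pure function that takes the host and the settings would let it be tested without constructing a detector.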

As per coding guidelines.

internal/exec/oci_utils.go (1)

28-29: Remove unused constant.

githubTokenEnv is unused; golangci-lint will fail.

Apply this diff:

-	githubTokenEnv     = "GITHUB_TOKEN"
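
Review bot: The removed `githubTokenEnv     =` line is column-aligned, which suggests it sits in a grouped const block; after deleting it, run gofmt so the remaining entries realign, and search the package, `_test.go` files included, for any remaining reference to `githubTokenEnv` before merging.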
🧹 Nitpick comments (1)
pkg/downloader/custom_git_detector.go (1)

24-29: Missing Go doc for exported constructor.

Add a short doc comment for NewCustomGitDetector to satisfy lint.

As per coding guidelines

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between f2d01ed and a77e134.

📒 Files selected for processing (7)
  • internal/exec/oci_utils.go (3 hunks)
  • internal/exec/vendor_utils_test.go (2 hunks)
  • pkg/downloader/custom_git_detector.go (2 hunks)
  • pkg/downloader/token_injection_e2e_test.go (1 hunks)
  • pkg/downloader/token_injection_test.go (4 hunks)
  • website/docs/core-concepts/vendor/url-syntax.mdx (2 hunks)
  • website/docs/core-concepts/vendor/vendor-manifest.mdx (3 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • pkg/downloader/token_injection_test.go
🧰 Additional context used
📓 Path-based instructions (9)
pkg/**/*.go

📄 CodeRabbit inference engine (.cursor/rules/atmos-rules.mdc)

Place business logic in pkg rather than in cmd

Files:

  • pkg/downloader/custom_git_detector.go
  • pkg/downloader/token_injection_e2e_test.go
**/*.go

📄 CodeRabbit inference engine (.cursor/rules/atmos-rules.mdc)

**/*.go: All code must pass golangci-lint checks
Follow Go error handling idioms and use meaningful error messages
Wrap errors with context using fmt.Errorf("context: %w", err)
Consider custom error types for domain-specific errors
Follow standard Go coding style; run gofmt and goimports
Use snake_case for environment variables
Document complex logic with inline comments

**/*.go: All Go comments must end with periods; applies to single-line, multi-line, inline, and documentation comments (golangci-lint godot).
Group imports into three sections (stdlib, 3rd-party, Atmos), separated by blank lines; sort alphabetically within each group; preserve existing aliases.
Configuration loading must use Viper with precedence CLI → ENV → files → defaults; bind config name atmos and add path, AutomaticEnv, and ATMOS prefix.
All errors must be wrapped using static errors (defined in errors/errors.go); use errors.Join for multiple errors; fmt.Errorf with %w for context; use errors.Is for checks; never compare error strings.
Distinguish structured logging from UI output: UI prompts/status/errors to stderr; data/results to stdout; never use logging for UI.
Most text UI must go to stderr; only data/results to stdout; prefer utils.PrintfMessageToTUI for UI messages.
All new configurations must support Go templating using existing utilities and available template functions.
Prefer SDKs over external binaries for cross-platform support; use filepath/os/runtime for portability.
For non-standard execution paths, capture telemetry via telemetry.CaptureCmd or telemetry.CaptureCmdString without user data.
80% minimum coverage on new/changed lines and include unit tests for new features; add integration tests for CLI using tests/ fixtures.
Always bind environment variables with viper.BindEnv and provide ATMOS_ alternatives for every env var.
Use structured logging with levels (Fatal>Error>Warn>Debug>Trace); avoid string interpolation and ensure logging does not affect execution.
Prefer re...

Files:

  • pkg/downloader/custom_git_detector.go
  • internal/exec/vendor_utils_test.go
  • internal/exec/oci_utils.go
  • pkg/downloader/token_injection_e2e_test.go
**/!(*_test).go

📄 CodeRabbit inference engine (.cursor/rules/atmos-rules.mdc)

Document all exported functions, types, and methods with Go doc comments

Add defer perf.Track() to all public functions and critical private functions; include a blank line after the call; use package-prefixed names; pass atmosConfig when present, else nil.

Files:

  • pkg/downloader/custom_git_detector.go
  • internal/exec/oci_utils.go
website/**

📄 CodeRabbit inference engine (.cursor/rules/atmos-rules.mdc)

website/**: Update website documentation in website/ when adding features
Ensure consistency between CLI help text and website documentation
Follow the website's documentation structure and style
Keep website code in website/ and follow its architecture/style; test changes locally
Keep CLI and website documentation in sync; document new features with examples and use cases

Before committing documentation/site changes, run npm run build in website/ and fix errors, broken links, and missing images.

Files:

  • website/docs/core-concepts/vendor/url-syntax.mdx
  • website/docs/core-concepts/vendor/vendor-manifest.mdx
website/docs/**

📄 CodeRabbit inference engine (CLAUDE.md)

website/docs/**: After modifying any docs under website/docs/, build the website (npm run build) and ensure no errors.
Document user-facing template functions in the website if applicable.

Files:

  • website/docs/core-concepts/vendor/url-syntax.mdx
  • website/docs/core-concepts/vendor/vendor-manifest.mdx
**/*_test.go

📄 CodeRabbit inference engine (.cursor/rules/atmos-rules.mdc)

**/*_test.go: Every new feature must include comprehensive unit tests
Test both happy paths and error conditions
Use table-driven tests for multiple scenarios

**/*_test.go: Use table-driven unit tests for pure functions and focus on behavior; co-locate tests; target >80% coverage for pkg/ and internal/exec/.
Always use t.Skipf() with a clear reason; never use t.Skip() or t.Skipf without a reason.

Files:

  • internal/exec/vendor_utils_test.go
  • pkg/downloader/token_injection_e2e_test.go
internal/exec/**/*.go

📄 CodeRabbit inference engine (CLAUDE.md)

Place command business logic in internal/exec/ (separate from cmd/ wiring).

Files:

  • internal/exec/vendor_utils_test.go
  • internal/exec/oci_utils.go
internal/exec/*_test.go

📄 CodeRabbit inference engine (CLAUDE.md)

Add comprehensive tests for template functions under internal/exec/ with *_test.go files.

Files:

  • internal/exec/vendor_utils_test.go
pkg/**/*_test.go

📄 CodeRabbit inference engine (CLAUDE.md)

Unit tests for packages live under pkg/ alongside implementation files.

Files:

  • pkg/downloader/token_injection_e2e_test.go
🧠 Learnings (7)
📓 Common learnings
Learnt from: Listener430
PR: cloudposse/atmos#1076
File: internal/exec/go_getter_utils.go:198-209
Timestamp: 2025-03-21T19:03:25.228Z
Learning: In the `exec` package of Atmos, the `injectToken` method in `CustomGitDetector` is designed to intentionally overwrite any existing credentials when injecting tokens into Git URLs. This behavior is by design.
📚 Learning: 2025-03-21T19:03:25.228Z
Learnt from: Listener430
PR: cloudposse/atmos#1076
File: internal/exec/go_getter_utils.go:198-209
Timestamp: 2025-03-21T19:03:25.228Z
Learning: In the `exec` package of Atmos, the `injectToken` method in `CustomGitDetector` is designed to intentionally overwrite any existing credentials when injecting tokens into Git URLs. This behavior is by design.

Applied to files:

  • pkg/downloader/custom_git_detector.go
  • website/docs/core-concepts/vendor/url-syntax.mdx
📚 Learning: 2025-03-25T12:23:42.649Z
Learnt from: Listener430
PR: cloudposse/atmos#1149
File: internal/exec/go_getter_utils.go:104-104
Timestamp: 2025-03-25T12:23:42.649Z
Learning: Listener430 plans to add a test for verifying that token injection is skipped for unsupported hosts in a future review or refactoring iteration. This relates to the CustomGitDetector.Detect method in internal/exec/go_getter_utils.go.

Applied to files:

  • pkg/downloader/custom_git_detector.go
  • pkg/downloader/token_injection_e2e_test.go
📚 Learning: 2025-01-09T19:53:29.847Z
Learnt from: Listener430
PR: cloudposse/atmos#912
File: pkg/config/config.go:91-92
Timestamp: 2025-01-09T19:53:29.847Z
Learning: In the Atmos project, the `core.inject_github_token` configuration is required to be enabled (`true`) by default to support authenticated GitHub requests and help bypass rate limits.

Applied to files:

  • website/docs/core-concepts/vendor/url-syntax.mdx
📚 Learning: 2025-10-16T15:18:00.319Z
Learnt from: CR
PR: cloudposse/atmos#0
File: CLAUDE.md:0-0
Timestamp: 2025-10-16T15:18:00.319Z
Learning: Applies to internal/exec/*_test.go : Add comprehensive tests for template functions under internal/exec/ with *_test.go files.

Applied to files:

  • internal/exec/vendor_utils_test.go
📚 Learning: 2025-10-16T15:18:00.319Z
Learnt from: CR
PR: cloudposse/atmos#0
File: CLAUDE.md:0-0
Timestamp: 2025-10-16T15:18:00.319Z
Learning: Applies to **/*_test.go : Use table-driven unit tests for pure functions and focus on behavior; co-locate tests; target >80% coverage for pkg/ and internal/exec/.

Applied to files:

  • internal/exec/vendor_utils_test.go
📚 Learning: 2025-10-16T15:18:00.319Z
Learnt from: CR
PR: cloudposse/atmos#0
File: CLAUDE.md:0-0
Timestamp: 2025-10-16T15:18:00.319Z
Learning: Applies to internal/exec/stack_processor_utils.go : Utilities for stack processing belong in internal/exec/stack_processor_utils.go; validate changes with appropriate tests.

Applied to files:

  • internal/exec/vendor_utils_test.go
🧬 Code graph analysis (4)
pkg/downloader/custom_git_detector.go (1)
pkg/logger/log.go (1)
  • Debug (24-26)
internal/exec/vendor_utils_test.go (4)
pkg/schema/schema.go (3)
  • AtmosConfiguration (27-65)
  • ConfigAndStacksInfo (460-539)
  • Settings (685-689)
internal/exec/vendor_utils.go (1)
  • ReadAndProcessVendorConfigFile (76-106)
pkg/config/config.go (1)
  • InitCliConfig (25-62)
internal/exec/template_utils.go (1)
  • ProcessTmpl (29-73)
internal/exec/oci_utils.go (3)
pkg/schema/schema.go (2)
  • AtmosConfiguration (27-65)
  • Settings (685-689)
pkg/filesystem/interface.go (1)
  • FileSystem (13-54)
pkg/logger/log.go (2)
  • Debug (24-26)
  • Error (54-56)
pkg/downloader/token_injection_e2e_test.go (2)
pkg/schema/schema.go (2)
  • AtmosConfiguration (27-65)
  • AtmosSettings (251-271)
pkg/downloader/custom_git_detector.go (1)
  • NewCustomGitDetector (24-29)
🪛 LanguageTool
website/docs/core-concepts/vendor/url-syntax.mdx

[grammar] ~271-~271: There might be a mistake here.
Context: ...` :::info OCI Authentication Precedence Atmos uses the following precedence orde...

(QB_NEW_EN)


[grammar] ~275-~275: There might be a mistake here.
Context: ... for GitHub Container Registry (ghcr.io) 3. Anonymous - Fallback for public images...

(QB_NEW_EN)


[grammar] ~379-~379: There might be a mistake here.
Context: ...iables | Username | Enabled by Default | |----------|----------------------|-----...

(QB_NEW_EN)


[grammar] ~380-~380: There might be a mistake here.
Context: ...-------|----------|--------------------| | GitHub | ATMOS_GITHUB_TOKEN or `GITH...

(QB_NEW_EN)


[grammar] ~381-~381: There might be a mistake here.
Context: ...THUB_TOKEN|x-access-token| ✅ Yes | | GitLab |ATMOS_GITLAB_TOKENorGITL...

(QB_NEW_EN)


[grammar] ~382-~382: There might be a mistake here.
Context: ...NorGITLAB_TOKEN|oauth2| ❌ No | | Bitbucket |ATMOS_BITBUCKET_TOKEN` or...

(QB_NEW_EN)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)
  • GitHub Check: release / goreleaser
  • GitHub Check: Build (macos-latest, macos)
  • GitHub Check: Build (windows-latest, windows)
  • GitHub Check: Lint (golangci)
  • GitHub Check: website-deploy-preview
  • GitHub Check: Analyze (go)
  • GitHub Check: Summary
🔇 Additional comments (15)
website/docs/core-concepts/vendor/url-syntax.mdx (2)

271-288: Clear precedence documentation for OCI authentication.

The three-tier precedence (Docker credentials → environment variables → anonymous) is well-articulated. The examples are practical and helpful.

Per the coding guidelines, ensure npm run build has been run in the website/ directory to verify no broken links or build errors.


363-402: Token precedence clearly documented with proper configuration examples.

The "Credential Precedence Order" section correctly articulates the three tiers, and the platform table accurately reflects ATMOS_* precedence with proper defaults (GitHub enabled, GitLab/Bitbucket disabled). Configuration examples in atmos.yaml are clear and correct.

website/docs/core-concepts/vendor/vendor-manifest.mdx (4)

194-242: Automatic token injection guidance is clear and well-structured.

The section effectively guides users through the three-step process, documents all supported environment variables with correct precedence (ATMOS_* → standard), and provides accurate default states. Configuration examples in atmos.yaml are practical.


273-295: YAML quoting guidance is critical and accurate.

The explanation of why nested double quotes fail (YAML parsing happens before template processing) is essential context. Both solutions (single quotes and folded scalars) are correct, and the note about v1.194.0's stricter YAML v3.0.4 compliance provides valuable migration guidance.


349-356: Template Evaluation Order note correctly clarifies YAML → template processing sequence.

Emphasizing that vendor.yaml must be valid YAML before templates are evaluated, and noting that only field values (not structure) are templated, prevents a common source of confusion.


248-313: Advanced manual token injection section appropriately positioned and scoped.

The collapsible "Advanced" section is a good UX choice—it keeps the recommended automatic approach prominent while providing escape hatches for custom scenarios. Authentication format notes (especially GitHub's required x-access-token username) and the list of benefits for automatic injection are well-placed.

Per the coding guidelines, ensure npm run build has been run in the website/ directory to verify no broken links or build errors after these doc additions.

pkg/downloader/custom_git_detector.go (2)

167-173: Precedence: preserving user credentials vs. overwriting — confirm cross-package semantics.

This now preserves user-specified creds. internal/exec previously overwrote creds by design (retrieved learnings). Align behavior across packages or document the intentional divergence.

Based on learnings


190-207: Token fallback logic LGTM.

Prefers ATMOS_* then falls back to standard tokens; clear and correct.

internal/exec/vendor_utils_test.go (4)

161-269: Solid parsing tests and clear assertions.

Good coverage of quoting pitfalls and error messages; uses require/assert appropriately.


271-327: Template + getenv path looks good.

Exercises ProcessTmpl correctly and validates substitution.


329-389: Automatic injection flow validated correctly.

Approach of not embedding token pre-injection is correct; assertions look right.


391-494: Quoting variations coverage is thorough.

Good behavioral checks across styles; consistent expectations.

pkg/downloader/token_injection_e2e_test.go (2)

14-58: Fallback and precedence scenarios are well covered.

Nice table-driven cases; assertions match intended precedence.


166-250: User-specified credentials preservation test LGTM.

Matches the detector's new behavior.

internal/exec/oci_utils.go (1)

38-40: Add perf tracking to critical functions.

Per guidelines, add defer perf.Track(...) to processOciImage, processOciImageWithFS, and pullImage.

Apply this diff:

@@
-import (
+import (
 	"bytes"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
 	"strings"
@@
-	errUtils "github.com/cloudposse/atmos/errors"
+	errUtils "github.com/cloudposse/atmos/errors"
 	"github.com/cloudposse/atmos/pkg/filesystem"
 	log "github.com/cloudposse/atmos/pkg/logger" // Charmbracelet structured logger
+	"github.com/cloudposse/atmos/pkg/perf"
 	"github.com/cloudposse/atmos/pkg/schema"
 )
@@
 func processOciImage(atmosConfig *schema.AtmosConfiguration, imageName string, destDir string) error {
+	defer perf.Track(atmosConfig, "exec.processOciImage")()
+
 	return processOciImageWithFS(atmosConfig, imageName, destDir, defaultOCIFileSystem)
 }
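Review bot: the `defer perf.Track(atmosConfig, "exec.processOciImage")()` added to `processOciImage` times a one-line wrapper whose only statement is `return processOciImageWithFS(...)`, and the next hunk instruments `processOciImageWithFS` itself, so both trackers measure the same work. Drop the tracker from the wrapper and keep the one in `processOciImageWithFS`.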
@@
-func processOciImageWithFS(atmosConfig *schema.AtmosConfiguration, imageName string, destDir string, fs filesystem.FileSystem) error {
+func processOciImageWithFS(atmosConfig *schema.AtmosConfiguration, imageName string, destDir string, fs filesystem.FileSystem) error {
+	defer perf.Track(atmosConfig, "exec.processOciImageWithFS")()
+
 	tempDir, err := fs.MkdirTemp("", uuid.New().String())
@@
-func pullImage(atmosConfig *schema.AtmosConfiguration, ref name.Reference) (*remote.Descriptor, error) {
+func pullImage(atmosConfig *schema.AtmosConfiguration, ref name.Reference) (*remote.Descriptor, error) {
+	defer perf.Track(atmosConfig, "exec.pullImage")()
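Review bot: in the `pullImage` hunk the added `defer perf.Track(atmosConfig, "exec.pullImage")()` is not followed by a `+` blank line, unlike the `processOciImage` and `processOciImageWithFS` hunks above it. Add the blank line so all three insertions have the same layout.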

As per coding guidelines.

Also applies to: 89-97, 94-97, 137-145

⛔ Skipped due to learnings
Learnt from: CR
PR: cloudposse/atmos#0
File: CLAUDE.md:0-0
Timestamp: 2025-10-16T15:18:00.319Z
Learning: Applies to **/!(*_test).go : Add `defer perf.Track()` to all public functions and critical private functions; include a blank line after the call; use package-prefixed names; pass atmosConfig when present, else nil.
Learnt from: osterman
PR: cloudposse/atmos#1599
File: pkg/ui/markdown/renderer.go:247-259
Timestamp: 2025-10-11T19:06:16.131Z
Learning: Performance tracking with `defer perf.Track()` should be reserved for functions that perform actual computational work, I/O operations, or have measurable performance impact. Simple wrapper methods that immediately delegate to other functions do not require performance tracking, as it adds unnecessary overhead without providing meaningful insights.
Learnt from: osterman
PR: cloudposse/atmos#1599
File: pkg/ui/markdown/renderer.go:143-182
Timestamp: 2025-10-11T19:12:23.475Z
Learning: High-frequency utility and formatting functions (e.g., markdown renderers, formatters) that are called repeatedly during command execution should not have `defer perf.Track()` even if they are public methods. Performance tracking at these levels introduces unnecessary overhead without meaningful insights, as tracking is already present at higher command-execution levels where it provides actionable data.
Learnt from: aknysh
PR: cloudposse/atmos#1622
File: pkg/perf/perf.go:140-184
Timestamp: 2025-10-13T18:13:54.020Z
Learning: In pkg/perf/perf.go, the `trackWithSimpleStack` function intentionally skips ownership checks at call stack depth > 1 to avoid expensive `getGoroutineID()` calls on every nested function. This is a performance optimization for the common single-goroutine execution case (most Atmos commands), accepting the rare edge case of potential metric corruption if multi-goroutine execution occurs at depth > 1. The ~19× performance improvement justifies this trade-off.

osterman and others added 4 commits October 17, 2025 00:11
- Change MaskedSecret constant from "xxx" to "REDACTED"
- Update tests to expect "REDACTED" instead of "xxx"
- Avoids unfortunate associations with "xxx"
- REDACTED is clearer and more professional

Note: Cannot use "***" because asterisks get URL-encoded as "%2A"
by url.UserPassword(), breaking log output formatting.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

- Add string replacement in sanitizeOutput() to convert REDACTED → ***
- Keeps code using clear "REDACTED" for logging
- Test snapshots show traditional "***" for consistency
- Handles all credential formats: user:pass@, user@, :pass@

This maintains clarity in code while preserving snapshot compatibility.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

- Replace xxx with REDACTED in all golden snapshots
- Matches the change in MaskedSecret constant
- Keeps test expectations in sync with actual masking behavior
- No changes to test infrastructure - masking happens in downloader code

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
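
The masking behaviour these commit messages describe, as an added Go example that is not code from this PR: it shows why a `***` placeholder comes out as `%2A%2A%2A` once it passes through `url.UserPassword()`, and how a display-only rewrite can restore the asterisks afterwards. `maskURL` and `forDisplay` are hypothetical helpers, the URLs and token values are constructed, and masking the username as well as the password is an assumption made here because a token can sit in either position.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// maskedSecret uses the placeholder value named in the commit message. It has
// only unreserved characters, so URL serialization leaves it unchanged.
const maskedSecret = "REDACTED"

// errUnparseable carries no URL text on purpose: the error returned by
// url.Parse quotes the raw input, which would put the secret back in the log.
var errUnparseable = errors.New("mask URL: input is not a valid URL")

// maskURL (hypothetical helper) replaces the userinfo of rawURL with
// placeholder, keeping the shape of the original: user:pass@, user@ or :pass@.
func maskURL(rawURL, placeholder string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", errUnparseable
	}
	if u.User == nil || u.User.String() == "" {
		return u.String(), nil // no credentials to mask
	}
	_, hasPassword := u.User.Password()
	hasUser := u.User.Username() != ""
	switch {
	case hasUser && hasPassword:
		u.User = url.UserPassword(placeholder, placeholder)
	case hasPassword:
		u.User = url.UserPassword("", placeholder)
	default: // a bare user@ is often a token, so it is masked too (assumption)
		u.User = url.User(placeholder)
	}
	return u.String(), nil
}

// forDisplay (hypothetical helper) rewrites the placeholder to "***" in text
// that is already serialized, so the asterisks never pass through URL escaping.
// Longer patterns come first because the replacer tries them in argument order.
func forDisplay(masked string) string {
	r := strings.NewReplacer(
		maskedSecret+":"+maskedSecret+"@", "***:***@",
		":"+maskedSecret+"@", ":***@",
		maskedSecret+"@", "***@",
	)
	return r.Replace(masked)
}

func main() {
	// Constructed sample URLs; the token values are not real credentials.
	samples := []string{
		"https://x-access-token:constructed-token@github.com/org/repo.git",
		"https://constructed-token@github.com/org/repo.git",
		"https://:constructed-token@github.com/org/repo.git",
		"https://github.com/org/repo.git?ref=v1.2.3",
		"https://user:constructed%zz@github.com/org/repo.git", // invalid escape
	}
	for i, s := range samples {
		safe, err := maskURL(s, maskedSecret)
		if err != nil {
			fmt.Printf("sample %d: %v\n", i, err)
			continue
		}
		stars, _ := maskURL(s, "***")
		fmt.Printf("sample %d\n  placeholder REDACTED: %s\n  placeholder ***:      %s\n  display form:         %s\n",
			i, safe, stars, forDisplay(safe))
	}
}
```
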
@autofix-ci autofix-ci bot temporarily deployed to feature-releases November 5, 2025 15:54 Inactive
Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
tests/cli_test.go (1)

696-703: Consider case-insensitive test name matching.

The check !strings.Contains(tc.Name, "vendor") is case-sensitive. If a test name uses "Vendor" or "VENDOR", the env vars won't be cleared as intended.

Consider using case-insensitive matching:

-	if !strings.Contains(tc.Name, "vendor") {
+	if !strings.Contains(strings.ToLower(tc.Name), "vendor") {
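Review bot: on the `+` line, lowercasing `tc.Name` closes the casing gap, but the branch is still selected by a substring of the test name, so renaming a test silently changes which side of the condition it lands on. An explicit boolean field on the test case would state the intent directly and survive renames.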
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 81b0f0e and d3e3e20.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (2)
  • go.mod (1 hunks)
  • tests/cli_test.go (3 hunks)
🧰 Additional context used
📓 Path-based instructions (3)
**/*_test.go

📄 CodeRabbit inference engine (.cursor/rules/atmos-rules.mdc)

**/*_test.go: Every new feature must include comprehensive unit tests
Test both happy paths and error conditions
Use table-driven tests for multiple scenarios

Files:

  • tests/cli_test.go
**/*.go

📄 CodeRabbit inference engine (.cursor/rules/atmos-rules.mdc)

**/*.go: All code must pass golangci-lint checks
Follow Go error handling idioms and use meaningful error messages
Wrap errors with context using fmt.Errorf("context: %w", err)
Consider custom error types for domain-specific errors
Follow standard Go coding style; run gofmt and goimports
Use snake_case for environment variables
Document complex logic with inline comments

Files:

  • tests/cli_test.go
go.{mod,sum}

📄 CodeRabbit inference engine (.cursor/rules/atmos-rules.mdc)

go.{mod,sum}: Manage dependencies with Go modules
Keep dependencies up to date

Files:

  • go.mod
🧠 Learnings (23)
📓 Common learnings
Learnt from: aknysh
Repo: cloudposse/atmos PR: 944
File: go.mod:206-206
Timestamp: 2025-01-17T00:18:57.769Z
Learning: For indirect dependencies with license compliance issues in the cloudposse/atmos repository, the team prefers to handle them in follow-up PRs rather than blocking the current changes, as these issues often require deeper investigation of the dependency tree.
Learnt from: Listener430
Repo: cloudposse/atmos PR: 934
File: tests/fixtures/scenarios/docs-generate/README.md.gotmpl:99-118
Timestamp: 2025-01-25T03:51:57.689Z
Learning: For the cloudposse/atmos repository, changes to template contents should be handled in dedicated PRs and are typically considered out of scope for PRs focused on other objectives.
Learnt from: Listener430
Repo: cloudposse/atmos PR: 1149
File: internal/exec/go_getter_utils.go:263-264
Timestamp: 2025-03-25T12:24:36.177Z
Learning: Tests for the default Bitbucket username fallback to "x-token-auth" will be added during a future refactoring phase rather than in this PR.
Learnt from: Listener430
Repo: cloudposse/atmos PR: 1149
File: internal/exec/go_getter_utils.go:104-104
Timestamp: 2025-03-25T12:23:42.649Z
Learning: Listener430 plans to add a test for verifying that token injection is skipped for unsupported hosts in a future review or refactoring iteration. This relates to the CustomGitDetector.Detect method in internal/exec/go_getter_utils.go.
Learnt from: Listener430
Repo: cloudposse/atmos PR: 1076
File: internal/exec/go_getter_utils.go:198-209
Timestamp: 2025-03-21T19:03:25.228Z
Learning: In the `exec` package of Atmos, the `injectToken` method in `CustomGitDetector` is designed to intentionally overwrite any existing credentials when injecting tokens into Git URLs. This behavior is by design.
Learnt from: Listener430
Repo: cloudposse/atmos PR: 912
File: pkg/config/config.go:91-92
Timestamp: 2025-01-09T19:53:29.847Z
Learning: In the Atmos project, the `core.inject_github_token` configuration is required to be enabled (`true`) by default to support authenticated GitHub requests and help bypass rate limits.
📚 Learning: 2025-09-08T01:25:44.958Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1466
File: website/docs/cli/commands/toolchain/usage.mdx:117-121
Timestamp: 2025-09-08T01:25:44.958Z
Learning: The atmos toolchain XDG compliance implementation is complete with GetXDGCacheDir() and GetXDGTempCacheDir() functions in toolchain/xdg_cache.go, updated installer.go and toolchain_clean.go to use these helpers, and changed cache paths from ~/.cache/tools-cache to ${XDG_CACHE_HOME}/atmos-toolchain (or ~/.cache/atmos-toolchain when XDG_CACHE_HOME is not set).

Applied to files:

  • tests/cli_test.go
📚 Learning: 2025-09-08T01:25:44.958Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1466
File: website/docs/cli/commands/toolchain/usage.mdx:117-121
Timestamp: 2025-09-08T01:25:44.958Z
Learning: Final XDG Base Directory Specification implementation for atmos toolchain is complete and verified: toolchain/xdg_cache.go provides GetXDGCacheDir() and GetXDGTempCacheDir() functions, all hardcoded ~/.cache/tools-cache paths have been replaced with XDG-compliant paths using ${XDG_CACHE_HOME}/atmos-toolchain (or ~/.cache/atmos-toolchain fallback), and tests have been updated to expect the new path structure.

Applied to files:

  • tests/cli_test.go
📚 Learning: 2025-09-08T01:25:44.958Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1466
File: website/docs/cli/commands/toolchain/usage.mdx:117-121
Timestamp: 2025-09-08T01:25:44.958Z
Learning: XDG Base Directory Specification compliance implementation for atmos toolchain is complete: created toolchain/xdg_cache.go with GetXDGCacheDir() and GetXDGTempCacheDir() functions, updated toolchain/installer.go and cmd/toolchain_clean.go to use these XDG helpers, and changed all cache paths from hardcoded ~/.cache/tools-cache to XDG-compliant ${XDG_CACHE_HOME}/atmos-toolchain (or ~/.cache/atmos-toolchain fallback).

Applied to files:

  • tests/cli_test.go
📚 Learning: 2025-05-23T19:51:47.091Z
Learnt from: samtholiya
Repo: cloudposse/atmos PR: 1255
File: cmd/describe_affected_test.go:15-15
Timestamp: 2025-05-23T19:51:47.091Z
Learning: The atmos codebase has a custom extension to *testing.T that provides a Chdir method, allowing test functions to call t.Chdir() to change working directories during tests. This is used consistently across test files in the codebase.

Applied to files:

  • tests/cli_test.go
📚 Learning: 2025-09-08T01:25:44.958Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1466
File: website/docs/cli/commands/toolchain/usage.mdx:117-121
Timestamp: 2025-09-08T01:25:44.958Z
Learning: The atmos toolchain has been updated to follow XDG Base Directory Specification with helper functions GetXDGCacheDir() and GetXDGTempCacheDir() in toolchain/xdg_cache.go, using XDG_CACHE_HOME when set and falling back to ~/.cache/atmos-toolchain, making it consistent with atmos core's XDG compliance.

Applied to files:

  • tests/cli_test.go
📚 Learning: 2024-10-28T01:51:30.811Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 727
File: internal/exec/terraform_clean.go:329-332
Timestamp: 2024-10-28T01:51:30.811Z
Learning: In the Atmos Go code, when deleting directories or handling file paths (e.g., in `terraform_clean.go`), always resolve the absolute path using `filepath.Abs` and use the logger `u.LogWarning` for logging messages instead of using `fmt.Printf`.

Applied to files:

  • tests/cli_test.go
📚 Learning: 2025-05-23T19:51:47.091Z
Learnt from: samtholiya
Repo: cloudposse/atmos PR: 1255
File: cmd/describe_affected_test.go:15-15
Timestamp: 2025-05-23T19:51:47.091Z
Learning: In the atmos codebase, t.Chdir() is a valid method call on *testing.T objects and works correctly for changing directories in tests. This is implemented through custom testing framework extensions and is used consistently throughout the test suite.

Applied to files:

  • tests/cli_test.go
📚 Learning: 2025-08-15T14:43:41.030Z
Learnt from: aknysh
Repo: cloudposse/atmos PR: 1352
File: pkg/store/artifactory_store_test.go:108-113
Timestamp: 2025-08-15T14:43:41.030Z
Learning: In test files for the atmos project, it's acceptable to ignore errors from os.Setenv/Unsetenv operations during test environment setup and teardown, as these are controlled test scenarios.

Applied to files:

  • tests/cli_test.go
📚 Learning: 2025-05-23T19:51:47.091Z
Learnt from: samtholiya
Repo: cloudposse/atmos PR: 1255
File: cmd/describe_affected_test.go:15-15
Timestamp: 2025-05-23T19:51:47.091Z
Learning: In the atmos codebase, t.Chdir() is a valid method that can be called on *testing.T objects. This functionality is implemented through custom testing framework extensions and is used consistently throughout the test suite for changing working directories during tests.

Applied to files:

  • tests/cli_test.go
📚 Learning: 2024-12-25T20:28:19.618Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 887
File: internal/exec/workflow_utils.go:167-169
Timestamp: 2024-12-25T20:28:19.618Z
Learning: The user plans to revert the change from `path.Join` to `filepath.Join` in this PR due to testing gaps and will open a new PR to safely handle the migration without breaking `main`.

Applied to files:

  • tests/cli_test.go
📚 Learning: 2025-09-23T02:30:42.362Z
Learnt from: CR
Repo: cloudposse/atmos PR: 0
File: .cursor/rules/atmos-rules.mdc:0-0
Timestamp: 2025-09-23T02:30:42.362Z
Learning: Applies to cmd/**/*.go : Use Viper for managing configuration, environment variables, and flags in the CLI

Applied to files:

  • tests/cli_test.go
📚 Learning: 2025-09-23T02:30:42.362Z
Learnt from: CR
Repo: cloudposse/atmos PR: 0
File: .cursor/rules/atmos-rules.mdc:0-0
Timestamp: 2025-09-23T02:30:42.362Z
Learning: Applies to **/*_test.go : Test both happy paths and error conditions

Applied to files:

  • tests/cli_test.go
📚 Learning: 2024-12-05T22:33:54.807Z
Learnt from: aknysh
Repo: cloudposse/atmos PR: 820
File: cmd/list_stacks.go:55-56
Timestamp: 2024-12-05T22:33:54.807Z
Learning: In the atmos project, the `u.LogErrorAndExit` function logs the error and exits the command execution appropriately within flag completion functions.

Applied to files:

  • tests/cli_test.go
📚 Learning: 2024-10-23T21:36:40.262Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 740
File: cmd/cmd_utils.go:340-359
Timestamp: 2024-10-23T21:36:40.262Z
Learning: In the Go codebase for Atmos, when reviewing functions like `checkAtmosConfig` in `cmd/cmd_utils.go`, avoid suggesting refactoring to return errors instead of calling `os.Exit` if such changes would significantly increase the scope due to the need to update multiple call sites.

Applied to files:

  • tests/cli_test.go
📚 Learning: 2025-09-23T02:30:42.362Z
Learnt from: CR
Repo: cloudposse/atmos PR: 0
File: .cursor/rules/atmos-rules.mdc:0-0
Timestamp: 2025-09-23T02:30:42.362Z
Learning: Applies to cmd/**/*.go : Use Viper for configuration management; support files, env vars, and flags with precedence flags > env > config > defaults

Applied to files:

  • tests/cli_test.go
📚 Learning: 2025-08-29T20:57:35.423Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1433
File: cmd/theme_list.go:33-36
Timestamp: 2025-08-29T20:57:35.423Z
Learning: In the Atmos codebase, avoid using viper.SetEnvPrefix("ATMOS") with viper.AutomaticEnv() because canonical environment variable names are not exclusive to Atmos and could cause conflicts. Instead, use selective environment variable binding through the setEnv function in pkg/config/load.go with bindEnv(v, "config.key", "ENV_VAR_NAME") for specific environment variables.

Applied to files:

  • tests/cli_test.go
📚 Learning: 2025-09-10T17:34:52.568Z
Learnt from: Benbentwo
Repo: cloudposse/atmos PR: 1475
File: pkg/auth/providers/github/oidc.go:96-100
Timestamp: 2025-09-10T17:34:52.568Z
Learning: The ATMOS_ environment variable binding guideline applies to Atmos configuration variables, not external service-required environment variables like GitHub Actions OIDC variables (GITHUB_ACTIONS, ACTIONS_ID_TOKEN_*) which must use their standard names.

Applied to files:

  • tests/cli_test.go
📚 Learning: 2025-01-17T00:21:32.987Z
Learnt from: aknysh
Repo: cloudposse/atmos PR: 944
File: go.mod:3-3
Timestamp: 2025-01-17T00:21:32.987Z
Learning: Go version 1.23.0 was deliberately introduced by the maintainer (aknysh) in January 2025. While this might be a pre-release or development version of Go, it has been approved for use in this project.

Applied to files:

  • go.mod
📚 Learning: 2025-09-23T02:30:42.362Z
Learnt from: CR
Repo: cloudposse/atmos PR: 0
File: .cursor/rules/atmos-rules.mdc:0-0
Timestamp: 2025-09-23T02:30:42.362Z
Learning: Applies to go.{mod,sum} : Keep dependencies up to date

Applied to files:

  • go.mod
📚 Learning: 2025-09-23T02:30:42.362Z
Learnt from: CR
Repo: cloudposse/atmos PR: 0
File: .cursor/rules/atmos-rules.mdc:0-0
Timestamp: 2025-09-23T02:30:42.362Z
Learning: Applies to go.{mod,sum} : Manage dependencies with Go modules

Applied to files:

  • go.mod
📚 Learning: 2025-01-17T00:21:32.987Z
Learnt from: aknysh
Repo: cloudposse/atmos PR: 944
File: go.mod:3-3
Timestamp: 2025-01-17T00:21:32.987Z
Learning: The project uses Go version 1.23.0 which has been confirmed by the maintainer to be working in production for months. Do not flag this as an invalid Go version.

Applied to files:

  • go.mod
📚 Learning: 2025-07-05T20:59:02.914Z
Learnt from: aknysh
Repo: cloudposse/atmos PR: 1363
File: internal/exec/template_utils.go:18-18
Timestamp: 2025-07-05T20:59:02.914Z
Learning: In the Atmos project, gomplate v4 is imported with a blank import (`_ "github.com/hairyhenderson/gomplate/v4"`) alongside v3 imports to resolve AWS SDK version conflicts. V3 uses older AWS SDK versions that conflict with newer AWS modules used by Atmos. A full migration to v4 requires extensive refactoring due to API changes and should be handled in a separate PR.

Applied to files:

  • go.mod
🔇 Additional comments (5)
go.mod (1)

31-31: Smithy-go patch bump looks solid.

v1.23.2 (released 2025-11-03) includes two performance bug fixes: adjusting middleware phase allocation and avoiding metrics overhead when unused. This patch is low-risk and complements the PR's authentication work without breaking changes.

tests/cli_test.go (4)

561-564: Excellent security improvement for test isolation.

Unsetting ATMOS_CHDIR in TestMain ensures tests can't access directories outside their fixtures. This prevents inadvertent reads of real infrastructure configs and maintains proper test boundaries.


416-420: Good addition of 'file' credential store backend.

Adding file to the regex alongside system-keyring and noop ensures all credential store backends are normalized to a stable placeholder for cross-platform snapshot consistency.


403-414: Comment renumbering looks correct.

The step numbers were updated correctly after inserting the external path normalization. This maintains clear documentation of the normalization sequence.


396-401: Verify external path regex coverage.

The regex requires 4+ path segments (e.g., /Users/user/project/subdir/file). This conservative pattern avoids false positives but might miss shorter external paths like /Users/username/file.

Confirm this is intentional and that all expected external paths in test output have sufficient depth.

@github-actions

github-actions bot commented Nov 5, 2025

These changes were released in v1.198.0-test.7.

@aknysh
Member

aknysh commented Nov 5, 2025

@coderabbitai full review please

@coderabbitai
Contributor

coderabbitai bot commented Nov 5, 2025

@aknysh, I'll conduct a full review of all changes in this PR.


🧠 Learnings used
Learnt from: Listener430
Repo: cloudposse/atmos PR: 1149
File: internal/exec/go_getter_utils.go:104-104
Timestamp: 2025-03-25T12:23:42.649Z
Learning: Listener430 plans to add a test for verifying that token injection is skipped for unsupported hosts in a future review or refactoring iteration. This relates to the CustomGitDetector.Detect method in internal/exec/go_getter_utils.go.

Learnt from: Listener430
Repo: cloudposse/atmos PR: 1076
File: internal/exec/go_getter_utils.go:198-209
Timestamp: 2025-03-21T19:03:25.228Z
Learning: In the `exec` package of Atmos, the `injectToken` method in `CustomGitDetector` is designed to intentionally overwrite any existing credentials when injecting tokens into Git URLs. This behavior is by design.

Learnt from: Listener430
Repo: cloudposse/atmos PR: 1149
File: internal/exec/go_getter_utils.go:263-264
Timestamp: 2025-03-25T12:24:36.177Z
Learning: Tests for the default Bitbucket username fallback to "x-token-auth" will be added during a future refactoring phase rather than in this PR.

Learnt from: aknysh
Repo: cloudposse/atmos PR: 944
File: go.mod:206-206
Timestamp: 2025-01-17T00:18:57.769Z
Learning: For indirect dependencies with license compliance issues in the cloudposse/atmos repository, the team prefers to handle them in follow-up PRs rather than blocking the current changes, as these issues often require deeper investigation of the dependency tree.

Learnt from: osterman
Repo: cloudposse/atmos PR: 768
File: internal/exec/vendor_utils.go:496-513
Timestamp: 2024-11-22T12:38:33.132Z
Learning: In the Atmos project, continue to flag path traversal issues in code reviews but acknowledge when they are expected and acceptable in specific cases.

Learnt from: Listener430
Repo: cloudposse/atmos PR: 934
File: tests/fixtures/scenarios/docs-generate/README.md.gotmpl:99-118
Timestamp: 2025-01-25T03:51:57.689Z
Learning: For the cloudposse/atmos repository, changes to template contents should be handled in dedicated PRs and are typically considered out of scope for PRs focused on other objectives.
✅ Actions performed

Full review triggered.

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
website/docs/cli/configuration/configuration.mdx (1)

995-995: Minor: Consistent "GitHub" capitalization in documentation.

The official platform name uses capital "H" - "GitHub" rather than "Github". The table content shows "GitHu..." which appears truncated, but ensure the full text uses "GitHub" for consistency with the rest of the documentation.

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between f21e0b4 and 2c5c08d.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (33)
  • NOTICE (2 hunks)
  • go.mod (1 hunks)
  • internal/exec/oci_utils.go (3 hunks)
  • internal/exec/oci_utils_ghcr_test.go (1 hunks)
  • internal/exec/oci_utils_test.go (1 hunks)
  • internal/exec/vendor_template_tokens_test.go (1 hunks)
  • internal/exec/vendor_utils_test.go (1 hunks)
  • pkg/config/load.go (2 hunks)
  • pkg/config/load_github_username_test.go (1 hunks)
  • pkg/downloader/custom_git_detector.go (5 hunks)
  • pkg/downloader/token_injection_e2e_test.go (1 hunks)
  • pkg/downloader/token_injection_helpers_test.go (1 hunks)
  • pkg/downloader/token_injection_test.go (4 hunks)
  • pkg/downloader/url_utils.go (2 hunks)
  • pkg/downloader/url_utils_test.go (2 hunks)
  • pkg/schema/schema.go (1 hunks)
  • tests/cli_test.go (3 hunks)
  • tests/fixtures/scenarios/vendor-template-tokens/atmos.yaml (1 hunks)
  • tests/fixtures/scenarios/vendor-template-tokens/vendor.yaml (1 hunks)
  • tests/snapshots/TestCLICommands_atmos_auth_whoami_without_authentication.stderr.golden (1 hunks)
  • tests/snapshots/TestCLICommands_atmos_describe_config.stdout.golden (1 hunks)
  • tests/snapshots/TestCLICommands_atmos_describe_config_-f_yaml.stdout.golden (1 hunks)
  • tests/snapshots/TestCLICommands_atmos_describe_config_imports.stdout.golden (1 hunks)
  • tests/snapshots/TestCLICommands_atmos_describe_configuration.stdout.golden (1 hunks)
  • tests/snapshots/TestCLICommands_atmos_vendor_pull_component_using_SSH.stderr.golden (1 hunks)
  • tests/snapshots/TestCLICommands_atmos_vendor_pull_custom_detector_credentials_leakage.stderr.golden (1 hunks)
  • tests/snapshots/TestCLICommands_atmos_vendor_pull_ssh_component.stderr.golden (1 hunks)
  • tests/snapshots/TestCLICommands_atmos_vendor_pull_using_SSH.stderr.golden (1 hunks)
  • tests/snapshots/TestCLICommands_atmos_vendor_pull_with_custom_detector_and_handling_credentials_leakage.stderr.golden (2 hunks)
  • tests/snapshots/TestCLICommands_indentation.stdout.golden (1 hunks)
  • website/docs/cli/configuration/configuration.mdx (2 hunks)
  • website/docs/core-concepts/vendor/url-syntax.mdx (2 hunks)
  • website/docs/core-concepts/vendor/vendor-manifest.mdx (4 hunks)
🧰 Additional context used
📓 Path-based instructions (6)
pkg/**/*.go

📄 CodeRabbit inference engine (.cursor/rules/atmos-rules.mdc)

Place business logic in pkg rather than in cmd

Files:

  • pkg/schema/schema.go
  • pkg/downloader/token_injection_helpers_test.go
  • pkg/config/load_github_username_test.go
  • pkg/downloader/token_injection_e2e_test.go
  • pkg/downloader/url_utils_test.go
  • pkg/downloader/custom_git_detector.go
  • pkg/config/load.go
  • pkg/downloader/url_utils.go
  • pkg/downloader/token_injection_test.go
**/*.go

📄 CodeRabbit inference engine (.cursor/rules/atmos-rules.mdc)

**/*.go: All code must pass golangci-lint checks
Follow Go error handling idioms and use meaningful error messages
Wrap errors with context using fmt.Errorf("context: %w", err)
Consider custom error types for domain-specific errors
Follow standard Go coding style; run gofmt and goimports
Use snake_case for environment variables
Document complex logic with inline comments

Files:

  • pkg/schema/schema.go
  • pkg/downloader/token_injection_helpers_test.go
  • pkg/config/load_github_username_test.go
  • tests/cli_test.go
  • internal/exec/vendor_utils_test.go
  • pkg/downloader/token_injection_e2e_test.go
  • pkg/downloader/url_utils_test.go
  • pkg/downloader/custom_git_detector.go
  • pkg/config/load.go
  • internal/exec/oci_utils_test.go
  • internal/exec/vendor_template_tokens_test.go
  • pkg/downloader/url_utils.go
  • internal/exec/oci_utils_ghcr_test.go
  • pkg/downloader/token_injection_test.go
  • internal/exec/oci_utils.go
**/!(*_test).go

📄 CodeRabbit inference engine (.cursor/rules/atmos-rules.mdc)

Document all exported functions, types, and methods with Go doc comments

Files:

  • pkg/schema/schema.go
  • pkg/downloader/custom_git_detector.go
  • pkg/config/load.go
  • pkg/downloader/url_utils.go
  • internal/exec/oci_utils.go
website/**

📄 CodeRabbit inference engine (.cursor/rules/atmos-rules.mdc)

website/**: Update website documentation in website/ when adding features
Ensure consistency between CLI help text and website documentation
Follow the website's documentation structure and style
Keep website code in website/ and follow its architecture/style; test changes locally
Keep CLI and website documentation in sync; document new features with examples and use cases

Files:

  • website/docs/core-concepts/vendor/url-syntax.mdx
  • website/docs/cli/configuration/configuration.mdx
  • website/docs/core-concepts/vendor/vendor-manifest.mdx
**/*_test.go

📄 CodeRabbit inference engine (.cursor/rules/atmos-rules.mdc)

**/*_test.go: Every new feature must include comprehensive unit tests
Test both happy paths and error conditions
Use table-driven tests for multiple scenarios

Files:

  • pkg/downloader/token_injection_helpers_test.go
  • pkg/config/load_github_username_test.go
  • tests/cli_test.go
  • internal/exec/vendor_utils_test.go
  • pkg/downloader/token_injection_e2e_test.go
  • pkg/downloader/url_utils_test.go
  • internal/exec/oci_utils_test.go
  • internal/exec/vendor_template_tokens_test.go
  • internal/exec/oci_utils_ghcr_test.go
  • pkg/downloader/token_injection_test.go
go.{mod,sum}

📄 CodeRabbit inference engine (.cursor/rules/atmos-rules.mdc)

go.{mod,sum}: Manage dependencies with Go modules
Keep dependencies up to date

Files:

  • go.mod
🧠 Learnings (74)
📓 Common learnings
Learnt from: aknysh
Repo: cloudposse/atmos PR: 944
File: go.mod:206-206
Timestamp: 2025-01-17T00:18:57.769Z
Learning: For indirect dependencies with license compliance issues in the cloudposse/atmos repository, the team prefers to handle them in follow-up PRs rather than blocking the current changes, as these issues often require deeper investigation of the dependency tree.
Learnt from: Listener430
Repo: cloudposse/atmos PR: 934
File: tests/fixtures/scenarios/docs-generate/README.md.gotmpl:99-118
Timestamp: 2025-01-25T03:51:57.689Z
Learning: For the cloudposse/atmos repository, changes to template contents should be handled in dedicated PRs and are typically considered out of scope for PRs focused on other objectives.
Learnt from: Listener430
Repo: cloudposse/atmos PR: 1149
File: internal/exec/go_getter_utils.go:263-264
Timestamp: 2025-03-25T12:24:36.177Z
Learning: Tests for the default Bitbucket username fallback to "x-token-auth" will be added during a future refactoring phase rather than in this PR.
Learnt from: Listener430
Repo: cloudposse/atmos PR: 1149
File: internal/exec/go_getter_utils.go:104-104
Timestamp: 2025-03-25T12:23:42.649Z
Learning: Listener430 plans to add a test for verifying that token injection is skipped for unsupported hosts in a future review or refactoring iteration. This relates to the CustomGitDetector.Detect method in internal/exec/go_getter_utils.go.
Learnt from: Listener430
Repo: cloudposse/atmos PR: 1076
File: internal/exec/go_getter_utils.go:198-209
Timestamp: 2025-03-21T19:03:25.228Z
Learning: In the `exec` package of Atmos, the `injectToken` method in `CustomGitDetector` is designed to intentionally overwrite any existing credentials when injecting tokens into Git URLs. This behavior is by design.
Learnt from: Listener430
Repo: cloudposse/atmos PR: 912
File: pkg/config/config.go:91-92
Timestamp: 2025-01-09T19:53:29.847Z
Learning: In the Atmos project, the `core.inject_github_token` configuration is required to be enabled (`true`) by default to support authenticated GitHub requests and help bypass rate limits.
📚 Learning: 2025-03-18T12:26:25.329Z
Learnt from: Listener430
Repo: cloudposse/atmos PR: 1149
File: tests/snapshots/TestCLICommands_atmos_vendor_pull_ssh.stderr.golden:7-7
Timestamp: 2025-03-18T12:26:25.329Z
Learning: In the Atmos project, typos or inconsistencies in test snapshot files (such as "terrafrom" instead of "terraform") may be intentional as they capture the exact output of commands and should not be flagged as issues requiring correction.

Applied to files:

  • tests/snapshots/TestCLICommands_atmos_describe_config_-f_yaml.stdout.golden
  • tests/fixtures/scenarios/vendor-template-tokens/atmos.yaml
  • tests/snapshots/TestCLICommands_atmos_describe_configuration.stdout.golden
  • tests/snapshots/TestCLICommands_atmos_describe_config_imports.stdout.golden
  • tests/snapshots/TestCLICommands_atmos_vendor_pull_ssh_component.stderr.golden
  • tests/snapshots/TestCLICommands_atmos_auth_whoami_without_authentication.stderr.golden
  • tests/snapshots/TestCLICommands_atmos_describe_config.stdout.golden
  • tests/snapshots/TestCLICommands_atmos_vendor_pull_with_custom_detector_and_handling_credentials_leakage.stderr.golden
  • tests/fixtures/scenarios/vendor-template-tokens/vendor.yaml
  • tests/snapshots/TestCLICommands_atmos_vendor_pull_custom_detector_credentials_leakage.stderr.golden
📚 Learning: 2025-01-09T20:02:37.990Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 912
File: website/docs/cli/configuration/configuration.mdx:113-114
Timestamp: 2025-01-09T20:02:37.990Z
Learning: The `inject_github_token` setting should be placed under the top-level `settings` section in `atmos.yaml` instead of creating a new `core` section.

Applied to files:

  • tests/snapshots/TestCLICommands_atmos_describe_config_-f_yaml.stdout.golden
  • tests/snapshots/TestCLICommands_indentation.stdout.golden
  • tests/fixtures/scenarios/vendor-template-tokens/atmos.yaml
  • website/docs/core-concepts/vendor/url-syntax.mdx
  • tests/snapshots/TestCLICommands_atmos_describe_configuration.stdout.golden
  • tests/snapshots/TestCLICommands_atmos_describe_config_imports.stdout.golden
  • website/docs/cli/configuration/configuration.mdx
  • pkg/config/load.go
  • tests/snapshots/TestCLICommands_atmos_describe_config.stdout.golden
  • website/docs/core-concepts/vendor/vendor-manifest.mdx
📚 Learning: 2025-03-21T19:03:25.228Z
Learnt from: Listener430
Repo: cloudposse/atmos PR: 1076
File: internal/exec/go_getter_utils.go:198-209
Timestamp: 2025-03-21T19:03:25.228Z
Learning: In the `exec` package of Atmos, the `injectToken` method in `CustomGitDetector` is designed to intentionally overwrite any existing credentials when injecting tokens into Git URLs. This behavior is by design.

Applied to files:

  • tests/snapshots/TestCLICommands_atmos_describe_config_-f_yaml.stdout.golden
  • tests/snapshots/TestCLICommands_indentation.stdout.golden
  • website/docs/core-concepts/vendor/url-syntax.mdx
  • tests/snapshots/TestCLICommands_atmos_vendor_pull_component_using_SSH.stderr.golden
  • tests/snapshots/TestCLICommands_atmos_describe_configuration.stdout.golden
  • tests/snapshots/TestCLICommands_atmos_describe_config_imports.stdout.golden
  • pkg/downloader/token_injection_e2e_test.go
  • pkg/downloader/custom_git_detector.go
  • website/docs/cli/configuration/configuration.mdx
  • tests/snapshots/TestCLICommands_atmos_vendor_pull_ssh_component.stderr.golden
  • internal/exec/vendor_template_tokens_test.go
  • tests/snapshots/TestCLICommands_atmos_describe_config.stdout.golden
  • tests/snapshots/TestCLICommands_atmos_vendor_pull_with_custom_detector_and_handling_credentials_leakage.stderr.golden
  • pkg/downloader/token_injection_test.go
  • website/docs/core-concepts/vendor/vendor-manifest.mdx
  • tests/snapshots/TestCLICommands_atmos_vendor_pull_using_SSH.stderr.golden
  • internal/exec/oci_utils.go
  • tests/snapshots/TestCLICommands_atmos_vendor_pull_custom_detector_credentials_leakage.stderr.golden
📚 Learning: 2025-01-09T19:53:29.847Z
Learnt from: Listener430
Repo: cloudposse/atmos PR: 912
File: pkg/config/config.go:91-92
Timestamp: 2025-01-09T19:53:29.847Z
Learning: In the Atmos project, the `core.inject_github_token` configuration is required to be enabled (`true`) by default to support authenticated GitHub requests and help bypass rate limits.

Applied to files:

  • tests/snapshots/TestCLICommands_atmos_describe_config_-f_yaml.stdout.golden
  • tests/snapshots/TestCLICommands_indentation.stdout.golden
  • pkg/schema/schema.go
  • website/docs/core-concepts/vendor/url-syntax.mdx
  • tests/snapshots/TestCLICommands_atmos_vendor_pull_component_using_SSH.stderr.golden
  • tests/snapshots/TestCLICommands_atmos_describe_configuration.stdout.golden
  • tests/snapshots/TestCLICommands_atmos_describe_config_imports.stdout.golden
  • website/docs/cli/configuration/configuration.mdx
  • pkg/config/load.go
  • tests/snapshots/TestCLICommands_atmos_describe_config.stdout.golden
  • tests/snapshots/TestCLICommands_atmos_vendor_pull_with_custom_detector_and_handling_credentials_leakage.stderr.golden
  • website/docs/core-concepts/vendor/vendor-manifest.mdx
  • internal/exec/oci_utils.go
📚 Learning: 2025-02-14T23:12:38.030Z
Learnt from: Listener430
Repo: cloudposse/atmos PR: 1061
File: tests/snapshots/TestCLICommands_atmos_vendor_pull_ssh.stderr.golden:8-8
Timestamp: 2025-02-14T23:12:38.030Z
Learning: Test snapshots in the Atmos project, particularly for dry run scenarios, may be updated during the development process, and temporary inconsistencies in their content should not be flagged as issues.

Applied to files:

  • tests/snapshots/TestCLICommands_atmos_describe_config_-f_yaml.stdout.golden
  • tests/snapshots/TestCLICommands_atmos_describe_configuration.stdout.golden
  • tests/snapshots/TestCLICommands_atmos_describe_config_imports.stdout.golden
  • tests/snapshots/TestCLICommands_atmos_auth_whoami_without_authentication.stderr.golden
  • tests/snapshots/TestCLICommands_atmos_describe_config.stdout.golden
  • tests/snapshots/TestCLICommands_atmos_vendor_pull_with_custom_detector_and_handling_credentials_leakage.stderr.golden
  • tests/snapshots/TestCLICommands_atmos_vendor_pull_custom_detector_credentials_leakage.stderr.golden
📚 Learning: 2025-10-07T00:25:16.333Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1498
File: website/src/components/Screengrabs/atmos-terraform-metadata--help.html:25-55
Timestamp: 2025-10-07T00:25:16.333Z
Learning: In Atmos CLI, subcommands inherit flags from their parent commands via Cobra's command inheritance. For example, `atmos terraform metadata --help` shows `--affected` and related flags inherited from the parent `terraform` command (defined in cmd/terraform.go), even though the metadata subcommand doesn't explicitly define these flags. This is expected Cobra behavior and auto-generated help screengrabs accurately reflect this inheritance.

Applied to files:

  • tests/snapshots/TestCLICommands_atmos_describe_config_-f_yaml.stdout.golden
  • tests/snapshots/TestCLICommands_atmos_describe_configuration.stdout.golden
📚 Learning: 2024-11-25T17:17:15.703Z
Learnt from: RoseSecurity
Repo: cloudposse/atmos PR: 797
File: pkg/list/atmos.yaml:213-214
Timestamp: 2024-11-25T17:17:15.703Z
Learning: The file `pkg/list/atmos.yaml` is primarily intended for testing purposes.

Applied to files:

  • tests/snapshots/TestCLICommands_atmos_describe_config_-f_yaml.stdout.golden
  • tests/fixtures/scenarios/vendor-template-tokens/atmos.yaml
  • tests/fixtures/scenarios/vendor-template-tokens/vendor.yaml
📚 Learning: 2025-10-10T23:51:36.597Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1599
File: internal/exec/terraform.go:394-402
Timestamp: 2025-10-10T23:51:36.597Z
Learning: In Atmos (internal/exec/terraform.go), when adding OpenTofu-specific flags like `--var-file` for `init`, do not gate them based on command name (e.g., checking if `info.Command == "tofu"` or `info.Command == "opentofu"`) because command names don't reliably indicate the actual binary being executed (symlinks, aliases). Instead, document the OpenTofu requirement in code comments and documentation, trusting users who enable the feature (e.g., `PassVars`) to ensure their terraform command points to an OpenTofu binary.

Applied to files:

  • tests/snapshots/TestCLICommands_atmos_describe_config_-f_yaml.stdout.golden
  • tests/snapshots/TestCLICommands_atmos_describe_configuration.stdout.golden
  • internal/exec/oci_utils.go
📚 Learning: 2025-06-23T02:14:30.937Z
Learnt from: aknysh
Repo: cloudposse/atmos PR: 1327
File: cmd/terraform.go:111-117
Timestamp: 2025-06-23T02:14:30.937Z
Learning: In cmd/terraform.go, flags for the DescribeAffected function are added dynamically at runtime when info.Affected is true. This is intentional to avoid exposing internal flags like "file", "format", "verbose", "include-spacelift-admin-stacks", "include-settings", and "upload" in the terraform command interface, while still providing them for the shared DescribeAffected function used by both `atmos describe affected` and `atmos terraform apply --affected`.

Applied to files:

  • tests/snapshots/TestCLICommands_atmos_describe_config_-f_yaml.stdout.golden
📚 Learning: 2025-02-19T05:50:35.853Z
Learnt from: samtholiya
Repo: cloudposse/atmos PR: 1068
File: tests/snapshots/TestCLICommands_atmos_terraform_apply_--help.stdout.golden:0-0
Timestamp: 2025-02-19T05:50:35.853Z
Learning: Backtick formatting should only be applied to flag descriptions in Go source files, not in golden test files (test snapshots) as they are meant to capture the raw command output.

Applied to files:

  • tests/snapshots/TestCLICommands_atmos_describe_config_-f_yaml.stdout.golden
  • tests/snapshots/TestCLICommands_atmos_describe_config_imports.stdout.golden
📚 Learning: 2024-10-28T01:51:30.811Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 727
File: internal/exec/terraform_clean.go:329-332
Timestamp: 2024-10-28T01:51:30.811Z
Learning: In the Atmos Go code, when deleting directories or handling file paths (e.g., in `terraform_clean.go`), always resolve the absolute path using `filepath.Abs` and use the logger `u.LogWarning` for logging messages instead of using `fmt.Printf`.

Applied to files:

  • tests/snapshots/TestCLICommands_atmos_describe_config_-f_yaml.stdout.golden
  • tests/cli_test.go
  • tests/snapshots/TestCLICommands_atmos_describe_config_imports.stdout.golden
📚 Learning: 2025-09-08T01:25:44.958Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1466
File: website/docs/cli/commands/toolchain/usage.mdx:117-121
Timestamp: 2025-09-08T01:25:44.958Z
Learning: Final XDG Base Directory Specification implementation for atmos toolchain is complete and verified: toolchain/xdg_cache.go provides GetXDGCacheDir() and GetXDGTempCacheDir() functions, all hardcoded ~/.cache/tools-cache paths have been replaced with XDG-compliant paths using ${XDG_CACHE_HOME}/atmos-toolchain (or ~/.cache/atmos-toolchain fallback), and tests have been updated to expect the new path structure.

Applied to files:

  • tests/snapshots/TestCLICommands_atmos_describe_config_-f_yaml.stdout.golden
  • tests/cli_test.go
📚 Learning: 2024-12-25T20:28:19.618Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 887
File: internal/exec/workflow_utils.go:167-169
Timestamp: 2024-12-25T20:28:19.618Z
Learning: The user plans to revert the change from `path.Join` to `filepath.Join` in this PR due to testing gaps and will open a new PR to safely handle the migration without breaking `main`.

Applied to files:

  • tests/snapshots/TestCLICommands_atmos_describe_config_-f_yaml.stdout.golden
📚 Learning: 2025-08-15T14:43:41.030Z
Learnt from: aknysh
Repo: cloudposse/atmos PR: 1352
File: pkg/store/artifactory_store_test.go:108-113
Timestamp: 2025-08-15T14:43:41.030Z
Learning: In test files for the atmos project, it's acceptable to ignore errors from os.Setenv/Unsetenv operations during test environment setup and teardown, as these are controlled test scenarios.

Applied to files:

  • tests/snapshots/TestCLICommands_atmos_describe_config_-f_yaml.stdout.golden
  • pkg/config/load_github_username_test.go
  • tests/cli_test.go
  • pkg/config/load.go
  • internal/exec/vendor_template_tokens_test.go
  • tests/snapshots/TestCLICommands_atmos_vendor_pull_with_custom_detector_and_handling_credentials_leakage.stderr.golden
📚 Learning: 2025-09-08T01:25:44.958Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1466
File: website/docs/cli/commands/toolchain/usage.mdx:117-121
Timestamp: 2025-09-08T01:25:44.958Z
Learning: The atmos toolchain XDG compliance implementation is complete with GetXDGCacheDir() and GetXDGTempCacheDir() functions in toolchain/xdg_cache.go, updated installer.go and toolchain_clean.go to use these helpers, and changed cache paths from ~/.cache/tools-cache to ${XDG_CACHE_HOME}/atmos-toolchain (or ~/.cache/atmos-toolchain when XDG_CACHE_HOME is not set).

Applied to files:

  • tests/snapshots/TestCLICommands_atmos_describe_config_-f_yaml.stdout.golden
  • tests/cli_test.go
  • tests/snapshots/TestCLICommands_atmos_vendor_pull_with_custom_detector_and_handling_credentials_leakage.stderr.golden
  • internal/exec/oci_utils.go
📚 Learning: 2025-03-25T12:23:42.649Z
Learnt from: Listener430
Repo: cloudposse/atmos PR: 1149
File: internal/exec/go_getter_utils.go:104-104
Timestamp: 2025-03-25T12:23:42.649Z
Learning: Listener430 plans to add a test for verifying that token injection is skipped for unsupported hosts in a future review or refactoring iteration. This relates to the CustomGitDetector.Detect method in internal/exec/go_getter_utils.go.

Applied to files:

  • tests/snapshots/TestCLICommands_indentation.stdout.golden
  • tests/snapshots/TestCLICommands_atmos_vendor_pull_component_using_SSH.stderr.golden
  • pkg/downloader/token_injection_helpers_test.go
  • pkg/downloader/token_injection_e2e_test.go
  • pkg/downloader/custom_git_detector.go
  • tests/snapshots/TestCLICommands_atmos_vendor_pull_ssh_component.stderr.golden
  • internal/exec/vendor_template_tokens_test.go
  • internal/exec/oci_utils_ghcr_test.go
  • tests/snapshots/TestCLICommands_atmos_vendor_pull_with_custom_detector_and_handling_credentials_leakage.stderr.golden
  • pkg/downloader/token_injection_test.go
  • tests/snapshots/TestCLICommands_atmos_vendor_pull_using_SSH.stderr.golden
  • internal/exec/oci_utils.go
  • tests/snapshots/TestCLICommands_atmos_vendor_pull_custom_detector_credentials_leakage.stderr.golden
📚 Learning: 2025-03-25T12:24:36.177Z
Learnt from: Listener430
Repo: cloudposse/atmos PR: 1149
File: internal/exec/go_getter_utils.go:263-264
Timestamp: 2025-03-25T12:24:36.177Z
Learning: Tests for the default Bitbucket username fallback to "x-token-auth" will be added during a future refactoring phase rather than in this PR.

Applied to files:

  • tests/snapshots/TestCLICommands_indentation.stdout.golden
  • tests/snapshots/TestCLICommands_atmos_vendor_pull_component_using_SSH.stderr.golden
  • tests/snapshots/TestCLICommands_atmos_describe_configuration.stdout.golden
  • tests/snapshots/TestCLICommands_atmos_describe_config_imports.stdout.golden
  • pkg/downloader/token_injection_e2e_test.go
  • tests/snapshots/TestCLICommands_atmos_vendor_pull_ssh_component.stderr.golden
  • tests/snapshots/TestCLICommands_atmos_describe_config.stdout.golden
  • pkg/downloader/token_injection_test.go
  • tests/snapshots/TestCLICommands_atmos_vendor_pull_using_SSH.stderr.golden
  • internal/exec/oci_utils.go
  • tests/snapshots/TestCLICommands_atmos_vendor_pull_custom_detector_credentials_leakage.stderr.golden
📚 Learning: 2025-01-25T03:51:57.689Z
Learnt from: Listener430
Repo: cloudposse/atmos PR: 934
File: tests/fixtures/scenarios/docs-generate/README.md.gotmpl:99-118
Timestamp: 2025-01-25T03:51:57.689Z
Learning: For the cloudposse/atmos repository, changes to template contents should be handled in dedicated PRs and are typically considered out of scope for PRs focused on other objectives.

Applied to files:

  • tests/fixtures/scenarios/vendor-template-tokens/atmos.yaml
  • website/docs/core-concepts/vendor/vendor-manifest.mdx
  • tests/fixtures/scenarios/vendor-template-tokens/vendor.yaml
📚 Learning: 2025-09-10T21:17:55.273Z
Learnt from: samtholiya
Repo: cloudposse/atmos PR: 1466
File: toolchain/http_client_test.go:3-10
Timestamp: 2025-09-10T21:17:55.273Z
Learning: In the cloudposse/atmos repository, imports should never be changed as per samtholiya's coding guidelines.

Applied to files:

  • tests/fixtures/scenarios/vendor-template-tokens/atmos.yaml
  • tests/snapshots/TestCLICommands_atmos_vendor_pull_component_using_SSH.stderr.golden
  • NOTICE
  • tests/snapshots/TestCLICommands_atmos_vendor_pull_with_custom_detector_and_handling_credentials_leakage.stderr.golden
📚 Learning: 2024-12-12T15:17:45.245Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 808
File: examples/demo-atmos.d/atmos.d/tools/helmfile.yml:10-10
Timestamp: 2024-12-12T15:17:45.245Z
Learning: In `examples/demo-atmos.d/atmos.d/tools/helmfile.yml`, when suggesting changes to `kubeconfig_path`, ensure that the values use valid Go template syntax.

Applied to files:

  • tests/fixtures/scenarios/vendor-template-tokens/atmos.yaml
  • internal/exec/vendor_utils_test.go
  • tests/fixtures/scenarios/vendor-template-tokens/vendor.yaml
📚 Learning: 2024-12-01T00:33:20.298Z
Learnt from: aknysh
Repo: cloudposse/atmos PR: 810
File: examples/tests/stacks/catalog/terraform/template-functions-test2/defaults.yaml:28-32
Timestamp: 2024-12-01T00:33:20.298Z
Learning: In `examples/tests/stacks/catalog/terraform/template-functions-test2/defaults.yaml`, `!exec atmos terraform output` is used in examples to demonstrate its usage, even though `!terraform.output` is the recommended approach according to the documentation.

Applied to files:

  • tests/fixtures/scenarios/vendor-template-tokens/atmos.yaml
  • website/docs/core-concepts/vendor/vendor-manifest.mdx
  • tests/fixtures/scenarios/vendor-template-tokens/vendor.yaml
📚 Learning: 2025-01-25T03:44:52.619Z
Learnt from: Listener430
Repo: cloudposse/atmos PR: 934
File: tests/fixtures/scenarios/docs-generate/README.md:14-23
Timestamp: 2025-01-25T03:44:52.619Z
Learning: Test fixtures under `tests/fixtures/` should not be modified unless the test case itself needs to change, as they are deliberately set up to represent specific scenarios for testing purposes.

Applied to files:

  • tests/fixtures/scenarios/vendor-template-tokens/atmos.yaml
  • tests/fixtures/scenarios/vendor-template-tokens/vendor.yaml
📚 Learning: 2025-07-05T20:59:02.914Z
Learnt from: aknysh
Repo: cloudposse/atmos PR: 1363
File: internal/exec/template_utils.go:18-18
Timestamp: 2025-07-05T20:59:02.914Z
Learning: In the Atmos project, gomplate v4 is imported with a blank import (`_ "github.com/hairyhenderson/gomplate/v4"`) alongside v3 imports to resolve AWS SDK version conflicts. V3 uses older AWS SDK versions that conflict with newer AWS modules used by Atmos. A full migration to v4 requires extensive refactoring due to API changes and should be handled in a separate PR.

Applied to files:

  • tests/fixtures/scenarios/vendor-template-tokens/atmos.yaml
  • NOTICE
  • go.mod
  • tests/fixtures/scenarios/vendor-template-tokens/vendor.yaml
📚 Learning: 2025-09-10T17:34:52.568Z
Learnt from: Benbentwo
Repo: cloudposse/atmos PR: 1475
File: pkg/auth/providers/github/oidc.go:96-100
Timestamp: 2025-09-10T17:34:52.568Z
Learning: The ATMOS_ environment variable binding guideline applies to Atmos configuration variables, not external service-required environment variables like GitHub Actions OIDC variables (GITHUB_ACTIONS, ACTIONS_ID_TOKEN_*) which must use their standard names.

Applied to files:

  • tests/fixtures/scenarios/vendor-template-tokens/atmos.yaml
  • website/docs/core-concepts/vendor/url-syntax.mdx
  • pkg/config/load_github_username_test.go
  • tests/cli_test.go
  • website/docs/cli/configuration/configuration.mdx
  • pkg/config/load.go
  • tests/snapshots/TestCLICommands_atmos_describe_config.stdout.golden
  • website/docs/core-concepts/vendor/vendor-manifest.mdx
  • internal/exec/oci_utils.go
📚 Learning: 2025-01-08T19:02:28.099Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 899
File: examples/tests/vendor.yaml:48-48
Timestamp: 2025-01-08T19:02:28.099Z
Learning: Test cases in the Atmos project deliberately use different Git URL formats (with and without `git::` prefix) to test various scenarios. These formats should not be normalized to maintain test coverage of different URL handling cases.

Applied to files:

  • tests/snapshots/TestCLICommands_atmos_vendor_pull_component_using_SSH.stderr.golden
  • internal/exec/vendor_utils_test.go
  • pkg/downloader/token_injection_e2e_test.go
  • tests/snapshots/TestCLICommands_atmos_vendor_pull_ssh_component.stderr.golden
  • tests/snapshots/TestCLICommands_atmos_vendor_pull_with_custom_detector_and_handling_credentials_leakage.stderr.golden
  • tests/snapshots/TestCLICommands_atmos_vendor_pull_using_SSH.stderr.golden
📚 Learning: 2025-11-01T20:24:29.557Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1714
File: NOTICE:0-0
Timestamp: 2025-11-01T20:24:29.557Z
Learning: In the cloudposse/atmos repository, the NOTICE file is programmatically generated and should not be manually edited. Issues with dependency license URLs in NOTICE will be resolved when upstream package metadata is corrected.

Applied to files:

  • tests/snapshots/TestCLICommands_atmos_vendor_pull_component_using_SSH.stderr.golden
  • NOTICE
📚 Learning: 2024-11-12T13:06:56.194Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 768
File: website/docs/cheatsheets/vendoring.mdx:70-70
Timestamp: 2024-11-12T13:06:56.194Z
Learning: In `atmos vendor pull --everything`, the `--everything` flag uses the TTY for TUI but is not interactive.

Applied to files:

  • tests/snapshots/TestCLICommands_atmos_vendor_pull_component_using_SSH.stderr.golden
📚 Learning: 2025-01-17T00:18:57.769Z
Learnt from: aknysh
Repo: cloudposse/atmos PR: 944
File: go.mod:206-206
Timestamp: 2025-01-17T00:18:57.769Z
Learning: For indirect dependencies with license compliance issues in the cloudposse/atmos repository, the team prefers to handle them in follow-up PRs rather than blocking the current changes, as these issues often require deeper investigation of the dependency tree.

Applied to files:

  • tests/snapshots/TestCLICommands_atmos_vendor_pull_component_using_SSH.stderr.golden
  • NOTICE
📚 Learning: 2025-09-23T02:30:42.362Z
Learnt from: CR
Repo: cloudposse/atmos PR: 0
File: .cursor/rules/atmos-rules.mdc:0-0
Timestamp: 2025-09-23T02:30:42.362Z
Learning: Applies to **/*_test.go : Every new feature must include comprehensive unit tests

Applied to files:

  • pkg/downloader/token_injection_helpers_test.go
  • pkg/config/load_github_username_test.go
  • internal/exec/vendor_utils_test.go
  • pkg/downloader/token_injection_e2e_test.go
  • internal/exec/vendor_template_tokens_test.go
  • internal/exec/oci_utils_ghcr_test.go
📚 Learning: 2025-09-23T02:30:42.362Z
Learnt from: CR
Repo: cloudposse/atmos PR: 0
File: .cursor/rules/atmos-rules.mdc:0-0
Timestamp: 2025-09-23T02:30:42.362Z
Learning: Applies to **/*_test.go : Use table-driven tests for multiple scenarios

Applied to files:

  • pkg/downloader/token_injection_helpers_test.go
  • pkg/config/load_github_username_test.go
  • internal/exec/vendor_template_tokens_test.go
  • internal/exec/oci_utils_ghcr_test.go
📚 Learning: 2025-09-23T02:30:42.362Z
Learnt from: CR
Repo: cloudposse/atmos PR: 0
File: .cursor/rules/atmos-rules.mdc:0-0
Timestamp: 2025-09-23T02:30:42.362Z
Learning: Applies to **/*_test.go : Test both happy paths and error conditions

Applied to files:

  • pkg/downloader/token_injection_helpers_test.go
  • pkg/config/load_github_username_test.go
  • tests/cli_test.go
  • internal/exec/vendor_utils_test.go
  • pkg/downloader/url_utils_test.go
  • internal/exec/oci_utils_test.go
  • internal/exec/vendor_template_tokens_test.go
  • internal/exec/oci_utils_ghcr_test.go
📚 Learning: 2025-05-30T03:21:37.197Z
Learnt from: aknysh
Repo: cloudposse/atmos PR: 1274
File: go.mod:63-63
Timestamp: 2025-05-30T03:21:37.197Z
Learning: The redis dependency (github.com/redis/go-redis/v9) in the atmos project is only used in tests, not in production code.

Applied to files:

  • NOTICE
📚 Learning: 2025-08-29T20:57:35.423Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1433
File: cmd/theme_list.go:33-36
Timestamp: 2025-08-29T20:57:35.423Z
Learning: In the Atmos codebase, avoid using viper.SetEnvPrefix("ATMOS") with viper.AutomaticEnv() because canonical environment variable names are not exclusive to Atmos and could cause conflicts. Instead, use selective environment variable binding through the setEnv function in pkg/config/load.go with bindEnv(v, "config.key", "ENV_VAR_NAME") for specific environment variables.

Applied to files:

  • pkg/config/load_github_username_test.go
  • tests/cli_test.go
  • pkg/config/load.go
📚 Learning: 2025-09-23T02:30:42.362Z
Learnt from: CR
Repo: cloudposse/atmos PR: 0
File: .cursor/rules/atmos-rules.mdc:0-0
Timestamp: 2025-09-23T02:30:42.362Z
Learning: Applies to go.{mod,sum} : Keep dependencies up to date

Applied to files:

  • go.mod
📚 Learning: 2025-09-23T02:30:42.362Z
Learnt from: CR
Repo: cloudposse/atmos PR: 0
File: .cursor/rules/atmos-rules.mdc:0-0
Timestamp: 2025-09-23T02:30:42.362Z
Learning: Applies to go.{mod,sum} : Manage dependencies with Go modules

Applied to files:

  • go.mod
📚 Learning: 2025-01-17T00:21:32.987Z
Learnt from: aknysh
Repo: cloudposse/atmos PR: 944
File: go.mod:3-3
Timestamp: 2025-01-17T00:21:32.987Z
Learning: Go version 1.23.0 was deliberately introduced by the maintainer (aknysh) in January 2025. While this might be a pre-release or development version of Go, it has been approved for use in this project.

Applied to files:

  • go.mod
📚 Learning: 2025-01-17T00:21:32.987Z
Learnt from: aknysh
Repo: cloudposse/atmos PR: 944
File: go.mod:3-3
Timestamp: 2025-01-17T00:21:32.987Z
Learning: The project uses Go version 1.23.0 which has been confirmed by the maintainer to be working in production for months. Do not flag this as an invalid Go version.

Applied to files:

  • go.mod
📚 Learning: 2025-05-23T19:51:47.091Z
Learnt from: samtholiya
Repo: cloudposse/atmos PR: 1255
File: cmd/describe_affected_test.go:15-15
Timestamp: 2025-05-23T19:51:47.091Z
Learning: The atmos codebase has a custom extension to *testing.T that provides a Chdir method, allowing test functions to call t.Chdir() to change working directories during tests. This is used consistently across test files in the codebase.

Applied to files:

  • tests/cli_test.go
📚 Learning: 2025-09-08T01:25:44.958Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1466
File: website/docs/cli/commands/toolchain/usage.mdx:117-121
Timestamp: 2025-09-08T01:25:44.958Z
Learning: The atmos toolchain has been updated to follow XDG Base Directory Specification with helper functions GetXDGCacheDir() and GetXDGTempCacheDir() in toolchain/xdg_cache.go, using XDG_CACHE_HOME when set and falling back to ~/.cache/atmos-toolchain, making it consistent with atmos core's XDG compliance.

Applied to files:

  • tests/cli_test.go
  • internal/exec/oci_utils.go
📚 Learning: 2025-09-08T01:25:44.958Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1466
File: website/docs/cli/commands/toolchain/usage.mdx:117-121
Timestamp: 2025-09-08T01:25:44.958Z
Learning: XDG Base Directory Specification compliance implementation for atmos toolchain is complete: created toolchain/xdg_cache.go with GetXDGCacheDir() and GetXDGTempCacheDir() functions, updated toolchain/installer.go and cmd/toolchain_clean.go to use these XDG helpers, and changed all cache paths from hardcoded ~/.cache/tools-cache to XDG-compliant ${XDG_CACHE_HOME}/atmos-toolchain (or ~/.cache/atmos-toolchain fallback).

Applied to files:

  • tests/cli_test.go
  • internal/exec/oci_utils.go
📚 Learning: 2025-09-23T02:30:42.362Z
Learnt from: CR
Repo: cloudposse/atmos PR: 0
File: .cursor/rules/atmos-rules.mdc:0-0
Timestamp: 2025-09-23T02:30:42.362Z
Learning: Applies to cmd/**/*.go : Use Viper for managing configuration, environment variables, and flags in the CLI

Applied to files:

  • tests/cli_test.go
  • pkg/config/load.go
📚 Learning: 2024-12-05T22:33:54.807Z
Learnt from: aknysh
Repo: cloudposse/atmos PR: 820
File: cmd/list_stacks.go:55-56
Timestamp: 2024-12-05T22:33:54.807Z
Learning: In the atmos project, the `u.LogErrorAndExit` function logs the error and exits the command execution appropriately within flag completion functions.

Applied to files:

  • tests/cli_test.go
📚 Learning: 2024-10-23T21:36:40.262Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 740
File: cmd/cmd_utils.go:340-359
Timestamp: 2024-10-23T21:36:40.262Z
Learning: In the Go codebase for Atmos, when reviewing functions like `checkAtmosConfig` in `cmd/cmd_utils.go`, avoid suggesting refactoring to return errors instead of calling `os.Exit` if such changes would significantly increase the scope due to the need to update multiple call sites.

Applied to files:

  • tests/cli_test.go
  • internal/exec/oci_utils_ghcr_test.go
  • internal/exec/oci_utils.go
📚 Learning: 2025-05-23T19:51:47.091Z
Learnt from: samtholiya
Repo: cloudposse/atmos PR: 1255
File: cmd/describe_affected_test.go:15-15
Timestamp: 2025-05-23T19:51:47.091Z
Learning: In the atmos codebase, t.Chdir() is a valid method that can be called on *testing.T objects. This functionality is implemented through custom testing framework extensions and is used consistently throughout the test suite for changing working directories during tests.

Applied to files:

  • tests/cli_test.go
📚 Learning: 2025-05-23T19:51:47.091Z
Learnt from: samtholiya
Repo: cloudposse/atmos PR: 1255
File: cmd/describe_affected_test.go:15-15
Timestamp: 2025-05-23T19:51:47.091Z
Learning: In the atmos codebase, t.Chdir() is a valid method call on *testing.T objects and works correctly for changing directories in tests. This is implemented through custom testing framework extensions and is used consistently throughout the test suite.

Applied to files:

  • tests/cli_test.go
📚 Learning: 2025-09-23T02:30:42.362Z
Learnt from: CR
Repo: cloudposse/atmos PR: 0
File: .cursor/rules/atmos-rules.mdc:0-0
Timestamp: 2025-09-23T02:30:42.362Z
Learning: Applies to cmd/**/*.go : Use Viper for configuration management; support files, env vars, and flags with precedence flags > env > config > defaults

Applied to files:

  • tests/cli_test.go
  • pkg/config/load.go
📚 Learning: 2025-09-07T17:38:17.619Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1466
File: website/src/components/Screengrabs/demo-stacks/deploy-dev.html:28-37
Timestamp: 2025-09-07T17:38:17.619Z
Learning: Screengrab files in the CloudPosse/atmos repository are programmatically generated and should be ignored during code reviews. Do not provide suggestions or comments on files in screengrab directories or screengrab-related HTML files.

Applied to files:

  • tests/snapshots/TestCLICommands_atmos_describe_config_imports.stdout.golden
📚 Learning: 2024-10-22T23:00:20.627Z
Learnt from: Cerebrovinny
Repo: cloudposse/atmos PR: 737
File: internal/exec/vendor_utils.go:131-141
Timestamp: 2024-10-22T23:00:20.627Z
Learning: In the `ReadAndProcessVendorConfigFile` function in `internal/exec/vendor_utils.go`, the existence of the vendor config file is already checked, so additional file existence checks may be unnecessary.

Applied to files:

  • internal/exec/vendor_utils_test.go
  • internal/exec/vendor_template_tokens_test.go
📚 Learning: 2024-10-31T07:09:31.983Z
Learnt from: Cerebrovinny
Repo: cloudposse/atmos PR: 737
File: internal/exec/vendor_utils.go:181-182
Timestamp: 2024-10-31T07:09:31.983Z
Learning: In `internal/exec/vendor_utils.go`, the variables `mergedSources` and `mergedImports` are declared and used later in the code. Do not suggest removing them as unused variables.

Applied to files:

  • internal/exec/vendor_utils_test.go
📚 Learning: 2024-11-19T23:00:45.899Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 795
File: internal/exec/stack_processor_utils.go:378-386
Timestamp: 2024-11-19T23:00:45.899Z
Learning: In the `ProcessYAMLConfigFile` function within `internal/exec/stack_processor_utils.go`, directory traversal in stack imports is acceptable and should not be restricted.

Applied to files:

  • internal/exec/vendor_utils_test.go
📚 Learning: 2025-09-30T19:03:50.738Z
Learnt from: Cerebrovinny
Repo: cloudposse/atmos PR: 1560
File: pkg/utils/string_utils.go:43-64
Timestamp: 2025-09-30T19:03:50.738Z
Learning: In the Atmos codebase, YAML tags like !terraform.output rely on positional arguments, so the SplitStringByDelimiter function in pkg/utils/string_utils.go must preserve empty strings (even after trimming quotes) to maintain the correct number of positional arguments. Filtering out empty values after trimming would collapse the array and break these function calls.

Applied to files:

  • internal/exec/vendor_utils_test.go
📚 Learning: 2025-02-18T15:20:49.080Z
Learnt from: Listener430
Repo: cloudposse/atmos PR: 1061
File: tests/fixtures/scenarios/vendor-pulls-ssh/vendor.yaml:20-22
Timestamp: 2025-02-18T15:20:49.080Z
Learning: Hardcoded credentials are acceptable in test fixtures when they are specifically testing credential handling, masking, or injection behavior. For example, in `tests/fixtures/scenarios/vendor-pulls-ssh/vendor.yaml`, credentials like "myuser:supersecret" are used to test that direct credentials in URLs are not overwritten by token injection.

Applied to files:

  • pkg/downloader/token_injection_e2e_test.go
  • internal/exec/vendor_template_tokens_test.go
  • tests/snapshots/TestCLICommands_atmos_vendor_pull_with_custom_detector_and_handling_credentials_leakage.stderr.golden
  • tests/fixtures/scenarios/vendor-template-tokens/vendor.yaml
  • tests/snapshots/TestCLICommands_atmos_vendor_pull_custom_detector_credentials_leakage.stderr.golden
📚 Learning: 2025-02-13T07:30:28.946Z
Learnt from: Listener430
Repo: cloudposse/atmos PR: 1061
File: internal/exec/go_getter_utils.go:74-75
Timestamp: 2025-02-13T07:30:28.946Z
Learning: In the `CustomGitDetector.Detect` method of `internal/exec/go_getter_utils.go`, verbose debug logging of raw URLs is intentionally kept for debugging purposes, despite potential credential exposure risks.

Applied to files:

  • pkg/downloader/token_injection_e2e_test.go
  • pkg/downloader/custom_git_detector.go
  • tests/snapshots/TestCLICommands_atmos_vendor_pull_ssh_component.stderr.golden
  • internal/exec/vendor_template_tokens_test.go
  • tests/snapshots/TestCLICommands_atmos_vendor_pull_custom_detector_credentials_leakage.stderr.golden
📚 Learning: 2025-02-05T11:10:51.031Z
Learnt from: mss
Repo: cloudposse/atmos PR: 1024
File: internal/exec/go_getter_utils.go:31-33
Timestamp: 2025-02-05T11:10:51.031Z
Learning: The path traversal check in `ValidateURI` function in `internal/exec/go_getter_utils.go` is intentionally kept despite potentially blocking valid Git URLs, as this validation is planned to be addressed in a separate ticket.

Applied to files:

  • pkg/downloader/token_injection_e2e_test.go
  • pkg/downloader/custom_git_detector.go
📚 Learning: 2024-10-23T20:13:23.054Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 731
File: pkg/utils/file_utils.go:198-202
Timestamp: 2024-10-23T20:13:23.054Z
Learning: In `pkg/utils/file_utils.go`, the current implementation of the `IsURL` function is considered sufficient; avoid suggesting more complex URL validation in future reviews.

Applied to files:

  • pkg/downloader/url_utils_test.go
  • pkg/downloader/custom_git_detector.go
📚 Learning: 2025-02-03T15:51:48.035Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 984
File: internal/exec/go_getter_utils.go:103-109
Timestamp: 2025-02-03T15:51:48.035Z
Learning: When checking for subdirectories in GitHub URLs, use `parsedURL.Path` to check for "//" instead of the entire URL, as the scheme portion (e.g., "https://") will always contain "//".

Applied to files:

  • pkg/downloader/custom_git_detector.go
📚 Learning: 2024-12-02T21:26:32.337Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 808
File: pkg/config/config.go:478-483
Timestamp: 2024-12-02T21:26:32.337Z
Learning: In the 'atmos' project, when reviewing Go code like `pkg/config/config.go`, avoid suggesting file size checks after downloading remote configs if such checks aren't implemented elsewhere in the codebase.

Applied to files:

  • pkg/downloader/custom_git_detector.go
  • internal/exec/oci_utils.go
📚 Learning: 2025-02-04T22:45:15.845Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 0
File: :0-0
Timestamp: 2025-02-04T22:45:15.845Z
Learning: When validating URLs in Go, use the standard `url.Parse` function instead of character-based validation to properly handle URL-safe characters and query parameters.

Applied to files:

  • pkg/downloader/custom_git_detector.go
📚 Learning: 2025-04-23T15:02:50.246Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1202
File: pkg/utils/yaml_func_exec.go:104-104
Timestamp: 2025-04-23T15:02:50.246Z
Learning: In the Atmos codebase, direct calls to `os.Getenv` should be avoided. Instead, use `viper.BindEnv` for environment variable access. This provides a consistent approach to configuration management across the codebase.

Applied to files:

  • pkg/config/load.go
  • website/docs/core-concepts/vendor/vendor-manifest.mdx
📚 Learning: 2025-09-29T15:47:10.908Z
Learnt from: aknysh
Repo: cloudposse/atmos PR: 1540
File: internal/exec/terraform_cli_args_utils.go:64-73
Timestamp: 2025-09-29T15:47:10.908Z
Learning: In the Atmos codebase, viper.BindEnv is required for CLI commands in the cmd/ package, but internal utilities can use os.Getenv directly when parsing environment variables for business logic purposes. The requirement to use viper is specific to the CLI interface layer, not all environment variable access throughout the codebase.

Applied to files:

  • pkg/config/load.go
📚 Learning: 2025-09-23T04:43:31.857Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1430
File: pkg/config/config.go:98-107
Timestamp: 2025-09-23T04:43:31.857Z
Learning: In the Atmos codebase, NO_PAGER environment variable handling is intentionally kept as direct os.Getenv() access in pkg/config/config.go rather than using Viper binding, because adding no_pager to the config file would be confusing for users. This is an acknowledged exception to the normal Viper binding pattern for environment variables.

Applied to files:

  • pkg/config/load.go
📚 Learning: 2025-04-10T20:48:22.687Z
Learnt from: samtholiya
Repo: cloudposse/atmos PR: 1147
File: pkg/config/load.go:0-0
Timestamp: 2025-04-10T20:48:22.687Z
Learning: In the `bindEnv` function in `pkg/config/load.go`, panic is used deliberately instead of returning errors because errors from `BindEnv` would only occur due to developer mistakes. Using panic helps with early detection of these developer errors during initialization.

Applied to files:

  • pkg/config/load.go
📚 Learning: 2025-09-13T16:39:20.007Z
Learnt from: samtholiya
Repo: cloudposse/atmos PR: 1466
File: cmd/markdown/atmos_toolchain_aliases.md:2-4
Timestamp: 2025-09-13T16:39:20.007Z
Learning: In the cloudposse/atmos repository, CLI documentation files in cmd/markdown/ follow a specific format that uses " $ atmos command" (with leading space and dollar sign prompt) in code blocks. This is the established project convention and should not be changed to comply with standard markdownlint rules MD040 and MD014.

Applied to files:

  • tests/snapshots/TestCLICommands_atmos_auth_whoami_without_authentication.stderr.golden
  • tests/snapshots/TestCLICommands_atmos_vendor_pull_with_custom_detector_and_handling_credentials_leakage.stderr.golden
📚 Learning: 2025-01-25T03:49:03.951Z
Learnt from: Listener430
Repo: cloudposse/atmos PR: 934
File: internal/exec/template_utils.go:268-271
Timestamp: 2025-01-25T03:49:03.951Z
Learning: The `ProcessTmplWithDatasourcesGomplate` function in `internal/exec/template_utils.go` is used for documentation generation purposes, where simple environment variable handling is acceptable and thread-safety concerns are not critical.

Applied to files:

  • internal/exec/vendor_template_tokens_test.go
📚 Learning: 2025-09-23T02:30:42.362Z
Learnt from: CR
Repo: cloudposse/atmos PR: 0
File: .cursor/rules/atmos-rules.mdc:0-0
Timestamp: 2025-09-23T02:30:42.362Z
Learning: Applies to **/*.go : Document complex logic with inline comments

Applied to files:

  • pkg/downloader/url_utils.go
📚 Learning: 2024-12-12T15:15:46.457Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 808
File: examples/demo-atmos-cli-imports/atmos.yaml:7-7
Timestamp: 2024-12-12T15:15:46.457Z
Learning: In example configuration files, such as `examples/demo-atmos-cli-imports/atmos.yaml`, it's acceptable to use `refs/heads/main` in remote URLs.

Applied to files:

  • website/docs/core-concepts/vendor/vendor-manifest.mdx
📚 Learning: 2024-10-31T01:22:09.586Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 737
File: examples/demo-vendoring/vendor.d/vendor1.yaml:10-11
Timestamp: 2024-10-31T01:22:09.586Z
Learning: In `examples/demo-vendoring/vendor.d/vendor1.yaml`, when specifying the source for the `ipinfo` component, it's acceptable to use `main` as the version reference if pinning to a specific version is not practical.

Applied to files:

  • website/docs/core-concepts/vendor/vendor-manifest.mdx
📚 Learning: 2025-01-19T22:30:27.600Z
Learnt from: aknysh
Repo: cloudposse/atmos PR: 0
File: :0-0
Timestamp: 2025-01-19T22:30:27.600Z
Learning: The Atmos YAML function `!env` is used to retrieve environment variables and assign them to sections in stack manifests. It supports both simple types (string, number, boolean) and complex types (JSON-encoded lists, maps, objects).

Applied to files:

  • website/docs/core-concepts/vendor/vendor-manifest.mdx
📚 Learning: 2025-01-19T22:30:27.600Z
Learnt from: aknysh
Repo: cloudposse/atmos PR: 0
File: :0-0
Timestamp: 2025-01-19T22:30:27.600Z
Learning: The Atmos YAML function `!include` allows downloading local or remote files from different sources and assigning their contents to sections in stack manifests. It supports various protocols (file, http, git, s3, etc.) and can filter content using YQ expressions.

Applied to files:

  • website/docs/core-concepts/vendor/vendor-manifest.mdx
📚 Learning: 2024-12-07T16:16:13.038Z
Learnt from: Listener430
Repo: cloudposse/atmos PR: 825
File: internal/exec/helmfile_generate_varfile.go:28-31
Timestamp: 2024-12-07T16:16:13.038Z
Learning: In `internal/exec/helmfile_generate_varfile.go`, the `--help` command (`./atmos helmfile generate varfile --help`) works correctly without requiring stack configurations, and the only change needed was to make `ProcessCommandLineArgs` exportable by capitalizing its name.

Applied to files:

  • internal/exec/oci_utils.go
📚 Learning: 2024-12-15T10:20:08.436Z
Learnt from: Listener430
Repo: cloudposse/atmos PR: 844
File: cmd/cmd_utils.go:454-464
Timestamp: 2024-12-15T10:20:08.436Z
Learning: Avoid adding timeout handling for GitHub API calls in `CheckForAtmosUpdateAndPrintMessage` function in `cmd/cmd_utils.go`, as it might be disabled by user settings.

Applied to files:

  • internal/exec/oci_utils.go
📚 Learning: 2025-09-09T02:14:36.708Z
Learnt from: Benbentwo
Repo: cloudposse/atmos PR: 1452
File: internal/auth/types/whoami.go:14-15
Timestamp: 2025-09-09T02:14:36.708Z
Learning: The WhoamiInfo struct in internal/auth/types/whoami.go requires the Credentials field to be JSON-serializable for keystore unmarshaling operations, despite security concerns about credential exposure.

Applied to files:

  • internal/exec/oci_utils.go
📚 Learning: 2025-09-10T22:38:42.212Z
Learnt from: Benbentwo
Repo: cloudposse/atmos PR: 1475
File: pkg/auth/identities/aws/user.go:141-145
Timestamp: 2025-09-10T22:38:42.212Z
Learning: The user confirmed that the errors package has an error string wrapping format, contradicting the previous learning about ErrWrappingFormat being invalid. The current usage of fmt.Errorf(errUtils.ErrWrappingFormat, errUtils.ErrAuthAwsFileManagerFailed, err) appears to be the correct pattern.

Applied to files:

  • internal/exec/oci_utils.go
🪛 LanguageTool
website/docs/cli/configuration/configuration.mdx

[uncategorized] ~995-~995: The official name of this software platform is spelled with a capital “H”.
Context: ... | settings.github_username | GitHu...

(GITHUB)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Summary

aknysh and others added 2 commits November 5, 2025 12:16
Fixed bug in TestCustomGitDetector_EndToEnd_* tests where empty token
strings would incorrectly pass the assertion:

strings.Contains(finalURL, "") always returns true

This masked real regressions where tokens weren't being injected.

Solution: Gate the Contains checks on non-empty tokens:
- hasGithubToken := tt.githubToken != "" && strings.Contains(finalURL, tt.githubToken)
- hasAtmosToken := tt.atmosGithubToken != "" && strings.Contains(finalURL, tt.atmosGithubToken)

Now the test only passes if:
1. A token is configured (non-empty)
2. AND that token appears in the final URL

Identified by: CodeRabbitAI review
File: pkg/downloader/token_injection_e2e_test.go:100-102

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
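The vacuous assertion described in this commit message, reproduced as an added example (not code from the PR). The function names, the constructed URLs, the `x-access-token` username and the token value are assumptions. It goes one step beyond the commit by also showing a stricter check that compares the token against the parsed userinfo instead of searching the whole URL.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample values, not taken from the PR.
const (
	constructedToken = "ghp_constructed_token"
	noTokenURL       = "git::https://github.com/test-org/test-repo.git?ref=main"
	injectedURL      = "git::https://x-access-token:" + constructedToken +
		"@github.com/test-org/test-repo.git?ref=main"
)

// vacuousCheck is an assumed shape of the pre-fix assertion: with an empty
// token, strings.Contains(s, "") is true for every s, so the check passes
// even though nothing was injected.
func vacuousCheck(finalURL, githubToken, atmosToken string) bool {
	return strings.Contains(finalURL, githubToken) ||
		strings.Contains(finalURL, atmosToken)
}

// gatedCheck applies the fix from the commit message: a token only counts
// when it is configured (non-empty) AND present in the final URL.
func gatedCheck(finalURL, githubToken, atmosToken string) bool {
	hasGithubToken := githubToken != "" && strings.Contains(finalURL, githubToken)
	hasAtmosToken := atmosToken != "" && strings.Contains(finalURL, atmosToken)
	return hasGithubToken || hasAtmosToken
}

// tokenInUserinfo is a stricter variant (an addition, not part of the PR):
// it parses the URL and compares each candidate token with the password in
// the userinfo component, so a token-like string elsewhere in the URL
// (path, ref, query) does not satisfy the check.
func tokenInUserinfo(finalURL string, tokens ...string) bool {
	// go-getter style forced-protocol prefix is not part of the URL proper.
	u, err := url.Parse(strings.TrimPrefix(finalURL, "git::"))
	if err != nil || u.User == nil {
		return false
	}
	password, ok := u.User.Password()
	if !ok || password == "" {
		return false
	}
	for _, tok := range tokens {
		if tok != "" && tok == password {
			return true
		}
	}
	return false
}

func main() {
	// No token configured and none injected: only the vacuous check passes.
	fmt.Println("vacuous, no token:", vacuousCheck(noTokenURL, "", ""))
	fmt.Println("gated,   no token:", gatedCheck(noTokenURL, "", ""))

	// Token configured and injected: gated and userinfo checks both pass.
	fmt.Println("gated,   injected:", gatedCheck(injectedURL, constructedToken, ""))
	fmt.Println("userinfo, injected:", tokenInUserinfo(injectedURL, constructedToken))

	// A short token that happens to match the ref still fools a substring
	// check, but not the userinfo comparison.
	fmt.Println("gated,   token=main:", gatedCheck(noTokenURL, "main", ""))
	fmt.Println("userinfo, token=main:", tokenInUserinfo(noTokenURL, "main"))
}
```
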
Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (4)
pkg/downloader/token_injection_e2e_test.go (4)

78-84: Strengthen non-injection path assertions.

The early return in the no-token case leaves URL structure and detection behavior unchecked. Consider verifying that detection returns consistent results (e.g., detected=false or finalURL remains unchanged) even when no token is available.

 		if !tt.expectTokenInjected {
-			// If no token expected, detection might still succeed but without credentials
-			if detected {
-				assert.NotContains(t, finalURL, "@", "URL should not contain credentials")
-			}
-			return
+			// No token expected; verify detection behavior is consistent
+			assert.False(t, detected, "Detection should fail when no token available")
+			assert.Empty(t, finalURL, "Final URL should be empty when detection fails")
+			return
 		}
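
Review bot: The replacement in the `!tt.expectTokenInjected` branch removes `assert.NotContains(t, finalURL, "@", ...)`, so the no-token path no longer checks that the final URL is free of credentials, which is the property this test file exists to guard. The new `assert.False(t, detected, ...)` also contradicts the deleted comment, which says detection might still succeed without credentials; if any table case reaches this branch with `detected == true`, the suggested assertions fail for the wrong reason. Keep the `NotContains` check for the detected case and add the `assert.Empty(t, finalURL, ...)` check only under `!detected`.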

25-58: Add test case for disabled token injection.

All cases assume InjectGithubToken=true. Add a case with InjectGithubToken=false and a token present to verify that injection is correctly skipped when disabled.

Add this test case to the table:

{
	name:                "InjectGithubToken disabled - no injection despite token present",
	githubToken:         "ghp_token_should_not_be_used",
	atmosGithubToken:    "",
	sourceURL:           "github.com/test-org/test-repo.git?ref=main",
	expectTokenInjected: false,
	expectedUsername:    "",
},

Then update line 67 to use a field from the test case:

InjectGithubToken: true, // or add tt.injectGithubToken field to control this per-case

17-251: Add GitLab and Bitbucket test coverage.

The PR adds support for GitLab and Bitbucket with inject_gitlab_token and inject_bitbucket_token defaulting to true, but only GitHub hosts are tested. Add equivalent e2e tests for GitLab and Bitbucket to ensure parity and verify the injection logic works consistently across all supported providers.

Consider adding test functions like:

  • TestCustomGitDetector_EndToEnd_GitLabTokenInjection
  • TestCustomGitDetector_EndToEnd_BitbucketTokenInjection

These should mirror the GitHub scenarios (token fallback, pre-existing credentials, etc.) to maintain coverage parity across all supported hosts.


17-251: Add error condition tests.

The test file covers happy paths and edge cases but lacks error condition coverage (e.g., malformed URLs, invalid schemes). Per coding guidelines, comprehensive tests should include error scenarios.

Add a test function like:

func TestCustomGitDetector_EndToEnd_ErrorConditions(t *testing.T) {
	tests := []struct {
		name      string
		sourceURL string
		wantError bool
	}{
		{
			name:      "Malformed URL",
			sourceURL: "ht!tp://invalid-url",
			wantError: true,
		},
		// Add other error scenarios
	}
	// Test implementation...
}
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 2c5c08d and d520c7e.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (2)
  • go.mod (2 hunks)
  • pkg/downloader/token_injection_e2e_test.go (1 hunks)
🧰 Additional context used
📓 Path-based instructions (4)
pkg/**/*.go

📄 CodeRabbit inference engine (.cursor/rules/atmos-rules.mdc)

Place business logic in pkg rather than in cmd

Files:

  • pkg/downloader/token_injection_e2e_test.go
**/*_test.go

📄 CodeRabbit inference engine (.cursor/rules/atmos-rules.mdc)

**/*_test.go: Every new feature must include comprehensive unit tests
Test both happy paths and error conditions
Use table-driven tests for multiple scenarios

Files:

  • pkg/downloader/token_injection_e2e_test.go
**/*.go

📄 CodeRabbit inference engine (.cursor/rules/atmos-rules.mdc)

**/*.go: All code must pass golangci-lint checks
Follow Go error handling idioms and use meaningful error messages
Wrap errors with context using fmt.Errorf("context: %w", err)
Consider custom error types for domain-specific errors
Follow standard Go coding style; run gofmt and goimports
Use snake_case for environment variables
Document complex logic with inline comments

Files:

  • pkg/downloader/token_injection_e2e_test.go
go.{mod,sum}

📄 CodeRabbit inference engine (.cursor/rules/atmos-rules.mdc)

go.{mod,sum}: Manage dependencies with Go modules
Keep dependencies up to date

Files:

  • go.mod
🧠 Learnings (19)
📓 Common learnings
Learnt from: aknysh
Repo: cloudposse/atmos PR: 944
File: go.mod:206-206
Timestamp: 2025-01-17T00:18:57.769Z
Learning: For indirect dependencies with license compliance issues in the cloudposse/atmos repository, the team prefers to handle them in follow-up PRs rather than blocking the current changes, as these issues often require deeper investigation of the dependency tree.
Learnt from: Listener430
Repo: cloudposse/atmos PR: 934
File: tests/fixtures/scenarios/docs-generate/README.md.gotmpl:99-118
Timestamp: 2025-01-25T03:51:57.689Z
Learning: For the cloudposse/atmos repository, changes to template contents should be handled in dedicated PRs and are typically considered out of scope for PRs focused on other objectives.
Learnt from: Listener430
Repo: cloudposse/atmos PR: 1149
File: internal/exec/go_getter_utils.go:263-264
Timestamp: 2025-03-25T12:24:36.177Z
Learning: Tests for the default Bitbucket username fallback to "x-token-auth" will be added during a future refactoring phase rather than in this PR.
Learnt from: Listener430
Repo: cloudposse/atmos PR: 1149
File: internal/exec/go_getter_utils.go:104-104
Timestamp: 2025-03-25T12:23:42.649Z
Learning: Listener430 plans to add a test for verifying that token injection is skipped for unsupported hosts in a future review or refactoring iteration. This relates to the CustomGitDetector.Detect method in internal/exec/go_getter_utils.go.
Learnt from: Listener430
Repo: cloudposse/atmos PR: 1076
File: internal/exec/go_getter_utils.go:198-209
Timestamp: 2025-03-21T19:03:25.228Z
Learning: In the `exec` package of Atmos, the `injectToken` method in `CustomGitDetector` is designed to intentionally overwrite any existing credentials when injecting tokens into Git URLs. This behavior is by design.
Learnt from: Listener430
Repo: cloudposse/atmos PR: 912
File: pkg/config/config.go:91-92
Timestamp: 2025-01-09T19:53:29.847Z
Learning: In the Atmos project, the `core.inject_github_token` configuration is required to be enabled (`true`) by default to support authenticated GitHub requests and help bypass rate limits.
📚 Learning: 2025-03-25T12:23:42.649Z
Learnt from: Listener430
Repo: cloudposse/atmos PR: 1149
File: internal/exec/go_getter_utils.go:104-104
Timestamp: 2025-03-25T12:23:42.649Z
Learning: Listener430 plans to add a test for verifying that token injection is skipped for unsupported hosts in a future review or refactoring iteration. This relates to the CustomGitDetector.Detect method in internal/exec/go_getter_utils.go.

Applied to files:

  • pkg/downloader/token_injection_e2e_test.go
📚 Learning: 2025-09-23T02:30:42.362Z
Learnt from: CR
Repo: cloudposse/atmos PR: 0
File: .cursor/rules/atmos-rules.mdc:0-0
Timestamp: 2025-09-23T02:30:42.362Z
Learning: Applies to **/*_test.go : Every new feature must include comprehensive unit tests

Applied to files:

  • pkg/downloader/token_injection_e2e_test.go
📚 Learning: 2025-03-21T19:03:25.228Z
Learnt from: Listener430
Repo: cloudposse/atmos PR: 1076
File: internal/exec/go_getter_utils.go:198-209
Timestamp: 2025-03-21T19:03:25.228Z
Learning: In the `exec` package of Atmos, the `injectToken` method in `CustomGitDetector` is designed to intentionally overwrite any existing credentials when injecting tokens into Git URLs. This behavior is by design.

Applied to files:

  • pkg/downloader/token_injection_e2e_test.go
📚 Learning: 2025-03-25T12:24:36.177Z
Learnt from: Listener430
Repo: cloudposse/atmos PR: 1149
File: internal/exec/go_getter_utils.go:263-264
Timestamp: 2025-03-25T12:24:36.177Z
Learning: Tests for the default Bitbucket username fallback to "x-token-auth" will be added during a future refactoring phase rather than in this PR.

Applied to files:

  • pkg/downloader/token_injection_e2e_test.go
📚 Learning: 2025-02-18T15:20:49.080Z
Learnt from: Listener430
Repo: cloudposse/atmos PR: 1061
File: tests/fixtures/scenarios/vendor-pulls-ssh/vendor.yaml:20-22
Timestamp: 2025-02-18T15:20:49.080Z
Learning: Hardcoded credentials are acceptable in test fixtures when they are specifically testing credential handling, masking, or injection behavior. For example, in `tests/fixtures/scenarios/vendor-pulls-ssh/vendor.yaml`, credentials like "myuser:supersecret" are used to test that direct credentials in URLs are not overwritten by token injection.

Applied to files:

  • pkg/downloader/token_injection_e2e_test.go
📚 Learning: 2025-02-13T07:30:28.946Z
Learnt from: Listener430
Repo: cloudposse/atmos PR: 1061
File: internal/exec/go_getter_utils.go:74-75
Timestamp: 2025-02-13T07:30:28.946Z
Learning: In the `CustomGitDetector.Detect` method of `internal/exec/go_getter_utils.go`, verbose debug logging of raw URLs is intentionally kept for debugging purposes, despite potential credential exposure risks.

Applied to files:

  • pkg/downloader/token_injection_e2e_test.go
📚 Learning: 2025-01-08T19:02:28.099Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 899
File: examples/tests/vendor.yaml:48-48
Timestamp: 2025-01-08T19:02:28.099Z
Learning: Test cases in the Atmos project deliberately use different Git URL formats (with and without `git::` prefix) to test various scenarios. These formats should not be normalized to maintain test coverage of different URL handling cases.

Applied to files:

  • pkg/downloader/token_injection_e2e_test.go
📚 Learning: 2024-12-02T21:26:32.337Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 808
File: pkg/config/config.go:478-483
Timestamp: 2024-12-02T21:26:32.337Z
Learning: In the 'atmos' project, when reviewing Go code like `pkg/config/config.go`, avoid suggesting file size checks after downloading remote configs if such checks aren't implemented elsewhere in the codebase.

Applied to files:

  • pkg/downloader/token_injection_e2e_test.go
📚 Learning: 2024-10-23T20:13:23.054Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 731
File: pkg/utils/file_utils.go:198-202
Timestamp: 2024-10-23T20:13:23.054Z
Learning: In `pkg/utils/file_utils.go`, the current implementation of the `IsURL` function is considered sufficient; avoid suggesting more complex URL validation in future reviews.

Applied to files:

  • pkg/downloader/token_injection_e2e_test.go
📚 Learning: 2025-02-05T11:10:51.031Z
Learnt from: mss
Repo: cloudposse/atmos PR: 1024
File: internal/exec/go_getter_utils.go:31-33
Timestamp: 2025-02-05T11:10:51.031Z
Learning: The path traversal check in `ValidateURI` function in `internal/exec/go_getter_utils.go` is intentionally kept despite potentially blocking valid Git URLs, as this validation is planned to be addressed in a separate ticket.

Applied to files:

  • pkg/downloader/token_injection_e2e_test.go
📚 Learning: 2025-09-23T02:30:42.362Z
Learnt from: CR
Repo: cloudposse/atmos PR: 0
File: .cursor/rules/atmos-rules.mdc:0-0
Timestamp: 2025-09-23T02:30:42.362Z
Learning: Applies to **/*_test.go : Test both happy paths and error conditions

Applied to files:

  • pkg/downloader/token_injection_e2e_test.go
📚 Learning: 2025-04-04T02:03:23.676Z
Learnt from: aknysh
Repo: cloudposse/atmos PR: 1185
File: internal/exec/yaml_func_store.go:26-26
Timestamp: 2025-04-04T02:03:23.676Z
Learning: The Atmos codebase currently uses `log.Fatal` for error handling in multiple places. The maintainers are aware this isn't an ideal pattern (should only be used in main() or init() functions) and plan to address it comprehensively in a separate PR. CodeRabbit should not flag these issues or push for immediate changes until that refactoring is complete.

Applied to files:

  • pkg/downloader/token_injection_e2e_test.go
📚 Learning: 2025-09-23T02:30:42.362Z
Learnt from: CR
Repo: cloudposse/atmos PR: 0
File: .cursor/rules/atmos-rules.mdc:0-0
Timestamp: 2025-09-23T02:30:42.362Z
Learning: Applies to go.{mod,sum} : Manage dependencies with Go modules

Applied to files:

  • go.mod
📚 Learning: 2025-09-23T02:30:42.362Z
Learnt from: CR
Repo: cloudposse/atmos PR: 0
File: .cursor/rules/atmos-rules.mdc:0-0
Timestamp: 2025-09-23T02:30:42.362Z
Learning: Applies to go.{mod,sum} : Keep dependencies up to date

Applied to files:

  • go.mod
📚 Learning: 2025-01-17T00:21:32.987Z
Learnt from: aknysh
Repo: cloudposse/atmos PR: 944
File: go.mod:3-3
Timestamp: 2025-01-17T00:21:32.987Z
Learning: Go version 1.23.0 was deliberately introduced by the maintainer (aknysh) in January 2025. While this might be a pre-release or development version of Go, it has been approved for use in this project.

Applied to files:

  • go.mod
📚 Learning: 2025-01-17T00:21:32.987Z
Learnt from: aknysh
Repo: cloudposse/atmos PR: 944
File: go.mod:3-3
Timestamp: 2025-01-17T00:21:32.987Z
Learning: The project uses Go version 1.23.0 which has been confirmed by the maintainer to be working in production for months. Do not flag this as an invalid Go version.

Applied to files:

  • go.mod
📚 Learning: 2025-07-05T20:59:02.914Z
Learnt from: aknysh
Repo: cloudposse/atmos PR: 1363
File: internal/exec/template_utils.go:18-18
Timestamp: 2025-07-05T20:59:02.914Z
Learning: In the Atmos project, gomplate v4 is imported with a blank import (`_ "github.com/hairyhenderson/gomplate/v4"`) alongside v3 imports to resolve AWS SDK version conflicts. V3 uses older AWS SDK versions that conflict with newer AWS modules used by Atmos. A full migration to v4 requires extensive refactoring due to API changes and should be handled in a separate PR.

Applied to files:

  • go.mod
📚 Learning: 2025-05-30T03:21:37.197Z
Learnt from: aknysh
Repo: cloudposse/atmos PR: 1274
File: go.mod:63-63
Timestamp: 2025-05-30T03:21:37.197Z
Learning: The redis dependency (github.com/redis/go-redis/v9) in the atmos project is only used in tests, not in production code.

Applied to files:

  • go.mod
🧬 Code graph analysis (1)
pkg/downloader/token_injection_e2e_test.go (2)
pkg/schema/schema.go (2)
  • AtmosConfiguration (27-65)
  • AtmosSettings (267-288)
pkg/downloader/custom_git_detector.go (1)
  • NewCustomGitDetector (25-30)
🔇 Additional comments (7)
go.mod (3)

3-3: Verify Go version bump intention.

The Go version has been updated from 1.23.0 (previously approved per learnings) to 1.25.0. Confirm this is intentional and compatible with the project's requirements and deployment environment.


22-30: Routine AWS SDK dependency maintenance looks good.

AWS SDK for Go v2 and supporting libraries (smithy-go) have been updated with consistent patch/minor version bumps. These updates appear routine and maintain dependency alignment.

Also applies to: 31-31


149-158: Indirect dependencies kept in sync.

Indirect AWS SDK v2 components are properly updated alongside direct dependencies. Good hygiene.

pkg/downloader/token_injection_e2e_test.go (4)

99-104: Previous false-positive issue resolved.

The gated token assertions now correctly prevent false positives when tokens are empty. This addresses the earlier review feedback effectively.


116-143: Credential preservation logic verified.

This test now correctly expects user-provided credentials to be preserved rather than overwritten, aligning with the updated implementation. The assertions properly validate both preservation and non-injection.


145-165: Unsupported host handling verified.

This test correctly validates that non-GitHub/GitLab/Bitbucket hosts return detected=false without attempting token injection.


167-251: Comprehensive credential format coverage.

This table-driven test thoroughly validates preservation of various user-specified credential formats (user:pass, token-only, username-only) and correctly handles the no-credentials case. The URL parsing and assertions are precise and appropriate.
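
The precedence these tests check (existing URL credentials are preserved, unsupported hosts are skipped, injection depends on the per-host setting and a non-empty token), as an added Go example that is not the Atmos implementation or code from this PR. The `Settings` struct, the function names, and the per-host usernames `x-access-token`, `oauth2` and `x-token-auth` are assumptions; the token value is constructed.

```go
package main

import (
	"fmt"
	"net/url"
)

// Settings is a hypothetical stand-in for the inject_*_token toggles and tokens.
type Settings struct {
	InjectGithub, InjectGitlab, InjectBitbucket bool
	GithubToken, GitlabToken, BitbucketToken    string
}

// hostCreds: ok is false for unsupported hosts, disabled injection, or empty tokens.
func hostCreds(host string, s Settings) (user, token string, ok bool) {
	switch host {
	case "github.com":
		return "x-access-token", s.GithubToken, s.InjectGithub && s.GithubToken != ""
	case "gitlab.com":
		return "oauth2", s.GitlabToken, s.InjectGitlab && s.GitlabToken != ""
	case "bitbucket.org":
		return "x-token-auth", s.BitbucketToken, s.InjectBitbucket && s.BitbucketToken != ""
	}
	return "", "", false
}

// InjectToken returns the URL to fetch and whether a token was injected.
func InjectToken(raw string, s Settings) (string, bool, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", false, err
	}
	// Any userinfo (user:pass, token-only, username-only) is left untouched.
	if u.User != nil {
		return u.String(), false, nil
	}
	user, token, ok := hostCreds(u.Hostname(), s)
	if !ok {
		return u.String(), false, nil
	}
	u.User = url.UserPassword(user, token)
	return u.String(), true, nil
}

func main() {
	s := Settings{InjectGithub: true, GithubToken: "constructed-token"} // constructed value
	out, injected, _ := InjectToken("https://github.com/org/repo.git", s)
	fmt.Println(out, injected)
}
```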

@autofix-ci bot temporarily deployed to feature-releases November 5, 2025 18:08 (Inactive)

github-actions bot commented Nov 5, 2025

These changes were released in v1.198.0-test.8.

@aknysh merged commit 072a31f into main Nov 5, 2025
62 checks passed
@aknysh deleted the osterman/vendor-yaml-template-bug branch November 5, 2025 22:44

github-actions bot commented Nov 6, 2025

These changes were released in v1.198.0-rc.2.

aknysh added a commit that referenced this pull request Nov 6, 2025
Resolved conflicts in internal/exec/oci_utils.go by accepting refactored
authentication code from main branch.

Changes from main:
- PR #1647: Fix vendor authentication (token injection, credential precedence)
- PR #1749: Add omitempty tag for atlantis generate repo-config
- Refactored OCI authentication with proper credential precedence:
  1. Docker keychain (~/.docker/config.json)
  2. Environment variable tokens (ATMOS_GITHUB_TOKEN/GITHUB_TOKEN)
  3. Anonymous fallback
- New getGHCRAuth() helper function
- Improved test coverage with new test files

Conflict resolution:
- Removed local nolint:forbidigo directive (no longer needed)
- Kept refactored authentication logic from main
- New code uses atmosConfig.Settings instead of os.Getenv()

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
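
The OCI credential precedence listed in the commit message above (Docker config, then environment tokens, then anonymous), as an added Go example that is not the project's `getGHCRAuth()` or any code from the repository. `ResolveGHCRAuth`, the `Auth` type and the `Source` labels are hypothetical, only the inline `auth` field of the Docker config is handled (no credential helpers), and all credential values are constructed.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Auth is the resolved credential; Source records which tier supplied it.
type Auth struct{ Username, Password, Source string }

// dockerConfig models only the "auths" map of ~/.docker/config.json.
type dockerConfig struct {
	Auths map[string]struct {
		Auth string `json:"auth"`
	} `json:"auths"`
}

// ResolveGHCRAuth (hypothetical) tries Docker config, then username+token, then anonymous.
func ResolveGHCRAuth(registry string, dockerCfg []byte, username, atmosToken, githubToken string) Auth {
	var cfg dockerConfig
	if json.Unmarshal(dockerCfg, &cfg) == nil {
		if raw, err := base64.StdEncoding.DecodeString(cfg.Auths[registry].Auth); err == nil {
			if u, p, ok := strings.Cut(string(raw), ":"); ok && u != "" && p != "" {
				return Auth{u, p, "docker"}
			}
		}
	}
	token := atmosToken
	if token == "" {
		token = githubToken // ATMOS_GITHUB_TOKEN falls back to GITHUB_TOKEN
	}
	if username != "" && token != "" { // GHCR needs a username as well as a token
		return Auth{username, token, "env"}
	}
	return Auth{Source: "anonymous"}
}

func main() {
	// Constructed config: "auth" is base64("user:pass").
	entry := base64.StdEncoding.EncodeToString([]byte("octocat:constructed-secret"))
	cfg := []byte(`{"auths":{"ghcr.io":{"auth":"` + entry + `"}}}`)
	fmt.Println(ResolveGHCRAuth("ghcr.io", cfg, "", "", "").Source)         // docker
	fmt.Println(ResolveGHCRAuth("ghcr.io", nil, "octocat", "", "t").Source) // env
	fmt.Println(ResolveGHCRAuth("ghcr.io", nil, "", "", "t").Source)        // anonymous
}
```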

github-actions bot commented Nov 7, 2025

These changes were released in v1.198.0-rc.3.

Labels

  • patch: A minor, backward compatible change
  • release/feature: Create release from this PR
  • size/xl: Extra large size PR
