Branch matcher does not work in atlantis v0.17.0 #1539
Comments
I think even if you specify a single |
Is there any workaround for this? I'm currently using Bitbucket Server (Stash) and need this feature so Atlantis cannot be abused using another branch.
Hi, @ericsonrumuy7 and all. The following example restricts the base branch to the default branch:

```yaml
# Tested in atlantis v0.17.0
repos:
- id: /.*/
  apply_requirements: [approved, mergeable]
  pre_workflow_hooks:
  - run: pre_workflow_hooks.sh
```

```bash
#!/bin/bash
set -euo pipefail
# pre_workflow_hooks.sh
# Get the default branch
DEFAULT_BRANCH=$(git remote show origin | grep 'HEAD branch' | sed 's/.*: //')
echo "BASE_BRANCH_NAME: $BASE_BRANCH_NAME"
echo "DEFAULT_BRANCH: $DEFAULT_BRANCH"
if [ "$BASE_BRANCH_NAME" != "$DEFAULT_BRANCH" ] ; then
  echo "generate an invalid atlantis.yaml to restrict executions of plan / apply on the pull request that are merged into the non-default branch for security reasons."
  cat << EOF > atlantis.yaml
version: invalid
EOF
  # Note that exit with non-zero actually doesn't stop the following plan phase. It only writes stdout to log with ERROR level.
  # Generating the invalid atlantis.yaml will cause an error in plan.
  exit 1
fi
```

It works for me, but it's not the best solution by any means.
@minamijoyo - so does the plan still run and put a comment on the PR? I've got three atlantis instances running in three different AWS accounts, all tied to a single terragrunt repo. So the repo has three hooks, one for each atlantis instance behind an ALB. I was toying with the idea of generating an atlantis config that was "valid", but sets the |
@jasonrberk (Aside from the original issue that the |
Fixes runatlantis#1539

The branch matcher feature was introduced in runatlantis#1383, but the current implementation was broken and doesn't work at all (runatlantis#1539).

If my understanding is correct, there are two problems:

(1) The `GlobalCfg` has a default `Repo` instance which always matches any repositories and branches. Therefore the branch matcher is never functional.

(2) Validating base branches in `DefaultPreWorkflowHooksCommandRunner.RunPreHooks()` implicitly assumed that users customize `pre_workflow_hooks`, but the assumption isn't always true because it defaults to empty.

For (1), I added a new method `MatchingRepo()` to `GlobalCfg` to check `BranchMatches()` for a single `Repo` instance.

For (2), I moved validating the branch to `DefaultCommandRunner.validateCtxAndComment()`. Since the method has already validated the metadata of the pull request, I think it's a suitable place to check base branches, but please let me know if there is anywhere more suitable.
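Problem (1) from the commit message above, as a simplified Go model added here for illustration (it is not Atlantis's own code). The `Repo` struct, the function names, the repository ID and the last-matching-entry-wins rule are assumptions of this sketch.

```go
package main

import (
	"fmt"
	"regexp"
)

// Repo is a simplified stand-in for one server-side repo entry
// (hypothetical model, not the Atlantis type).
type Repo struct {
	ID     *regexp.Regexp // which repositories this entry applies to
	Branch *regexp.Regexp // allowed base branches; nil means any branch
}

// allowedAnyEntry models the flaw: every entry is consulted, so the
// catch-all default entry lets any base branch through.
func allowedAnyEntry(cfg []Repo, repo, branch string) bool {
	for _, r := range cfg {
		if r.ID.MatchString(repo) && (r.Branch == nil || r.Branch.MatchString(branch)) {
			return true
		}
	}
	return false
}

// allowedSingleEntry picks the one entry that governs the repository
// (assumption: last matching entry wins) and checks only its branch rule.
func allowedSingleEntry(cfg []Repo, repo, branch string) bool {
	for i := len(cfg) - 1; i >= 0; i-- {
		if cfg[i].ID.MatchString(repo) {
			return cfg[i].Branch == nil || cfg[i].Branch.MatchString(branch)
		}
	}
	return false
}

// sampleConfig is constructed: a built-in catch-all plus one user entry.
func sampleConfig() []Repo {
	return []Repo{
		{ID: regexp.MustCompile(`.*`)},
		{ID: regexp.MustCompile(`^github\.com/example/infra$`), Branch: regexp.MustCompile(`^main$`)},
	}
}

func main() {
	cfg, repo := sampleConfig(), "github.com/example/infra"
	for _, b := range []string{"main", "feature/x"} {
		fmt.Println(b, allowedAnyEntry(cfg, repo, b), allowedSingleEntry(cfg, repo, b))
	}
}
```

A regression test for a branch restriction should assert the rejected case (a pull request whose base branch is outside the pattern), since the allowed case passes under both versions.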
Has this been resolved? I am facing the same issue in 2024.
I saw that in v0.17.0 atlantis has added the branch matcher feature #1383, but when I tried it, it seems it does not work.
but atlantis can still be executed from that PR