Merge branch 'main' into error-handling-infra

Author: aknysh

.github/workflows/changelog-check.yml

@@ -44,9 +44,14 @@ jobs:
           GH_TOKEN: ${{ github.token }}
         run: |
           PR_NUMBER="${{ github.event.pull_request.number }}"
+          BASE_REF="${{ github.event.pull_request.base.sha }}"
+          HEAD_REF="${{ github.event.pull_request.head.sha }}"
 
-          # Get all files added in this PR (not just the latest commit)
-          NEW_BLOG_FILES=$(gh pr diff $PR_NUMBER --name-only | grep -E '^website/blog/.*\.(md|mdx)$' | grep -v 'tags.yml' || true)
+          # Use git diff directly instead of gh pr diff to avoid API limitations
+          # GitHub's diff API has a limit of ~300 files or ~3000 lines, which fails on large PRs
+          # git diff works locally without these limitations
+          echo "Checking for blog post files between $BASE_REF and $HEAD_REF"
+          NEW_BLOG_FILES=$(git diff --name-only "$BASE_REF" "$HEAD_REF" | grep -E '^website/blog/.*\.(md|mdx)$' | grep -v 'tags.yml' || true)
 
           if [ -z "$NEW_BLOG_FILES" ]; then
             echo "has_changelog=false" >> $GITHUB_OUTPUT
@@ -93,9 +98,11 @@ jobs:
           GH_TOKEN: ${{ github.token }}
         run: |
           PR_NUMBER="${{ github.event.pull_request.number }}"
+          BASE_REF="${{ github.event.pull_request.base.sha }}"
+          HEAD_REF="${{ github.event.pull_request.head.sha }}"
 
-          # Get list of blog files added
-          BLOG_FILES=$(gh pr diff $PR_NUMBER --name-only | grep -E '^website/blog/.*\.(md|mdx)$' | grep -v 'tags.yml' || true)
+          # Get list of blog files added (using git diff to avoid API limitations)
+          BLOG_FILES=$(git diff --name-only "$BASE_REF" "$HEAD_REF" | grep -E '^website/blog/.*\.(md|mdx)$' | grep -v 'tags.yml' || true)
 
           # Find existing comment (warning or success)
           EXISTING_COMMENT=$(gh pr view $PR_NUMBER --json comments --jq '.comments[] | select(.body | contains("<!-- changelog-check -->")) | .id' | head -1)

NOTICE

@@ -107,19 +107,19 @@ APACHE 2.0 LICENSED DEPENDENCIES
 
   - github.com/aws/aws-sdk-go-v2/config
     License: Apache-2.0
-    URL: https://github.com/aws/aws-sdk-go-v2/blob/config/v1.31.17/config/LICENSE.txt
+    URL: https://github.com/aws/aws-sdk-go-v2/blob/config/v1.31.18/config/LICENSE.txt
 
   - github.com/aws/aws-sdk-go-v2/credentials
     License: Apache-2.0
-    URL: https://github.com/aws/aws-sdk-go-v2/blob/credentials/v1.18.21/credentials/LICENSE.txt
+    URL: https://github.com/aws/aws-sdk-go-v2/blob/credentials/v1.18.22/credentials/LICENSE.txt
 
   - github.com/aws/aws-sdk-go-v2/feature/ec2/imds
     License: Apache-2.0
     URL: https://github.com/aws/aws-sdk-go-v2/blob/feature/ec2/imds/v1.18.13/feature/ec2/imds/LICENSE.txt
 
   - github.com/aws/aws-sdk-go-v2/feature/s3/manager
     License: Apache-2.0
-    URL: https://github.com/aws/aws-sdk-go-v2/blob/feature/s3/manager/v1.20.4/feature/s3/manager/LICENSE.txt
+    URL: https://github.com/aws/aws-sdk-go-v2/blob/feature/s3/manager/v1.20.5/feature/s3/manager/LICENSE.txt
 
   - github.com/aws/aws-sdk-go-v2/internal/configsources
     License: Apache-2.0
@@ -163,7 +163,7 @@ APACHE 2.0 LICENSED DEPENDENCIES
 
   - github.com/aws/aws-sdk-go-v2/service/ssm
     License: Apache-2.0
-    URL: https://github.com/aws/aws-sdk-go-v2/blob/service/ssm/v1.66.4/service/ssm/LICENSE.txt
+    URL: https://github.com/aws/aws-sdk-go-v2/blob/service/ssm/v1.67.0/service/ssm/LICENSE.txt
 
   - github.com/aws/aws-sdk-go-v2/service/sso
     License: Apache-2.0
@@ -175,7 +175,7 @@ APACHE 2.0 LICENSED DEPENDENCIES
 
   - github.com/aws/aws-sdk-go-v2/service/sts
     License: Apache-2.0
-    URL: https://github.com/aws/aws-sdk-go-v2/blob/service/sts/v1.39.1/service/sts/LICENSE.txt
+    URL: https://github.com/aws/aws-sdk-go-v2/blob/service/sts/v1.40.0/service/sts/LICENSE.txt
 
   - github.com/aws/smithy-go
     License: Apache-2.0
@@ -748,7 +748,7 @@ BSD LICENSED DEPENDENCIES
 
   - golang.org/x/oauth2
     License: BSD-3-Clause
-    URL: https://cs.opensource.google/go/x/oauth2/+/v0.32.0:LICENSE
+    URL: https://cs.opensource.google/go/x/oauth2/+/v0.33.0:LICENSE
 
   - golang.org/x/sync
     License: BSD-3-Clause
@@ -954,7 +954,7 @@ MIT LICENSED DEPENDENCIES
 
   - github.com/Azure/azure-sdk-for-go/sdk/azidentity
     License: MIT
-    URL: https://github.com/Azure/azure-sdk-for-go/blob/sdk/azidentity/v1.13.0/sdk/azidentity/LICENSE.txt
+    URL: https://github.com/Azure/azure-sdk-for-go/blob/sdk/azidentity/v1.13.1/sdk/azidentity/LICENSE.txt
 
   - github.com/Azure/azure-sdk-for-go/sdk/internal
     License: MIT
@@ -978,7 +978,7 @@ MIT LICENSED DEPENDENCIES
 
   - github.com/AzureAD/microsoft-authentication-library-for-go/apps
     License: MIT
-    URL: https://github.com/AzureAD/microsoft-authentication-library-for-go/blob/v1.5.0/LICENSE
+    URL: https://github.com/AzureAD/microsoft-authentication-library-for-go/blob/v1.6.0/LICENSE
 
   - github.com/BurntSushi/toml
     License: MIT

cmd/describe.go

@@ -20,13 +20,12 @@ func init() {
 	// when processing YAML template functions (!terraform.state, !terraform.output).
 	// By default, all describe commands execute YAML functions and Go templates unless
 	// disabled with --process-functions=false or --process-templates=false flags.
-	describeCmd.PersistentFlags().StringP("identity", "i", "", "Specify the identity to authenticate to before describing. Use without value to interactively select.")
-
-	// Set NoOptDefVal to enable optional flag value for interactive identity selection.
-	// When --identity is used without a value, it will receive IdentityFlagSelectValue.
-	if identityFlag := describeCmd.PersistentFlags().Lookup("identity"); identityFlag != nil {
-		identityFlag.NoOptDefVal = IdentityFlagSelectValue
-	}
+	//
+	// NOTE: NoOptDefVal is NOT used here to avoid Cobra parsing issues with commands
+	// that have positional arguments. When NoOptDefVal is set and a space-separated value
+	// is used (--identity value), Cobra misinterprets the value as a subcommand/positional arg.
+	// Users should use --identity=select or similar for interactive selection.
+	describeCmd.PersistentFlags().StringP("identity", "i", "", "Specify the identity to authenticate with before describing")
 
 	// Register shell completion for identity flag.
 	AddIdentityCompletion(describeCmd)

cmd/identity_flag.go

@@ -1,18 +1,12 @@
 package cmd
 
 import (
-	"context"
-	"errors"
-	"fmt"
 	"strings"
 
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 
-	errUtils "github.com/cloudposse/atmos/errors"
 	"github.com/cloudposse/atmos/pkg/auth"
-	"github.com/cloudposse/atmos/pkg/auth/credentials"
-	"github.com/cloudposse/atmos/pkg/auth/validation"
 	cfg "github.com/cloudposse/atmos/pkg/config"
 	"github.com/cloudposse/atmos/pkg/schema"
 )
@@ -133,45 +127,12 @@ func extractIdentityFromArgs(args []string) string {
 // Returns nil if identityName is empty (no authentication requested).
 // Returns error if identityName is provided but auth is not configured in atmos.yaml.
 // This helper reduces nested complexity in describe commands.
+//
+// This function delegates to auth.CreateAndAuthenticateManager to ensure consistent
+// authentication behavior across CLI commands and internal execution logic.
 func CreateAuthManagerFromIdentity(
 	identityName string,
 	authConfig *schema.AuthConfig,
 ) (auth.AuthManager, error) {
-	if identityName == "" {
-		return nil, nil
-	}
-
-	// Check if auth is configured when --identity flag is provided.
-	if authConfig == nil || len(authConfig.Identities) == 0 {
-		return nil, fmt.Errorf("%w: the --identity flag requires authentication to be configured in atmos.yaml with at least one identity", errUtils.ErrAuthNotConfigured)
-	}
-
-	// Create a ConfigAndStacksInfo for the auth manager to populate with AuthContext.
-	authStackInfo := &schema.ConfigAndStacksInfo{
-		AuthContext: &schema.AuthContext{},
-	}
-
-	credStore := credentials.NewCredentialStore()
-	validator := validation.NewValidator()
-	authManager, err := auth.NewAuthManager(authConfig, credStore, validator, authStackInfo)
-	if err != nil {
-		return nil, errors.Join(errUtils.ErrFailedToInitializeAuthManager, err)
-	}
-
-	// Handle interactive selection.
-	forceSelect := identityName == IdentityFlagSelectValue
-	if forceSelect {
-		identityName, err = authManager.GetDefaultIdentity(forceSelect)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	// Authenticate.
-	_, err = authManager.Authenticate(context.Background(), identityName)
-	if err != nil {
-		return nil, err
-	}
-
-	return authManager, nil
+	return auth.CreateAndAuthenticateManager(identityName, authConfig, IdentityFlagSelectValue)
 }

cmd/root.go

@@ -302,8 +302,10 @@ var RootCmd = &cobra.Command{
 	},
 }
 
-// setupLogger configures the global logger based on the provided Atmos configuration.
-func setupLogger(atmosConfig *schema.AtmosConfiguration) {
+// SetupLogger configures the global logger based on the provided Atmos configuration.
+//
+//nolint:revive,cyclop // Function complexity is acceptable for logger configuration.
+func SetupLogger(atmosConfig *schema.AtmosConfiguration) {
 	switch atmosConfig.Logs.Level {
 	case "Trace":
 		log.SetLevel(log.TraceLevel)
@@ -593,7 +595,7 @@ func Execute() error {
 	}
 
 	// Set the log level for the charmbracelet/log package based on the atmosConfig.
-	setupLogger(&atmosConfig)
+	SetupLogger(&atmosConfig)
 
 	var err error
 	// If CLI configuration was found, process its custom commands and command aliases.

cmd/root_test.go

@@ -162,7 +162,7 @@ func TestSetupLogger_TraceLevel(t *testing.T) {
 				},
 			}
 
-			setupLogger(cfg)
+			SetupLogger(cfg)
 			assert.Equal(t, tt.expectedLevel, log.GetLevel(),
 				"Expected level %v for config %q", tt.expectedLevel, tt.configLevel)
 		})
@@ -228,7 +228,7 @@ func TestSetupLogger_TraceVisibility(t *testing.T) {
 					Terminal: schema.Terminal{},
 				},
 			}
-			setupLogger(cfg)
+			SetupLogger(cfg)
 
 			// Test trace visibility.
 			buf.Reset()
@@ -281,7 +281,7 @@ func TestSetupLogger_TraceLevelFromEnvironment(t *testing.T) {
 			Terminal: schema.Terminal{},
 		},
 	}
-	setupLogger(cfg)
+	SetupLogger(cfg)
 
 	assert.Equal(t, log.TraceLevel, log.GetLevel(),
 		"Should set trace level from environment variable")
@@ -309,10 +309,10 @@ func TestSetupLogger_NoColorWithTraceLevel(t *testing.T) {
 	}
 
 	// Mock the IsColorEnabled to return false.
-	// Since we can't easily mock it, we'll just test that setupLogger doesn't panic.
+	// Since we can't easily mock it, we'll just test that SetupLogger doesn't panic.
 	assert.NotPanics(t, func() {
-		setupLogger(cfg)
-	}, "setupLogger should not panic with trace level and no color")
+		SetupLogger(cfg)
+	}, "SetupLogger should not panic with trace level and no color")
 
 	assert.Equal(t, log.TraceLevel, log.GetLevel(),
 		"Trace level should be set even with no color")