This is based on https://github.com/overmindtech/workspace/pull/3709 and combines all CLI changes from https://github.com/overmindtech/workspace/pull/3701 into a single commit.

https://github.com/overmindtech/workspace/pull/3710 needs to be deployed before this can pass the e2e tests.

---

> [!NOTE]
> **Medium Risk**
> Changes behavior of change lifecycle operations (start/end) and modifies worker retry/terminal handling, which can affect state transitions and job/flag correctness if edge cases are missed.
>
> **Overview**
> **CLI start/end-change now runs in the background by default.** `start-change` and `end-change` switch from streaming RPCs to `StartChangeSimple`/`EndChangeSimple`, returning immediately and optionally polling `GetChange` when `--wait-for-snapshot` is set.
>
> **End-change UUID resolution is made race-safe.** The CLI stops client-side status checking for end-change (adds `getChangeUUID`) and relies on server-side atomic validation/queuing.
>
> **Snapshot worker failure semantics are unified.** Start/end snapshot workers now use a shared `snapshotWorkerRun` wrapper that treats validation/snapshot/DB errors (and panics) as retryable until the final attempt, then force-completes the status transition and clears in-progress flags; start-change also best-effort consumes any queued end-change on force-complete. GitHub composite actions gain a `wait-for-snapshot` input that forwards to the CLI.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 450bb313724a2f4aea5aa14a8de609750c6b7a99. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: c82af9fd0a6ec952c94cfec93847ec58209f69a7
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/cache](https://redirect.github.com/actions/cache) | action | major | `v4` → `v5` |
| [actions/checkout](https://redirect.github.com/actions/checkout) | action | major | `v4` → `v6` |
| [actions/upload-artifact](https://redirect.github.com/actions/upload-artifact) | action | major | `v6` → `v7` |
| [actions/upload-artifact](https://redirect.github.com/actions/upload-artifact) | action | major | `v4` → `v7` |
| [aws-actions/configure-aws-credentials](https://redirect.github.com/aws-actions/configure-aws-credentials) | action | major | `v5` → `v6` |
| [crazy-max/ghaction-import-gpg](https://redirect.github.com/crazy-max/ghaction-import-gpg) | action | major | `v6` → `v7` |
| [dawidd6/action-download-artifact](https://redirect.github.com/dawidd6/action-download-artifact) | action | major | `v12` → `v16` |
| [docker/login-action](https://redirect.github.com/docker/login-action) | action | major | `v3` → `v4` |
| [goreleaser/goreleaser-action](https://redirect.github.com/goreleaser/goreleaser-action) | action | major | `v6` → `v7` |
| [hashicorp/setup-terraform](https://redirect.github.com/hashicorp/setup-terraform) | action | major | `v3` → `v4` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/370) for more information.

---

### Release Notes

<details>
<summary>actions/cache (actions/cache)</summary>

### [`v5`](https://redirect.github.com/actions/cache/compare/v4...v5)

[Compare Source](https://redirect.github.com/actions/cache/compare/v4...v5)

</details>

<details>
<summary>actions/checkout (actions/checkout)</summary>

### [`v6`](https://redirect.github.com/actions/checkout/compare/v5...v6)

[Compare Source](https://redirect.github.com/actions/checkout/compare/v5...v6)

### [`v5`](https://redirect.github.com/actions/checkout/compare/v4...v5)

[Compare Source](https://redirect.github.com/actions/checkout/compare/v4...v5)

</details>

<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>

### [`v7`](https://redirect.github.com/actions/upload-artifact/compare/v6...v7)

[Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v6...v7)

</details>

<details>
<summary>aws-actions/configure-aws-credentials (aws-actions/configure-aws-credentials)</summary>

### [`v6`](https://redirect.github.com/aws-actions/configure-aws-credentials/compare/v5...v6)

[Compare Source](https://redirect.github.com/aws-actions/configure-aws-credentials/compare/v5...v6)

</details>

<details>
<summary>crazy-max/ghaction-import-gpg (crazy-max/ghaction-import-gpg)</summary>

### [`v7`](https://redirect.github.com/crazy-max/ghaction-import-gpg/compare/v6...v7)

[Compare Source](https://redirect.github.com/crazy-max/ghaction-import-gpg/compare/v6...v7)

</details>

<details>
<summary>dawidd6/action-download-artifact (dawidd6/action-download-artifact)</summary>

### [`v16`](https://redirect.github.com/dawidd6/action-download-artifact/releases/tag/v16)

[Compare Source](https://redirect.github.com/dawidd6/action-download-artifact/compare/v15...v16)

#### What's Changed

- build(deps): bump minimatch by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#374](https://redirect.github.com/dawidd6/action-download-artifact/pull/374)
- node\_modules: update by [@dawidd6](https://redirect.github.com/dawidd6) in [#375](https://redirect.github.com/dawidd6/action-download-artifact/pull/375)

**Full Changelog**: <dawidd6/action-download-artifact@v15...v16>

### [`v15`](https://redirect.github.com/dawidd6/action-download-artifact/releases/tag/v15)

[Compare Source](https://redirect.github.com/dawidd6/action-download-artifact/compare/v14...v15)

#### What's Changed

- build(deps): bump [@actions/artifact](https://redirect.github.com/actions/artifact) from 6.0.0 to 6.1.0 by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#369](https://redirect.github.com/dawidd6/action-download-artifact/pull/369)
- node\_modules: update by [@dawidd6](https://redirect.github.com/dawidd6) in [#370](https://redirect.github.com/dawidd6/action-download-artifact/pull/370)
- build(deps): bump fast-xml-parser from 5.3.4 to 5.3.6 by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#371](https://redirect.github.com/dawidd6/action-download-artifact/pull/371)
- node\_modules: update by [@dawidd6](https://redirect.github.com/dawidd6) in [#372](https://redirect.github.com/dawidd6/action-download-artifact/pull/372)

**Full Changelog**: <dawidd6/action-download-artifact@v14...v15>

### [`v14`](https://redirect.github.com/dawidd6/action-download-artifact/releases/tag/v14)

[Compare Source](https://redirect.github.com/dawidd6/action-download-artifact/compare/v13...v14)

##### What's Changed

- build(deps): bump fast-xml-parser from 5.3.3 to 5.3.4 by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#367](https://redirect.github.com/dawidd6/action-download-artifact/pull/367)
- node\_modules: update by [@dawidd6](https://redirect.github.com/dawidd6) in [#368](https://redirect.github.com/dawidd6/action-download-artifact/pull/368)

**Full Changelog**: <dawidd6/action-download-artifact@v13...v14>

### [`v13`](https://redirect.github.com/dawidd6/action-download-artifact/releases/tag/v13)

[Compare Source](https://redirect.github.com/dawidd6/action-download-artifact/compare/v12...v13)

#### What's Changed

- build(deps): bump [@actions/artifact](https://redirect.github.com/actions/artifact) from 5.0.1 to 5.0.2 by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#350](https://redirect.github.com/dawidd6/action-download-artifact/pull/350)
- build(deps): bump [@actions/github](https://redirect.github.com/actions/github) from 6.0.1 to 7.0.0 by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#348](https://redirect.github.com/dawidd6/action-download-artifact/pull/348)
- build(deps): bump [@actions/core](https://redirect.github.com/actions/core) from 2.0.1 to 2.0.2 by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#349](https://redirect.github.com/dawidd6/action-download-artifact/pull/349)
- node\_modules: update by [@dawidd6](https://redirect.github.com/dawidd6) in [#351](https://redirect.github.com/dawidd6/action-download-artifact/pull/351)
- build(deps): bump lodash from 4.17.21 to 4.17.23 by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#353](https://redirect.github.com/dawidd6/action-download-artifact/pull/353)
- node\_modules: update by [@dawidd6](https://redirect.github.com/dawidd6) in [#354](https://redirect.github.com/dawidd6/action-download-artifact/pull/354)
- build(deps): bump [@actions/github](https://redirect.github.com/actions/github) from 7.0.0 to 8.0.0 by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#355](https://redirect.github.com/dawidd6/action-download-artifact/pull/355)
- node\_modules: update by [@dawidd6](https://redirect.github.com/dawidd6) in [#356](https://redirect.github.com/dawidd6/action-download-artifact/pull/356)
- build(deps): bump [@actions/core](https://redirect.github.com/actions/core) from 2.0.2 to 2.0.3 by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#359](https://redirect.github.com/dawidd6/action-download-artifact/pull/359)
- build(deps): bump [@actions/artifact](https://redirect.github.com/actions/artifact) from 5.0.2 to 6.0.0 by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#361](https://redirect.github.com/dawidd6/action-download-artifact/pull/361)
- build(deps): bump [@actions/core](https://redirect.github.com/actions/core) from 2.0.3 to 3.0.0 by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#360](https://redirect.github.com/dawidd6/action-download-artifact/pull/360)
- build(deps): bump [@actions/github](https://redirect.github.com/actions/github) from 8.0.0 to 9.0.0 by [@dependabot](https://redirect.github.com/dependabot)\[bot] in [#357](https://redirect.github.com/dawidd6/action-download-artifact/pull/357)
- Convert from CommonJS to ESM by [@Copilot](https://redirect.github.com/Copilot) in [#362](https://redirect.github.com/dawidd6/action-download-artifact/pull/362)
- Fix ES module imports for [@actions](https://redirect.github.com/actions) packages by [@Copilot](https://redirect.github.com/Copilot) in [#365](https://redirect.github.com/dawidd6/action-download-artifact/pull/365)
- node\_modules: update by [@dawidd6](https://redirect.github.com/dawidd6) in [#366](https://redirect.github.com/dawidd6/action-download-artifact/pull/366)

#### New Contributors

- [@Copilot](https://redirect.github.com/Copilot) made their first contribution in [#362](https://redirect.github.com/dawidd6/action-download-artifact/pull/362)

**Full Changelog**: <dawidd6/action-download-artifact@v12...v13>

</details>

<details>
<summary>docker/login-action (docker/login-action)</summary>

### [`v4`](https://redirect.github.com/docker/login-action/compare/v3...v4)

[Compare Source](https://redirect.github.com/docker/login-action/compare/v3...v4)

</details>

<details>
<summary>goreleaser/goreleaser-action (goreleaser/goreleaser-action)</summary>

### [`v7`](https://redirect.github.com/goreleaser/goreleaser-action/compare/v6...v7)

[Compare Source](https://redirect.github.com/goreleaser/goreleaser-action/compare/v6...v7)

</details>

<details>
<summary>hashicorp/setup-terraform (hashicorp/setup-terraform)</summary>

### [`v4`](https://redirect.github.com/hashicorp/setup-terraform/compare/v3...v4)

[Compare Source](https://redirect.github.com/hashicorp/setup-terraform/compare/v3...v4)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 10am on friday" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/overmindtech/workspace).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
GitOrigin-RevId: bb72c8548df9e4f118d526ca829620e5b6bac39d
## Summary

- Add a GitHub Actions CI workflow for `deploy/meta/` Terraform, enabling automated plan on PRs and apply on merge
- Migrate AWS providers from SSO profiles to cross-account `assume_role` for CI compatibility
- Add GCP Workload Identity Federation pool in `ovm-infra` with cross-project IAM bindings

## Linear Ticket

- **Ticket**: [ENG-3049](https://linear.app/overmind/issue/ENG-3049) — Phase 1: CI workflow for deploy/meta
- **Purpose**: Automate meta Terraform plan/apply via CI, unblocking Phase 2 (meta notifications via Chatbot)
- **Related**: [ENG-2905](https://linear.app/overmind/issue/ENG-2905) (project plan), [ENG-2906](https://linear.app/overmind/issue/ENG-2906) (plan approval)

## Changes

### Terraform (requires manual bootstrap apply before CI works)

- **`deploy/meta/main.tf`**: New `terraform-meta` IAM role (OIDC-assumable, `AdministratorAccess`), root-level Google provider for `ovm-infra`, WIF pool + provider + IAM binding for meta CI
- **`deploy/meta/deployenv/aws.tf`**: Provider changed from `profile = "sso-..."` to `assume_role` targeting `terraform-deploy`; added `AllowMetaCIRole` trust statement so `terraform-meta` can chain into target accounts
- **`deploy/meta/deployenv/gcp.tf`**: Cross-project IAM binding granting the `ovm-infra` WIF identity admin access in each deployenv project
- **`deploy/meta/deployenv/variables.tf`**: New `meta_gcp_project_number` variable for cross-project references
- **`deploy/meta/citest.tf`**: Provider changed from `profile = "sso-ci-test"` to `assume_role`; passes `meta_gcp_project_number` to module

### CI Configuration

- **`.github/workflows/terraform-meta.yml`**: New workflow with brain + execute jobs. Triggers on `deploy/meta/**` path changes. Includes Overmind integration (submit-plan, start/end-change, custom signal) to prod only, GCP WIF auth, and Slack notifications (start, success, failure, cancelled, plan status)
- **`deploy/.github/env/op.meta.env`**: Non-sensitive 1Password references (`TERRAFORM_DEPLOY_ROLE`, `GCP_PROJECT_ID`, `GCP_PROJECT_NUMBER`)
- **`deploy/.github/env/op.meta.secret`**: Sensitive 1Password references (`OVM_API_KEY_PROD`, `ADMIN_GITHUB_TOKEN`, Slack webhooks)

### Documentation

- **`deploy/meta/README.md`**: Added CI workflow section; simplified manual process to only require `AWS_PROFILE=sso-infra`

## Bootstrap Requirement

> **Important**: The first CI run on this PR will fail. The `terraform-meta` IAM role and provider migrations must be applied manually once before CI can take over.

1. `AWS_PROFILE=sso-infra gcloud auth application-default login && cd deploy/meta && terraform init && terraform apply` (four-eyes)
2. Store role ARN in 1Password: global vault → "Meta Deploy Role" → field "text"
3. Store ovm-infra project ID/number in 1Password: global vault → "Meta GCP Project" → fields "project_id" and "project_number"
4. After bootstrap, merge this PR — subsequent PRs will use CI

## Deviations from Approved Plan

Implementation matches the approved plan — no material deviations.

Made with [Cursor](https://cursor.com)

---

> [!NOTE]
> **High Risk**
> Creates/changes CI-deploy IAM roles and trust relationships (including admin-level permissions) and enables automated Terraform `apply` on merge, so misconfiguration could impact production cloud resources.
>
> **Overview**
> Adds a new `terraform-meta` GitHub Actions workflow that automatically runs Terraform `init/validate/plan` on PRs affecting `deploy/meta`, posts a sticky PR plan comment, uploads/downloads plan artifacts, and runs `apply` on merge (or via manual dispatch), with Slack and Overmind change notifications.
>
> Updates meta Terraform to support CI-based deployments by introducing a `terraform-meta` AWS IAM role (OIDC-assumable) and switching AWS providers from local SSO profiles to cross-account `assume_role`, including new trust allowing the meta CI role to assume target `terraform-deploy` roles.
>
> Adds/updates GCP Workload Identity Federation for the meta CI identity (new WIF pool/provider in `ovm-infra`, org-level IAM grants, and per-project cross-project admin bindings via a new `meta_gcp_project_number` input), bumps the Google provider lockfile, and adjusts the Drata module ref. Also extends `actions/submit-plan` to accept a configurable sticky comment header and adds 1Password-backed env/secret files for the workflow.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 63347e17fdeb5af8b5a008bc856fc553c8732074. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: 41226cc11e80d99ecdda0357f11c59dfe1ca798d
## Summary

- Add `--comment` flag to CLI (`submit-plan`, `start-analysis`) and `--wait` flag to `get-change` to enable GitHub App PR commenting and control analysis polling
- Add `comment` and `wait` inputs to the `submit-plan` composite action, with backward-compatible `fetch-change` deprecation
- Migrate internal workflows (`terraform.yml`, `terraform-meta.yml`) to use the new inputs and disable legacy Slack plan notifications

## Linear Ticket

- **Ticket**: [ENG-3123](https://linear.app/overmind/issue/ENG-3123/phase-4-cli-action-wire-comment-flag-auto-detect-and-skip-wait) — Phase 4: CLI + Action — Wire Comment Flag, Auto-Detect, and Skip Wait
- **Project**: Multi-Plan Submission & GitHub App PR Commenting (Phase 4 of 5)

## Changes

### CLI (`cli/cmd/`)

- `flags.go`: New `--comment` bool flag on `addAnalysisFlags`, requesting the GitHub App to post PR comments
- `changes_submit_plan.go`: When `--comment` is set, outputs eval-able `CHANGE_URL` and `GITHUB_APP_ACTIVE` assignments instead of bare URL; passes `PostGithubComment` to `StartChangeAnalysis` RPC
- `changes_start_analysis.go`: Same `--comment` behavior and `PostGithubComment` plumbing for the standalone `start-analysis` command
- `changes_get_change.go`: Adds `--wait` flag (default `true`); skips `waitForChangeAnalysis` when `--wait=false`. Also fixes `MarkDeprecated` referencing wrong command (`submitPlanCmd` → `getChangeCmd`)
- Housekeeping: replace `_ = MarkDeprecated`/`MarkHidden` with `cobra.CheckErr(...)` across 7 call sites

### Action (`actions/submit-plan/action.yml`)

- New `comment` (default `"true"`) and `wait` (default `"false"`) inputs
- `fetch-change` marked deprecated with backward-compatible shim
- New `github-app-active` output; fixes `message` output (was incorrectly mapped to `change-url`)
- When `comment=true`: tries `--comment` flag, falls back gracefully if CLI is older (`unknown flag` detection), and only fetches/posts sticky comment when the GitHub App is not active
- Stderr isolation: redirects stderr to temp files (`submit-stderr.log`, `get-stderr.log`) instead of `2>&1` to prevent logrus output from polluting eval'd shell assignments or PR comment content

### Workflows (`.github/workflows/`)

- `terraform.yml` and `terraform-meta.yml`: migrate from `fetch-change` to `comment`, add push-event guard, disable Slack plan notifications (GitHub App replaces them)

## Deviations from Approved Plan

### Additions not in the plan

1. **Stderr isolation in action shell logic** (`actions/submit-plan/action.yml`): The plan uses `eval "$(cli ...)"` directly. The implementation captures stdout to a variable with stderr redirected to temp files (`2>./overmindtech/submit-stderr.log`, `2>./overmindtech/get-stderr.log`), then evals the variable. This prevents logrus stderr lines (containing invalid bash identifiers like `change-url`) from breaking `eval`, and prevents log noise from leaking into PR comment content.
2. **Backward compatibility fallback for older CLIs** (`actions/submit-plan/action.yml`): The plan assumes the CLI supports `--comment` and `--wait`. The implementation adds fallback: if the CLI returns "unknown flag" (detected via the stderr temp file), it falls back to the legacy code path and logs a `::notice::`. This enables rolling out the action change before all CLI versions support the new flags.
3. **Push-event guard in workflows** (`.github/workflows/terraform.yml`, `terraform-meta.yml`): The plan removes `fetch-change` without adding an equivalent guard. The implementation passes `comment: ${{ github.event.number != '' }}` instead of unconditional `comment: true`, preventing comment logic from running on push events where there's no PR number.

### Minor approach changes

4. **Sticky comment condition**: The plan checks `inputs.comment != 'false'`. The implementation checks `steps.submit-plan.outputs.message != ''` — more robust since `message` is only populated when the change was actually fetched.
5. **`fetch-change` deprecation mapping**: The plan maps both `true` → `comment: true` and `false` → `comment: false`. The implementation only remaps the `false` case (setting `OVM_COMMENT='false'`), since `comment` already defaults to `"true"`.

### Omissions from the plan

6. **Part 8 — Linear issue for Slack notification feature**: The plan calls for creating a Linear issue titled "Investigate Slack notification feature for change analysis results". This was **not created** and should be filed separately.

## Test Plan

- [x] Flag registration tests for `--comment` on `submit-plan` and `start-analysis`
- [x] Flag registration test for `--wait` on `get-change` (default `true`)
- [ ] Verify `submit-plan` action with `comment: true` on a PR event (GitHub App active path)
- [ ] Verify `submit-plan` action with `comment: true` when GitHub App is not installed (sticky comment fallback)
- [ ] Verify `submit-plan` action with older CLI that doesn't support `--comment` (graceful fallback)
- [ ] Verify `comment: false` skips all PR commenting logic
- [ ] Verify `wait: true` blocks until analysis completes and populates `message` output

> [!NOTE]
> **Medium Risk**
> Changes GitHub Actions and CLI behavior around when to wait for Overmind analysis and where results are posted; misconfiguration could lead to missing plan feedback or altered CI timing. Touches deployment workflows but not Terraform execution logic itself.
>
> **Overview**
> Routes Terraform plan reporting away from Slack and toward PR comments, wiring workflows to pass a new `comment` input to `actions/submit-plan` (and disabling the plan-to-Slack steps).
>
> Updates the `submit-plan` composite action and Overmind CLI to support `comment`/`wait` controls (deprecating `fetch-change`), including conditional fetching of analysis results, GitHub App vs sticky-comment handling, and new CLI flags/outputs (`--comment`, `get-change --wait`). Also tightens flag handling by checking errors when hiding/deprecating Cobra flags and adds targeted tests for the new flags.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 1690417e01470b73fe9bd371b2eb1f878895d32d. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: a0fb20e395e0f0ffb62e32a3970c48dff980e184
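
The stderr isolation and `unknown flag` fallback described in the commit message above, as an added example that is not the action's own code. `fake_cli` is a constructed stand-in for the CLI, the URL and log line are constructed sample data, and the allowlist parser used in place of a raw `eval` is an extra hardening step that goes beyond what the commit describes.

```shell
#!/bin/sh
# Constructed stand-in for the CLI: logrus-style line on stderr, results on
# stdout. Mode "old" simulates a CLI that predates the --comment flag.
fake_cli() {
    mode=$1; shift
    for arg in "$@"; do
        if [ "$mode" = old ] && [ "$arg" = "--comment" ]; then
            echo 'Error: unknown flag: --comment' >&2
            return 1
        fi
    done
    echo 'time="2025-01-01T00:00:00Z" level=info msg="submitted" change-url=https://app.example.invalid/changes/1' >&2
    case " $* " in
        *" --comment "*)
            echo "CHANGE_URL='https://app.example.invalid/changes/1'"
            echo "GITHUB_APP_ACTIVE='true'"
            ;;
        *)
            echo 'https://app.example.invalid/changes/1'
            ;;
    esac
}

# Accept only NAME='value' lines for allowlisted names; nothing is executed.
# Returns 1 on the first line that does not fit, for example a stray log line.
apply_assignments() {
    CHANGE_URL='' GITHUB_APP_ACTIVE=''
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        name=${line%%=*}
        value=${line#*=}
        case $value in
            \'*\') value=${value#\'}; value=${value%\'} ;;
            *) return 1 ;;
        esac
        case $value in *\'*) return 1 ;; esac
        case $name in
            CHANGE_URL) CHANGE_URL=$value ;;
            GITHUB_APP_ACTIVE) GITHUB_APP_ACTIVE=$value ;;
            *) return 1 ;;
        esac
    done <<EOF
$1
EOF
}

# $1: CLI mode (new|old), $2: plan file.
# Sets CHANGE_URL, GITHUB_APP_ACTIVE and USED_FALLBACK.
submit_plan() {
    errlog=$(mktemp) || return 1
    USED_FALLBACK=false
    # stdout goes to the variable, stderr to its own file (never 2>&1).
    if out=$(fake_cli "$1" submit-plan --comment "$2" 2>"$errlog"); then
        apply_assignments "$out" || { rm -f "$errlog"; return 1; }
    elif grep -q 'unknown flag' "$errlog"; then
        # Older CLI: retry without the flag; the legacy path prints a bare URL.
        USED_FALLBACK=true
        echo '::notice::CLI does not support --comment, using legacy path' >&2
        out=$(fake_cli "$1" submit-plan "$2" 2>"$errlog") || { rm -f "$errlog"; return 1; }
        CHANGE_URL=$out
        GITHUB_APP_ACTIVE=false
    else
        # Any other failure: surface the CLI's own error and stop.
        cat "$errlog" >&2; rm -f "$errlog"; return 1
    fi
    rm -f "$errlog"
}

# With 2>&1 the log line lands in the captured text and fails validation.
merged_stream_is_rejected() {
    mixed=$(fake_cli new submit-plan --comment tfplan.json 2>&1)
    ! apply_assignments "$mixed"
}

submit_plan new tfplan.json && echo "url=$CHANGE_URL app_active=$GITHUB_APP_ACTIVE"
```
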
… PR commenting (#4248)

## Summary

- New CLI command reference page covering all `overmind changes` subcommands (`submit-plan`, `start-analysis`, `get-change`, `start-change`, `end-change`)
- Updated integration docs (Atlantis, GitHub Actions, GitHub App, custom integrations) with multi-plan workflow examples and GitHub App PR commenting capability
- Updated `actions/README.md` with inputs/outputs tables and multi-plan CLI examples

## Changes

Phase 5 (documentation) of the [Multi-Plan Submission + GitHub App PR Commenting](https://www.notion.so/overmindtech/Project-Plan-Multi-Plan-Submission-GitHub-App-PR-Commenting-320fb60360db8182a2c1dbd74cb5dfc5) project. All docs are customer-facing and follow terminology from `docs/domain-glossary.md`.

- **New: `docs.overmind.tech/docs/cli/commands.md`** — Full CLI command reference for the `overmind changes` command group with flag tables, usage examples for single-plan and multi-plan workflows, and deployment lifecycle commands
- **`docs.overmind.tech/docs/integrations/atlantis.md`** — Added "Parallel Planning (Multi-Project)" section with `atlantis.yaml` and `repos.yaml` post-workflow hook examples; updated "Waiting for Analysis Results" with GitHub App `--comment` as Option 1
- **`docs.overmind.tech/docs/integrations/github_app.md`** — New "PR Commenting" section covering async behavior, Actions/Atlantis integration, and `pull_requests:write` permissions; updated frontmatter, intro, and requirements
- **`docs.overmind.tech/docs/integrations/github_actions.md`** — Expanded "Enhanced with GitHub App" with auto-detection behavior; added "Action Inputs" and "Action Outputs" tables with `fetch-change` deprecation notice
- **`docs.overmind.tech/docs/integrations/build_your_own.md`** — Expanded from a 35-line stub to a full guide with single-plan, multi-plan, fetching results, and deployment lifecycle sections
- **`actions/README.md`** — Added inputs/outputs tables, updated "Not using GitHub?" with `--comment` and multi-plan CLI examples, added GitHub App auto-detection note

## Deviations from Approved Plan

Comparing against [Phase 5 plan](https://github.com/overmindtech/workspace/blob/dev/docs/plans/phase_5_documentation_5d9f3d95.plan.md):

- **Part 2 — Atlantis basic setup not updated inline**: The plan calls for adding `--comment` directly to the basic setup YAML block. Instead, `--comment` is introduced as "Option 1: GitHub App (recommended)" in the "Waiting for Analysis Results" subsection. Same information, different structural placement — arguably clearer since it keeps the basic setup simple and presents `--comment` where users are deciding how to get results.
- **Part 4 — "Complete Example Workflow" not updated**: The plan asks to add `comment` and `wait` inputs to the example workflow in `github_actions.md`. The existing complete example was left as-is; the new inputs are documented in the "Action Inputs" table and demonstrated in the "Using outputs in subsequent steps" snippet instead.
- **Part 7 — Quality checks**: The plan calls for running `markdownlint`, `cspell`, and `lychee` on all changed files. It is not evident from the commit that these were run. Reviewer should verify or request a follow-up pass.

All other parts (1, 3, 5, 6) match the approved plan with no material deviations.

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
GitOrigin-RevId: 6e39e8a8fb83f108365f0c70f33de254d5f66a8b
…… (#4249)

…uth docs

- Restore inline comments on submit-plan usage snippet in actions/README
- Replace pipe-to-stdin examples with file path arguments (submit-plan does not support - for stdin)
- Fix CLI commands page auth statement to mention interactive OAuth alongside API key auth

---

> [!NOTE]
> **Low Risk**
> Documentation-only changes that update examples and wording; no runtime or API behavior is modified.
>
> **Overview**
> Updates docs to match actual `submit-plan` usage: examples now pass JSON plan file paths (and show generating `tfplan.json`) instead of piping to stdin, including in Atlantis and custom integration guides.
>
> Clarifies authentication guidance by distinguishing CI `OVM_API_KEY` usage from interactive OAuth, and restores/expands inline comments in the GitHub Actions `submit-plan` snippet for input descriptions.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit f4fcd63e31f759487e7c8bd1fe57301742f20544. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
GitOrigin-RevId: 2c6a55541c494a3396bb0c99ead85f4537f518a0
Copybara Sync - Release v0.8.0
This PR was automatically created by Copybara, syncing changes from the overmindtech/workspace monorepo.
Original author: David Schmitt (david.schmitt@overmind.tech)
What happens when this PR is merged?
`tag-on-merge` workflow will automatically create the `v0.8.0` tag on main
Review Checklist