Releases: overmindtech/env0-plugin
1.4 (1132a6e)
What's new
Fixes the customer-reported failure mode where the plugin's supply-chain verification step exits with HTTP 403 against api.github.com/repos/overmindtech/cli/attestations/... on env0 runners with no GH_TOKEN. Root cause: GitHub's unauthenticated REST API is capped at 60 requests per hour per IPv4 address, and env0's shared runner egress IPs exhaust that budget. The plugin was using `curl -fsSL`, which discarded GitHub's response body and surfaced only a bare `curl: (22) ... 403` with no actionable hint.
Improved diagnostics
The cosign fallback now captures and surfaces GitHub's own response body on both the authenticated and unauthenticated branches, so failures look like:
```text
ERROR: Failed to fetch attestation bundle from https://api.github.com/repos/overmindtech/cli/attestations/sha256:... (HTTP 403). GitHub response: API rate limit exceeded for 1.2.3.4. This is almost certainly GitHub's REST API rate limit. Unauthenticated requests are capped at 60/hour per IP, and env0's shared egress IPs hit that limit quickly. Set GH_TOKEN or GITHUB_TOKEN in your env0 environment to authenticate; a GitHub classic personal access token with NO scopes is sufficient and raises the limit to 5000/hour. See README 'Supply-chain verification' for setup details.
```
Automatic rate-limit retry
On HTTP 403/429 with X-RateLimit-Remaining: 0, the plugin reads X-RateLimit-Reset, sleeps up to that many seconds (bounded at 60), and retries once before failing. This silently absorbs short pile-ups on env0's shared egress IPs. If the reset window is longer than 60 seconds (i.e. the IP is genuinely rate-limited for the rest of the hour), the plugin fails fast with the diagnostic above.
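The retry and diagnostics described above, as an added example (not the plugin's own code): a bash fetcher that keeps GitHub's 403 body instead of discarding it, honours X-RateLimit-Remaining/X-RateLimit-Reset with the 60-second bound, and retries exactly once. The Bearer-token header, the constant name MAX_RATE_LIMIT_WAIT and the function names are assumptions; the HTTP layer is isolated in gh_http_get so a test can stub it the way the release's curl stub does.

```shell
# Added example, not the plugin's own code: GET a GitHub REST resource with the
# single rate-limit-aware retry the release notes describe. Assumes curl, awk, mktemp.
set -eu
MAX_RATE_LIMIT_WAIT=60   # a longer reset window means the hour is spent: fail fast
# GET $1; headers to file $2, body to file $3, status code on stdout. No -f, so a
# 403 body (GitHub's own diagnostic) is kept. A token only raises the quota.
gh_http_get() {
  token=${GH_TOKEN:-${GITHUB_TOKEN:-}}
  if [ -n "$token" ]; then
    curl -sS -o "$3" -D "$2" -w '%{http_code}' -H "Authorization: Bearer $token" "$1"
  else
    curl -sS -o "$3" -D "$2" -w '%{http_code}' "$1"
  fi
}
# Value of header $1 in header file $2 (case-insensitive name, trailing CR dropped).
header_value() {
  n=$(printf '%s:' "$1" | tr 'A-Z' 'a-z')
  awk -v n="$n" 'tolower($1)==n { sub(/\r$/, "", $2); print $2; exit }' "$2"
}
# Seconds to sleep before the one retry for status $1 / header file $2 (now = $3),
# or return 1 if this is not a rate limit or the reset lies beyond the bound.
rate_limit_wait() {
  case $1 in 403|429) ;; *) return 1 ;; esac
  [ "$(header_value X-RateLimit-Remaining "$2")" = 0 ] || return 1
  reset=$(header_value X-RateLimit-Reset "$2")
  case $reset in ''|*[!0-9]*) return 1 ;; esac
  wait=$(( reset - ${3:-$(date +%s)} ))
  [ "$wait" -ge 0 ] || wait=0
  [ "$wait" -le "$MAX_RATE_LIMIT_WAIT" ] || return 1
  echo "$wait"
}
# GET $1 into body file $2 with one retry on a short rate limit; else surface body, fail.
fetch_with_rate_limit_retry() {
  hdr=$(mktemp)
  for attempt in 1 2; do
    status=$(gh_http_get "$1" "$hdr" "$2")
    case $status in 2??) rm -f "$hdr"; return 0 ;; esac
    if [ "$attempt" = 1 ] && wait=$(rate_limit_wait "$status" "$hdr"); then
      echo "HTTP $status with X-RateLimit-Remaining: 0; retrying in ${wait}s" >&2
      sleep "$wait"
    else
      break
    fi
  done
  echo "ERROR: Failed to fetch $1 (HTTP $status). GitHub response: $(cat "$2")" >&2
  [ "$(header_value X-RateLimit-Remaining "$hdr")" != 0 ] ||
    echo "Rate limited: set GH_TOKEN or GITHUB_TOKEN to raise the 60/hour cap." >&2
  rm -f "$hdr"; return 1
}
```

Source the file and call `fetch_with_rate_limit_retry URL BODY_FILE`; with GH_TOKEN or GITHUB_TOKEN exported, the same code path sends the authenticated request.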
README updates
The "Supply-chain verification" section now has a "Strongly recommended: set GH_TOKEN" subsection that documents:
- The 60-vs-5,000-per-hour math.
- Why a classic GitHub PAT with no scopes is sufficient (the attestations endpoint is publicly readable; authentication alone raises the cap).
- Why fine-grained PATs scoped only to a customer's own repos silently fall back to the unauthenticated path and don't help.
- That a single shared/bot GitHub account works for the whole org — useful if your team uses GitLab internally and doesn't otherwise have GitHub accounts.
How to upgrade
Pin your env0 plugin URL to @1.4 and (highly recommended) set GH_TOKEN or GITHUB_TOKEN in your env0 environment:
```yaml
use: https://github.com/overmindtech/env0-plugin@1.4
```
Tests
tests/verify-attestation.sh gains a 9th case that installs a curl stub on PATH to deterministically reproduce a rate-limit 403 followed by a successful retry, asserting both the exit code and that the stub was called exactly twice. Full suite: 11 / 11 PASS.
Compatibility
No changes to inputs, outputs, or plugin behavior on the success path. Pure improvement to error handling and diagnostics.
1.3 (d516fa9)
What's new
Exposes six new optional inputs that map directly to Overmind CLI flags. All inputs are optional — omitting any of them preserves existing behaviour exactly.
New inputs
| Input | CLI flag | Action(s) | Description |
|---|---|---|---|
| `timeout` | `--timeout` | all | Wall-clock time limit for the entire CLI invocation (e.g. 45m). Defaults to 31m. |
| `change_analysis_target_duration` | `--change-analysis-target-duration` | submit-plan | Soft server-side analysis budget. Valid range 1m–30m. |
| `blast_radius_link_depth` | `--blast-radius-link-depth` | submit-plan | Relationship levels to traverse for blast radius. |
| `blast_radius_max_items` | `--blast-radius-max-items` | submit-plan | Max resources included in blast radius. |
| `risk_levels` | `--risk-levels` | wait-for-simulation | Comma-separated severity filter for PR/MR comment output (e.g. high,medium). |
| `wait_for_snapshot` | `--wait-for-snapshot` | start-change | When true, blocks until the pre-change snapshot is fully captured. |