Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package digger-cli for openSUSE:Factory checked in at 2026-01-13 21:29:35 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/digger-cli (Old) and /work/SRC/openSUSE:Factory/.digger-cli.new.1928 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "digger-cli" Tue Jan 13 21:29:35 2026 rev:44 rq:1326832 version:0.6.139 Changes: -------- --- /work/SRC/openSUSE:Factory/digger-cli/digger-cli.changes 2025-12-19 16:48:41.557014559 +0100 +++ /work/SRC/openSUSE:Factory/.digger-cli.new.1928/digger-cli.changes 2026-01-13 21:30:01.228688554 +0100 @@ -1,0 +2,12 @@ +Mon Jan 12 18:56:27 UTC 2026 - Johannes Kastl <[email protected]> + +- Update to version 0.6.139: + * fix approvers to be latest (#2529) + * log level arg (#2528) + * support debug log pass thru (#2527) + * support debug log pass thru (#2526) + * add input in the debug (#2525) + * doc: fix minor typo (#2523) + * docs: concepts/unit (#2520) + +------------------------------------------------------------------- Old: ---- digger-cli-0.6.138.obscpio New: ---- digger-cli-0.6.139.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ digger-cli.spec ++++++ --- /var/tmp/diff_new_pack.8PJSbA/_old 2026-01-13 21:30:05.876880356 +0100 +++ /var/tmp/diff_new_pack.8PJSbA/_new 2026-01-13 21:30:05.880880521 +0100 @@ -1,7 +1,7 @@ # # spec file for package digger-cli # -# Copyright (c) 2025 SUSE LLC and contributors +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -19,7 +19,7 @@ %define executable_name digger Name: digger-cli -Version: 0.6.138 +Version: 0.6.139 Release: 0 Summary: CLI for the digger open source IaC orchestration tool License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.8PJSbA/_old 2026-01-13 21:30:05.928882502 +0100 +++ /var/tmp/diff_new_pack.8PJSbA/_new 2026-01-13 21:30:05.932882667 +0100 @@ -6,7 +6,7 @@ <param name="exclude">go.mod</param> <param name="exclude">go.work</param> <param name="exclude">go.work.sum</param> - <param name="revision">v0.6.138</param> + <param name="revision">v0.6.139</param> <param name="match-tag">v*</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.8PJSbA/_old 2026-01-13 21:30:05.964883988 +0100 +++ /var/tmp/diff_new_pack.8PJSbA/_new 2026-01-13 21:30:05.968884153 +0100 @@ -1,7 +1,7 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/diggerhq/digger</param> - <param name="changesrevision">a0df344f158f46a9e93585bf5aae204f73bef2a2</param></service><service name="tar_scm"> + <param name="changesrevision">31d84f9498d8d54bb173d086c83d6c9af314d603</param></service><service name="tar_scm"> <param name="url">https://github.com/johanneskastl/digger</param> <param name="changesrevision">8fe377068e53e2050ff4c745388d8428d2b13bb0</param></service></servicedata> (No newline at EOF) ++++++ digger-cli-0.6.138.obscpio -> digger-cli-0.6.139.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/digger-cli-0.6.138/action.yml new/digger-cli-0.6.139/action.yml --- old/digger-cli-0.6.138/action.yml 2025-12-19 02:37:17.000000000 +0100 +++ new/digger-cli-0.6.139/action.yml 2026-01-06 00:41:37.000000000 +0100 @@ -262,6 +262,10 @@ description: "Architecture of the digger CLI to install. Valid configurable values are: amd64, arm64, 386." required: false default: "X64" + log-level: + description: "Log level for digger CLI. Valid values are: DEBUG, INFO, WARN, ERROR." + required: false + default: "INFO" outputs: output: @@ -527,6 +531,7 @@ TG_PROVIDER_CACHE_DIR: ${{ env.TF_PLUGIN_CACHE_DIR }} TERRAGRUNT_PROVIDER_CACHE_DIR: ${{ env.TF_PLUGIN_CACHE_DIR }} DIGGER_RUN_SPEC: ${{inputs.digger-spec}} + DIGGER_LOG_LEVEL: ${{ inputs.log-level }} run: | if [[ ${{ inputs.ee }} == "true" ]]; then cd $GITHUB_ACTION_PATH/ee/cli @@ -579,6 +584,7 @@ TG_PROVIDER_CACHE_DIR: ${{ env.TF_PLUGIN_CACHE_DIR }} TERRAGRUNT_PROVIDER_CACHE_DIR: ${{ env.TF_PLUGIN_CACHE_DIR }} DIGGER_RUN_SPEC: ${{inputs.digger-spec}} + DIGGER_LOG_LEVEL: ${{ inputs.log-level }} id: digger shell: bash run: | @@ -665,6 +671,7 @@ TG_PROVIDER_CACHE_DIR: ${{ env.TF_PLUGIN_CACHE_DIR }} TERRAGRUNT_PROVIDER_CACHE_DIR: ${{ env.TF_PLUGIN_CACHE_DIR }} DIGGER_RUN_SPEC: ${{inputs.digger-spec}} + DIGGER_LOG_LEVEL: ${{ inputs.log-level }} id: digger-local-run shell: bash run: | diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/digger-cli-0.6.138/docs/ce/concepts/role.mdx new/digger-cli-0.6.139/docs/ce/concepts/role.mdx --- old/digger-cli-0.6.138/docs/ce/concepts/role.mdx 1970-01-01 01:00:00.000000000 +0100 +++ new/digger-cli-0.6.139/docs/ce/concepts/role.mdx 2026-01-06 00:41:37.000000000 +0100 @@ -0,0 +1,14 @@ +--- +title: Role +--- + + +A openTaco role is a collection of permissions that can be assigned to users or groups within an organization. Roles help manage access control by defining what actions can be performed on various resources. + +By default, user who create an organization are assigned the "admin" role, which grants full permissions to manage the organization and its resources. Additional roles can be created as needed. + + + +## Interacting with roles +You can manage roles via the `rbac` sub-command on the `taco` CLI or via the dashboard. + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/digger-cli-0.6.138/docs/ce/concepts/unit.mdx new/digger-cli-0.6.139/docs/ce/concepts/unit.mdx --- old/digger-cli-0.6.138/docs/ce/concepts/unit.mdx 1970-01-01 01:00:00.000000000 +0100 +++ new/digger-cli-0.6.139/docs/ce/concepts/unit.mdx 2026-01-06 00:41:37.000000000 +0100 @@ -0,0 +1,21 @@ +--- +title: "Units" +--- + +A unit is an OpenTaco workspace: the smallest deployable Terraform state plus its lock and history. Each unit tracks one Terraform state file, supports optimistic locking, and keeps a versioned history so you can restore any previous state snapshot. + + +## Use case for units +Units are useful for both small and large teams to organize and manage multiple states (or workspaces as you might be used to): +- Isolate environments or services (e.g., `app/prod`, `network/shared`). +- Work in parallel while lock semantics prevent conflicting writes. +- Keep built-in state history, incase you need to rollback. + + +## Interacting with units. +You can manage units via the `unit` sub-command on the `taco` CLI, available subcommands are +- `create`, `ls`, `info`, `rm` : basic lifecycle for unit registration. +- `pull`, `push`, `acquire`, `release` :download/upload state with optional locking. +- `lock`, `unlock` : manage locks directly when coordinating writers. +- `versions`, `restore` : list history and roll back to a prior state snapshot. +- `status` : view dependency status for a unit or prefix. \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/digger-cli-0.6.138/docs/ce/local-development/statesman.mdx new/digger-cli-0.6.139/docs/ce/local-development/statesman.mdx --- old/digger-cli-0.6.138/docs/ce/local-development/statesman.mdx 2025-12-19 02:37:17.000000000 +0100 +++ new/digger-cli-0.6.139/docs/ce/local-development/statesman.mdx 2026-01-06 00:41:37.000000000 +0100 @@ -1,81 +1,262 @@ --- -title: Statesman local setup +title: Running Statesman Locally --- -Statesman serves state storage + Terraform Cloud-compatible APIs. The UI uses its internal endpoints, so enable webhook auth and sync your org/user. +Statesman provides state storage and Terraform Cloud-compatible APIs for managing Terraform workspaces, runs, and state files. The UI uses Statesman's internal endpoints, so you'll need to enable webhook authentication and sync your organization and user data. -## First-time setup (SQLite migrations) +## Prerequisites -If using SQLite with persistence, run migrations before starting: +Before you begin, ensure you have the following installed: + +- Go 1.25 or later +- [Atlas CLI](https://atlasgo.io/getting-started#installation) (for database migrations) +- SQLite (bundled with most systems) or S3 credentials (for production deployments) + +<Tip> +If you don't have Atlas installed, you can install it by running `make atlas-install` from the `taco` directory. +</Tip> + +## Installation + +<Steps> + <Step title="Navigate to the taco directory"> + From your project root, navigate to the Statesman directory: + ```bash + cd taco + ``` + </Step> + + <Step title="Run database migrations"> + If you're using SQLite with persistence, create the data directory and apply the migrations before starting Statesman: + + ```bash + # Create the data directory if it doesn't exist + mkdir -p data + + # Apply migrations + atlas migrate apply --dir file://migrations/sqlite --url "sqlite://data/taco.db" + ``` + + <Note> + If you encounter checksum errors, regenerate the hash first: + ```bash + atlas migrate hash --dir file://migrations/sqlite + ``` + </Note> + </Step> + + <Step title="Build Statesman"> + Build the Statesman service: + ```bash + make build-svc + ``` + This creates the `statesman` executable in your current directory. + </Step> + + <Step title="Start the service"> + Run Statesman with your preferred configuration: + + ```bash + ./statesman -storage memory -auth-disable + ``` + + The service will start on port `8080` by default. + + <Tip> + For local development, use `-storage memory` to avoid database setup. This option uses in-memory storage with SQLite as the query backend. + </Tip> + </Step> +</Steps> + +## Configuration + +Configure Statesman using environment variables: + +### Basic Configuration ```bash -cd taco +OPENTACO_PORT=8080 # Port to run the service (default: 8080) +OPENTACO_STORAGE=memory # Storage backend: 'memory' or 's3' +OPENTACO_AUTH_DISABLE=true # Skip OIDC authentication (for local development) +``` -# If you get checksum errors, regenerate the hash first: -atlas migrate hash --dir file://migrations/sqlite +### UI Integration + +To enable the UI to communicate with Statesman, set the webhook secret: + +```bash +OPENTACO_ENABLE_INTERNAL_ENDPOINTS=statesman-secret +``` + +<Warning> +This secret must match `STATESMAN_BACKEND_WEBHOOK_SECRET` in your UI's `.env.local` file. +</Warning> + +<Accordion title="Advanced Configuration Options"> + +### S3 Storage Backend + +For production deployments, configure S3 storage: + +```bash +OPENTACO_STORAGE=s3 +OPENTACO_S3_BUCKET=my-bucket +OPENTACO_S3_REGION=us-east-1 +OPENTACO_S3_PREFIX=opentaco/ +AWS_ACCESS_KEY_ID=your_access_key +AWS_SECRET_ACCESS_KEY=your_secret_key +``` + +### Additional Options + +```bash +OPENTACO_SECRET_KEY=<secret> # Secret key for signed URLs +OPENTACO_SQLITE_DB_PATH=<path> # Custom SQLite database path +``` + +</Accordion> + +## Using Statesman as a Terraform Backend -# Apply migrations (adjust path to match your OPENTACO_SQLITE_DB_PATH) -atlas migrate apply --dir file://migrations/sqlite --url "sqlite://cmd/statesman/data/taco.db" +Once Statesman is running, you can configure Terraform to use it as a remote backend. + +### Terraform Configuration + +Add the following backend configuration to your Terraform code: + +```hcl +terraform { + backend "remote" { + hostname = "localhost:8080" + organization = "your-org-name" + + workspaces { + name = "my-workspace" + } + } +} ``` -If you don't have Atlas installed: `make atlas-install` +<Note> +For production deployments, replace `localhost:8080` with your Statesman instance's public URL. If authentication is enabled, you'll also need to configure credentials. +</Note> + +### Authentication + +If you've enabled authentication (not using `-auth-disable`), configure your Terraform credentials: + +```bash +# Create credentials file at ~/.terraform.d/credentials.tfrc.json +{ + "credentials": { + "localhost:8080": { + "token": "your-auth-token" + } + } +} +``` -## Quick start +## Syncing Organizations and Users -1. Set env vars: - ```bash - OPENTACO_ENABLE_INTERNAL_ENDPOINTS=statesman-secret # must match UI STATESMAN_BACKEND_WEBHOOK_SECRET - OPENTACO_AUTH_DISABLE=true # skips OIDC for local - OPENTACO_STORAGE=memory # default; uses SQLite query backend automatically - # Optional: OPENTACO_SECRET_KEY for signed URLs; OPENTACO_PORT=8080 - ``` -2. Run the service (from repo root): - ```bash - cd taco - go run cmd/statesman/main.go -storage memory -auth-disable # or ./statesman with the same flags - ``` - Default port: `8080`. +<Accordion title="Syncing for UI Integration"> -## Sync org and user (required for UI) +The UI requires organization and user data to be synced to Statesman. Statesman resolves organizations by `external_org_id` (your WorkOS organization ID). If the organization cannot be resolved, `/internal/api/units` will return a 500 error. -Statesman resolves orgs by `external_org_id` (your WorkOS org id). If it cannot resolve, `/internal/api/units` will 500. +### Using the Sync Script -A helper script is available at `taco/cmd/statesman/sync-org.sh` - edit the values before running: +A helper script is available to simplify the sync process: ```bash -chmod +x taco/cmd/statesman/sync-org.sh -./taco/cmd/statesman/sync-org.sh +chmod +x cmd/statesman/sync-org.sh +./cmd/statesman/sync-org.sh ``` -Or run manually: +<Note> +Edit the script with your WorkOS organization and user IDs before running it. +</Note> + +### Manual Sync + +Alternatively, you can sync manually using curl commands: ```bash +# Set your configuration SECRET=$OPENTACO_ENABLE_INTERNAL_ENDPOINTS -ORG_ID=org_xxx # WorkOS org id -ORG_NAME=digger-org # slug to store -ORG_DISPLAY="Digger Org" -USER_ID=user_xxx # WorkOS user id [email protected] +ORG_ID=org_xxx # Your WorkOS organization ID +ORG_NAME=digger-org # Organization slug +ORG_DISPLAY="Digger Org" # Organization display name +USER_ID=user_xxx # Your WorkOS user ID [email protected] # Your email address -# create/sync org -curl -s -X POST http://localhost:8080/internal/api/orgs/sync \ +# Sync the organization +curl -X POST http://localhost:8080/internal/api/orgs/sync \ -H "Authorization: Bearer $SECRET" \ - -H "X-User-ID: $USER_ID" -H "X-Email: $USER_EMAIL" \ + -H "X-User-ID: $USER_ID" \ + -H "X-Email: $USER_EMAIL" \ -H "Content-Type: application/json" \ - -d '{"name":"'"$ORG_NAME"'","display_name":"'"$ORG_DISPLAY"'","external_org_id":"'"$ORG_ID"'"}' + -d '{ + "name": "'"$ORG_NAME"'", + "display_name": "'"$ORG_DISPLAY"'", + "external_org_id": "'"$ORG_ID"'" + }' -# ensure user exists in that org -curl -s -X POST http://localhost:8080/internal/api/users \ +# Create the user in the organization +curl -X POST http://localhost:8080/internal/api/users \ -H "Authorization: Bearer $SECRET" \ - -H "X-Org-ID: '$ORG_ID'" -H "X-User-ID: $USER_ID" -H "X-Email: $USER_EMAIL" \ + -H "X-Org-ID: $ORG_ID" \ + -H "X-User-ID: $USER_ID" \ + -H "X-Email: $USER_EMAIL" \ -H "Content-Type: application/json" \ - -d '{"subject":"'"$USER_ID"'","email":"'"$USER_EMAIL"'"}' + -d '{ + "subject": "'"$USER_ID"'", + "email": "'"$USER_EMAIL"'" + }' ``` +</Accordion> + ## Troubleshooting -- **"no such table: organizations"**: Run migrations first (see First-time setup above). -- **Atlas checksum mismatch**: Run `atlas migrate hash --dir file://migrations/sqlite` then retry apply. -- **403**: webhook secret mismatch (`OPENTACO_ENABLE_INTERNAL_ENDPOINTS` vs UI `STATESMAN_BACKEND_WEBHOOK_SECRET`). -- **404/500 resolving org**: org not synced; rerun the sync script or `orgs/sync` call above. -- **SQLite quirks**: defaults to SQLite in-process; no config needed for local. For Postgres/MySQL, set `TACO_QUERY_BACKEND` and related envs (see `docs/ce/state-management/query-backend`). +### Database Errors + +**"unable to open database file: no such file or directory"** + +This error occurs when the data directory doesn't exist. Create it first: + +```bash +cd taco +mkdir -p data +atlas migrate apply --dir file://migrations/sqlite --url "sqlite://data/taco.db" +``` + +**"no such table: organizations"** + +This error indicates that migrations have not been applied. Run the migrations as described in Step 2 of the Installation section. + +**Atlas checksum mismatch** + +If you encounter checksum errors during migration, regenerate the hash: + +```bash +atlas migrate hash --dir file://migrations/sqlite +``` + +Then retry the migration apply command. + +### Authentication Errors + +**403 Forbidden** + +This typically indicates a webhook secret mismatch. Verify that `OPENTACO_ENABLE_INTERNAL_ENDPOINTS` matches `STATESMAN_BACKEND_WEBHOOK_SECRET` in your UI configuration. + +### Organization Resolution Errors + +**404 or 500 errors when resolving organization** + +The organization has not been synced to Statesman. Run the sync script or manual sync commands described in the "Syncing Organizations and Users" section. + +### Storage Configuration + +**SQLite quirks** + +By default, Statesman uses SQLite as the in-process query backend. No additional configuration is needed for local development. For PostgreSQL or MySQL backends, set `TACO_QUERY_BACKEND` and related environment variables (see `docs/ce/state-management/query-backend` for details). diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/digger-cli-0.6.138/docs/ce/state-management/digger-integration.mdx new/digger-cli-0.6.139/docs/ce/state-management/digger-integration.mdx --- old/digger-cli-0.6.138/docs/ce/state-management/digger-integration.mdx 2025-12-19 02:37:17.000000000 +0100 +++ new/digger-cli-0.6.139/docs/ce/state-management/digger-integration.mdx 2026-01-06 00:41:37.000000000 +0100 @@ -15,7 +15,7 @@ cat ~/.terraform.d/credentials.tfrc.json ``` -And copy the value of the token from the JSON file of your terraform credentials file. Store the token as a secret STATESMANE_TOKEN in your CI system. +And copy the value of the token from the JSON file of your terraform credentials file. Store the token as a secret STATESMAN_TOKEN in your CI system. From there you would need to make some small tweaks to your digger workflow: ``` @@ -116,4 +116,4 @@ The key part here is that we override the default workflow and pass extra arguments of `-backend-config=tf_backend.tfbackend` to the `plan` and `apply` steps. In this way it is easy to add additional states simply by adding a record for them in digger.yml. Once a PR is created and applied we will end up with a bucket that has three state files: - \ No newline at end of file + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/digger-cli-0.6.138/docs/docs.json new/digger-cli-0.6.139/docs/docs.json --- old/digger-cli-0.6.138/docs/docs.json 2025-12-19 02:37:17.000000000 +0100 +++ new/digger-cli-0.6.139/docs/docs.json 2026-01-06 00:41:37.000000000 +0100 @@ -87,6 +87,14 @@ ] }, { + "group": "Concepts", + "pages": [ + "ce/concepts/unit", + "ce/concepts/role" + + ] + }, + { "group": "How To", "pages": [ "ce/howto/noise-reduction", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/digger-cli-0.6.138/ee/cli/cmd/digger/default.go new/digger-cli-0.6.139/ee/cli/cmd/digger/default.go --- old/digger-cli-0.6.138/ee/cli/cmd/digger/default.go 2025-12-19 02:37:17.000000000 +0100 +++ new/digger-cli-0.6.139/ee/cli/cmd/digger/default.go 2026-01-06 00:41:37.000000000 +0100 @@ -4,6 +4,10 @@ "crypto/fips140" "encoding/json" "fmt" + "log/slog" + "os" + "runtime/debug" + "github.com/diggerhq/digger/cli/pkg/digger" "github.com/diggerhq/digger/cli/pkg/github" spec2 "github.com/diggerhq/digger/cli/pkg/spec" @@ -17,16 +21,30 @@ comment_summary "github.com/diggerhq/digger/libs/comment_utils/summary" lib_spec "github.com/diggerhq/digger/libs/spec" "github.com/spf13/cobra" - "log" - "os" - "runtime/debug" ) +func initLogger() { + logLevel := os.Getenv("DIGGER_LOG_LEVEL") + var level slog.Leveler + if logLevel == "DEBUG" { + level = slog.LevelDebug + } else if logLevel == "WARN" { + level = slog.LevelWarn + } else { + level = slog.LevelInfo + } + logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{ + Level: level, + })) + slog.SetDefault(logger) +} + var defaultCmd = &cobra.Command{ Use: "default", Run: func(cmd *cobra.Command, args []string) { + initLogger() specStr := os.Getenv("DIGGER_RUN_SPEC") - log.Printf("Fips140 enabled in build: %v", fips140.Enabled()) + slog.Info("Fips140 enabled in build", "enabled", fips140.Enabled()) if specStr != "" { var spec lib_spec.Spec err := json.Unmarshal([]byte(specStr), &spec) @@ -70,7 +88,7 @@ logLeader = os.Getenv("GITHUB_ACTOR") github.GitHubCI(lock, policy.PolicyCheckerProviderAdvanced{}, BackendApi, ReportStrategy, github2.GithubServiceProviderAdvanced{}, comment_updater.CommentUpdaterProviderAdvanced{}, drift.DriftNotificationProviderAdvanced{}) case digger.GitLab: - log.Printf("gitlab CI detected") + slog.Info("gitlab CI detected") gitlab.GitLabCI(lock, policy.PolicyCheckerProviderAdvanced{}, BackendApi, ReportStrategy, github2.GithubServiceProviderAdvanced{}, comment_updater.CommentUpdaterProviderAdvanced{}, drift.DriftNotificationProviderAdvanced{}) case digger.None: print("No CI detected.") @@ -79,10 +97,10 @@ defer func() { if r := recover(); r != nil { - log.Println("stacktrace from panic: \n" + string(debug.Stack())) + slog.Error("stacktrace from panic", "stack", string(debug.Stack())) err := usage.SendLogRecord(logLeader, fmt.Sprintf("Panic occurred. %s", r)) if err != nil { - log.Printf("Failed to send log record. %s\n", err) + slog.Error("Failed to send log record", "error", err) } os.Exit(1) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/digger-cli-0.6.138/libs/ci/github/github.go new/digger-cli-0.6.139/libs/ci/github/github.go --- old/digger-cli-0.6.138/libs/ci/github/github.go 2025-12-19 02:37:17.000000000 +0100 +++ new/digger-cli-0.6.139/libs/ci/github/github.go 2026-01-06 00:41:37.000000000 +0100 @@ -215,13 +215,33 @@ func (svc GithubService) GetApprovals(prNumber int) ([]string, error) { reviews, _, err := svc.Client.PullRequests.ListReviews(context.Background(), svc.Owner, svc.RepoName, prNumber, &github.ListOptions{}) - approvals := make([]string, 0) + if err != nil { + return nil, err + } + + // Track the latest review state per user + // GitHub returns reviews in chronological order, so later entries are more recent + // We need to consider the latest review state, not just any APPROVED review + latestReviewState := make(map[string]string) for _, review := range reviews { - if *review.State == "APPROVED" { - approvals = append(approvals, *review.User.Login) + if review.User == nil || review.User.Login == nil || review.State == nil { + continue + } + // Skip COMMENTED reviews as they don't change approval status + if *review.State == "COMMENTED" { + continue + } + latestReviewState[*review.User.Login] = *review.State + } + + // Collect users whose latest review state is APPROVED + approvals := make([]string, 0) + for user, state := range latestReviewState { + if state == "APPROVED" { + approvals = append(approvals, user) } } - return approvals, err + return approvals, nil } func (svc GithubService) EditComment(prNumber int, id string, comment string) error { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/digger-cli-0.6.138/libs/policy/policy.go new/digger-cli-0.6.139/libs/policy/policy.go --- old/digger-cli-0.6.138/libs/policy/policy.go 2025-12-19 02:37:17.000000000 +0100 +++ new/digger-cli-0.6.139/libs/policy/policy.go 2026-01-06 00:41:37.000000000 +0100 @@ -459,7 +459,14 @@ } ctx := context.Background() - slog.Debug("Evaluating plan policy", "policy", policy) + inputPretty, err := json.MarshalIndent(input, "", " ") + if err != nil { + slog.Warn("Failed to marshal plan policy input", "error", err) + slog.Debug("Evaluating plan policy", "policy", policy, "input", input) + } else { + slog.Debug("Evaluating plan policy", "policy", policy, "input", inputPretty) + } + query, err := rego.New( rego.Query("data.digger.deny"), ++++++ digger-cli.obsinfo ++++++ --- /var/tmp/diff_new_pack.8PJSbA/_old 2026-01-13 21:30:17.325352765 +0100 +++ /var/tmp/diff_new_pack.8PJSbA/_new 2026-01-13 21:30:17.341353425 +0100 @@ -1,5 +1,5 @@ name: digger-cli -version: 0.6.138 -mtime: 1766108237 -commit: a0df344f158f46a9e93585bf5aae204f73bef2a2 +version: 0.6.139 +mtime: 1767656497 +commit: 31d84f9498d8d54bb173d086c83d6c9af314d603 ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/digger-cli/vendor.tar.gz /work/SRC/openSUSE:Factory/.digger-cli.new.1928/vendor.tar.gz differ: char 134, line 4
