Releases: overmindtech/env0-plugin
1.4
What's new
Fixes the customer-reported failure mode where the plugin's supply-chain verification step exits with HTTP 403 against api.github.com/repos/overmindtech/cli/attestations/... on env0 runners with no GH_TOKEN. Root cause: GitHub's unauthenticated REST API is capped at 60 requests per hour per originating IP address, and env0's shared runner egress IPs exhaust that budget quickly. The plugin was fetching with curl -fsSL; the -f flag makes curl fail without printing the response body on HTTP errors, so the only thing that surfaced was a bare curl: (22) … 403 with no actionable hint.
Improved diagnostics
The cosign fallback now captures and surfaces GitHub's own response body on both the authenticated and unauthenticated branches, so failures look like:
```text
ERROR: Failed to fetch attestation bundle from https://api.github.com/repos/overmindtech/cli/attestations/sha256:... (HTTP 403). GitHub response: API rate limit exceeded for 1.2.3.4. This is almost certainly GitHub's REST API rate limit. Unauthenticated requests are capped at 60/hour per IP, and env0's shared egress IPs hit that limit quickly. Set GH_TOKEN or GITHUB_TOKEN in your env0 environment to authenticate; a GitHub classic personal access token with NO scopes is sufficient and raises the limit to 5000/hour. See README 'Supply-chain verification' for setup details.
```
Automatic rate-limit retry
On HTTP 403/429 with X-RateLimit-Remaining: 0, the plugin reads X-RateLimit-Reset (a UTC epoch timestamp), computes the seconds remaining until that instant, sleeps that long (bounded at 60 seconds), and retries once before failing. This silently absorbs short pile-ups on env0's shared egress IPs. If the reset is more than 60 seconds away (i.e. the IP is genuinely rate-limited for the rest of the hour), the plugin fails fast with the diagnostic above rather than stalling the run.
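The following shell script is an added example, not the plugin's own code: it implements the two behaviours described above (surfacing GitHub's response body on failure, and the bounded single retry driven by the X-RateLimit-* headers) in the same shape a verify script would use. The network call sits behind a `do_fetch` function; here that is a constructed stub that answers the first call with a rate-limit 403 and the second with 200, standing in for `curl -sS -D "$hdr" -o "$body" -w '%{http_code}' "$url"`. The stub, the counter file and the `STUB_RESET_IN` knob are assumptions for offline demonstration.

```shell
#!/bin/sh
# Added example (not overmindtech/env0-plugin code): rate-limit-aware fetch
# with one bounded retry, mirroring the policy described in the release notes.

MAX_WAIT=60                                        # never sleep longer than this
STUB_COUNT=${STUB_COUNT:-/tmp/gh-stub-calls.$$}    # constructed: call counter shared across subshells
STUB_RESET_IN=${STUB_RESET_IN:-1}                  # constructed: seconds until the stub's X-RateLimit-Reset

# Constructed stub fetcher: $1=url $2=header file $3=body file; prints the HTTP status.
# A real fetcher would be: curl -sS -D "$2" -o "$3" -w '%{http_code}' "$1"
do_fetch() {
    n=$(cat "$STUB_COUNT" 2>/dev/null || echo 0)
    n=$((n + 1)); echo "$n" > "$STUB_COUNT"
    if [ "$n" -eq 1 ]; then
        printf 'X-RateLimit-Remaining: 0\r\nX-RateLimit-Reset: %s\r\n' "$(( $(date +%s) + STUB_RESET_IN ))" > "$2"
        printf '{"message":"API rate limit exceeded for 1.2.3.4."}' > "$3"   # constructed body
        echo 403
    else
        printf 'X-RateLimit-Remaining: 4999\r\n' > "$2"
        printf '{"attestations":[]}' > "$3"                                 # constructed body
        echo 200
    fi
}

# Case-insensitive header lookup from a dumped header file; strips spaces and CR.
header_value() {
    grep -i "^$2:" "$1" | head -n 1 | cut -d: -f2- | tr -d ' \r'
}

# Fetch $1. On 403/429 with Remaining: 0, sleep until Reset (if <= MAX_WAIT) and retry once;
# otherwise fail fast and print GitHub's own body so the error is actionable.
fetch_with_retry() {
    url=$1
    hdr=$(mktemp)
    body=$(mktemp)
    attempt=1
    remaining=""
    while :; do
        code=$(do_fetch "$url" "$hdr" "$body")
        case $code in
            200)
                cat "$body"; rm -f "$hdr" "$body"; return 0 ;;
            403|429)
                remaining=$(header_value "$hdr" X-RateLimit-Remaining)
                reset=$(header_value "$hdr" X-RateLimit-Reset)
                if [ "$attempt" -eq 1 ] && [ "$remaining" = "0" ] && [ -n "$reset" ]; then
                    wait=$(( reset - $(date +%s) ))          # Reset is an epoch timestamp, not a duration
                    if [ "$wait" -lt 0 ]; then wait=0; fi
                    if [ "$wait" -le "$MAX_WAIT" ]; then
                        echo "GitHub rate limit hit; retrying in ${wait}s" >&2
                        sleep "$wait"; attempt=2; continue
                    fi
                fi ;;
        esac
        echo "ERROR: Failed to fetch $url (HTTP $code). GitHub response: $(cat "$body")" >&2
        if [ "$remaining" = "0" ]; then
            echo "Unauthenticated requests are capped at 60/hour per IP; set GH_TOKEN or GITHUB_TOKEN." >&2
        fi
        rm -f "$hdr" "$body"; return 1
    done
}

# Number of times the stub was called (the plugin's test asserts exactly two on a retry).
stub_calls() { cat "$STUB_COUNT" 2>/dev/null || echo 0; }
```

Run it against a real endpoint by replacing the stub `do_fetch` with the curl line in its comment; the `-f` flag is deliberately absent so the body is kept and `%{http_code}` carries the status instead.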
README updates
The "Supply-chain verification" section now has a Strongly recommended: set GH_TOKEN subsection that documents:
- The 60-vs-5,000-per-hour math.
- Why a classic GitHub PAT with no scopes is sufficient (the attestations endpoint is publicly readable; authentication alone raises the cap).
- Why fine-grained PATs scoped only to a customer's own repos silently fall back to the unauthenticated path and don't help.
- That a single shared/bot GitHub account works for the whole org — useful if your team uses GitLab internally and doesn't otherwise have GitHub accounts.
How to upgrade
Pin your env0 plugin URL to @1.4 and (highly recommended) set GH_TOKEN or GITHUB_TOKEN in your env0 environment:
```yaml
use: https://github.com/overmindtech/env0-plugin@1.4
```
Tests
tests/verify-attestation.sh gains a 9th case that installs a curl stub on PATH to deterministically reproduce a rate-limit 403 followed by a successful retry, asserting both the exit code and that the stub was called exactly twice. Full suite: 11 / 11 PASS.
Compatibility
No changes to inputs, outputs, or plugin behavior on the success path. Pure improvement to error handling and diagnostics.
1.3
What's new
Exposes six new optional inputs that map directly to Overmind CLI flags. All inputs are optional — omitting any of them preserves existing behaviour exactly.
New inputs
| Input | CLI flag | Action(s) | Description |
|---|---|---|---|
| timeout | --timeout | all | Wall-clock time limit for the entire CLI invocation (e.g. 45m). Defaults to 31m. |
| change_analysis_target_duration | --change-analysis-target-duration | submit-plan | Soft server-side analysis budget. Valid range 1m–30m. |
| blast_radius_link_depth | --blast-radius-link-depth | submit-plan | Relationship levels to traverse for blast radius. |
| blast_radius_max_items | --blast-radius-max-items | submit-plan | Max resources included in blast radius. |
| risk_levels | --risk-levels | wait-for-simulation | Comma-separated severity filter for PR/MR comment output (e.g. high,medium). |
| wait_for_snapshot | --wait-for-snapshot | start-change | When true, blocks until the pre-change snapshot is fully captured. |