[atlantis-aws] bump Atlantis to 0.42.0 to fix expired HashiCorp GPG key

[amit-darji]

Summary

Bumps ATLANTIS_VERSION in atlantis-aws from 0.40.0 to 0.42.0 to resolve the expired HashiCorp GPG key (72D7468F) that breaks runtime Terraform downloads.

Problem

Users of chatwork/atlantis-aws:0.40.0 (and any earlier release) hit this when Atlantis tries to fetch a Terraform version that isn't baked into the image (e.g. 1.15.x):

error downloading terraform version 1.15.3: unable to verify checksums signature: openpgp: key expired

Root cause: Atlantis delegates Terraform download + signature verification to hashicorp/hc-install. Versions <= v0.9.2 embed the HashiCorp GPG key 72D7468F, which expired on 2026-04-18 (HashiCorp advisory HCSEC-2026-03). Atlantis v0.41.0 pins hc-install v0.9.2, so any image based on it inherits the expired key.

Fix

Upstream Atlantis PR #6410 ("chore(deps): bump go to 1.25.8 and hc-install to v0.9.4") bumped hc-install to v0.9.4, which ships the renewed key valid until 2030-03-01. That fix was released in Atlantis v0.42.0.

Verified via go.mod at each tag:

Atlantis tag	hc-install version	GPG status
v0.41.0	v0.9.2	expired 2026-04-18
v0.42.0	v0.9.4	valid until 2030-03-01

Because the fix lives entirely inside the compiled atlantis binary, the only change needed in this image is bumping the version we download.

Why 0.42.0 (not latest 0.43.0)

Pinning to the exact version where the fix landed keeps the diff minimal and scoped to the security regression. Subsequent minor bumps can flow through the existing automated update workflow.

Changes

• atlantis-aws/Dockerfile: ARG ATLANTIS_VERSION=0.40.0 → 0.42.0
• atlantis-aws/goss/goss.yaml: update version assertion to 0.42.0

Dockerfile.arm64 is a symlink to Dockerfile so it's covered automatically. Dockerfile.tpl and goss.yaml.tpl use templating ({{ .atlantis_version }}) so they don't need editing; variant.lock will be refreshed by the automated update workflow on its next run.

References

• Upstream issue: HashiCorp GPG key expired - openpgp: key expired when downloading Terraform runatlantis/atlantis#6405
• Upstream fix PR: chore(deps): bump go to 1.25.8 and hc-install to v0.9.4 runatlantis/atlantis#6410
• HashiCorp advisory: https://discuss.hashicorp.com/t/hcsec-2026-03-hashicorp-gpg-key-72d7468f-update/77237

Test plan

• make build succeeds on amd64 and arm64
• make test passes (goss assertions match new version)
• In a running container, atlantis version reports 0.42.0
• Trigger an Atlantis plan that downloads a non-baked Terraform version (e.g. 1.15.3); confirm the openpgp: key expired error no longer occurs

[tasuku43]

Hi @amit-darji,

Thank you so much for taking the time to send this PR — we really appreciate the fix for the expired
HashiCorp GPG key!

I wanted to give you a heads up: due to a limitation on our side, our CI workflow requires repository
secrets to log in to Docker Hub, and those secrets are not available to PRs from forks. As a result, the
tests on this PR could not run.

To unblock the release, we re-created the same change in #4300 (already merged) from a branch in this
repository so the CI could run with the required secrets. Apologies for not being able to merge your PR
directly — this is purely a CI configuration issue on our end, not anything about your change.

We plan to fix the workflow so that fork PRs like yours can be tested properly going forward.

Thanks again for the contribution!

[tasuku43]

Closing this PR since the change has been merged via #4300. Thanks again!