
[atlantis-aws] bump Atlantis to 0.42.0 to fix expired HashiCorp GPG key#4300

Merged
tasuku43 merged 1 commit into
masterfrom
bump-atlantis-aws-0.42.0
May 19, 2026

Conversation

@kb-hiroyaataka (Contributor)

Summary

Bumps ATLANTIS_VERSION in atlantis-aws from 0.40.0 to 0.42.0 to resolve the expired HashiCorp GPG key (72D7468F) that breaks runtime Terraform downloads.

This PR is a re-submission of #4292 (from an external contributor) since the original PR cannot run workflows due to permission constraints.

Problem

Users of chatwork/atlantis-aws:0.40.0 (and any earlier release) hit this when Atlantis tries to fetch a Terraform version that isn't baked into the image (e.g. 1.15.x):

error downloading terraform version 1.15.3: unable to verify checksums signature: openpgp: key expired

Root cause: Atlantis delegates Terraform download + signature verification to hashicorp/hc-install. Versions <= v0.9.2 embed the HashiCorp GPG key 72D7468F, which expired on 2026-04-18 (HashiCorp advisory HCSEC-2026-03). Atlantis v0.41.0 pins hc-install v0.9.2, so any image based on it inherits the expired key.

Fix

Upstream Atlantis PR #6410 ("chore(deps): bump go to 1.25.8 and hc-install to v0.9.4") bumped hc-install to v0.9.4, which ships the renewed key valid until 2030-03-01. That fix was released in Atlantis v0.42.0.

Verified via go.mod at each tag:

| Atlantis tag | hc-install version | GPG status             |
|--------------|--------------------|------------------------|
| v0.41.0      | v0.9.2             | expired 2026-04-18     |
| v0.42.0      | v0.9.4             | valid until 2030-03-01 |

Because the fix lives entirely inside the compiled atlantis binary, the only change needed in this image is bumping the version we download.

Why 0.42.0 (not latest 0.43.0)

Pinning to the exact version where the fix landed keeps the diff minimal and scoped to the security regression. Subsequent minor bumps can flow through the existing automated update workflow.

Changes

  • atlantis-aws/Dockerfile: ARG ATLANTIS_VERSION=0.40.0 → 0.42.0
  • atlantis-aws/goss/goss.yaml: update version assertion to 0.42.0

Dockerfile.arm64 is a symlink to Dockerfile so it's covered automatically. Dockerfile.tpl and goss.yaml.tpl use templating ({{ .atlantis_version }}) so they don't need editing; variant.lock will be refreshed by the automated update workflow on its next run.

References

Test plan

  • make build succeeds on amd64 and arm64
  • make test passes (goss assertions match new version)
  • In a running container, atlantis version reports 0.42.0
  • Trigger an Atlantis plan that downloads a non-baked Terraform version (e.g. 1.15.3); confirm the openpgp: key expired error no longer occurs

Atlantis <= 0.41.0 ships hc-install v0.9.2, which embeds the HashiCorp
GPG key 72D7468F that expired on 2026-04-18. At runtime, Atlantis uses
hc-install to verify Terraform binaries it downloads on demand, so any
Terraform version not baked into this image (e.g., 1.15.x) fails with:

    error downloading terraform version <X>: unable to verify checksums
    signature: openpgp: key expired

Upstream fix (runatlantis/atlantis#6410) bumped hc-install to v0.9.4,
which carries the renewed key (valid until 2030-03-01 per HCSEC-2026-03).
That fix shipped in atlantis v0.42.0.

Refs:
- runatlantis/atlantis#6405
- runatlantis/atlantis#6410
- https://discuss.hashicorp.com/t/hcsec-2026-03-hashicorp-gpg-key-72d7468f-update/77237
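The root cause and test plan above describe a runtime failure that only shows up when Atlantis downloads a non-baked Terraform version. As an added example (not code from this PR or the chatwork/atlantis-aws project), the following script detects that failure in Atlantis logs and gates image versions against the fixed release; the log lines are constructed and the cutoffs (Atlantis < 0.42.0 affected, renewed key valid until 2030-03-01) are taken from the PR text.

```python
"""Detect the expired-HashiCorp-key failure in Atlantis logs and gate image versions.

Added example, not part of the PR or the atlantis-aws project. Facts used come
from the PR text: Atlantis <= 0.41.0 embeds hc-install v0.9.2 with key 72D7468F
(expired 2026-04-18); Atlantis 0.42.0 ships hc-install v0.9.4 with the renewed
key (valid until 2030-03-01 per HCSEC-2026-03). The sample log is constructed.
"""
import re
from datetime import date

FIXED_ATLANTIS = (0, 42, 0)            # first release carrying hc-install v0.9.4
RENEWED_KEY_EXPIRY = date(2030, 3, 1)  # renewed-key expiry quoted in the PR

# Matches the runtime error quoted in the PR and captures the Terraform version.
KEY_EXPIRED_RE = re.compile(
    r"error downloading terraform version (?P<tf>\d+\.\d+\.\d+): "
    r"unable to verify checksums signature: openpgp: key expired"
)

def parse_version(v: str) -> tuple[int, int, int]:
    """Parse 'v0.42.0' or '0.42.0' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"not a semver string: {v!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)

def is_affected(atlantis_version: str) -> bool:
    """True if this Atlantis release still embeds the expired key (< 0.42.0)."""
    return parse_version(atlantis_version) < FIXED_ATLANTIS

def find_key_expired_failures(log_text: str) -> list[str]:
    """Return the Terraform versions whose on-demand download failed on the expired key."""
    return [m.group("tf") for m in KEY_EXPIRED_RE.finditer(log_text)]

def days_until_renewed_key_expires(today_iso: str) -> int:
    """Lead time (days) left before the renewed key itself needs another rotation."""
    return (RENEWED_KEY_EXPIRY - date.fromisoformat(today_iso)).days

# Constructed sample log: one baked-in version that worked, two downloads that failed.
SAMPLE_LOG = """\
2026-05-18T09:12:01Z INFO  terraform 1.9.8 found in /usr/local/bin, skipping download
2026-05-18T09:12:02Z ERROR error downloading terraform version 1.15.3: unable to verify checksums signature: openpgp: key expired
2026-05-18T09:15:44Z ERROR error downloading terraform version 1.15.1: unable to verify checksums signature: openpgp: key expired
"""

if __name__ == "__main__":
    print("affected 0.40.0:", is_affected("0.40.0"))                    # True
    print("affected 0.42.0:", is_affected("v0.42.0"))                   # False
    print("failed downloads:", find_key_expired_failures(SAMPLE_LOG))   # ['1.15.3', '1.15.1']
```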
@kb-hiroyaataka kb-hiroyaataka marked this pull request as ready for review May 19, 2026 00:49
@tasuku43 (Contributor) left a comment

LGTM!!

@tasuku43 tasuku43 merged commit 6e61d92 into master May 19, 2026
4 checks passed
@tasuku43 tasuku43 deleted the bump-atlantis-aws-0.42.0 branch May 19, 2026 23:54