Merge remote-tracking branch 'origin/master' into deleted-status

.gitignore

@@ -12,4 +12,4 @@ node_modules/
 helm/test-values.yaml
 *.swp
 golangci-lint
-atlantis
+atlantis

CONTRIBUTING.md

@@ -43,7 +43,7 @@ docker run --rm -v $(pwd):/go/src/github.com/runatlantis/atlantis -w /go/src/git
 
 ## Calling Your Local Atlantis From GitHub
 - Create a test terraform repository in your GitHub.
-- Create a personal access token for Atlantis. See [Create a GitHub token](https://github.com/runatlantis/atlantis#create-a-github-token).
+- Create a personal access token for Atlantis. See [Create a GitHub token](https://github.com/runatlantis/atlantis/tree/master/runatlantis.io/docs/access-credentials.md#generating-an-access-token).
 - Start Atlantis in server mode using that token:
 ```
 atlantis server --gh-user <your username> --gh-token <your token> --repo-whitelist <your repo> --gh-webhook-secret <your webhook secret> --log-level debug
@@ -53,7 +53,7 @@ atlantis server --gh-user <your username> --gh-token <your token> --repo-whiteli
 ```
 ngrok http 4141
 ```
-- Create a Webhook in your repo and use the `https` url that `ngrok` printed out after running `ngrok http 4141`. Be sure to append `/events` so your webhook url looks something like `https://efce3bcd.ngrok.io/events`. See [Add GitHub Webhook](https://github.com/runatlantis/atlantis#add-github-webhook).
+- Create a Webhook in your repo and use the `https` url that `ngrok` printed out after running `ngrok http 4141`. Be sure to append `/events` so your webhook url looks something like `https://efce3bcd.ngrok.io/events`. See [Add GitHub Webhook](https://github.com/runatlantis/atlantis/blob/master/runatlantis.io/docs/configuring-webhooks.md#configuring-webhooks).
 - Create a pull request and type `atlantis help`. You should see the request in the `ngrok` and Atlantis logs and you should also see Atlantis comment back.
 
 ## Code Style

cmd/server.go

@@ -57,6 +57,9 @@ const (
 	GHHostnameFlag             = "gh-hostname"
 	GHTokenFlag                = "gh-token"
 	GHUserFlag                 = "gh-user"
+	GHAppIDFlag                = "gh-app-id"
+	GHAppKeyFileFlag           = "gh-app-key-file"
+	GHOrganizationFlag         = "gh-org"
 	GHWebhookSecretFlag        = "gh-webhook-secret" // nolint: gosec
 	GitlabHostnameFlag         = "gitlab-hostname"
 	GitlabTokenFlag            = "gitlab-token"
@@ -159,11 +162,20 @@ var stringFlags = map[string]stringFlag{
 		defaultValue: DefaultGHHostname,
 	},
 	GHUserFlag: {
-		description: "GitHub username of API user.",
+		description:  "GitHub username of API user.",
+		defaultValue: "",
 	},
 	GHTokenFlag: {
 		description: "GitHub token of API user. Can also be specified via the ATLANTIS_GH_TOKEN environment variable.",
 	},
+	GHAppKeyFileFlag: {
+		description:  "A path to a file containing the GitHub App's private key",
+		defaultValue: "",
+	},
+	GHOrganizationFlag: {
+		description:  "The name of the GitHub organization to use during the creation of a Github App for Atlantis",
+		defaultValue: "",
+	},
 	GHWebhookSecretFlag: {
 		description: "Secret used to validate GitHub webhooks (see https://developer.github.com/webhooks/securing/)." +
 			" SECURITY WARNING: If not specified, Atlantis won't be able to validate that the incoming webhook call came from GitHub. " +
@@ -302,6 +314,13 @@ var intFlags = map[string]intFlag{
 	},
 }
 
+var int64Flags = map[string]int64Flag{
+	GHAppIDFlag: {
+		description:  "GitHub App Id. If defined, initializes the GitHub client with app-based credentials",
+		defaultValue: 0,
+	},
+}
+
 // ValidLogLevels are the valid log levels that can be set
 var ValidLogLevels = []string{"debug", "info", "warn", "error"}
 
@@ -315,6 +334,11 @@ type intFlag struct {
 	defaultValue int
 	hidden       bool
 }
+type int64Flag struct {
+	description  string
+	defaultValue int64
+	hidden       bool
+}
 type boolFlag struct {
 	description  string
 	defaultValue bool
@@ -409,6 +433,19 @@ func (s *ServerCmd) Init() *cobra.Command {
 		s.Viper.BindPFlag(name, c.Flags().Lookup(name)) // nolint: errcheck
 	}
 
+	// Set int64 flags.
+	for name, f := range int64Flags {
+		usage := f.description
+		if f.defaultValue != 0 {
+			usage = fmt.Sprintf("%s (default %d)", usage, f.defaultValue)
+		}
+		c.Flags().Int(name, 0, usage+"\n")
+		if f.hidden {
+			c.Flags().MarkHidden(name) // nolint: errcheck
+		}
+		s.Viper.BindPFlag(name, c.Flags().Lookup(name)) // nolint: errcheck
+	}
+
 	// Set bool flags.
 	for name, f := range boolFlags {
 		c.Flags().Bool(name, f.defaultValue, f.description+"\n")
@@ -528,13 +565,13 @@ func (s *ServerCmd) validate(userConfig server.UserConfig) error {
 	// 3. bitbucket user and token set
 	// 4. azuredevops user and token set
 	// 5. any combination of the above
-	vcsErr := fmt.Errorf("--%s/--%s or --%s/--%s or --%s/--%s or --%s/--%s must be set", GHUserFlag, GHTokenFlag, GitlabUserFlag, GitlabTokenFlag, BitbucketUserFlag, BitbucketTokenFlag, ADUserFlag, ADTokenFlag)
-	if ((userConfig.GithubUser == "") != (userConfig.GithubToken == "")) || ((userConfig.GitlabUser == "") != (userConfig.GitlabToken == "")) || ((userConfig.BitbucketUser == "") != (userConfig.BitbucketToken == "")) || ((userConfig.AzureDevopsUser == "") != (userConfig.AzureDevopsToken == "")) {
+	vcsErr := fmt.Errorf("--%s/--%s or --%s/--%s or --%s/--%s or --%s/--%s or --%s/--%s must be set", GHUserFlag, GHTokenFlag, GHAppIDFlag, GHAppKeyFileFlag, GitlabUserFlag, GitlabTokenFlag, BitbucketUserFlag, BitbucketTokenFlag, ADUserFlag, ADTokenFlag)
+	if ((userConfig.GithubUser == "") != (userConfig.GithubToken == "")) || ((userConfig.GithubAppID == 0) != (userConfig.GithubAppKey == "")) || ((userConfig.GitlabUser == "") != (userConfig.GitlabToken == "")) || ((userConfig.BitbucketUser == "") != (userConfig.BitbucketToken == "")) || ((userConfig.AzureDevopsUser == "") != (userConfig.AzureDevopsToken == "")) {
 		return vcsErr
 	}
 	// At this point, we know that there can't be a single user/token without
 	// its partner, but we haven't checked if any user/token is set at all.
-	if userConfig.GithubUser == "" && userConfig.GitlabUser == "" && userConfig.BitbucketUser == "" && userConfig.AzureDevopsUser == "" {
+	if userConfig.GithubAppID == 0 && userConfig.GithubUser == "" && userConfig.GitlabUser == "" && userConfig.BitbucketUser == "" && userConfig.AzureDevopsUser == "" {
 		return vcsErr
 	}
 

cmd/server_test.go

@@ -69,6 +69,9 @@ var testFlags = map[string]interface{}{
 	GHHostnameFlag:             "ghhostname",
 	GHTokenFlag:                "token",
 	GHUserFlag:                 "user",
+	GHAppIDFlag:                int64(0),
+	GHAppKeyFileFlag:           "",
+	GHOrganizationFlag:         "",
 	GHWebhookSecretFlag:        "secret",
 	GitlabHostnameFlag:         "gitlab-hostname",
 	GitlabTokenFlag:            "gitlab-token",
@@ -347,7 +350,7 @@ func TestExecute_ValidateSSLConfig(t *testing.T) {
 }
 
 func TestExecute_ValidateVCSConfig(t *testing.T) {
-	expErr := "--gh-user/--gh-token or --gitlab-user/--gitlab-token or --bitbucket-user/--bitbucket-token or --azuredevops-user/--azuredevops-token must be set"
+	expErr := "--gh-user/--gh-token or --gh-app-id/--gh-app-key-file or --gitlab-user/--gitlab-token or --bitbucket-user/--bitbucket-token or --azuredevops-user/--azuredevops-token must be set"
 	cases := []struct {
 		description string
 		flags       map[string]interface{}
@@ -393,6 +396,20 @@ func TestExecute_ValidateVCSConfig(t *testing.T) {
 			},
 			true,
 		},
+		{
+			"just github app set",
+			map[string]interface{}{
+				GHAppIDFlag: "1",
+			},
+			true,
+		},
+		{
+			"just github app key set",
+			map[string]interface{}{
+				GHAppKeyFileFlag: "key.pem",
+			},
+			true,
+		},
 		{
 			"just gitlab user set",
 			map[string]interface{}{
@@ -446,6 +463,14 @@ func TestExecute_ValidateVCSConfig(t *testing.T) {
 			},
 			false,
 		},
+		{
+			"github app and key set and should be successful",
+			map[string]interface{}{
+				GHAppIDFlag:      "1",
+				GHAppKeyFileFlag: "key.pem",
+			},
+			false,
+		},
 		{
 			"gitlab user and gitlab token set and should be successful",
 			map[string]interface{}{
@@ -544,6 +569,19 @@ func TestExecute_GithubUser(t *testing.T) {
 	Equals(t, "user", passedConfig.GithubUser)
 }
 
+func TestExecute_GithubApp(t *testing.T) {
+	t.Log("Should remove the @ from the github username if it's passed.")
+	c := setup(map[string]interface{}{
+		GHAppKeyFileFlag:  "key.pem",
+		GHAppIDFlag:       "1",
+		RepoWhitelistFlag: "*",
+	})
+	err := c.Execute()
+	Ok(t, err)
+
+	Equals(t, int64(1), passedConfig.GithubAppID)
+}
+
 func TestExecute_GitlabUser(t *testing.T) {
 	t.Log("Should remove the @ from the gitlab username if it's passed.")
 	c := setup(map[string]interface{}{

go.mod

@@ -9,8 +9,10 @@ require (
 	github.com/aokoli/goutils v1.0.1 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a // indirect
 	github.com/aws/aws-sdk-go v1.17.14 // indirect
+	github.com/bradleyfalzon/ghinstallation v1.1.1
 	github.com/briandowns/spinner v0.0.0-20170614154858-48dbb65d7bd5
 	github.com/davecgh/go-spew v1.1.1
+	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/docker/docker v0.0.0-20180620051407-e2593239d949
 	github.com/elazarl/go-bindata-assetfs v1.0.0
 	github.com/flynn-archive/go-shlex v0.0.0-20150515145356-3f9db97f8568

go.sum

@@ -30,6 +30,8 @@ github.com/aws/aws-sdk-go v1.17.14 h1:IjqZDIQoLyZ48A93BxVrZOaIGgZPRi4nXt6WQUMJpl
 github.com/aws/aws-sdk-go v1.17.14/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d h1:xDfNPAt8lFiC1UJrqV3uuy861HCTo708pDMbjHHdCas=
 github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d/go.mod h1:6QX/PXZ00z/TKoufEY6K/a0k6AhaJrQKdFe6OfVXsa4=
+github.com/bradleyfalzon/ghinstallation v1.1.1 h1:pmBXkxgM1WeF8QYvDLT5kuQiHMcmf+X015GI0KM/E3I=
+github.com/bradleyfalzon/ghinstallation v1.1.1/go.mod h1:vyCmHTciHx/uuyN82Zc3rXN3X2KTK8nUTCrTMwAhcug=
 github.com/briandowns/spinner v0.0.0-20170614154858-48dbb65d7bd5 h1:osZyZB7J4kE1tKLeaUjV6+uZVBfS835T0I/RxmwWw1w=
 github.com/briandowns/spinner v0.0.0-20170614154858-48dbb65d7bd5/go.mod h1:hw/JEQBIE+c/BLI4aKM8UU8v+ZqrD3h7HC27kKt8JQU=
 github.com/bsm/go-vlq v0.0.0-20150828105119-ec6e8d4f5f4e/go.mod h1:N+BjUcTjSxc2mtRGSCPsat1kze3CUtvJN3/jTXlp29k=
@@ -38,6 +40,8 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/docker/docker v0.0.0-20180620051407-e2593239d949 h1:La/qO5ApRpiO4c0wGWFs4YB/HdobJHArySoQZfXtaUQ=
 github.com/docker/docker v0.0.0-20180620051407-e2593239d949/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/elazarl/go-bindata-assetfs v1.0.0 h1:G/bYguwHIzWq9ZoyUQqrjTmJbbYn3j3CKKpKinvZLFk=
@@ -72,8 +76,9 @@ github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5a
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1 h1:Xye71clBPdm5HgqGwUkwhbynsUJZhDbS20FvLhQ2izg=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-github/v28 v28.0.0 h1:+UjHI4+1W/vsXR4jJBWt0ZA74XHbvt5yBAvsf1M3bgM=
-github.com/google/go-github/v28 v28.0.0/go.mod h1:+5GboIspo7F0NG2qsvfYh7en6F3EK37uyqv+c35AR3s=
+github.com/google/go-github/v29 v29.0.2 h1:opYN6Wc7DOz7Ku3Oh4l7prmkOMwEcQxpFtxdU8N8Pts=
+github.com/google/go-github/v29 v29.0.2/go.mod h1:CHKiKKPHJ0REzfwc14QMklvtHwCveD0PxlMjLlzAM5E=
+github.com/google/go-github/v31 v31.0.0 h1:JJUxlP9lFK+ziXKimTCprajMApV1ecWD4NB6CCb0plo=
 github.com/google/go-github/v31 v31.0.0/go.mod h1:NQPZol8/1sMoWYGN2yaALIBytu17gAWfhbweiEed3pM=
 github.com/google/go-querystring v1.0.0 h1:Xkwi/a1rcvNg1PPYe5vI8GbeBY/jrVuDX5ASuANWTrk=
 github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
@@ -295,7 +300,6 @@ golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3
 golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0 h1:Dh6fw+p6FyRl5x/FvNswO1ji0lIGzm3KP8Y9VkS9PTE=
 golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=

runatlantis.io/docs/access-credentials.md

@@ -7,7 +7,7 @@ that Atlantis will use to make API calls.
 ## Create an Atlantis user (optional)
 We recommend creating a new user named **@atlantis** (or something close) or using a dedicated CI user.
 
-This isn't required (you can use an existing user), however all the comments that Atlantis writes
+This isn't required (you can use an existing user or github app credentials), however all the comments that Atlantis writes
 will come from that user so it might be confusing if its coming from a personal account.
 
 ![Example Comment](./images/example-comment.png)
@@ -16,13 +16,14 @@ will come from that user so it might be confusing if its coming from a personal
 ## Generating an Access Token
 Once you've created a new user (or decided to use an existing one), you need to
 generate an access token. Read on for the instructions for your specific Git host:
-* [GitHub](#github)
+* [GitHub](#github-user)
+* [GitHub app](#github-app)
 * [GitLab](#gitlab)
 * [Bitbucket Cloud (bitbucket.org)](#bitbucket-cloud-bitbucket-org)
 * [Bitbucket Server (aka Stash)](#bitbucket-server-aka-stash)
 * [Azure DevOps](#azure-devops)
 
-### GitHub
+### GitHub user
 - Create a Personal Access Token by following: [https://help.github.com/articles/creating-a-personal-access-token-for-the-command-line/#creating-a-token](https://help.github.com/articles/creating-a-personal-access-token-for-the-command-line/#creating-a-token)
 - Create the token with **repo** scope
 - Record the access token
@@ -31,6 +32,19 @@ Your Atlantis user must also have "Write permissions" (for repos in an organizat
 ![Atlantis status](./images/status.png)
 :::
 
+### GitHub app
+- Start Atlantis with fake github username and token (`atlantis server --gh-user fake --gh-token fake --repo-whitelist 'github.com/your-org/*' --atlantis-url https://$ATLANTIS_HOST`)
+- Visit `https://$ATLANTIS_HOST/github-app/setup` and click on **Setup** to create the app on Github. You'll be redirected back to Atlantis
+- A link to install your app, along with its secrets, will be shown on the screen. Record your app's credentials and install your app for your user/org by following said link.
+- Create a file with the contents of the GitHub App Key, e.g. `atlantis-app-key.pem`
+- Restart Atlantis with new flags: `atlantis server --gh-app-id <your id> --gh-app-key-file atlantis-app-key.pem --gh-webhook-secret <your secret> --write-git-creds --repo-whitelist 'github.com/your-org/*' --atlantis-url https://$ATLANTIS_HOST`.
+
+  NOTE: You can also create a config file instead of using flags. See [Server Configuration](/docs/server-configuration.html#config-file).
+
+::: warning
+Only a single installation per Github App is supported at the moment.
+:::
+
 ### GitLab
 - Follow: [https://docs.gitlab.com/ce/user/profile/personal_access_tokens.html#creating-a-personal-access-token](https://docs.gitlab.com/ce/user/profile/personal_access_tokens.html#creating-a-personal-access-token)
 - Create a token with **api** scope

runatlantis.io/docs/configuring-webhooks.md

@@ -18,6 +18,8 @@ If only some of the repos in your organization are to be managed by Atlantis, th
 may want to only install on specific repos for now.
 :::
 
+When authenticating as a Github App, Webhooks are automatically created and need no additional setup, beyond being installed to your organization/user account after creation. Refer to the [Github App setup](access-credentials.html#github-app) section for instructions on how to do so.
+
 If you're installing on the organization, navigate to your organization's page and click **Settings**.
 If installing on a single repository, navigate to the repository home page and click **Settings**.
 - Select **Webhooks** or **Hooks** in the sidebar

runatlantis.io/docs/server-configuration.md

@@ -240,6 +240,40 @@ Values are chosen in this order:
   This means that an attacker could spoof calls to Atlantis and cause it to perform malicious actions.
   :::
 
+- ### `--gh-org`
+  ```bash
+  atlantis server --gh-org="myorgname"
+  ```
+  GitHub organization name. Set to enable creating a private Github app for this organization.
+
+- ### `--gh-app-id`
+  ```bash
+  atlantis server --gh-app-id="00000"
+  ```
+  GitHub app ID. If set, GitHub authentication will be performed as [an installation](https://developer.github.com/v3/apps/installations/).
+
+  ::: tip
+  A GitHub app can be created by starting Atlantis first, then pointing your browser at
+
+  ```
+  $(hostname)/github-app/setup
+  ```
+
+  You'll be redirected to GitHub to create a new app, and will then be redirected to
+
+  ```
+  $(hostname)/github-app/exchange-code?code=some-code
+  ```
+
+  After which Atlantis will display your new app's credentials: your app's ID, its generated `--gh-webhook-secret` and the contents of the file for `--gh-app-key-file`. Update your Atlantis config accordingly, and restart the server.
+  :::
+
+- ### `--gh-app-key-file`
+  ```bash
+  atlantis server --gh-app-key-file="path/to/app-key.pem"
+  ```
+  Path to a GitHub App PEM encoded private key file. If set, GitHub authentication will be performed as [an installation](https://developer.github.com/v3/apps/installations/).
+
 * ### `--gitlab-hostname`
   ```bash
   atlantis server --gitlab-hostname="my.gitlab.enterprise.com"

runatlantis.io/docs/webhook-secrets.md

@@ -16,6 +16,10 @@ security.
 Azure DevOps uses Basic authentication for webhooks rather than webhook secrets.
 :::
 
+::: tip NOTE
+An app-wide token is generated during [Github App setup](access-credentials.html#github-app). You can recover it by navigating to the [Github app settings page](https://github.com/settings/apps) and selecting "Edit" next to your Atlantis app's name. Token appears after clicking "Edit" under the Webhook header.
+:::
+
 ::: warning
 Bitbucket.org **does not** support webhook secrets.
 To mitigate, use repo whitelists and IP whitelists. See [Security](security.html#bitbucket-cloud-bitbucket-org) for more information.

server/events/command_runner.go

@@ -17,7 +17,7 @@ import (
 	"fmt"
 	"sync"
 
-	"github.com/google/go-github/v28/github"
+	"github.com/google/go-github/v31/github"
 	"github.com/mcdafydd/go-azuredevops/azuredevops"
 	"github.com/pkg/errors"
 	"github.com/remeh/sizedwaitgroup"
@@ -105,6 +105,7 @@ type DefaultCommandRunner struct {
 	WorkingDir        WorkingDir
 	DB                *db.BoltDB
 	Drainer           *Drainer
+	DeleteLockCommand DeleteLockCommand
 }
 
 // RunAutoplanCommand runs plan when a pull request is opened or updated.
@@ -247,6 +248,19 @@ func (c *DefaultCommandRunner) RunCommentCommand(baseRepo models.Repo, maybeHead
 		return
 	}
 
+	if cmd.Name == models.UnlockCommand {
+		vcsMessage := "All Atlantis locks for this PR have been unlocked and plans discarded"
+		err := c.DeleteLockCommand.DeleteLocksByPull(baseRepo.FullName, pullNum)
+		if err != nil {
+			vcsMessage = "Failed to delete PR locks"
+			log.Err("failed to delete locks by pull %s", err.Error())
+		}
+		if commentErr := c.VCSClient.CreateComment(baseRepo, pullNum, vcsMessage); commentErr != nil {
+			log.Err("unable to comment: %s", commentErr)
+		}
+		return
+	}
+
 	if cmd.CommandName() == models.ApplyCommand {
 		// Get the mergeable status before we set any build statuses of our own.
 		// We do this here because when we set a "Pending" status, if users have
@@ -302,6 +316,7 @@ func (c *DefaultCommandRunner) RunCommentCommand(baseRepo models.Repo, maybeHead
 		c.deletePlans(ctx)
 		result.PlansDeleted = true
 	}
+
 	c.updatePull(
 		ctx,
 		cmd,