Multi VCS trunk

docs/concepts/blueprint/README.md

@@ -14,6 +14,7 @@ You can configure the following resources in a Blueprint:
     - Name, description, labels, [Space](../spaces/README.md)
     - Behavioral settings: administrative, auto-apply, auto-destroy, hooks, runner image etc.
 - [VCS configuration](../../integrations/source-control/README.md)
+    - Both default and Space-level VCS integrations
 - Vendor configuration for your IaaC provider
 - [Environment variables](../configuration/environment.md#environment-variables), both non-sensitive and sensitive
 - [Mounted files](../configuration/environment.md#mounted-files)
@@ -217,6 +218,7 @@ stack:
     # Note that this is just the name of the repository, not the full URL
     repository: my-repository
     provider: GITHUB # Possible values: GITHUB, GITLAB, BITBUCKET_DATACENTER, BITBUCKET_CLOUD, GITHUB_ENTERPRISE, AZURE_DEVOPS
+    id: "github-for-my-org" # Optional, only needed if you want to use a Space-level VCS integration. Use the "Copy ID" button to get the ID.
   vendor:
     terraform:
       manage_state: ${{ inputs.manage_state }}
@@ -830,6 +832,10 @@ For simplicity, here is the current schema, but it might change in the future:
                                         "AZURE_DEVOPS"
                                     ]
                                 },
+                                "id": {
+                                    "type": "string",
+                                    "description": "The id of the VCS provider."
+                                },
                                 "namespace": {
                                     "type": "string"
                                 },
@@ -1250,7 +1256,8 @@ For simplicity, here is the current schema, but it might change in the future:
                     "type": "string",
                     "enum": [
                         "TERRAFORM_FOSS",
-                        "CUSTOM"
+                        "CUSTOM",
+                        "OPEN_TOFU"
                     ]
                 }
             }

docs/concepts/policy/push-policy/README.md

@@ -348,7 +348,7 @@ As input, Git push policy receives the following document:
     "mergeable": "boolean - indicates whether the PR can be merged",
     "title": "string",
     "undiverged": "boolean - indicates whether the PR is up to date with the target branch"
-  }
+  },
   "push": {
     // For Git push events, this contains the pushed commit.
     // For Pull Request events,
@@ -384,6 +384,21 @@ As input, Git push policy receives the following document:
     "worker_pool": {
       "public": "boolean - indicates whether the worker pool is public or not"
     }
+  },
+  "vcs_integration": {
+    "id": "string - ID of the VCS integration",
+    "name": "string - name of the VCS integration",
+    "provider": "string - possible values are AZURE_DEVOPS, BITBUCKET_CLOUD, BITBUCKET_DATACENTER, GIT, GITHUB, GITHUB_ENTERPRISE, GITLAB",
+    "description": "string - description of the VCS integration",
+    "is_default": "boolean - indicates whether the VCS integration is the default one or Space-level",
+    "space": {
+      "id": "string",
+      "labels": ["string"],
+      "name": "string"
+    },
+    "labels": ["string - list of arbitrary, user-defined selectors"],
+    "updated_at": "number (timestamp in nanoseconds)",
+    "created_at": "number (timestamp in nanoseconds)"
   }
 }
 ```
@@ -415,7 +430,7 @@ When triggered by a _new module version_, this is the schema of the data input t
       "name": "string - name of the worker pool, if it is private",
       "public": "boolean - is the worker pool public"
     }
-  }
+  },
   "pull_request": {
     "action": "string - opened, reopened, closed, merged, edited, labeled, synchronize, unlabeled",
     "action_initiator": "string",
@@ -429,6 +444,21 @@ When triggered by a _new module version_, this is the schema of the data input t
       "message": "string",
       "tag": "string"
     }
+  },
+  "vcs_integration": {
+    "id": "bitbucket-for-payments-team",
+    "name": "Bitbucket for Payments Team",
+    "provider": "BITBUCKET_CLOUD",
+    "description": "### Payments Team BB integration\n\nThis integration should be **only** used by the Payments Integrations team. If you need access, drop [Joe](https://mycorp.slack.com/users/432JOE435) a message on Slack.",
+    "is_default": false,
+    "labels": ["bitbucketcloud", "paymentsorg"],
+    "space": {
+      "id": "paymentsteamspace-01HN0BF3GMYZQ4NYVNQ1RKQ9M7",
+      "labels": [],
+      "name": "PaymentsTeamSpace"
+    },
+    "created_at": 1706187931079960000,
+    "updated_at": 1706274820310231000
   }
 }
 ```

docs/concepts/stack/creating-a-stack.md

@@ -37,7 +37,9 @@ Also, this is the opportunity to set a few [labels](stack-settings.md#labels). L
 
 ![](<../../assets/screenshots/Create_Stack_VCS.png>)
 
-In this step, you will need to tell Spacelift where to look for the Terraform code for the stack - a combination of Git repository and one of its existing branches. The branch that you specify set here is what we called a _tracked_ branch. By default, anything that you push to this branch will be considered for deployment. Anything you push to a different branch will be tested for changes against the current state.
+In this step, you will need to tell Spacelift where to look for the IaC code for the stack - if you have multiple integrations per VCS type, then you'll need to choose the one which includes your repository. Please note that only those VCS integrations will appear which the stack Space (set in the previous step) has access to. For example, if the stack Space is `ParentSpace` and the VCS integration Space is `ChildSpace` with inheritance enabled, it will appear. Integrations marked as default will always appear here, regardless of the stack Space. Take a look at the [source control](../../integrations/source-control/README.md) docs for more details.
+
+The branch that you specify set here is what we called a _tracked_ branch. By default, anything that you push to this branch will be considered for deployment. Anything you push to a different branch will be tested for changes against the current state.
 
  The project root configuration is where inside the repository Spacelift should look for the infra project source code (e.g. create a stack for a specific folder in the repository).
 

docs/concepts/stack/stack-settings.md

@@ -20,13 +20,13 @@ If this sounds interesting and you want to give it a try, please refer to the [h
 
 ### Autodeploy
 
-Indicates whether changes to the stack can be [applied](../run/README.md#applying) automatically. When autodeploy is set to _true_, any change to the [tracked branch](#repository-and-branch) will automatically be [applied](../run/README.md#applying) if the [planning](../run/README.md#planning) phase was successful and there are no plan policy warnings.
+Indicates whether changes to the stack can be [applied](../run/tracked.md#applying) automatically. When autodeploy is set to _true_, any change to the tracked branch will automatically be [applied](../run/tracked.md#applying) if the [planning](../run/proposed.md#planning) phase was successful and there are no plan policy warnings.
 
 Consider setting it to _true_ if you always do a code review before merging to the tracked branch, and/or want to rely on [plan policies](../policy/terraform-plan-policy.md) to automatically flag potential problems. If each candidate change goes through a meaningful human code review with stack [writers](../policy/stack-access-policy.md#readers-and-writers) as reviewers, having a separate step to confirm deployment may be overkill. You may also want to refer to a [dedicated section](../policy/terraform-plan-policy.md#automated-code-review) on using plan policies for automated code review.
 
 ### Autoretry
 
-Indicates whether obsolete proposed changes will be retried automatically. When autoretry is set to _true_ and a change gets applied, all Pull Requests to the [tracked branch](#repository-and-branch) conflicting with that change will be reevaluated based on the changed state.
+Indicates whether obsolete proposed changes will be retried automatically. When autoretry is set to _true_ and a change gets applied, all Pull Requests to the [tracked branch](#vcs-integration-and-repository) conflicting with that change will be reevaluated based on the changed state.
 
 This saves you from manually retrying runs on Pull Requests when the state changes. This way it also gives you more confidence, that the proposed changes will actually be the actual changes you get after merging the Pull Request.
 
@@ -143,7 +143,7 @@ echo "::command arg1 arg2"
 Below is a list of supported commands. See the more detailed doc after this table.
 
 | Command                   | Description                                              |
-|---------------------------|----------------------------------------------------------|
+| ------------------------- | -------------------------------------------------------- |
 | [`::add-mask`](#add-mask) | Adds a set of values that should be masked in log output |
 
 #### ::add-mask
@@ -231,7 +231,11 @@ Example matches:
 
 As you can see in the example matches, these are the regex rules that you are already accustomed to.
 
-### Repository and branch
+### VCS integration and repository
+
+![](<../../assets/screenshots/stack_settings_vcs_page.png>)
+
+We have two types of integrations types: default and Space-level. Default integrations will be always available for all stacks, however Space-level integrations will be available only for stacks that are in the same Space as the integration or have access to it [via inheritance](../spaces/access-control.md#inheritance). Read more about VCS integrations in the [source control](../../integrations/source-control/README.md) page.
 
 _Repository_ and _branch_ point to the location of the source code for a stack. The repository must either belong to the GitHub account linked to Spacelift  (its choice may further be limited by the way the Spacelift GitHub app has been installed) or to the GitLab server integrated with your Spacelift account. For more information about these integrations, please refer to our [GitHub](../../integrations/source-control/github.md) and [GitLab](../../integrations/source-control/gitlab.md) documentation respectively.
 

docs/integrations/api.md

@@ -113,7 +113,7 @@ Choose API Keys menu and click on Add new API key
 
 The API key creation form will allow you to specify an arbitrary key name, along with the _Admin_ setting and the list of _teams_. If the key is given admin privileges, it has full access to the Spacelift API and won't be subject to [access policies](../concepts/policy/stack-access-policy.md).
 
-For non-administrative keys, you may want to add a **virtual** list of teams that the key should "belong to" so that existing access policies based on [GitHub teams](source-control/github.md#team-based-access) or [SAML assertions](single-sign-on/README.md#setting-up-the-integration) can work with your API keys just as they do with regular users.
+For non-administrative keys, you may want to add a **virtual** list of teams that the key should "belong to" so that existing access policies based on [GitHub teams](source-control/github.md#access-controls) or [SAML assertions](single-sign-on/README.md) can work with your API keys just as they do with regular users.
 
 Without further ado, let's create a non-administrative API key with virtual membership in two teams: _Developers_ and _DevOps:_