GitHub Environments

Configure GitHub Environment protection rules to require manual approval before Atmos Pro applies infrastructure changes.

Deployment approvals are configured entirely through GitHub's native environment settings — there's nothing new to adopt. This keeps your audit surface small, works within your existing compliance tooling, and means your team manages approvals with the same GitHub UI they already know.

How deployment approvals work

Plan Requirements

Custom deployment protection rules require GitHub Enterprise for private or internal repositories. Required reviewers and wait timers are available in public repositories across plans; branch/tag deployment restrictions are also available for private repositories on GitHub Pro/Team/Enterprise.

Environments/Configure plat-prod

Deployment protection rules

Configure reviewers, timers, and custom rules that must pass before deployments to this environment can proceed.

Required reviewers

Specify people or teams that may approve workflow runs when they access this environment.

Add up to 5 more reviewers

Search for people or teams...

acme/managers

Prevent self-review

Require a different approver than the user who triggered the workflow run.

Wait timer

Set an amount of time to wait before allowing deployments to proceed.

Enable custom rules with GitHub Apps Preview

Learn about existing apps or create your own protection rules so you can deploy with confidence.

Allow administrators to bypass configured protection rules

In your repository settings, navigate to Environments and create environments that match your deployment targets (e.g., production, staging, development). See Using environments for deployment in the GitHub docs for details.

For each environment that requires approval, configure deployment protection rules:

1
Enable Required reviewers and add the individuals or teams who should approve deployments.
2
Optionally configure a wait timer to add a delay before the deployment can proceed even after approval.
3
Optionally restrict which branches can deploy to the environment (e.g., only main can deploy to production).

In your GitHub Actions workflow file, reference the environment in the job that runs terraform apply:

jobs:
  apply:
    runs-on: ubuntu-latest
    environment: ${{ inputs.github_environment }}
    steps:
      - uses: actions/checkout@v4
      - name: Apply
        env:
          COMPONENT: ${{ inputs.component }}
          STACK: ${{ inputs.stack }}
        run: atmos terraform apply "${COMPONENT}" -s "${STACK}"

Notice that environment uses ${{ inputs.github_environment }} rather than a hardcoded value. Atmos Pro passes the environment name through from your stack configuration when it dispatches the workflow, so the same workflow file works across all your environments. The environment is configured in your Atmos stack YAML — not in the workflow itself — which means you can dynamically target different GitHub environments based on the stack being deployed.

When Atmos Pro dispatches this workflow, GitHub will automatically enforce the protection rules for the target environment before the job runs.

Configure workflows Configure Atmos stacks

The most common pattern is to require approvals only for production while allowing staging to deploy automatically:

Environment	Required Reviewers	Wait Timer	Branch Restriction
`development`	None	None	Any branch
`staging`	None	None	`main` only
`production`	Platform team	5 minutes	`main` only

For critical infrastructure components, you can create separate environments with stricter approval requirements:

Environment	Required Reviewers	Use Case
`production`	Platform team (1 of 2)	Standard infrastructure
`production-data`	DBA team (2 of 3)	Database and data store changes
`production-network`	Network team (2 of 2)	VPC, DNS, and networking changes

We recommend defining GitHub Environments along permissions boundaries — typically by stage (e.g., dev, staging, production). Avoid creating an environment per component or per stack, as this leads to an explosion of environments in the GitHub UI. Atmos Pro handles fine-grained orchestration; GitHub Environments are best used for coarse-grained approval gates.

Ready to configure deployment approvals?

Set up GitHub environment protection rules to require approval before infrastructure changes are applied.

GitHub Environment Docs Learn About Approvals

GitHub Workflows Deployment Locking

GitHub Environments

Configure GitHub Environment protection rules to require manual approval before Atmos Pro applies infrastructure changes.

How deployment approvals work

Plan Requirements

Environments/Configure plat-prod

Deployment protection rules

Configure reviewers, timers, and custom rules that must pass before deployments to this environment can proceed.

Required reviewers

Specify people or teams that may approve workflow runs when they access this environment.

Add up to 5 more reviewers

Search for people or teams...

acme/managers

Prevent self-review

Require a different approver than the user who triggered the workflow run.

Wait timer

Set an amount of time to wait before allowing deployments to proceed.

Enable custom rules with GitHub Apps Preview

Learn about existing apps or create your own protection rules so you can deploy with confidence.

Allow administrators to bypass configured protection rules

For each environment that requires approval, configure deployment protection rules:

1
Enable Required reviewers and add the individuals or teams who should approve deployments.
2
Optionally configure a wait timer to add a delay before the deployment can proceed even after approval.
3
Optionally restrict which branches can deploy to the environment (e.g., only main can deploy to production).

In your GitHub Actions workflow file, reference the environment in the job that runs terraform apply:

jobs:
  apply:
    runs-on: ubuntu-latest
    environment: ${{ inputs.github_environment }}
    steps:
      - uses: actions/checkout@v4
      - name: Apply
        env:
          COMPONENT: ${{ inputs.component }}
          STACK: ${{ inputs.stack }}
        run: atmos terraform apply "${COMPONENT}" -s "${STACK}"

When Atmos Pro dispatches this workflow, GitHub will automatically enforce the protection rules for the target environment before the job runs.

Configure workflows Configure Atmos stacks

The most common pattern is to require approvals only for production while allowing staging to deploy automatically:

Environment	Required Reviewers	Wait Timer	Branch Restriction
`development`	None	None	Any branch
`staging`	None	None	`main` only
`production`	Platform team	5 minutes	`main` only

For critical infrastructure components, you can create separate environments with stricter approval requirements:

Environment	Required Reviewers	Use Case
`production`	Platform team (1 of 2)	Standard infrastructure
`production-data`	DBA team (2 of 3)	Database and data store changes
`production-network`	Network team (2 of 2)	VPC, DNS, and networking changes

Ready to configure deployment approvals?

Set up GitHub environment protection rules to require approval before infrastructure changes are applied.

GitHub Environment Docs Learn About Approvals

GitHub Workflows Deployment Locking

Atmos Pro

GitHub Environments

Deployment protection rules

Create a GitHub Environment

Add Protection Rules

Reference the Environment in Your Workflow

Environment Strategies

Per-Stage Approvals

Per-Component Approvals

Ready to configure deployment approvals?

Atmos Pro

GitHub Environments

Deployment protection rules

Create a GitHub Environment

Add Protection Rules

Reference the Environment in Your Workflow

Environment Strategies

Per-Stage Approvals

Per-Component Approvals

Ready to configure deployment approvals?