Erik Osterman
CEO & Founder of Cloud Posse
Erik Osterman
CEO & Founder of Cloud Posse
Erik is the founder of Cloud Posse and creator of Atmos. With over a decade of experience helping teams adopt Terraform at scale, he is passionate about open-source infrastructure tooling and developer experience.
GITHUB_TOKEN never trigger another CI run. That's a deliberate GitHub limitation. And if your branch protection requires status checks to pass — which any secure repository should — that missing run leaves the pull request unmergeable. Worse, most workarounds share the same flaw: they hinge on a static credential — a personal access token, or your own GitHub App whose private key and installation tokens you store and rotate as CI secrets. That's a long-lived secret sitting in your CI, waiting to leak.atmos pro commit does it natively, with no extra app to build. Your workflow stages its changes and runs the command, and the Atmos Pro App you already installed creates the commit server-side. Because the App authors the commit, GitHub signs it as a verified commit and your downstream CI runs on it — plan and apply pick up the generated changes automatically..github/. The command also detects when it's running on a commit it just made (atmos-pro[bot]) and exits, so you don't get loops.name: 👽 Atmos Pro Autocommit
on:
pull_request:
permissions:
id-token: write
contents: read
jobs:
autocommit:
if: github.actor != 'atmos-pro[bot]'
runs-on: ubuntu-latest
container:
image: ghcr.io/cloudposse/atmos:${{ vars.ATMOS_VERSION }}
steps:
- uses: actions/checkout@v6
with:
ref: ${{ github.event.pull_request.head.ref }}
- name: Format
run: terraform fmt -recursive
- name: Commit
env:
ATMOS_PRO_WORKSPACE_ID: ${{ vars.ATMOS_PRO_WORKSPACE_ID }}
run: atmos pro commit --all -m "[autocommit] terraform fmt"