Cross-repo private sources, without the credential sprawl
Pulling a private Terraform module or vendoring a component from another repo in CI used to mean managing a Personal Access Token or standing up a second GitHub App, then threading it through GITHUB_TOKEN. That's long-lived credentials to rotate, over-broad scope, and one more secret to leak.

Atmos Pro is already installed on those repos and already holds the GitHub App credentials — so now it can hand your CI exactly the access it needs, exactly when it needs it. Your workflow exchanges its GitHub Actions OIDC identity for a short-lived, read-only token scoped only to the source repos that have opted in. No PAT, no second App, nothing to rotate.
What changes for you
Add an Atmos Pro auth provider and a github/sts integration to your atmos.yaml — the same shape as the AWS provider's aws/ecr and aws/eks integrations:

```yaml
auth:
  providers:
    atmos-pro:
      kind: atmos/pro # authenticate the CLI to Atmos Pro via GitHub Actions OIDC
  identities:
    atmos-pro:
      kind: atmos/pro
      via:
        provider: atmos-pro
  integrations:
    github-sts:
      kind: github/sts # mint read-only git credentials for private sources
      via:
        identity: atmos-pro
      spec:
        repos:
          - acme/terraform-modules
```

Give the workflow permissions: id-token: write, and atmos vendor pull, source:-provisioned components, and terraform init of a private git::https://github.com/... module all resolve — no .tf changes, no PAT, no second GitHub App. The token is injected as a git credential for the run and revoked when it finishes.

The token is read-only by default, capped at GitHub's ~1-hour lifetime, and can only ever reach source repos that have opted in — never another organization's code, and never a repo that hasn't granted access.
Access is deny-by-default: a source repo becomes readable only by committing a trust policy at .atmos/pro/sts/default.yaml that names which workflows may mint a token for it. No policy → not mintable, not even read access:

```yaml
# yaml-language-server: $schema=https://atmos-pro.com/schemas/v1alpha1/trust-policy.json
# .atmos/pro/sts/default.yaml — committed in the module/source repo
apiVersion: atmos-pro.com/v1alpha1
kind: TrustPolicy
metadata:
  name: default
spec:
  rules:
    - match:
        repository_owner: "acme" # only acme/* workflows may read this repo
      permissions:
        contents: read
```

The file is default.yaml unless a caller asks for a different policy by name — handy when one repo wants different rules for different consumers. Each rule's match takes a glob by default (repository_owner: "acme", ref: "refs/heads/*"); reach for { regex: … } only when a glob can't express the intent. The # yaml-language-server line gives you autocomplete and validation in-editor.

Want it effortless? Commit a match-all rule (match: { subject: "*" }) — one file opts every workflow in your workspace into read-only access, and it's still explicit and reviewable.

This is why it's safe: consent lives in the source repo, owner-granted and never consumer-requested. And because the policy is a file in the source repo, you gate it like any other protected change — a CODEOWNERS rule on /.atmos/pro/sts/ makes your org/security admins approve every change to who may mint a token. Every mint is recorded in the audit log with the verified run identity (repository, ref, actor, and the repos it was scoped to); the token value itself is never logged.

Cross-repo private module access is available on plans that include Atmos Pro STS. See the docs to enable it for your workspace.
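As an added illustration, and not Atmos Pro's own code, the Python below models the two rules the post describes: a trust policy committed in the source repo is evaluated against the verified OIDC claims of the calling workflow (glob by default, `{ regex: … }` on request, a missing policy or a missing claim never grants anything), and the mint step keeps only the requested source repos whose policy actually matches. The policy mappings (the post's acme policy, a stricter release-only policy and the match-all rule), the OIDC claims, and the mapping of the policy's `subject` key onto the token's `sub` claim are all constructed assumptions for the example.

```python
"""Illustrative model of deny-by-default trust-policy evaluation (added example).

Not Atmos Pro's implementation: it mirrors the documented semantics (policy lives
in the source repo, deny by default, glob matching unless {regex: ...} is used,
a match-all rule opts every workflow in) against constructed OIDC claims.
"""
import fnmatch
import re

# Constructed: the post's trust policy, as the mapping a YAML loader would return.
ACME_POLICY = {"apiVersion": "atmos-pro.com/v1alpha1", "kind": "TrustPolicy",
               "metadata": {"name": "default"},
               "spec": {"rules": [{"match": {"repository_owner": "acme"},  # glob
                                   "permissions": {"contents": "read"}}]}}

# Constructed: a stricter policy combining a glob with an explicit regex matcher.
RELEASE_ONLY_POLICY = {"apiVersion": "atmos-pro.com/v1alpha1", "kind": "TrustPolicy",
                       "metadata": {"name": "release"},
                       "spec": {"rules": [{"match": {"repository": "acme/platform-*",
                                                     "ref": {"regex": r"^refs/tags/v\d+\.\d+\.\d+$"}},
                                           "permissions": {"contents": "read"}}]}}

# Constructed: the match-all rule from the post; opts every caller into read access.
MATCH_ALL_POLICY = {"apiVersion": "atmos-pro.com/v1alpha1", "kind": "TrustPolicy",
                    "metadata": {"name": "default"},
                    "spec": {"rules": [{"match": {"subject": "*"},
                                        "permissions": {"contents": "read"}}]}}

# Constructed claims of the kind a verified GitHub Actions OIDC token carries.
CI_CLAIMS = {
    "sub": "repo:acme/app:ref:refs/heads/main",
    "repository": "acme/app",
    "repository_owner": "acme",
    "ref": "refs/heads/main",
    "actor": "octocat",
}

# Assumption for this example: the policy's `subject` key names the OIDC `sub` claim.
CLAIM_ALIASES = {"subject": "sub"}


def _value_matches(matcher, value):
    """Glob by default; a {'regex': ...} mapping opts into a full-match regex."""
    if isinstance(matcher, dict):
        return re.fullmatch(matcher["regex"], value) is not None
    return fnmatch.fnmatchcase(value, str(matcher))


def _rule_matches(rule, claims):
    """Every key the rule names must be present in the verified claims and
    satisfy its matcher; an absent claim never matches, so nothing is granted
    by accident when a claim is missing."""
    for key, matcher in rule["match"].items():
        claim = CLAIM_ALIASES.get(key, key)
        if claim not in claims or not _value_matches(matcher, claims[claim]):
            return False
    return True


def evaluate(policy, claims):
    """Return the permissions of the first matching rule, or None to deny.
    No committed policy (policy is None) means the repo is not mintable."""
    if policy is None:
        return None
    for rule in policy["spec"]["rules"]:
        if _rule_matches(rule, claims):
            return dict(rule["permissions"])
    return None


def scope_token(requested_repos, policies, claims):
    """Model of the mint step: each requested source repo is checked against
    its own policy; repos with no policy or no matching rule are dropped, so
    the token never reaches a repo that has not opted in."""
    granted = {}
    for repo in requested_repos:
        perms = evaluate(policies.get(repo), claims)
        if perms:
            granted[repo] = perms
    return granted


if __name__ == "__main__":
    policies = {"acme/terraform-modules": ACME_POLICY}  # acme/secrets has no policy
    print(scope_token(["acme/terraform-modules", "acme/secrets"], policies, CI_CLAIMS))
```

The deny path is the point worth keeping in mind when writing a policy: a rule grants only when every key it names matches, so adding a `ref` matcher to a rule narrows it rather than widening it, and a repo that has not committed a policy at all is simply absent from the scoped token rather than producing an error the caller could work around.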
