Commit From CI
Use `atmos pro commit` to push generated files back to your branch from a workflow with a GitHub-verified Atmos Pro App commit that re-triggers CI.
CI jobs that auto-format code or regenerate files — `terraform fmt`, `gofumpt`, `prettier`, generated providers and backends — need to commit those changes back to the branch. Commits made with the workflow's `GITHUB_TOKEN` do not trigger another CI run; this is a deliberate GitHub limitation to prevent infinite loops. That missing run is more than an inconvenience: if your branch protection requires status checks to pass — which any secure repository should — the generated commit never gets those checks, and the pull request can't be merged. `atmos pro commit` sidesteps this by creating the commit server-side through the Atmos Pro GitHub App, so the commit is GitHub-verified and your plan and apply workflows run on the generated changes automatically.

Your workflow stages the files it changed and runs `atmos pro commit`. The command authenticates to Atmos Pro with the workflow's OIDC token and uploads the staged file contents; Atmos Pro then creates the commit on the branch using GitHub's `createCommitOnBranch` API under the Atmos Pro App identity.

The workflow never receives a write token — it only uploads file contents, and Atmos Pro decides what to commit. A malicious pull request therefore can't obtain write access or modify workflow definitions, because the server rejects any path under `.github/`. Atmos Pro also re-reads the new commit and fails the command if GitHub does not report it as verified.

Before using the command, make sure that:

- The repository is connected to your workspace and the Atmos Pro GitHub App is installed.
- The CI role used by your workflows holds the `ws:commits:create` permission. See Repository Permissions.
- Your workflows already authenticate to Atmos Pro over OIDC. See Cloud Authentication and GitHub Workflows.
Run a fixer, stage its output, and commit. The `if: github.actor != 'atmos-pro[bot]'` guard prevents the commit from re-triggering this same job.

```yaml
name: 👽 Atmos Pro Autocommit

on:
  pull_request:

permissions:
  id-token: write
  contents: read

jobs:
  autocommit:
    if: github.actor != 'atmos-pro[bot]'
    runs-on:
      - "ubuntu-latest"
    container:
      image: ghcr.io/cloudposse/atmos:${{ vars.ATMOS_VERSION }}
    defaults:
      run:
        shell: bash
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          ref: ${{ github.event.pull_request.head.ref }}
      - name: Format
        run: terraform fmt -recursive
      - name: Commit
        env:
          ATMOS_PRO_WORKSPACE_ID: ${{ vars.ATMOS_PRO_WORKSPACE_ID }}
        run: atmos pro commit --all -m "[autocommit] terraform fmt"
```

Choose how files are staged:
```shell
# Commit whatever is already staged
atmos pro commit -m "terraform fmt"

# Stage every change first (git add -A)
atmos pro commit -m "terraform fmt" --all

# Stage only files matching a pattern
atmos pro commit -m "terraform fmt" --add "*.tf"

# Post a comment on the pull request alongside the commit
atmos pro commit -m "terraform fmt" --comment "Auto-formatted Terraform files"
```

| Flag | Alias | Required | Description |
|---|---|---|---|
| `--message` | `-m` | Yes | Commit message (max 500 characters). |
| `--comment` | — | No | Comment to post on the pull request (max 2000 characters). |
| `--add` | — | No | Glob to stage before committing. Mutually exclusive with `--all`. |
| `--all` | `-A` | No | Stage all changes (`git add -A`). Mutually exclusive with `--add`. |
| Variable | Description |
|---|---|
| `ATMOS_PRO_WORKSPACE_ID` | Workspace the commit belongs to. Set it as a GitHub Actions variable. |
| `ATMOS_PROFILE` | Atmos auth profile to use in CI (e.g. `github`). See Authentication. |
| `ACTIONS_ID_TOKEN_REQUEST_URL` | Set automatically by GitHub Actions when `id-token: write` is granted. |
| `ACTIONS_ID_TOKEN_REQUEST_TOKEN` | Set automatically by GitHub Actions when `id-token: write` is granted. |
| `GITHUB_HEAD_REF` | The pull request branch. Set automatically by GitHub Actions on `pull_request` events. |
`ATMOS_PRO_BASE_URL` defaults to the Atmos Pro SaaS API and only needs to be set for self-hosted installations. Configure it in `atmos.yaml` rather than per workflow.

Atmos Pro validates every request server-side and rejects anything outside these bounds:

- Up to 200 total file changes (additions plus deletions) per commit.
- Each added file is at most 2 MiB.
- No paths under `.github/`, no path traversal (`..`), and no absolute paths.
- On `pull_request` events, the target branch must match the pull request's head branch.
- The created commit must be reported as verified by GitHub, or the command fails.
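As an added example (not Atmos Pro code or part of this page), the following pre-flight check applies the same bounds to the staged index inside the autocommit job, so the job fails with a specific reason before any upload is attempted. The function names `check_path`, `check_changes` and `staged_changes` are hypothetical; the limit values are the ones documented above.

```shell
#!/bin/sh
# Pre-flight check for an autocommit job. Added example, not Atmos Pro code:
# it re-applies the documented server-side bounds (200 changes, 2 MiB per added
# file, no .github/, no "..", no absolute paths) to the staged index so the
# job fails with a clear reason instead of a rejected upload.
MAX_CHANGES=200
MAX_BYTES=$((2 * 1024 * 1024))
TAB=$(printf '\t')

# check_path PATH: prints a reason and returns 1 if the path would be rejected.
check_path() {
  case "$1" in
    /*)                   echo "absolute path: $1"; return 1 ;;
    .github|.github/*)    echo "path under .github/: $1"; return 1 ;;
    ..|../*|*/..|*/../*)  echo "path traversal: $1"; return 1 ;;
  esac
  return 0
}

# check_changes: reads "STATUS<TAB>PATH<TAB>SIZE" lines on stdin and returns 1
# (listing every violation) if any bound is exceeded. Deleted files (D) have no
# blob to upload, so only the path rules apply to them.
check_changes() {
  n=0; rc=0
  while IFS="$TAB" read -r status path size; do
    [ -n "$path" ] || continue
    n=$((n + 1))
    reason=$(check_path "$path") || { echo "$reason"; rc=1; }
    if [ "$status" != "D" ] && [ "${size:-0}" -gt "$MAX_BYTES" ]; then
      echo "file larger than 2 MiB: $path ($size bytes)"; rc=1
    fi
  done
  [ "$n" -le "$MAX_CHANGES" ] || { echo "too many changes: $n > $MAX_CHANGES"; rc=1; }
  return $rc
}

# staged_changes: emits the staged index in the format check_changes expects.
# --no-renames makes a rename count as one deletion plus one addition.
staged_changes() {
  git diff --cached --name-status --no-renames | while IFS="$TAB" read -r status path; do
    size=0
    [ "$status" = "D" ] || size=$(git cat-file -s ":$path")
    printf '%s\t%s\t%s\n' "$status" "$path" "$size"
  done
}
```

In the workflow, run `staged_changes | check_changes` between `git add` and `atmos pro commit`; the server-side validation remains authoritative, this only surfaces the rejection reason earlier.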
When the Atmos Pro App pushes a commit, the resulting CI run sees `atmos-pro[bot]` as the actor. Guard your autocommit job with `if: github.actor != 'atmos-pro[bot]'` so it skips that run instead of committing again.

Every commit is written to the Audit Log as `commit.created`, and failed attempts as `commit.failed`, with the repository, branch, and file count. The Deployments table shows a verification indicator next to the dispatch ref when Atmos Pro has commit metadata for the run.