Deployment Approvals
Atmos Pro leverages GitHub Environments and deployment protection rules to require manual approval before infrastructure changes are applied.
Atmos Pro integrates with GitHub Environments to give your team control over when infrastructure changes are applied. By configuring deployment protection rules on your GitHub environments, you can require manual approval from designated reviewers before any Terraform apply runs.
This is especially important for production environments where infrastructure changes can have significant impact. With deployment approvals, your team gets an explicit gate between a successful plan and the actual apply — ensuring that changes are reviewed and approved by the right people before anything is provisioned.
GitHub Enterprise Required
Custom deployment protection
rules
— including required reviewers, wait timers, and branch restrictions on environments — are only available for
repositories owned by GitHub Enterprise organizations. Public repositories on any plan can use environment protection
rules, but private repositories require GitHub Enterprise.
With Deployment Approvals, you can:
Require manual approval before applying infrastructure changes
Designate specific reviewers for each environment
Enforce different approval policies per environment (e.g., staging vs production)
Leverage GitHub's built-in audit trail for all approvals
Deployment approvals are powered entirely by GitHub's native environment protection rules. Atmos Pro dispatches workflows that target GitHub environments, and GitHub enforces the protection rules you've configured.
- 1A developer merges a pull request containing infrastructure changes.
- 2Atmos Pro detects the merge and dispatches the configured apply workflows.
- 3Each workflow targets a specific GitHub environment (e.g.,
production,staging). - 4If the environment has protection rules configured, GitHub pauses the workflow and notifies the designated reviewers.
- 5A reviewer approves (or rejects) the deployment directly in GitHub.
- 6Once approved, the workflow proceeds and Terraform apply runs.
- 7Atmos Pro tracks the workflow status and updates the PR comment accordingly.
Atmos Pro dispatches workflows and tracks their status — it does not implement its own approval mechanism. Approvals are handled entirely by GitHub, which means:
- You configure protection rules in your GitHub repository settings, not in Atmos Pro.
- Reviewers approve deployments through the GitHub UI, email notifications, or the GitHub mobile app.
- GitHub maintains a complete audit trail of who approved what and when.
- Your existing GitHub access controls and team structures apply.
This design keeps Atmos Pro focused on orchestration while leveraging GitHub's mature, well-understood approval infrastructure.
Deployment approvals are configured entirely through GitHub's native environment settings — there's nothing new to adopt. This keeps your audit surface small, works within your existing compliance tooling, and means your team manages approvals with the same GitHub UI they already know.
Environments/Configure plat-prod
Deployment protection rules
Configure reviewers, timers, and custom rules that must pass before deployments to this environment can proceed.
Required reviewers
Specify people or teams that may approve workflow runs when they access this environment.
Add up to 5 more reviewers
Search for people or teams...
acme/managers
Prevent self-review
Require a different approver than the user who triggered the workflow run.
Wait timer
Set an amount of time to wait before allowing deployments to proceed.
Enable custom rules with GitHub Apps Preview
Learn about existing apps or create your own protection rules so you can deploy with confidence.
Allow administrators to bypass configured protection rules
In your repository settings, navigate to Environments and create environments that match your deployment targets (e.g.,
production, staging, development). See Using environments for deployment in the GitHub docs for details.For each environment that requires approval, configure deployment protection rules:
- 1Enable Required reviewers and add the individuals or teams who should approve deployments.
- 2Optionally configure a wait timer to add a delay before the deployment can proceed even after approval.
- 3Optionally restrict which branches can deploy to the environment (e.g., only
maincan deploy toproduction).
In your GitHub Actions workflow file, reference the environment in the job that runs
terraform apply:jobs:
apply:
runs-on: ubuntu-latest
environment: ${{ inputs.github_environment }}
steps:
- uses: actions/checkout@v4
- name: Apply
run: atmos terraform apply ${{ inputs.component }} -s ${{ inputs.stack }}Notice that
environment uses ${{ inputs.github_environment }} rather than a hardcoded value. Atmos Pro passes the environment name through from your stack configuration when it dispatches the workflow, so the same workflow file works across all your environments. The environment is configured in your Atmos stack YAML — not in the workflow itself — which means you can dynamically target different GitHub environments based on the stack being deployed.When Atmos Pro dispatches this workflow, GitHub will automatically enforce the protection rules for the target environment before the job runs.
The most common pattern is to require approvals only for production while allowing staging to deploy automatically:
| Environment | Required Reviewers | Wait Timer | Branch Restriction |
|---|---|---|---|
development | None | None | Any branch |
staging | None | None | main only |
production | Platform team | 5 minutes | main only |
For critical infrastructure components, you can create separate environments with stricter approval requirements:
| Environment | Required Reviewers | Use Case |
|---|---|---|
production | Platform team (1 of 2) | Standard infrastructure |
production-data | DBA team (2 of 3) | Database and data store changes |
production-network | Network team (2 of 2) | VPC, DNS, and networking changes |
Ready to configure deployment approvals?
Set up GitHub environment protection rules to require approval before infrastructure changes are applied.