diff --git a/.github/workflows/wg-onboard.yml b/.github/workflows/wg-onboard.yml
new file mode 100644
index 00000000..79215fd3
--- /dev/null
+++ b/.github/workflows/wg-onboard.yml
@@ -0,0 +1,134 @@
+name: WireGuard onboard environment
+
+# Self-service WireGuard onboarding for a new environment.
+# Allocates free WireGuard peers from the jumpserver and publishes them as
+# GitHub *environment* secrets (TF_WG_CONFIG, CLUSTER_WIREGUARD_WG0/WG1) so a
+# QA/dev team can run the Terraform + Helmsman workflows without DevOps.
+ #
+ # Requires .github/scripts/wg-onboard.sh (mosip/infra PR #253).
+
+ on:
+ workflow_dispatch:
+ inputs:
+ ENV_NAME:
+ description: 'Environment / branch name to onboard (becomes the GitHub environment name)'
+ required: true
+ type: string
+ JUMPSERVER_HOST:
+ description: 'Jumpserver / WireGuard VM public IP or DNS (SSH reachable)'
+ required: true
+ type: string
+ TICKET:
+ description: 'Optional ticket id to record in assigned.txt (e.g. DSD-10264)'
+ required: false
+ type: string
+ WG_DIR:
+ description: 'WireGuard env dir on the VM'
+ required: false
+ type: string
+ default: /home/ubuntu/wireguard_env_2026
+ ALLOWED_IPS:
+ description: 'AllowedIPs to set in each conf'
+ required: false
+ type: string
+ default: 172.31.0.0/16
+ DRY_RUN:
+ description: 'Resolve and print actions without creating env/secrets'
+ required: false
+ type: boolean
+ default: true
+
+ permissions:
+ contents: read
+
+ concurrency:
+ group: wg-onboard-${{ inputs.ENV_NAME }}
+ cancel-in-progress: false
+
+ jobs:
+ onboard:
+ runs-on: self-hosted
+ timeout-minutes: 20
+ steps:
+ - name: Validate required secrets
+ run: |
+ missing=()
+ [[ -z "${{ secrets.ACTION_PAT }}" ]] && missing+=(ACTION_PAT)
+ [[ -z "${{ secrets.MOSIP_AWS_PEM }}" ]] && missing+=(MOSIP_AWS_PEM)
+ if ((${#missing[@]})); then
+ echo "ERROR: Missing repository secrets: ${missing[*]}"
+ echo "Add them under Settings → Secrets and variables → Actions for ${GITHUB_REPOSITORY}"
+ exit 1
+ fi
+
+ - name: Checkout repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
+
+ - name: Write SSH private key
+ env:
+ SSH_KEY: ${{ secrets.MOSIP_AWS_PEM }}
+ SSH_KEY_NAME: MOSIP_AWS_PEM
+ run: |
+ SSH_KEY_PATH="${RUNNER_TEMP}/jumpserver_key"
+ printf '%s\n' "$SSH_KEY" | tr -d '\r' > "$SSH_KEY_PATH"
+ chmod 600 "$SSH_KEY_PATH"
+ if ! ssh-keygen -l -f "$SSH_KEY_PATH" >/dev/null 2>&1; then
+ echo "ERROR: secret '$SSH_KEY_NAME' is not a valid private key (check format/newlines/CRLF)"
+ exit 1
+ fi
+ echo "SSH_KEY_PATH=$SSH_KEY_PATH" >> "$GITHUB_ENV"
+
+ - name: Run WireGuard onboarding
+ env:
+ GH_TOKEN: ${{ secrets.ACTION_PAT }}
+ GITHUB_TOKEN: ${{ secrets.ACTION_PAT }}
+ INPUT_ENV_NAME: ${{ inputs.ENV_NAME }}
+ INPUT_JUMPSERVER_HOST: ${{ inputs.JUMPSERVER_HOST }}
+ INPUT_WG_DIR: ${{ inputs.WG_DIR }}
+ INPUT_ALLOWED_IPS: ${{ inputs.ALLOWED_IPS }}
+ INPUT_TICKET: ${{ inputs.TICKET }}
+ INPUT_DRY_RUN: ${{ inputs.DRY_RUN }}
+ GITHUB_REPOSITORY: ${{ github.repository }}
+ run: |
+ chmod +x .github/scripts/wg-onboard.sh
+ args=(
+ --env "$INPUT_ENV_NAME"
+ --host "$INPUT_JUMPSERVER_HOST"
+ --ssh-key "$SSH_KEY_PATH"
+ --repo "$GITHUB_REPOSITORY"
+ --wg-dir "$INPUT_WG_DIR"
+ --allowed-ips "$INPUT_ALLOWED_IPS"
+ )
+ [[ -n "$INPUT_TICKET" ]] && args+=(--ticket "$INPUT_TICKET")
+ [[ "$INPUT_DRY_RUN" == "true" ]] && args+=(--dry-run)
+ .github/scripts/wg-onboard.sh "${args[@]}"
+
+ - name: Cleanup SSH private key
+ if: always()
+ run: rm -f "${SSH_KEY_PATH:-}"
+
+ - name: Commit updated peer allocation
+ if: ${{ inputs.DRY_RUN == false }}
+ env:
+ GH_TOKEN: ${{ secrets.ACTION_PAT }}
+ INPUT_ENV_NAME: ${{ inputs.ENV_NAME }}
+ GIT_AUTHOR_NAME: ${{ github.actor }}
+ GIT_AUTHOR_EMAIL: ${{ github.actor }}@users.noreply.github.com
+ GIT_COMMITTER_NAME: ${{ github.actor }}
+ GIT_COMMITTER_EMAIL: ${{ github.actor }}@users.noreply.github.com
+ run: |
+ tracker=".github/scripts/wg-peer-allocation.tsv"
+ if git diff --quiet -- "$tracker"; then
+ echo "No allocation change to commit"
+ else
+ remote_url="https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
+ if ! git pull --rebase --autostash "$remote_url" "${GITHUB_REF_NAME}"; then
+ echo "ERROR: Rebase failed (concurrent tracker update?). Resolve on ${GITHUB_REF_NAME} and re-run."
+ exit 1
+ fi
+ git add "$tracker"
+ git commit -s -m "wg: allocate peers for environment $INPUT_ENV_NAME"
+ git push "$remote_url" "HEAD:${GITHUB_REF_NAME}"
+ fi
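Review bot: The "Validate required secrets" step expands `${{ secrets.ACTION_PAT }}` and `${{ secrets.MOSIP_AWS_PEM }}` directly inside the `run:` script, so the raw secret text — including the multi-line, possibly CRLF PEM that the following step has to normalise with `tr -d '\r'` — is pasted into the generated shell file on the self-hosted runner instead of being read from the environment, and any quote or shell-special character in a secret value becomes part of the script itself. Every later step already passes these secrets through `env:`; doing the same here and testing `"$ACTION_PAT"` / `"$MOSIP_AWS_PEM"` keeps the values out of the script source. Separately, `git diff --quiet -- "$tracker"` in the commit step reports "no change" for a file git does not yet track, so if wg-onboard.sh can create `.github/scripts/wg-peer-allocation.tsv` on a first run the allocation would be skipped with "No allocation change to commit" — the script is not visible here, so this is worth confirming; `[[ -z "$(git status --porcelain -- "$tracker")" ]]` covers both the modified and the untracked case.
```yaml
      - name: Validate required secrets
        env:
          ACTION_PAT: ${{ secrets.ACTION_PAT }}
          MOSIP_AWS_PEM: ${{ secrets.MOSIP_AWS_PEM }}
        run: |
          missing=()
          [[ -z "$ACTION_PAT" ]] && missing+=(ACTION_PAT)
          [[ -z "$MOSIP_AWS_PEM" ]] && missing+=(MOSIP_AWS_PEM)
          # … unchanged: error report and exit 1 …
```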