How to Add Approval Gates With Environments
A protected environment pauses the deploy until a required reviewer approves, and the approval (who and when) is recorded automatically.
An approval gate is the enforcement point for change control on the deploy side. Configure a protected environment with required reviewers and, optionally, a wait timer. The approval becomes evidence. This page is educational configuration guidance.
Steps
- Create the environment and add required reviewers.
- Optionally add a wait timer for a mandatory soak or notice period.
- Point the deploy job at the environment; the run pauses until approved.
Configure the environment
Terminal
gh api -X PUT repos/acme/app/environments/production --input - <<'JSON'
{
"wait_timer": 10,
"reviewers": [ { "type": "Team", "id": 42 } ],
"deployment_branch_policy": { "protected_branches": true, "custom_branch_policies": false }
}
JSONJob that waits for approval
.github/workflows/deploy.yml
jobs:
release:
runs-on: ubuntu-latest
environment: production # run pauses here until a reviewer approves
steps:
- run: ./release.shNotes
- Export approvals via the run approvals API for evidence of the sign-off.
- A wait timer gives time to abort and is itself a documentable control.
Related guides
How to Enforce Separation of Duties in CI/CDEnforce separation of duties in GitHub Actions so the author of a change cannot approve or deploy it alone, a…
How to Segregate Production Credentials in CIKeep production credentials out of build and test jobs in GitHub Actions by binding them to a protected envir…
How to Enforce Deployment Freeze Windows in CIBlock deploys during change-freeze windows in GitHub Actions by checking the current time against a freeze sc…