Skip to content
Latchkey

How to Add Approval Gates With Environments

A protected environment pauses the deploy until a required reviewer approves, and the approval (who and when) is recorded automatically.

An approval gate is the enforcement point for change control on the deploy side. Configure a protected environment with required reviewers and, optionally, a wait timer. The approval becomes evidence. This page is educational configuration guidance.

Steps

  • Create the environment and add required reviewers.
  • Optionally add a wait timer for a mandatory soak or notice period.
  • Point the deploy job at the environment; the run pauses until approved.

Configure the environment

Terminal
gh api -X PUT repos/acme/app/environments/production --input - <<'JSON'
{
  "wait_timer": 10,
  "reviewers": [ { "type": "Team", "id": 42 } ],
  "deployment_branch_policy": { "protected_branches": true, "custom_branch_policies": false }
}
JSON

Job that waits for approval

.github/workflows/deploy.yml
jobs:
  release:
    runs-on: ubuntu-latest
    environment: production   # run pauses here until a reviewer approves
    steps:
      - run: ./release.sh

Notes

  • Export approvals via the run approvals API for evidence of the sign-off.
  • A wait timer gives time to abort and is itself a documentable control.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →