Skip to content
Latchkey

How to Gate a Production Deploy With Approvals in GitHub Actions

Point the deploy job at a protected environment with required reviewers, and the run pauses until a reviewer approves it.

Configure required reviewers on a repository Environment, then set environment: on the deploy job. The run enters a pending state and notifies reviewers; it resumes only after approval.

Steps

  • Create a production Environment and add required reviewers.
  • Build/test in unguarded jobs.
  • Put the deploy in a job with environment: production so it waits for approval.

Workflow

.github/workflows/deploy.yml
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: npm ci && npm run build
  deploy:
    needs: build
    runs-on: ubuntu-latest
    environment:
      name: production
      url: https://app.example.com
    steps:
      - run: ./scripts/deploy.sh

Common pitfalls

  • Approval rules live on the environment, not the workflow file; adding environment: alone without configured reviewers does not pause anything.
  • A reviewer who triggered the run may be blocked from self-approving if "prevent self-review" is on.
  • Secrets scoped to the environment are unavailable until approval, so steps that need them must live in the gated job.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →