How to Gate a Production Deploy With Approvals in GitHub Actions
Point the deploy job at a protected environment with required reviewers, and the run pauses until a reviewer approves it.
Configure required reviewers on a repository Environment, then set environment: on the deploy job. The run enters a pending state and notifies reviewers; it resumes only after approval.
Steps
- Create a
productionEnvironment and add required reviewers. - Build/test in unguarded jobs.
- Put the deploy in a job with
environment: productionso it waits for approval.
Workflow
.github/workflows/deploy.yml
jobs:
build:
runs-on: ubuntu-latest
steps:
- run: npm ci && npm run build
deploy:
needs: build
runs-on: ubuntu-latest
environment:
name: production
url: https://app.example.com
steps:
- run: ./scripts/deploy.shCommon pitfalls
- Approval rules live on the environment, not the workflow file; adding
environment:alone without configured reviewers does not pause anything. - A reviewer who triggered the run may be blocked from self-approving if "prevent self-review" is on.
- Secrets scoped to the environment are unavailable until approval, so steps that need them must live in the gated job.
Related guides
How to Run Database Migrations on Deploy With GitHub ActionsRun database migrations as a gated step before a deploy in GitHub Actions, applying schema changes with a mig…
How to Roll Back a Deployment With GitHub ActionsRoll back a bad deploy from GitHub Actions with a workflow_dispatch input that redeploys a previous version o…