How to Gate a Production Deploy With Approval and a Restricted Context in CircleCI
Combine a type: approval gate with a context locked to a security group so a deploy needs a human click and that human must be authorized for the secrets.
Layer two controls: an approval job that pauses the workflow and a restricted context that only members of a security group can use.
Steps
- Restrict the prod context to a security group in org settings.
- Add a
type: approvaljob before deploy. - Attach the restricted context to the deploy job.
- Require the approval job on deploy.
Config
.circleci/config.yml
version: 2.1
workflows:
release:
jobs:
- build
- test:
requires: [build]
- approve-prod:
type: approval
requires: [test]
- deploy:
requires: [approve-prod]
context:
- prod-restricted
filters:
branches:
only: mainGotchas
- Approval alone is weak; the restricted context is what stops an unauthorized user from reading prod secrets.
- Security-group restriction is an organization setting, not something expressed in the config file.
Related guides
How to Add a Manual Approval Job to a Deploy in CircleCIPause a CircleCI deploy workflow on a type: approval job so a human clicks Approve before the deploy job runs…
How to Use a Context for Production Deploy Secrets in CircleCIInject production deploy secrets into a CircleCI job with a context instead of project env vars, sharing cred…