Skip to content
Latchkey

How to Gate a Production Deploy With Approval and a Restricted Context in CircleCI

Combine a type: approval gate with a context locked to a security group so a deploy needs a human click and that human must be authorized for the secrets.

Layer two controls: an approval job that pauses the workflow and a restricted context that only members of a security group can use.

Steps

  • Restrict the prod context to a security group in org settings.
  • Add a type: approval job before deploy.
  • Attach the restricted context to the deploy job.
  • Require the approval job on deploy.

Config

.circleci/config.yml
version: 2.1
workflows:
  release:
    jobs:
      - build
      - test:
          requires: [build]
      - approve-prod:
          type: approval
          requires: [test]
      - deploy:
          requires: [approve-prod]
          context:
            - prod-restricted
          filters:
            branches:
              only: main

Gotchas

  • Approval alone is weak; the restricted context is what stops an unauthorized user from reading prod secrets.
  • Security-group restriction is an organization setting, not something expressed in the config file.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →