GitHub Environments - Required Reviewer option?
Details
Hello, is it possible to apply an "Approval Gate" when deploying to the PRODUCTION environment?
Here is an example of an existing 'production' which requires reviewers on the GitHub level:
But if it's enabled, branch-deploy fails with:
.deploy production
How can I ensure that deployment to 'production' is managed ONLY by dedicated user(s), and deployment to 'stage' is managed by other repo 'write' users?
@kboro thank you for the issue. The branch-deploy Action was never really designed to work with the environment protection rules that GitHub provides.
Here is an example of environment protection rules being enabled and branch-deploy skipping right over them:
Note: The repo in this example has no requirements for PR approvals. So you would think that the "required reviewers" setting would reject the deployment, but it doesn't.
The main reason for this is that the branch-deploy Action is primarily responsible for the lifecycle of deployments. It creates the deployment, and the "post-job" step of this Action either marks the deployment as successful, or a failure.
Typically, one would use these environment protection rules with the environment: <name> key in Action workflow definitions.
Perhaps if this is really something you would like to see in this project, we could add a required_reviewers input option that could take an environment and a mapping of users/teams to look for on the PR approvals.
Hello @GrantBirki,
Thank you so much for your response.
My goal is to have a dedicated GitHub team (example "@org\stageEnvOwners") which can trigger deployment to a specific environment, i.e. Stage. If such a team member triggers ".deploy to stage" then deployment occurs. On the other hand, if you are not part of that team and you trigger ".deploy to stage", nothing happens or a warning is returned.
Of course, happy to help!
It looks to me that you might be in need of one (or even two) new features then. I see one feature where you might want required_reviewers (new) defined in order to gate what exact reviews must be fulfilled before a deployment can continue. The other feature would be a mapping of teams to environments that would gate who could deploy to specific environments. I'll leave this issue open to gauge demand for such a feature for now. If this is something you would like to implement, I will also be more than happy to help guide you and review any PRs. Thanks!
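The team-to-environment gate discussed in this thread, as an added sketch that is not part of the thread and is not branch-deploy code. The mapping, the team names and every function name are hypothetical, and the commenter's team memberships are assumed to have been resolved already (for example through the GitHub API) and passed in.

```javascript
// Added illustration, not branch-deploy code. Mapping and team names are constructed.
// A Map is used instead of a plain object so that an environment name such as
// "__proto__" or "constructor" can never resolve to an inherited property.
const ENV_TEAMS = new Map([
  ["stage", ["org/stageEnvOwners"]],
  ["production", ["org/prodEnvOwners"]],
]);

// Accepts ".deploy production" and ".deploy to stage"; returns the
// lower-cased environment name, or null when no environment is named.
function parseDeployTarget(commentBody) {
  const m = /^\.deploy(?:\s+to)?\s+([A-Za-z0-9_-]+)\s*$/.exec(commentBody.trim());
  return m ? m[1].toLowerCase() : null;
}

// "@Org/Team" and "org/team" are treated as the same team.
const normalizeTeam = (t) => t.replace(/^@/, "").toLowerCase();

// Decide whether the commenter may deploy. Fails closed: an environment with
// no owning team in the mapping is refused rather than left open to everyone.
function authorizeDeploy(commentBody, actorTeams, envTeams = ENV_TEAMS) {
  const environment = parseDeployTarget(commentBody);
  if (environment === null) {
    return { allowed: false, environment, reason: "not-a-deploy-command" };
  }
  const owners = envTeams.get(environment);
  if (!owners || owners.length === 0) {
    return { allowed: false, environment, reason: "unmapped-environment" };
  }
  const held = new Set(actorTeams.map(normalizeTeam));
  const match = owners.map(normalizeTeam).find((t) => held.has(t));
  return match
    ? { allowed: true, environment, reason: `member-of:${match}` }
    : { allowed: false, environment, reason: "not-in-owning-team" };
}

// Constructed sample: a member of the stage team tries both environments.
const sampleTeams = ["@org/stageEnvOwners"];
for (const body of [".deploy to stage", ".deploy production"]) {
  console.log(body, "->", JSON.stringify(authorizeDeploy(body, sampleTeams)));
}
```

A gate like this would have to run before the deployment is created, since the thread notes that branch-deploy itself creates the deployment and marks its outcome.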