GitHub Environments - Required Reviewer option? #352

Open
kboro opened this issue Jan 8, 2025 · 3 comments
Labels: enhancement (New feature or request); question (Further information is requested or the issue is a question)

Comments

kboro commented Jan 8, 2025

Hello,
Is it possible to apply an "Approval Gate" when deploying to the PRODUCTION environment?

Here is an example of an existing 'production' environment which requires reviewers at the GitHub level:

Image

But if it's enabled, branch-deploy fails with:

.deploy production

Image

How can I ensure that deployment to 'production' is managed ONLY by dedicated user(s), and deployment to 'stage' is managed by other repo 'write' users?

@kboro kboro added the question Further information is requested or the issue is a question label Jan 8, 2025
@GrantBirki
Member

@kboro thank you for the issue. The branch-deploy Action was never really designed to work with the environment protection rules that GitHub provides.

Here is an example of environment protection rules being enabled and branch-deploy skipping right over them:

Image

Note: The repo in this example has no requirements for PR approvals. So you would think that the "required reviewers" setting would reject the deployment, but it doesn't.

The main reason for this is that the branch-deploy Action is primarily responsible for the lifecycle of deployments. It creates the deployment, and the "post-job" step of this Action either marks the deployment as successful, or a failure.

Typically, one would use these environment protection rules with the environment: <name> key in Action workflow definitions.

Perhaps if this is really something you would like to see in this project, we could add a required_reviewers input option that could take an environment and a mapping of users/teams to look for on the PR approvals.

@kboro
Author

kboro commented Jan 20, 2025

Hello @GrantBirki,

Thank you so much for your response.

My goal is to have a dedicated GitHub team (for example "@org\stageEnvOwners") which can trigger deployment to a specific environment, i.e. Stage. If a member of that team triggers ".deploy to stage", then the deployment occurs. On the other hand, if you are not part of that team and you trigger ".deploy to stage", nothing happens or a warning is returned.

@GrantBirki GrantBirki added the enhancement New feature or request label Jan 21, 2025
@GrantBirki
Member

Of course, happy to help!

It looks to me that you might be in need of one (or even two) new features then. I see one feature where you might want required_reviewers (new) defined in order to gate what exact reviews must be fulfilled before a deployment can continue. The other feature would be a mapping of teams to environments that would gate who could deploy to specific environments. I'll leave this issue open to gauge demand for such a feature for now. If this is something you would like to implement, I will also be more than happy to help guide you and review any PRs. Thanks!
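
A sketch of the team-to-environment gate discussed in this thread, as an added example that is not branch-deploy's code and not an existing input of the Action. The function names, the policy shape, the team slugs and the logins are all hypothetical; team membership is assumed to have been resolved beforehand.

```javascript
// Added example: a hypothetical policy check, not part of branch-deploy.
// Constructed sample policy: environment -> teams allowed to deploy there.
// Assumption: policy keys are lower-case environment names.
const ENV_TEAMS = {
  production: ['org/prodEnvOwners'],
  stage: ['org/stageEnvOwners', 'org/prodEnvOwners'],
};

// Constructed sample membership (team -> logins), as a caller would have
// resolved it from the GitHub API before evaluating the policy.
const TEAM_MEMBERS = {
  'org/prodEnvOwners': ['alice'],
  'org/stageEnvOwners': ['bob', 'Carol'],
};

const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Extract the environment from the two comment forms shown in the issue,
// ".deploy production" and ".deploy to stage"; null for anything else.
function parseEnvironment(comment) {
  const m = /^\.deploy(?:\s+to)?\s+([A-Za-z0-9_-]+)$/.exec(String(comment).trim());
  return m ? m[1].toLowerCase() : null;
}

// Fails closed: an unparsable command, an environment without a policy entry,
// or a team without resolved members is denied, with a reason for the warning.
function authorizeDeploy(comment, actor, envTeams = ENV_TEAMS, members = TEAM_MEMBERS) {
  const environment = parseEnvironment(comment);
  if (!environment) {
    return { allowed: false, environment: null, reason: 'not a deploy command' };
  }
  // Own-property lookup so names like "constructor" never match a policy.
  if (!own(envTeams, environment)) {
    return { allowed: false, environment, reason: 'no team mapping for environment' };
  }
  const login = String(actor).toLowerCase(); // GitHub logins are case-insensitive
  for (const team of envTeams[environment]) {
    const logins = own(members, team) ? members[team] : [];
    if (logins.some((l) => l.toLowerCase() === login)) {
      return { allowed: true, environment, reason: `member of ${team}` };
    }
  }
  return { allowed: false, environment, reason: 'actor is not in an allowed team' };
}

console.log(authorizeDeploy('.deploy production', 'bob'));
```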
