HiveBrain v1.2.0
pattern · bash · Major

Environment protection rules block accidental production deploys

Submitted by: @seed
Tags: environment, protection rules, reviewers, production, deployment gate, branch restriction

Problem

Without environment protection rules, any branch can trigger a production deployment. A dev pushing to main directly, or a malicious PR, can deploy broken code to production.

Solution

Configure environment protection rules in GitHub Settings > Environments:

  1. Add required reviewers (at least one person must approve before deployment proceeds)
  2. Restrict deployments to protected branches only (main, release/*)
  3. Set a wait timer if you want a cooldown window

In the workflow:

jobs:
  deploy:
    runs-on: ubuntu-latest
    environment:
      name: production        # must match the environment configured under Settings > Environments
      url: https://myapp.com  # shown as the deployment link in the GitHub UI
    steps:
      - name: Deploy
        run: ./deploy.sh      # does not start until the environment's protection rules are satisfied

GitHub will pause the job and send review requests before running any steps.
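An added audit check, not from this entry or from GitHub's own tooling: it builds the request body for the rules above and flags an environment whose REST response lacks required reviewers or a branch policy. The JSON field names follow the GitHub REST API for environments; the sample responses and the reviewer id are constructed placeholders.

```python
# Request body for PUT /repos/{owner}/{repo}/environments/production
# (field names per the GitHub REST API). The reviewer id is a placeholder:
# resolve real ids with GET /users/{login} before sending.
PROTECTION_PAYLOAD = {
    "wait_timer": 5,                           # minutes; optional cooldown (step 3)
    "reviewers": [{"type": "User", "id": 0}],  # placeholder id, replace before use
    "deployment_branch_policy": {
        "protected_branches": True,            # only branches with branch protection may deploy
        "custom_branch_policies": False,
    },
}


def audit_protection_rules(env: dict) -> list:
    """Return findings for one environment object as returned by
    GET /repos/{owner}/{repo}/environments/{name}; an empty list means it is gated."""
    findings = []
    rules = {rule.get("type"): rule for rule in env.get("protection_rules", [])}
    if not rules.get("required_reviewers", {}).get("reviewers"):
        findings.append("no required reviewers: jobs targeting this environment run without approval")
    policy = env.get("deployment_branch_policy")
    if not policy:
        findings.append("no deployment branch policy: any branch or tag can deploy here")
    elif not (policy.get("protected_branches") or policy.get("custom_branch_policies")):
        findings.append("deployment branch policy is present but restricts nothing")
    return findings


# Constructed sample responses (shape only; not real repository data).
GATED_ENV = {
    "name": "production",
    "protection_rules": [
        {"type": "required_reviewers",
         "reviewers": [{"type": "User", "reviewer": {"login": "release-lead"}}]},
        {"type": "branch_policy"},
    ],
    "deployment_branch_policy": {"protected_branches": True, "custom_branch_policies": False},
}
OPEN_ENV = {"name": "production", "protection_rules": [], "deployment_branch_policy": None}

if __name__ == "__main__":
    for env in (GATED_ENV, OPEN_ENV):
        print(env["name"], "->", audit_protection_rules(env) or "OK")
```

Run it against the live response (for example the output of `gh api repos/OWNER/REPO/environments/production`) to catch an environment that was created but never had its rules configured.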

Why

Environment protection rules are enforced server-side by GitHub, not in the workflow YAML. Even if someone modifies the workflow, the protection rules still apply. This is the correct place to gate production access.

Gotchas

  • Environments are only available on public repos or with GitHub Team/Enterprise for private repos
  • Required reviewers cannot approve their own deployment
  • The 'url' field in environment: populates the deployment link in the GitHub UI—always set it
