pattern | bash | Major
Environment protection rules block accidental production deploys
Tags: environment, protection rules, reviewers, production, deployment gate, branch restriction
Problem
Without environment protection rules, any branch can trigger a production deployment. A dev pushing to main directly, or a malicious PR, can deploy broken code to production.
Solution
Configure environment protection rules in GitHub Settings > Environments:
- Add required reviewers (at least one person must approve before deployment proceeds)
- Restrict deployments to protected branches only (main, release/*)
- Set a wait timer if you want a cooldown window
In the workflow:
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment:
      name: production
      url: https://myapp.com
    steps:
      - name: Deploy
        run: ./deploy.sh
GitHub will pause the job and send review requests before running any steps.
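Because the rules live in repository settings rather than in the workflow, the thing worth checking is the settings themselves. The following is an added example (not part of this pattern or of GitHub's tooling) that audits the JSON returned for an environment by the GitHub REST API (GET /repos/{owner}/{repo}/environments/{name}, e.g. via `gh api repos/OWNER/REPO/environments/production`) and reports whether the required-reviewer and branch-policy gates described above are actually present. The JSON field names follow that API's documented response; the two sample payloads are constructed for the example, not captured from a real repository.

```python
"""Audit a GitHub environment's protection rules from its REST API response.

Assumed input shape: the JSON body of
GET /repos/{owner}/{repo}/environments/{environment_name}
(e.g. `gh api repos/OWNER/REPO/environments/production > production.json`).
Both samples below are constructed for this example.
"""
import json
import sys

# Constructed sample: a 'production' environment gated the way the pattern
# recommends - one required reviewer, a 30-minute wait timer, and deployments
# limited to protected branches.
SAMPLE_PROTECTED = json.dumps({
    "name": "production",
    "protection_rules": [
        {"id": 1, "type": "required_reviewers",
         "reviewers": [{"type": "User", "reviewer": {"login": "release-lead"}}]},
        {"id": 2, "type": "wait_timer", "wait_timer": 30},
        {"id": 3, "type": "branch_policy"},
    ],
    "deployment_branch_policy": {"protected_branches": True,
                                 "custom_branch_policies": False},
})

# Constructed sample: an environment named 'production' with no rules at all,
# i.e. the situation described under "Problem" - any branch can deploy.
SAMPLE_UNPROTECTED = json.dumps({
    "name": "production",
    "protection_rules": [],
    "deployment_branch_policy": None,
})


def audit_environment(api_json: str) -> list[str]:
    """Return findings for one environment; an empty list means it is gated.

    ERROR findings are gates the pattern treats as mandatory; INFO findings
    are optional settings (the wait timer) that were not configured.
    """
    env = json.loads(api_json)
    rules = {rule["type"]: rule for rule in env.get("protection_rules", [])}
    findings = []

    # Gate 1: at least one required reviewer, otherwise runs deploy unattended.
    reviewers = rules.get("required_reviewers", {}).get("reviewers", [])
    if not reviewers:
        findings.append("ERROR no required reviewers: a workflow run can deploy unattended")

    # Gate 2: deployments restricted to protected (or explicitly listed) branches.
    policy = env.get("deployment_branch_policy")
    branch_gated = bool(policy) and (policy.get("protected_branches")
                                     or policy.get("custom_branch_policies"))
    if not branch_gated:
        findings.append("ERROR no deployment branch policy: any branch can target this environment")

    # Optional: cooldown window before the job is allowed to start.
    if "wait_timer" not in rules:
        findings.append("INFO no wait timer configured (optional cooldown window)")

    return findings


def main() -> int:
    """Audit a JSON file given on the command line, or the built-in samples."""
    payloads = ([("file", open(sys.argv[1]).read())] if len(sys.argv) > 1
                else [("sample protected", SAMPLE_PROTECTED),
                      ("sample unprotected", SAMPLE_UNPROTECTED)])
    worst = 0
    for label, payload in payloads:
        findings = audit_environment(payload)
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  " + finding)
        worst = max(worst, 1 if any(f.startswith("ERROR") for f in findings) else 0)
    return worst


if __name__ == "__main__":
    sys.exit(main())
```

Run it against the saved API response (`python audit_env.py production.json`) from a scheduled job or as part of a periodic review; a non-zero exit means a mandatory gate is missing. The same check can be repeated per environment name if several are used.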
Why
Environment protection rules are enforced server-side by GitHub, not in the workflow YAML. Even if someone modifies the workflow, the protection rules still apply. This is the correct place to gate production access.
Gotchas
- Environments are only available on public repos or with GitHub Team/Enterprise for private repos
- Required reviewers cannot approve their own deployment
- The 'url' field in environment: populates the deployment link in the GitHub UI—always set it