[REQUEST]: Allow skipping environment approval on specific branches #112177

maxnorth · 2024-03-11T21:15:53Z

maxnorth
Mar 11, 2024

Select Topic Area

Product Feedback

Body

We'd like to be able to require manual approval to our staging environment from feature branches, but have them automatically proceed when running from the main branch. We allow developers to optionally test in staging from their feature branches, but we want every main commit to go to staging as part of our continuous delivery pipeline.

Currently I see no secure way to do this.

I see a couple options to get the desired workflow, but both undermine security and cause other maintenance headaches:

Create two 'environment' definitions for staging, one with and one without the approval condition. This is bad for maintainability because it requires manual duplication/synchronization of variables and secrets between environments. It's bad for security, because any contributor could easily swap the environment values and run staging deployments without the approval from feature branches. It's also a clear hack that undermines the design of the "environment" concept in Github actions. We don't have two staging environments, so the two instances would no longer represent environments, they'd just be functional needs imposed on the environment feature.
Another option that I've seen suggested more frequently in here is to store a PAT as a repo secret that has permissions to do approvals, and conditionally send a REST request within the workflow. This fully undermines the security goals of environments, as anyone could use that PAT to approve any environment that the PAT's user is an approver for. We also avoid using PAT's in workflows as they depend on user's inclusion in the org, which will unexpectedly break in a few years whenever that person leaves the company.

Allowing environments to be configured to bypass approvals for specific branches seems like the simplest and most desirable approach. This still enables the repo admins to control the conditions under which environment access can occur, since they can set branch protection rules that must be met to merge to that branch.

maxnorth · 2024-03-12T18:00:04Z

maxnorth
Mar 12, 2024
Author

A partial self-correction - I realized that in option 1, you can avoid a security vulnerability if you apply a branch requirement on the version of the environment that does not have an approval requirement. That would prevent workflow authors from swapping them. However, the points about redundant environment variable/secret management and clunky semantics of what an "environment" is at that point still stand.

It's interesting that branch conditions are already supported, but can only be combined with other conditions like approvals using "AND" logic. Really the functionality needed here is just to support "OR" conditions for multiple requirements.

0 replies

AlistairGempf · 2025-05-20T10:15:56Z

AlistairGempf
May 20, 2025

Just wanted to add an agreement to this as it's not been replied/actioned in over a year. We require approvals from another dev before merge to main, so we implicitly already have approval to deploy to our first environment on merge. We also want to be able to test from feature branches on the first environment, but would like that to be approved by another developer. An "OR" condition on the environment would make our workflows much simpler.

I think a newish third option is using a custom deployment rule, but that feels to me like using a hydraulic press to crack a nut and has trust and security implications depending on the service you're using to approve the deployment.

1 reply

Sunbelt Computer Software

PL/B Language Development and Support

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GitHub Community

[REQUEST]: Allow skipping environment approval on specific branches #112177

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 2 comments 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Sunbelt Computer Software

PL/B Language Development and Support

GitHub Community

[REQUEST]: Allow skipping environment approval on specific branches #112177

Uh oh!

Uh oh!

maxnorth Mar 11, 2024

Select Topic Area

Body

Replies: 2 comments · 1 reply

Uh oh!

Uh oh!

maxnorth Mar 12, 2024 Author

Uh oh!

Uh oh!

AlistairGempf May 20, 2025

Uh oh!

Richiban Jun 24, 2026

maxnorth
Mar 11, 2024

Replies: 2 comments 1 reply

maxnorth
Mar 12, 2024
Author

AlistairGempf
May 20, 2025