Use this action to automatically approve workflow jobs that reference an environment with a "Required reviewers" protection rule. The action has two settings:

- environment_allow_list: the environments to which deployments are automatically approved.
- actor_allow_list: the users/actors whose triggered deployments are automatically approved.

A deployment must be both to an environment in environment_allow_list AND from an actor in actor_allow_list, or it is not automatically approved and instead requires manual review as described in GitHub's Reviewing deployments help article. Treat the two lists as a trust boundary: any actor on actor_allow_list can ship to every environment on environment_allow_list without a human looking at the deployment first.
For more information on general use of GitHub Environments and using them for deployments in GitHub Actions, see GitHub's Using environments for deployment article.
To approve a protected environment as a required reviewer, the action needs a personal access token (PAT) created at https://github.com/settings/developers. The default GITHUB_TOKEN in GitHub Actions does not have sufficient permissions. The user who issues the token must be one of the Required Reviewers in the environment's protection rule, as described in GitHub's environment documentation.

A classic token needs the "repo" scope. A fine-grained token needs the following repository permissions:

- Actions: Read-only
- Deployments: Read-only

Prefer a fine-grained token restricted to this one repository: a classic repo-scoped token carries write access to every repository the issuing user can reach, and a repository secret is readable by every workflow in the repository that runs with access to secrets. If the approval call is rejected with the permissions above, check the POST endpoint's entry in GitHub's fine-grained token permissions reference; the permissions listed there are authoritative.

For reference, these are the endpoints the action calls; the permission each one requires is documented in GitHub's fine-grained token permissions reference:

```
GET  /repos/{owner}/{repo}/actions/runs
GET  /repos/{owner}/{repo}/actions/runs/{run_id}/pending_deployments
POST /repos/{owner}/{repo}/actions/runs/{run_id}/pending_deployments
```
I tried using `${{ secrets.GITHUB_TOKEN }}` with `permissions: write-all` in a GitHub Actions workflow to avoid using a PAT, but still got errors when attempting the approval.
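As an added example (not the action's own source), the following TypeScript implements the approval rule described above and builds the review request body for the POST pending_deployments endpoint. The field names follow the GitHub REST reference for those endpoints (`environment.id`, `environment.name` and `current_user_can_approve` in the GET pending_deployments response; `environment_ids`, `state` and `comment` in the POST body); the pending-deployment list, environment ids and logins are constructed sample data, and the helper names (`parseAllowList`, `selectApprovals`, `buildReviewBody`) are assumptions, not the action's API.

```typescript
// Added example: the allow-list decision and the review body, written against the
// documented shapes of GET/POST .../actions/runs/{run_id}/pending_deployments.
// Sample data below is constructed, not real API output.

/** One entry of the GET pending_deployments response (only the fields used here). */
interface PendingDeployment {
  environment: { id: number; name: string };
  /** true when the token's user is a required reviewer for this environment */
  current_user_can_approve: boolean;
}

/** Request body for POST pending_deployments ("review pending deployments"). */
interface ReviewBody {
  environment_ids: number[];
  state: "approved" | "rejected";
  comment: string;
}

/**
 * Parse a multiline `|` action input into a set of names: one per line, trimmed,
 * blank lines and '#' comment lines dropped. Matching is exact, so "activescott"
 * never matches "activescott2" or "activescott[bot]".
 */
function parseAllowList(input: string): Set<string> {
  const names = input
    .split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line.length > 0 && !line.startsWith("#"));
  return new Set(names);
}

/**
 * Decide which pending environments may be auto-approved for one run.
 * Both rules must hold: the triggering actor is allow-listed AND the
 * environment is allow-listed. Anything else is left for manual review.
 */
function selectApprovals(
  actorLogin: string,
  pending: PendingDeployment[],
  environmentAllow: Set<string>,
  actorAllow: Set<string>,
): { approve: number[]; skipped: string[] } {
  const approve: number[] = [];
  const skipped: string[] = [];
  if (!actorAllow.has(actorLogin)) {
    // Actor rule fails: approve nothing, regardless of environment.
    return { approve, skipped: pending.map((p) => p.environment.name) };
  }
  for (const p of pending) {
    if (!environmentAllow.has(p.environment.name)) {
      skipped.push(p.environment.name); // environment rule fails
    } else if (!p.current_user_can_approve) {
      // Token user is not a required reviewer here; the POST would be rejected.
      skipped.push(p.environment.name);
    } else {
      approve.push(p.environment.id);
    }
  }
  return { approve, skipped };
}

/** Build the POST body, or null when there is nothing to approve (so no request is sent). */
function buildReviewBody(environmentIds: number[], actorLogin: string): ReviewBody | null {
  if (environmentIds.length === 0) return null;
  return {
    environment_ids: environmentIds,
    state: "approved",
    comment: `Auto-approved: deployment triggered by allow-listed actor ${actorLogin}`,
  };
}

// Constructed sample: three environments the run is waiting on, plus one the
// token's user cannot review.
const SAMPLE_PENDING: PendingDeployment[] = [
  { environment: { id: 101, name: "aws-test" }, current_user_can_approve: true },
  { environment: { id: 102, name: "aws-prod" }, current_user_can_approve: true },
  { environment: { id: 103, name: "aws-staging" }, current_user_can_approve: true },
  { environment: { id: 104, name: "aws-dr" }, current_user_can_approve: false },
];

// Stand-alone demonstration with the README's example allow lists.
const demoEnvs = parseAllowList("aws-test\naws-prod\n\n  aws-dr\n");
const demoActors = parseAllowList("dependabot[bot]\nactivescott\n");
const demoDecision = selectApprovals("dependabot[bot]", SAMPLE_PENDING, demoEnvs, demoActors);
console.log(JSON.stringify(buildReviewBody(demoDecision.approve, "dependabot[bot]")));
console.log("left for manual review:", demoDecision.skipped.join(", "));
```

Note the two failure modes the code keeps separate: an actor outside the list blocks every environment in the run, while an environment outside the list (or one the token's user cannot review) is skipped individually and the remaining approvals still go out in a single POST.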
Go to https://github.com/{owner}/{repo}/settings/secrets/actions for your repo, create a new repository secret, and store the personal access token from above in it. The example workflow below uses the name GH_TOKEN_FOR_AUTO_APPROVING_DEPLOYS for the secret.
```yaml
# using triggers for every deployment and allowed manually
# docs on these triggers:
# https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#deployment
# https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_dispatch
on: [deployment, workflow_dispatch]
jobs:
  auto_approve:
    runs-on: ubuntu-latest
    steps:
      - name: Auto Approve Deploys
        # you can use any @vN.N.N tag from https://github.com/activescott/automate-environment-deployment-approval/releases
        # (pinning to a tag rather than @main keeps the approval logic from changing underneath you)
        uses: activescott/automate-environment-deployment-approval@main
        with:
          github_token: ${{ secrets.GH_TOKEN_FOR_AUTO_APPROVING_DEPLOYS }}
          environment_allow_list: |
            aws-test
            aws-prod
          # the below automatically approves dependabot and anything submitted by the GitHub user with login "activescott"
          actor_allow_list: |
            dependabot[bot]
            activescott
```
First, you'll need a reasonably modern version of node handy; this won't work with versions older than 9, for instance.

Install the dependencies:

```
npm install
```

Build the TypeScript and package it for distribution:

```
npm run build && npm run package
```

Run the tests:

```
npm test
```

See the toolkit documentation for the various packages.
We use semantic-release to consistently release semver-compatible versions. This project publishes production releases as well as pre-releases to GitHub. Each of the branches below corresponds to the following release/pre-release status:

| branch | release or pre-release |
|---|---|
| main | production |
| beta | pre-release |

To trigger a release, use a Conventional Commit following the Angular Commit Message Conventions on one of the above branches.