Use GitHub Apps to automate protecting deployments with third-party systems.
Note
Custom deployment protection rules are currently in public preview and subject to change.
For general information about deployment protection rules, see Deploying with GitHub Actions.
Create a GitHub App. For more information, see Registering a GitHub App. Configure the GitHub App as follows.
Install the custom deployment protection rule in your repositories and enable it for use. For more information, see Configuring custom deployment protection rules.
Once a workflow reaches a job that references an environment that has the custom deployment protection rule enabled, GitHub sends a POST request to a URL you configure containing the deployment_protection_rule payload. You can write your deployment protection rule to automatically send REST API requests that approve or reject the deployment based on the deployment_protection_rule payload. Configure your REST API requests as follows.
Custom deployment protection rules are not compatible when a workflow job's environment is set to deployment: false. For more information, see Deploying with GitHub Actions.
Validate the incoming POST request. For more information, see Validating webhook deliveries.
Use a JSON Web Token to authenticate as a GitHub App. For more information, see Authenticating as a GitHub App.
Using the installation ID from the deployment_protection_rule webhook payload, generate an install token. For more information, see About authentication with a GitHub App.
curl --request POST \
  --url "https://api.github.com/app/installations/INSTALLATION_ID/access_tokens" \
  --header "Accept: application/vnd.github+json" \
  --header "Authorization: Bearer {jwt}" \
  --header "Content-Type: application/json" \
  --data '{
    "repository_ids": [321],
    "permissions": {
      "deployments": "write"
    }
  }'
Optionally, to add a status report to GitHub without taking any other action, send a POST request to /repos/OWNER/REPO/actions/runs/RUN_ID/deployment_protection_rule. In the request body, omit the state property. For more information, see REST API endpoints for workflow runs. You can post a status report on the same deployment up to 10 times. Status reports support Markdown formatting and can be up to 1024 characters long.
To approve or reject a request, send a POST request to /repos/OWNER/REPO/actions/runs/RUN_ID/deployment_protection_rule. In the request body, set the state property to either approved or rejected. For more information, see REST API endpoints for workflow runs.
Optionally, request the status of an approval for a workflow run by sending a GET request to /repos/OWNER/REPO/actions/runs/RUN_ID/approvals. For more information, see REST API endpoints for workflow runs.
Optionally, review the deployment on GitHub. For more information, see Reviewing deployments.
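The steps above, written out as the receiving side of a custom deployment protection rule. This is an added example, not GitHub's code: it validates the webhook signature, builds the JWT claims and the installation-token request from the curl command above, decides with a constructed allow-list policy, and builds the approve/reject or status-report request. The payload field names installation.id, repository.full_name, environment, deployment.ref and deployment_callback_url, and the sample delivery at the bottom, are assumptions for the example.

```python
"""Added example, not GitHub's code: a minimal custom deployment protection rule
following the steps on this page. Assumed (not on the page): the payload fields
installation.id, repository.full_name, environment, deployment.ref and
deployment_callback_url; the allow-list policy in decide(); the sample delivery
at the bottom is constructed, not captured."""
import hashlib
import hmac
import json
import time
import urllib.request
from typing import Optional, Tuple

API = "https://api.github.com"


def verify_signature(secret: str, raw_body: bytes, signature_header: Optional[str]) -> bool:
    """Validate the delivery: GitHub sends an HMAC-SHA256 of the raw body, keyed
    with the webhook secret, as 'X-Hub-Signature-256: sha256=<hex>'."""
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    digest = hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()
    # Constant-time compare so response timing does not leak the expected value.
    return hmac.compare_digest("sha256=" + digest, signature_header)


def app_jwt_claims(app_id: int, now: Optional[int] = None) -> dict:
    """Authenticate as the app: JWT claims with iss = app ID and a lifetime under
    10 minutes. Sign RS256 with the app's private key, e.g. with PyJWT:
    jwt.encode(app_jwt_claims(APP_ID), private_key_pem, algorithm="RS256")."""
    now = int(time.time()) if now is None else now
    return {"iat": now - 60, "exp": now + 9 * 60, "iss": str(app_id)}


def installation_token_request(app_jwt: str, installation_id: int, repository_id: int) -> dict:
    """Mint an installation token scoped to one repository and to
    deployments:write only (the same request as the curl on this page)."""
    return {"method": "POST",
            "url": f"{API}/app/installations/{installation_id}/access_tokens",
            "headers": {"Accept": "application/vnd.github+json",
                        "Authorization": f"Bearer {app_jwt}",
                        "Content-Type": "application/json"},
            "body": {"repository_ids": [repository_id],
                     "permissions": {"deployments": "write"}}}


def decide(payload: dict, allowed_refs: dict) -> Tuple[str, str]:
    """Constructed policy: approve only when the ref being deployed is on the
    allow-list for the target environment; anything else is rejected."""
    env, ref = payload["environment"], payload["deployment"]["ref"]
    if ref in allowed_refs.get(env, set()):
        return "approved", f"`{ref}` is allowed to deploy to `{env}`"
    return "rejected", f"`{ref}` is not on the allow-list for `{env}`"


def review_request(token: str, payload: dict, state: Optional[str], comment: str) -> dict:
    """POST to .../actions/runs/RUN_ID/deployment_protection_rule. With state set
    this approves or rejects; with state omitted it is only a status report
    (Markdown, at most 1024 characters, as the page says)."""
    body = {"environment_name": payload["environment"], "comment": comment[:1024]}
    if state is not None:
        body["state"] = state
    return {"method": "POST", "url": payload["deployment_callback_url"],
            "headers": {"Accept": "application/vnd.github+json",
                        "Authorization": f"Bearer {token}"},
            "body": body}


def send(req: dict) -> dict:
    """Perform one of the request descriptions above (needs network access)."""
    data = json.dumps(req["body"]).encode()
    http = urllib.request.Request(req["url"], data=data, method=req["method"], headers=req["headers"])
    with urllib.request.urlopen(http) as resp:
        return json.loads(resp.read() or b"{}")


def handle_delivery(secret: str, raw_body: bytes, signature_header: Optional[str],
                    token: str, allowed_refs: dict) -> Optional[dict]:
    """One webhook delivery in: the review request to send out, or None when the
    delivery is unauthenticated or is not a rule request."""
    if not verify_signature(secret, raw_body, signature_header):
        return None  # never act on a body whose signature does not check out
    payload = json.loads(raw_body)
    if payload.get("action") != "requested":
        return None
    state, comment = decide(payload, allowed_refs)
    return review_request(token, payload, state, comment)


# Constructed sample delivery for offline use (ids, names and secret are made up).
SAMPLE_SECRET = "constructed-webhook-secret"
SAMPLE_PAYLOAD = {
    "action": "requested",
    "environment": "production",
    "deployment": {"ref": "main"},
    "deployment_callback_url": f"{API}/repos/octo-org/octo-app/actions/runs/1234/deployment_protection_rule",
    "repository": {"id": 321, "full_name": "octo-org/octo-app"},
    "installation": {"id": 555},
}
SAMPLE_BODY = json.dumps(SAMPLE_PAYLOAD).encode()
SAMPLE_SIGNATURE = "sha256=" + hmac.new(SAMPLE_SECRET.encode(), SAMPLE_BODY, hashlib.sha256).hexdigest()
POLICY = {"production": {"main"}, "staging": {"main", "develop"}}

if __name__ == "__main__":
    req = handle_delivery(SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_SIGNATURE, "INSTALLATION_TOKEN", POLICY)
    print(json.dumps(req, indent=2))
```

The request builders return plain dictionaries so the decision logic can be tested without touching the network; only send() performs HTTP. Scoping the installation token to the single repository ID from the payload and to deployments:write keeps a leaked token from being useful anywhere else.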
You can publish your GitHub App to the GitHub Marketplace to allow developers to discover suitable protection rules and install them across their GitHub repositories. Or you can browse existing custom deployment protection rules to suit your needs. For more information, see About GitHub Marketplace for apps and Listing an app on GitHub Marketplace.