Creating custom deployment protection rules

Use GitHub Apps to automate protecting deployments with third-party systems.

谁可以使用此功能?

自定义部署保护规则在所有计划的公共存储库中可用。 要访问专用存储库或内部存储库中的自定义部署保护规则,必须使用 GitHub Enterprise。

本文内容

Prerequisites

注意

自定义部署保护规则目前为 公共预览版,可能随时更改。

For general information about deployment protection rules, see Deploying with GitHub Actions.

Creating a custom deployment protection rule with GitHub Apps

  1. Create a GitHub App. For more information, see 注册 GitHub 应用. Configure the GitHub App as follows.

    1. Optionally, in the Callback URL text field under "Identifying and authorizing users," enter the callback URL. For more information, see 关于用户授权回调 URL.
    2. Under "Permissions," select Repository permissions.
    3. To the right of "Actions," click the drop down menu and select Access: Read-only.
      Screenshot of the "Repository permissions" section for a new GitHub App. The Actions permission shows "Read-only" and is outlined in orange.
    4. To the right of "Deployments," click the drop down menu and select Access: Read and write.
      Screenshot of the "Repository permissions" section for a new GitHub App. The Deployments permission shows "Read and write" and is outlined in orange.
    5. Under "Subscribe to events," select Deployment protection rule.
      Screenshot of the "Subscribe to events section" section for a new GitHub App. The checkbox for the Deployment protection rule is outlined in orange.

  2. Install the custom deployment protection rule in your repositories and enable it for use. For more information, see Configuring custom deployment protection rules.

Approving or rejecting deployments

Once a workflow reaches a job that references an environment that has the custom deployment protection rule enabled, GitHub sends a POST request to a URL you configure containing the deployment_protection_rule payload. You can write your deployment protection rule to automatically send REST API requests that approve or reject the deployment based on the deployment_protection_rule payload. Configure your REST API requests as follows.

  1. Validate the incoming POST request. For more information, see 验证 Webhook 交付.

  2. Use a JSON Web Token to authenticate as a GitHub App. For more information, see 验证为 GitHub 应用程序.

  3. Using the installation ID from the deployment_protection_rule webhook payload, generate an install token. For more information, see 关于使用 GitHub 应用进行身份验证.

    curl --request POST \
--url "http(s)://HOSTNAME/api/v3/app/installations/INSTALLATION_ID/ACCESS_TOKENS" \
--header "Accept: application/vnd.github+json" \
--header "Authorization: Bearer {jwt}" \
--header "Content-Type: application/json" \
--data \
'{ \
   "repository_ids": [321], \
   "permissions": { \
      "deployments": "write" \
   } \
}'

  4. Optionally, to add a status report without taking any other action to GitHub, send a POST request to /repos/OWNER/REPO/actions/runs/RUN_ID/deployment_protection_rule. In the request body, omit the state. For more information, see 工作流运行的 REST API 终结点. You can post a status report on the same deployment up to 10 times. Status reports support Markdown formatting and can be up to 1024 characters long.

  5. To approve or reject a request, send a POST request to /repos/OWNER/REPO/actions/runs/RUN_ID/deployment_protection_rule. In the request body, set the state property to either approved or rejected. For more information, see 工作流运行的 REST API 终结点.

  6. Optionally, request the status of an approval for a workflow run by sending a GET request to /repos/OWNER/REPOSITORY_ID/actions/runs/RUN_ID/approvals. For more information, see 工作流运行的 REST API 终结点.

  7. Optionally, review the deployment on GitHub. For more information, see Reviewing deployments.