Skip to content

Gate testnet deploy on a GitHub Environment with required reviewers #41

Description

@rubydusa

Problem

`_deploy-testnet.yml` deploys whenever `github.event_name == 'pull_request'` is true and the calling workflow opted into `deploy-on-pr: true`. There is no approval gate, no environment scoping, and no way to require reviewer sign-off before a deploy uses `PRIVATE_KEY`.

The original spec (`docs/specs/ci-cd-automated-deployments.md`) calls this out explicitly: "Testnet: deploy on approved PR to main."

Today an approval gate is missing, which means:

  • Any PR author can trigger a deploy that consumes `PRIVATE_KEY` by toggling `deploy-on-pr` in the calling workflow.
  • A protected-environment review/wait gate is not enforceable from this side.

Proposal

  1. Add an `environment` input to `_deploy-testnet.yml` (default `testnet`) and to the orchestrator's `deploy-testnet` job.
  2. Document in README how consumers should configure protected environments (required reviewers, deployment branch policies) so secrets can only be used after a maintainer approves the deployment run.
  3. Optionally: emit a clearer error when `PRIVATE_KEY` is missing — the protected-environment scoping makes the secret only available after approval, so we want the workflow to fail closed with a useful message during dry runs.

## Out of scope

- A mainnet workflow, which would also use environments. Tracked separately.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions