GitHub Actions with Manual Approval Jobs

Let's say we use Terraform and GitHub Actions for CI/CD.

We will have plan and apply steps like the ones below:

name: 'Terraform'

on: [push, pull_request]

jobs:
  check_lint:
    #....
  check_vulnerability:
    needs: check_lint
    #...
  plan_and_apply:
    name: 'Plan and Apply'
    runs-on: ubuntu-latest
    needs: check_vulnerability

    steps:
    - name: Checkout
      uses: actions/checkout@v2
    
    - name: Setup Terraform
      uses: hashicorp/setup-terraform@v1

    - name: Terraform Init
      run: terraform init

    - name: Terraform Plan
      run: terraform plan

    - name: Terraform Apply
      run: terraform apply -auto-approve

How do we make it approval based, so that apply does not run on every push without a human looking at the plan?

By using the GitHub Environments feature.

Steps:

Refer to the image below, which shows a prod-env environment being created with dineshba as its required reviewer:

[image: github-env.png]

Split the single job into two jobs inside the same workflow:

name: 'Terraform'

on: [push, pull_request]

jobs:
  check_lint:
    #....
  check_vulnerability:
    needs: check_lint
    #...
  plan:
    name: 'Plan'
    runs-on: ubuntu-latest
    needs: check_vulnerability

    steps:
    - name: Checkout
      uses: actions/checkout@v2
    
    - name: Setup Terraform
      uses: hashicorp/setup-terraform@v1

    - name: Terraform Init
      run: terraform init

    - name: Terraform Plan
      run: terraform plan

  apply:
    name: 'Apply'
    runs-on: ubuntu-latest
    needs: plan
    environment:
      name: prod-env
      # As prod-env's required reviewer is `dineshba`,
      # this job will wait for approval from dineshba before it starts

    steps:
    #... checkout, setup, init terraform steps like plan
    - name: Terraform Apply
      run: terraform apply -auto-approve

After the plan stage, GitHub Actions will send a notification/email to the configured reviewers. After it is approved, the apply stage will run.
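A fuller version of the two-job workflow, added here as an example and not code from the original post: it keeps the same prod-env gate, but saves the plan with `-out` and passes the file to the apply job as an artifact, so reviewers approve exactly the changes that get applied rather than a fresh plan computed after they click approve. The `main` branch name, the `if:` condition on the apply job and the one-day artifact retention are assumptions; only the plan and apply jobs are shown.

```yaml
name: 'Terraform'

on: [push, pull_request]

jobs:
  plan:
    name: 'Plan'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v1

      - name: Terraform Init
        run: terraform init

      # Save the plan to a file so the apply job executes exactly this plan,
      # not a new plan computed after the reviewer approved.
      - name: Terraform Plan
        run: terraform plan -out=tfplan

      # Print the saved plan in the job log so reviewers can read what they approve.
      - name: Show Plan
        run: terraform show -no-color tfplan

      # The plan file can contain resource attributes, including sensitive ones,
      # so keep the artifact only as long as the approval is expected to take.
      - name: Upload Plan
        uses: actions/upload-artifact@v3
        with:
          name: tfplan
          path: tfplan
          retention-days: 1   # assumption: approvals happen within a day

  apply:
    name: 'Apply'
    runs-on: ubuntu-latest
    needs: plan
    # Assumption: only pushes to the main branch are ever applied to prod.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    environment:
      name: prod-env   # must match the environment created under Settings > Environments
    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v1

      - name: Terraform Init
        run: terraform init

      - name: Download Plan
        uses: actions/download-artifact@v3
        with:
          name: tfplan

      # Applying a saved plan does not prompt, so -auto-approve is not needed,
      # and Terraform refuses to apply if the state changed since the plan was made.
      - name: Terraform Apply
        run: terraform apply tfplan
```

Because the apply job consumes the saved plan, a change to the remote state between the reviewer's approval and the apply makes Terraform fail with a stale-plan error instead of silently applying something different from what was reviewed; re-running the workflow produces a fresh plan for a fresh approval.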
