Approval Process for Production Environments

To provide System Administrators and DevOps teams with an additional layer of protection against human error and unauthorized access, an approval process should be configured for production environments.

The list of individuals eligible to approve GitHub workflows is defined by the repository-level variable GH_APPROVERS. Each approver must be a valid GitHub account holder and added as a collaborator to the infrastructure repository.

Approval can be enabled for specific environments by setting the APPROVAL_REQUIRED variable to true. It is strongly recommended to enforce this requirement in production environments to mitigate the risk of accidental deployments or environment resets, which may lead to the deletion of citizen data.

The infrastructure repository should have issues enabled to facilitate the approval process.
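The three prerequisites above can be verified before a production deployment is attempted. The script below is an added example, not part of the original documentation or the project's own tooling. It assumes an authenticated `gh` CLI, that `GH_APPROVERS` holds a comma-separated list of usernames, and that `APPROVAL_REQUIRED` is stored as a variable on the GitHub environment; the function names and the `acme/infra` repository in the usage comment are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: preflight check for the approval prerequisites.
# Assumptions: GH_APPROVERS is comma-separated; APPROVAL_REQUIRED is an
# environment-level variable; the gh CLI is installed and authenticated.

# Split a comma-separated approver list into one trimmed username per line.
parse_approvers() {
  printf '%s\n' "$1" | tr ',' '\n' |
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# Usage: check_approval_config acme/infra production
# Prints one line per finding; returns 1 if any prerequisite is unmet.
check_approval_config() {
  local repo="$1" env_name="$2" failures=0 approvers required user

  # 1. The approval request is filed as an issue, so issues must be enabled.
  if [ "$(gh api "repos/$repo" --jq .has_issues)" != "true" ]; then
    echo "FAIL: issues are disabled on $repo"; failures=$((failures + 1))
  fi

  # 2. Approval must be switched on for this environment.
  required="$(gh variable get APPROVAL_REQUIRED --repo "$repo" --env "$env_name" 2>/dev/null)"
  if [ "$required" != "true" ]; then
    echo "FAIL: APPROVAL_REQUIRED is not 'true' for $env_name"; failures=$((failures + 1))
  fi

  # 3. The approver list must be non-empty and every entry a collaborator.
  approvers="$(parse_approvers "$(gh variable get GH_APPROVERS --repo "$repo" 2>/dev/null)")"
  if [ -z "$approvers" ]; then
    echo "FAIL: GH_APPROVERS is empty or unset"; failures=$((failures + 1))
  fi
  while IFS= read -r user; do
    [ -n "$user" ] || continue
    # The collaborators endpoint answers 204 for a collaborator, 404 otherwise.
    if ! gh api "repos/$repo/collaborators/$user" --silent </dev/null 2>/dev/null; then
      echo "FAIL: $user is not a collaborator on $repo"; failures=$((failures + 1))
    fi
  done <<EOF
$approvers
EOF

  if [ "$failures" -eq 0 ]; then
    echo "OK: approval prerequisites met for $env_name"; return 0
  fi
  return 1
}
```

A failing check on a production environment means a deployment or reset could run without a valid approver being able to respond, so it is worth running after any change to collaborators or variables.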

Workflow execution

As demonstrated in the screenshot below, when approval is enabled for an environment, workflow execution will be paused. An issue will be automatically created within the infrastructure repository, and a link to this issue will appear in the workflow log.

The GitHub issue will contain a detailed description outlining exactly what needs approval.

Once the necessary approvals have been received, the workflow execution will resume.
