github-actions

Can I have an external tool approving Github (Actions) deployments?


I use Github Actions + environments in my project.

However, there is a requirement that the reviewers to deploy in each environment must approve it in an external tool.

I can make all REST integrations easily...

My question is: Can I have a generic service_account in Github perform this approval?

for example:

  • GitHub Actions workflow to deploy is triggered
  • A REST API call to notify the external tool that an approval is needed
  • GitHub Actions workflow stops, waiting for approval
  • Some specific person (Joe) approves the deploy in the external tool
  • The external tool makes a REST API call to notify GitHub that the approval is OK. This is done using a generic user_service account with admin privileges.

Solution

  • You would need two jobs in parallel for the approval from the github workflow performing the deploy:

    • The first one to ask for the manual approval (that would wait for the external tool callback to continue).
    • The other one to send the request to the external tool.

    Then, from the external tool, to call the workflow back with the approved / denied message (from Joe), you could use this GitHub API endpoint for reviewing pending deployments (you would need a PAT for that; it could be a user service account from your GitHub Organization / Team).

    From the API Documentation:

    Approve or reject pending deployments that are waiting on approval by a required reviewer. Required reviewers with read access to the repository contents and deployments can use this endpoint. Required reviewers must authenticate using an access token with the repo scope to use this endpoint.

    Request curl:

    curl -L \
      -X POST \
      -H "Accept: application/vnd.github+json" \
      -H "Authorization: Bearer <YOUR-TOKEN>" \
      -H "X-GitHub-Api-Version: 2022-11-28" \
      https://api.github.com/repos/OWNER/REPO/actions/runs/RUN_ID/pending_deployments \
      -d '{"environment_ids":[161171787],"state":"approved","comment":"Ship it!"}'


    Note

    It's a bit different from what you asked, as the GitHub Actions workflow wouldn't stop waiting for approval, but that would be a way for the external tool to have control over what is approved or not.
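The external-tool side of the callback described in the answer above, as an added example (it is not code from the answer's author or from GitHub). It first lists the run's pending deployments with a GET on the same `pending_deployments` endpoint to resolve the environment name to the `environment_ids` value the POST needs and to check `current_user_can_approve`, then sends the approved / rejected review. The `owner`, `repo`, `run_id`, environment names, token and the `SAMPLE_PENDING` response are constructed placeholders; the HTTP layer is injectable so the module can be exercised offline with `fake_transport`.

```python
"""Approve or reject a GitHub Actions deployment waiting on a required reviewer.

Hypothetical callback for the external approval tool. Real calls use
urllib; `fake_transport` serves a constructed sample so this runs offline.
"""
import json
import urllib.request

API = "https://api.github.com"
API_VERSION = "2022-11-28"
VALID_STATES = {"approved", "rejected"}  # the only states the endpoint accepts

# Constructed sample of a GET .../actions/runs/{run_id}/pending_deployments
# response, trimmed to the fields this module reads.
SAMPLE_PENDING = [
    {"environment": {"id": 161171787, "name": "production"},
     "wait_timer": 0, "current_user_can_approve": True},
    {"environment": {"id": 161171788, "name": "staging"},
     "wait_timer": 0, "current_user_can_approve": False},
]


def _headers(token):
    """Headers from the curl example in the answer, plus a JSON content type."""
    return {
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
        "X-GitHub-Api-Version": API_VERSION,
        "Content-Type": "application/json",
    }


def find_environment_id(pending, env_name):
    """Resolve an environment name to its id among the run's pending deployments.

    Returns None when that environment is not waiting on review. Raises
    PermissionError when the token's user is not allowed to approve it, so a
    mis-scoped service account fails loudly instead of sending a rejected POST.
    """
    for entry in pending:
        env = entry["environment"]
        if env["name"] == env_name:
            if not entry.get("current_user_can_approve", False):
                raise PermissionError(f"token cannot review environment {env_name!r}")
            return env["id"]
    return None


def build_review(environment_id, state, comment):
    """Build the POST body; reject anything other than approved/rejected."""
    if state not in VALID_STATES:
        raise ValueError(f"state must be one of {sorted(VALID_STATES)}, got {state!r}")
    return {"environment_ids": [environment_id], "state": state, "comment": comment}


def _http(method, url, headers, body):
    """Default transport: one JSON request via urllib."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fake_transport(method, url, headers, body):
    """Offline stand-in: serve the constructed sample, echo what would be posted."""
    if method == "GET":
        return SAMPLE_PENDING
    return {"url": url, "sent": body}


def review_pending_deployment(owner, repo, run_id, env_name, state, comment,
                              token, transport=_http):
    """Look up the pending environment for run_id and post Joe's decision.

    Returns the transport's response for the POST, or None if env_name is not
    among the run's pending deployments.
    """
    url = f"{API}/repos/{owner}/{repo}/actions/runs/{run_id}/pending_deployments"
    pending = transport("GET", url, _headers(token), None)
    env_id = find_environment_id(pending, env_name)
    if env_id is None:
        return None
    return transport("POST", url, _headers(token), build_review(env_id, state, comment))


if __name__ == "__main__":
    # Offline usage with constructed placeholders (OWNER/REPO/run 42/token).
    print(review_pending_deployment("OWNER", "REPO", 42, "production", "approved",
                                    "Ship it!", "placeholder-token",
                                    transport=fake_transport))
```

Resolving the id from the GET response avoids hard-coding environment ids per repository, and checking `current_user_can_approve` before posting means the service account only needs to be a required reviewer with the scope the answer quotes, not an admin account as the question proposes.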