
How to Set Up GitHub Actions Environment Protection Rules

DodaTech

In this tutorial, you'll learn how to set up GitHub Actions Environment protection rules, with key concepts, practical examples, and best practices.

The Problem

Anyone with write access to your repository can run a workflow that deploys to production with no approval gate. A mistaken deployment from the wrong branch or a rogue PR can take down your site, corrupt the database, or leak sensitive data. GitHub Environments fix this by adding protection rules — required reviewers, branch restrictions, and wait timers — that must pass before a deployment job runs.

Quick Fix

1. Create a production Environment with protection rules

In your GitHub repository:

Settings → Environments → New environment
Name: production

Configure these protection rules:

✅ Required reviewers (add 2 team members)
   Search: @devops-team
✅ Wait timer (set 5 minutes)
✅ Deployment branches (selected branches only)
   Branch: main, release/*

Click "Save protection rules".

2. Reference the environment in your workflow

name: Deploy
on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production
    steps:
      - uses: actions/checkout@v4

      - name: Deploy application
        run: |
          echo "Deploying to production..."
          # Call your actual deployment script
          # ./scripts/deploy.sh production

3. Add environment-scoped secrets

Settings → Environments → production → Environment secrets
Add: PROD_API_KEY
Add: PROD_DB_URL

Access them in your workflow:

- name: Use production secrets
  run: |
    # Never echo the secret itself: GitHub masks registered secret values in
    # the log, but anything derived from them (base64, substrings) is not masked.
    echo "Deploying with production credentials"
    curl -X POST https://api.prod.example.com/deploy \
      -H "Authorization: Bearer ${{ secrets.PROD_API_KEY }}"

4. Set up a staging-to-production pipeline

jobs:
  deploy-staging:
    runs-on: ubuntu-latest
    environment: staging
    steps:
      - run: echo "Deploying to staging..."

  run-tests:
    needs: deploy-staging
    runs-on: ubuntu-latest
    steps:
      - run: echo "Running integration tests..."

  deploy-production:
    needs: run-tests
    runs-on: ubuntu-latest
    environment: production
    steps:
      - run: echo "Deploying to production..."

5. Verify that protection is active

Push a commit to a branch that is not in the allowed list (e.g., feature/test). The workflow run shows:

⏳ Waiting for approval from required reviewers
This deployment requires approval from @devops-team before proceeding.

Expected behavior: The deployment job is queued and will not proceed until a reviewer approves it.

6. Use environment URLs for deployment tracking

jobs:
  deploy:
    environment:
      name: production
      # The URL may be a literal or an output of a step in this job;
      # there is no `environment` expression context to read it back from.
      url: ${{ steps.deploy.outputs.url }}
    runs-on: ubuntu-latest
    steps:
      - id: deploy
        run: |
          echo "Deploying to production..."
          echo "url=https://example.com" >> "$GITHUB_OUTPUT"
      - run: echo "Deployed to ${{ steps.deploy.outputs.url }}"

The environment URL appears in the GitHub Actions log and in the Environments list.

7. Monitor environment deployments in the GitHub dashboard

Navigate to Settings → Environments → production → Active deployments to see all currently deployed releases. Use this to track which version is live and roll back if needed.

Prevention

  • Always set required reviewers on production environments — at least two for critical systems
  • Use a wait timer (5-10 minutes) to give a cancellation window after accidental triggers
  • Scope environment secrets tightly — do not reuse staging secrets in production
  • Audit the deployment log in the Actions tab to verify that protection rules fired correctly
  • Set deployment branches to main and release/* only — no direct feature branch deploys to production
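The checklist above, and the rules saved in step 1, can be verified from the environment's configuration rather than by eye. The script below is an added example, not code from the original post: it takes the JSON shape that GitHub's REST endpoint GET /repos/{owner}/{repo}/environments/{name} returns (the sample here is constructed, not a real repository), reports which Prevention items are missing, and matches branch names the way GitHub documents for name patterns, where `*` does not cross a slash.

```python
import re

# Constructed sample mirroring GET /repos/{owner}/{repo}/environments/{name}
# after the rules from step 1 were saved (not a real repository).
PRODUCTION_ENV = {
    "name": "production",
    "protection_rules": [
        {"type": "wait_timer", "wait_timer": 5},
        {"type": "required_reviewers", "prevent_self_review": True,
         "reviewers": [{"type": "Team", "reviewer": {"slug": "devops-team"}},
                       {"type": "User", "reviewer": {"login": "alice"}}]},
        {"type": "branch_policy"},
    ],
    # null in the real response when "all branches" may deploy
    "deployment_branch_policy": {"protected_branches": False,
                                 "custom_branch_policies": True},
}
# Patterns as listed under .../environments/{name}/deployment-branch-policies
PRODUCTION_PATTERNS = ["main", "release/*"]
# An environment with no rules at all, for comparison (constructed).
OPEN_ENV = {"name": "production", "protection_rules": [],
            "deployment_branch_policy": None}


def audit_environment(env, patterns, min_reviewers=2, min_wait=5):
    """Return findings against the Prevention checklist; empty means compliant."""
    rules = {r["type"]: r for r in env.get("protection_rules", [])}
    findings = []
    reviewers = rules.get("required_reviewers", {}).get("reviewers", [])
    if len(reviewers) < min_reviewers:
        findings.append(f"required reviewers: {len(reviewers)} (need {min_reviewers})")
    wait = rules.get("wait_timer", {}).get("wait_timer", 0)
    if wait < min_wait:
        findings.append(f"wait timer: {wait} min (need {min_wait})")
    policy = env.get("deployment_branch_policy")
    if policy is None:
        findings.append("deployment branches: any branch may deploy")
    elif policy.get("custom_branch_policies") and not patterns:
        findings.append("deployment branches: custom policy with no patterns")
    return findings


def branch_allowed(branch, patterns):
    """Match a branch against GitHub-style name patterns.

    Assumed semantics, as documented for branch name patterns: '*' matches any
    run of characters except '/', so 'release/*' allows 'release/1.0' but
    not 'release/hotfix/1'.
    """
    for pat in patterns:
        regex = "".join("[^/]*" if c == "*" else re.escape(c) for c in pat)
        if re.fullmatch(regex, branch):
            return True
    return False
```

Feed it the output of `gh api repos/OWNER/REPO/environments/production` (and the deployment-branch-policies listing) to audit a real environment.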
