How to Set Up GitHub Actions Environment Protection Rules
In this tutorial, you'll learn how to set up GitHub Actions Environment protection rules. We cover key concepts, practical examples, and best practices.
The Problem
Anyone with write access to your repository can run a workflow that deploys to production with no approval gate. A mistaken deployment from the wrong branch or a rogue PR can take down your site, corrupt the database, or leak sensitive data. GitHub Environments fix this by adding protection rules — required reviewers, branch restrictions, and wait timers — that must pass before a deployment job runs.
Quick Fix
1. Create a production Environment with protection rules
In your GitHub repository:
Settings → Environments → New environment
Name: production
Configure these protection rules:
✅ Required reviewers (add 2 team members)
Search: @devops-team
✅ Wait timer (set 5 minutes)
✅ Deployment branches (selected branches only)
Branch: main, release/*
Click "Save protection rules".
2. Reference the environment in your workflow
name: Deploy
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production
    steps:
      - uses: actions/checkout@v4
      - name: Deploy application
        run: |
          echo "Deploying to production..."
          # Call your actual deployment script
          # ./scripts/deploy.sh production
3. Add environment-scoped secrets
Settings → Environments → production → Environment secrets
Add: PROD_API_KEY
Add: PROD_DB_URL
Access them in your workflow:
- name: Use production secrets
  env:
    # Pass the secret through an environment variable instead of
    # interpolating it into the script; never echo it to the log
    PROD_API_KEY: ${{ secrets.PROD_API_KEY }}
  run: |
    echo "Deploying to production..."
    curl -X POST https://api.prod.example.com/deploy \
      -H "Authorization: Bearer $PROD_API_KEY"
4. Set up a staging-to-production pipeline
jobs:
  deploy-staging:
    runs-on: ubuntu-latest
    environment: staging
    steps:
      - run: echo "Deploying to staging..."
  run-tests:
    needs: deploy-staging
    runs-on: ubuntu-latest
    steps:
      - run: echo "Running integration tests..."
  deploy-production:
    needs: run-tests
    runs-on: ubuntu-latest
    environment: production
    steps:
      - run: echo "Deploying to production..."
5. Verify that protection is active
Push a commit to a branch that is not in the allowed list (e.g., feature/test). The workflow run shows:
⏳ Waiting for approval from required reviewers
This deployment requires approval from @devops-team before proceeding.
Expected behavior: The deployment job is queued and will not proceed until a reviewer approves it.
6. Use environment URLs for deployment tracking
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment:
      name: production
      # The URL may be taken from a step output (GitHub's documented pattern)
      url: ${{ steps.deploy.outputs.url }}
    steps:
      - id: deploy
        run: |
          echo "Deploying to production..."
          # Publish the deployed URL as a step output; there is no
          # 'environment' context available in workflow expressions
          echo "url=https://example.com" >> "$GITHUB_OUTPUT"
      - run: echo "Deployed to ${{ steps.deploy.outputs.url }}"
The environment URL appears in the GitHub Actions log and in the Environments list.
7. Monitor environment deployments in the GitHub dashboard
Navigate to Settings → Environments → production → Active deployments to see all currently deployed releases. Use this to track which version is live and roll back if needed.
Prevention
- Always set required reviewers on production environments — at least two for critical systems
- Use a wait timer (5-10 minutes) to give a cancellation window after accidental triggers
- Scope environment secrets tightly — do not reuse staging secrets in production
- Audit the deployment log in the Actions tab to verify that protection rules fired correctly
- Set deployment branches to main and release/* only — no direct feature branch deploys to production
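The settings above are easy to weaken later by a single click in the UI, so it helps to audit them from the API as well. The script below is an added example, not part of the original tutorial: it evaluates the JSON returned by GitHub's "Get an environment" REST endpoint against the policy this page recommends (two reviewers, a 5-minute wait timer, restricted deployment branches). The two sample responses are constructed to match the documented response shape; the repository name is a placeholder.

```python
import json

# Constructed samples shaped like the response of
# GET /repos/{owner}/{repo}/environments/{environment_name}
# (fetch a real one with: gh api repos/OWNER/REPO/environments/production).
WEAK_ENV = json.loads("""
{
  "name": "production",
  "protection_rules": [
    {"type": "required_reviewers",
     "reviewers": [{"type": "User", "reviewer": {"login": "alice"}}]},
    {"type": "wait_timer", "wait_timer": 0}
  ],
  "deployment_branch_policy": null
}
""")

STRONG_ENV = {
    "name": "production",
    "protection_rules": [
        {"type": "required_reviewers",
         "reviewers": [{"type": "User", "reviewer": {"login": "alice"}},
                       {"type": "Team", "reviewer": {"slug": "devops-team"}}]},
        {"type": "wait_timer", "wait_timer": 5},
        {"type": "branch_policy"},
    ],
    "deployment_branch_policy": {"protected_branches": False,
                                 "custom_branch_policies": True},
}


def audit_environment(env, min_reviewers=2, min_wait_minutes=5):
    """Return a list of findings; an empty list means the environment
    meets the policy described in this tutorial."""
    findings = []
    rules = {r["type"]: r for r in env.get("protection_rules", [])}

    reviewers = rules.get("required_reviewers", {}).get("reviewers", [])
    if len(reviewers) < min_reviewers:
        findings.append(f"required_reviewers: {len(reviewers)} configured, "
                        f"need at least {min_reviewers}")

    wait = rules.get("wait_timer", {}).get("wait_timer", 0)
    if wait < min_wait_minutes:
        findings.append(f"wait_timer: {wait} min, need at least {min_wait_minutes}")

    # A null deployment_branch_policy means any branch may deploy here
    if not env.get("deployment_branch_policy"):
        findings.append("deployment_branches: unrestricted; limit to selected branches")
    return findings


if __name__ == "__main__":
    for finding in audit_environment(WEAK_ENV):
        print(f"[FAIL] {WEAK_ENV['name']}: {finding}")
```

Run it against every environment returned by the list endpoint to catch a production environment whose reviewers or branch restrictions were quietly removed.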
Built by the developers of DodaTech