CI/CD Pipelines: Security, Secrets, and Governance/Require approval for production release

Add environment rules or manual gates before prod deploys.

Section: Reduce pipeline risk

Require approval for production release

Protect the production environment.
Require reviewers for prod deploy jobs.
Separate CI from production credentials.
Explanation

Human approval is still one of the most effective controls for high-impact environments.
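The three steps above as one GitHub Actions workflow. This is an added example, not taken from the original sheet. It assumes an environment named `production` already has required reviewers configured in the repository settings, and that the secret `PROD_DEPLOY_TOKEN`, the `make` targets and `scripts/deploy.sh` are hypothetical names.

```yaml
# Added example: CI job without production access, deploy job behind approval.
# Assumptions: environment "production" has "Required reviewers" enabled, and
# PROD_DEPLOY_TOKEN is stored as a secret on that environment, not on the repo.
name: build-and-release

on:
  push:
    branches: [main]

# Default token scope for every job; nothing gets write access implicitly.
permissions:
  contents: read

jobs:
  build:
    # CI job: no environment binding, so production-scoped secrets are
    # never available to build or test steps.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test dist            # hypothetical build/test targets
      - uses: actions/upload-artifact@v4
        with:
          name: release-bundle
          path: dist/

  deploy-prod:
    needs: build
    runs-on: ubuntu-latest
    # Binding the job to the protected environment pauses the run here until
    # a configured reviewer approves. Environment secrets are released to the
    # job only after that approval.
    environment: production
    # One production deploy at a time; never cancel a deploy in progress.
    concurrency:
      group: production-deploy
      cancel-in-progress: false
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          name: release-bundle
          path: dist/
      - run: ./scripts/deploy.sh dist/  # hypothetical deploy script
        env:
          DEPLOY_TOKEN: ${{ secrets.PROD_DEPLOY_TOKEN }}
```

If the deploy token is also defined as a repository-level secret, the `build` job can read it and the approval gate no longer protects the credential.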

Related commands

Be careful with untrusted pull requests
Avoid exposing secrets to code from forks.
Pin actions to a version or commit
Avoid floating references for critical workflow dependencies.
Use least-privilege permissions in GitHub Actions
Explicitly scope the token for each workflow or job.
Use OIDC instead of long-lived cloud keys
Exchange a short-lived identity token for cloud credentials.
Protect production variables in GitLab
Restrict sensitive variables to protected branches or tags.