debian-mirror-gitlab/doc/ci/environments/deployment_approvals.md
2022-03-02 08:16:31 +05:30

4.8 KiB

stage group info description
Release Release To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments Require approvals prior to deploying to a Protected Environment

Deployment approvals (PREMIUM)

Introduced in GitLab 14.7 with a flag named deployment_approvals. Disabled by default.

WARNING: This feature is in an alpha stage and subject to change without prior notice.

It may be useful to require additional approvals before deploying to certain protected environments (for example, production). This pre-deployment approval requirement is useful to accommodate testing, security, or compliance processes that must happen before each deployment.

When a protected environment requires one or more approvals, all deployments to that environment become blocked and wait for the required approvals before running.

NOTE: See the epic for planned features.

Requirements

Configure deployment approvals for a project

To configure deployment approvals for a project:

  1. Create a deployment job.
  2. Require approvals for a protected environment.

Create a deployment job

Create a deployment job in the .gitlab-ci.yaml file of the desired project. The job does not need to be manual (when: manual).

Example:

stages:
  - deploy

production:
  stage: deploy
  script:
    - 'echo "Deploying to ${CI_ENVIRONMENT_NAME}"'
  environment:
    name: ${CI_JOB_NAME}

Require approvals for a protected environment

NOTE: At this time, only API-based configuration is available. UI-based configuration is planned for the near future. See issue.

Use the Protected Environments API to create an environment with required_approval_count > 0. After this is set, all jobs deploying to this environment automatically go into a blocked state and wait for approvals before running.

Example:

curl --header 'Content-Type: application/json' --request POST \
     --data '{"name": "production", "deploy_access_levels": [{"group_id": 9899826}], "required_approval_count": 1}' \
     --header "PRIVATE-TOKEN: <your_access_token>" \
     "https://gitlab.example.com/api/v4/projects/22034114/protected_environments"

To protect, update, or unprotect an environment, you must have at least the Maintainer role.

Approve or reject a deployment

NOTE: This functionality is currently only available through the API. UI is planned for the near future. See issue.

A blocked deployment is enqueued as soon as it receives the required number of approvals. A single rejection causes the deployment to fail. The creator of a deployment cannot approve it, even if they have permission to deploy.

Using the Deployments API, users who are allowed to deploy to the protected environment can approve or reject a blocked deployment.

Example:

curl --data "status=approved" \
     --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/1/deployments/1/approval"

How to see blocked deployments

Using the UI

  1. On the top bar, select Menu > Projects and find your project.
  2. On the left sidebar, select Deployments > Environments.
  3. Select the environment being deployed to.
  4. Look for the blocked label.

Using the API

Use the Deployments API to see deployments. The status field indicates if a deployment is blocked.

For details about other GitLab features aimed at protecting deployments, see safe deployments.