Add a "release-gate" step to the release workflow#18804
Merged
Conversation
zanieb commented Apr 1, 2026
Comment on lines -111 to +122
| if: ${{ needs.plan.outputs.publishing == 'true' || fromJson(needs.plan.outputs.val).ci.github.pr_run_mode == 'upload' || inputs.tag == 'dry-run' }} | ||
| - release-gate | ||
| if: ${{ always() && needs.plan.result == 'success' && (needs.release-gate.result == 'success' || needs.release-gate.result == 'skipped') && (needs.plan.outputs.publishing == 'true' || fromJson(needs.plan.outputs.val).ci.github.pr_run_mode == 'upload' || inputs.tag == 'dry-run') }} |
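Review bot: the new condition at +122 treats `needs.release-gate.result == 'skipped'` the same as `'success'`, so this job is not held back when the gate job is skipped; that is consistent with the PR description (builds may start before the gate is approved, and enforcement lives in the `release` environment's protection rule), but a short YAML comment saying the gate is advisory at this point would stop the next reader from taking `always()` plus the explicit result checks for a bypass.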
Member
Author
This fixes dry-run Docker builds, which probably weren't working before. Oops!
Member
Not critical for this PR, but we could probably simplify these conditions a bit with the new case() function:
https://docs.github.com/en/actions/reference/workflows-and-actions/expressions#case
woodruffw approved these changes Apr 1, 2026
Gankra reviewed Apr 1, 2026
Comment on lines +59 to +61
| environment: | ||
| name: release-gate | ||
| deployment: false |
Contributor
Can we add a comment or something to this? This is Absolute Sorcery and without the context of this PR looks like a noop task.
zanieb added a commit to astral-sh/ruff that referenced this pull request Apr 2, 2026
Mirrors astral-sh/uv#18804
You can see the environment policies I'll apply following merge at https://github.com/astral-sh/github-policies/tree/main/environments
Also updates the Docker workflow to avoid using release secrets when not pushing.
The way this works is:
- release-gate is an environment which requires approval from another person in the organization
- release environment for release environment because we run many child jobs during releases
- release environment uses a deployment protection rule which queries a GitHub App we manage
- release-gate job was successful in the same workflow and approves or denies accordingly

The GitHub App's source is at https://github.com/open-security-tools/ost-environment-gate and includes another explanation of what's going on in this process.
We don't make the release-gate block everything, so builds can start at least while we wait for the release-gate to be approved.
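The approve-or-deny step the description above attributes to the GitHub App, as an added example that is not the ost-environment-gate app's code: the decision logic a custom deployment protection rule could run when GitHub delivers a deployment_protection_rule event, fed a constructed payload and jobs list. It assumes the payload's `environment` and `deployment_callback_url` fields and the jobs API's `name`/`run_id`/`status`/`conclusion` fields (GitHub's documented shapes); the owner, repo and run id are made up.

```python
"""Decision logic for a custom deployment protection rule, modelled on the gate
this PR describes. Constructed illustration, not the ost-environment-gate app's
code. Assumed inputs: the `environment` and `deployment_callback_url` fields of
GitHub's deployment_protection_rule webhook payload, and the `jobs` array of
the workflow-run jobs API (name, run_id, status, conclusion)."""
import re
from typing import Optional

GATED_ENVIRONMENT = "release"  # environment the protection rule is attached to
GATE_JOB = "release-gate"      # job that must have succeeded in the same run

# GitHub's callback URL ends in the id of the workflow run that is trying to
# deploy; the gate job must come from that same run, not just any run.
CALLBACK_RE = re.compile(
    r"/repos/[^/]+/[^/]+/actions/runs/(?P<run_id>\d+)/deployment_protection_rule$")

def run_id_from_callback(url: str) -> int:
    m = CALLBACK_RE.search(url)
    if m is None:
        raise ValueError(f"unexpected callback url: {url}")
    return int(m.group("run_id"))

def decide(event: dict, jobs: list) -> Optional[dict]:
    """Return the body to POST to deployment_callback_url, or None when the
    event is for an environment this rule does not gate. Approve only when
    exactly one GATE_JOB in the same run completed with conclusion 'success';
    skipped, failed, cancelled, missing, or from another run => rejected."""
    env = event["environment"]
    if env != GATED_ENVIRONMENT:
        return None
    run_id = run_id_from_callback(event["deployment_callback_url"])
    gate = [j for j in jobs if j["name"] == GATE_JOB and j["run_id"] == run_id]
    if len(gate) == 1 and gate[0]["status"] == "completed" \
            and gate[0]["conclusion"] == "success":
        return {"environment_name": env, "state": "approved",
                "comment": f"{GATE_JOB} succeeded in run {run_id}"}
    reason = (gate[0]["conclusion"] or gate[0]["status"]) if gate else "not found"
    return {"environment_name": env, "state": "rejected",
            "comment": f"{GATE_JOB} in run {run_id}: {reason}"}

# Constructed sample payload and jobs list (owner, repo and run id are made up).
SAMPLE_EVENT = {"environment": "release", "deployment_callback_url":
                "https://api.github.com/repos/example-org/example-repo"
                "/actions/runs/4242/deployment_protection_rule"}
SAMPLE_JOBS = [
    {"name": "plan", "run_id": 4242, "status": "completed", "conclusion": "success"},
    {"name": GATE_JOB, "run_id": 4242, "status": "completed", "conclusion": "success"},
]
```

In a real app the returned dict is posted to `deployment_callback_url` with the app's installation token; a gate job that was skipped (the non-publishing path the PR leaves open) is rejected here, which is the behaviour the `release` environment relies on.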