Git, GitHub & GitHub Actions
by Sergey Okinchuk
Secrets and Encrypted ValuesReusable Workflows and Composite Actions
GitHub Actions in Depth
Topic 57

Environments and Continuous Deployment

CI/CD

An environment is a named deployment target — staging, production — that carries its own secrets, protection rules, and deployment history. Attaching one to a job is what turns a plain CI run into controlled CD: required reviewers, wait timers, and branch restrictions all hang off the environment, not the workflow file.

The advantage is that the gates live with the target rather than the pipeline. A deploy job that names environment: production automatically resolves production's secrets and obeys production's approval rules, no matter which workflow invoked it.

Declaring an Environment

Add environment: production to a job and its secret lookups resolve to that environment's scope. The job appears in the environment's deployment history, and any protection rule configured on the environment applies before the job's steps run.

A gated deploy job
jobs:
  deploy:
    needs: [build, test]
    runs-on: ubuntu-latest
    environment: production
    steps:
      - uses: actions/checkout@v4
      - run: ./deploy.sh
        env:
          TOKEN: ${{ secrets.DEPLOY_TOKEN }}

Protection Rules

An environment can require reviewers — named people or teams who must approve before the job proceeds — plus an optional wait timer and a list of branches allowed to deploy. Required reviewers are the actual control; the wait timer only delays.

Deployment Gates

When a job hits a protected environment, it pauses and waits for approval. The run records who approved and when, so there is an audit trail tying each production deploy to a human decision rather than an automatic merge.

Environment Secrets and Variables

Secrets and variables scoped to an environment are visible only to jobs that name it. That is what keeps production credentials out of staging jobs and out of pull-request CI — a PR job that never declares environment: production cannot read its secrets.

Deployment History and Rollback

The environment tab tracks every deployment and shows the active version, so before promoting a new build you can confirm what is currently live and, if needed, identify the revision to roll back to.

Common Mistakes
  • Putting production credentials in repo secrets instead of environment secrets, so every job — including PR CI — can read them.
  • Leaving the production environment with no required reviewers, so any merge to main auto-deploys with no human gate.
  • Allowing all branches to deploy to production instead of restricting to main via the environment's branch policy.
  • Treating a wait timer as a security control when it only delays — reviewers are the actual gate.
  • Wiring deploy as a step inside the test job rather than a separate job with needs: and environment:, so it cannot be gated independently.
Best Practices
  • Keep production credentials in environment secrets, never at repo level.
  • Require manual reviewers on the production environment so a human approves before each deploy.
  • Restrict the production environment to the main branch with deployment branch rules.
  • Make deploy a distinct job gated by needs: [build, test] and an environment:.
  • Check the deployment history tab to confirm the active revision before promoting a new one.
Comparable toolsGitLab CI/CD environments, protected environments, deployment approvalsCircleCI restricted contexts and approval jobsAzure Pipelines environments with approvals and checksJenkins the input step and stages

Knowledge Check

What do environment protection rules buy over a plain deploy job?

  • Required reviewers, wait timers, and branch restrictions that gate the deploy before its steps run
  • Faster deploys by skipping the build cache entirely and reusing the previous run's already-built artifacts
  • Automatic rollback to the last green deployment whenever any step fails
  • A second isolated copy of the repository reserved for staging deploys

Why do environment secrets isolate production from PR CI?

  • They are visible only to jobs that name that environment, which a PR CI job does not
  • They are encrypted with a stronger algorithm than ordinary repository secrets use
  • PR jobs are blocked from running entirely until the environment is approved
  • They are rotated to fresh values on every pull request opened

What is the difference between a wait timer and required reviewers?

  • A wait timer only delays the deploy; required reviewers are the actual approval gate
  • A wait timer needs reviewer approval, while required reviewers just add a fixed delay
  • They are two interchangeable names for the same single protection control
  • A wait timer applies only to staging and required reviewers only to production

How do branch policies on an environment prevent unauthorized deploys?

  • They restrict which branches may deploy to the environment, so only main can reach production
  • They delete any feature branch that attempts a deploy to the environment
  • They require every branch to pass its full set of CI status checks before it is allowed to merge
  • They encrypt the deploy script separately for each branch that runs it

You got correct