
Advanced automated deployment protection rules in Actions

Bekah Whittle // Director, Field Services // GitHub

In this guide you'll learn how to use GitHub Actions for scalable deployments. We'll show you how to deploy across different environments and how to use GitHub Marketplace for more advanced needs. The goal is to make sure your deployment strategies can grow and adapt with your business. Along the way, Itaú Unibanco and TELUS will share the deployment parameters that have helped advance their business.


In this guide, you will learn how to:

  • Set deployment protection rules to secure your deployments

  • Gain manual control over deployments through workflow_dispatch

  • Capture essential post-deployment data with deployment_outputs


Set automated deployment protection rules in Actions

Deployment protection rules serve as vital safeguards to ensure that deployments are executed securely and accurately. These rules can act as checkpoints, confirming that every deployment adheres to best practices and company-specific criteria. Here's a breakdown:

Required reviewers

Designate specific team members to review and approve deployments. This ensures changes align with company standards, adding an extra layer of verification. For instance, you might require a senior developer's approval before any deployment goes live.

Wait timer

Implement a set waiting period before any deployment Action. This can be crucial for critical deployments, allowing teams an opportunity to double-check or wait for off-peak hours to deploy, thus minimizing potential disruptions.

Custom rules

Create custom rules tailored to your organization or use third-party apps. For instance, ensure server loads are below a specific threshold before deploying or use an existing app to integrate such functionality.

Branch deployment control

Specify which branches are eligible for deployment. This ensures only mature, tested, and stable code is deployed. For example, allow only branches named release-* for deployment to maintain clear and consistent deployable code.

Safeguarding your credentials is one of the most impactful measures to secure your deployments. Think of it like securing your physical workspace – you wouldn't leave your password on a post-it note for everyone to see. Similarly, storing sensitive information in source code exposes it to anyone with access. We use organization secrets to handle commonly used confidential info; that way, we can easily revoke and rotate them when we need to. Our dev teams use repository secrets for sensitive data tied to specific repositories; that way, only those with permission to those repositories can access them.

Abigail Climacosa // Software Engineer // TELUS

Validate deployment parameters

Validating deployment parameters prior to execution is crucial for efficient and precise software deployment. By identifying discrepancies and inaccuracies at the outset, teams can avoid wasting time on troubleshooting and ensure that deployments proceed based on accurate and reliable data. This proactive step not only maintains the consistency of the deployment pipeline but also bolsters confidence in the overall system.

At Itaú, we've found that using Actions lets us check for problems early. We do this when developers start working on a new feature. Doing these checks ahead of time helps us avoid issues later, like delays or failed deployments. So, it's really helpful to use Actions to make sure everything is set up right from the start.

Gabriel Galeazzi // IT Engineering Specialist // Itaú Unibanco

workflow_dispatch

The workflow_dispatch event in Actions empowers developers with enhanced manual control over deployments. It provides a method to manually trigger the execution of a workflow from GitHub's interface, making it more interactive and flexible for deployment needs. 

By leveraging workflow_dispatch, you can input specific deployment parameters directly into the GitHub UI. For instance, parameters like the app container image, app type, and app name can be easily configured. This not only offers the flexibility to make on-the-fly adjustments but also ensures that the deployed content aligns with what's intended.

deployment_outputs

deployment_outputs captures essential data after executing a deployment on Actions. It stores key details, such as the plan name, environment name, container image, and registry login, in a structured outputs file, like deployment_outputs.json. This ensures easy access to crucial post-deployment information, streamlining any subsequent steps or verifications.
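
The following workflow is an added example, not taken from the guide or from TELUS or Itaú Unibanco: it combines the workflow_dispatch inputs, the parameter validation and the deployment_outputs.json file described above. The input names, allowed values, validation patterns and the placeholder deploy step are assumptions.

```yaml
# Added example; input names, allowed values and patterns are assumptions.
name: manual-deploy
on:
  workflow_dispatch:
    inputs:
      app_name: { description: "App name", required: true, type: string }
      app_type: { description: "App type", required: true, type: choice, options: [web, worker] }
      container_image: { description: "Image as repo:tag", required: true, type: string }
      target_env: { description: "Target environment", required: true, type: environment }

permissions:
  contents: read   # least privilege for the workflow token

jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - name: Validate deployment parameters
        env:   # pass inputs as data; never expand them inside the script text
          APP_NAME: ${{ inputs.app_name }}
          IMAGE: ${{ inputs.container_image }}
        run: |
          name_re='^[a-z][a-z0-9-]*$'
          image_re='^[a-z0-9][a-z0-9._/-]*:[A-Za-z0-9._-]+$'
          [[ "$APP_NAME" =~ $name_re ]] || { echo "::error::invalid app_name"; exit 1; }
          [[ "$IMAGE" =~ $image_re ]] || { echo "::error::invalid container_image"; exit 1; }

  deploy:
    needs: validate
    runs-on: ubuntu-latest
    # Naming the environment makes its protection rules gate this job
    # (required reviewers, wait timer, branch policy, custom rules).
    environment: ${{ inputs.target_env }}
    steps:
      - name: Deploy (placeholder for the real deployment step)
        run: echo "deploying"
      - name: Record deployment outputs
        env:
          APP_NAME: ${{ inputs.app_name }}
          IMAGE: ${{ inputs.container_image }}
          TARGET_ENV: ${{ inputs.target_env }}
        run: |
          # Record identifiers only; keep credentials out of the file.
          jq -n --arg app "$APP_NAME" --arg image "$IMAGE" --arg target "$TARGET_ENV" \
            '{app_name: $app, container_image: $image, environment_name: $target}' \
            > deployment_outputs.json
      - uses: actions/upload-artifact@v4
        with:
          name: deployment-outputs
          path: deployment_outputs.json
```

Because the deploy job only starts after validate succeeds and the environment's protection rules pass, a malformed parameter fails the run before any reviewer is asked to approve it.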

Leveraging the marketplace for enhanced deployments

The Actions Marketplace is a powerful tool that offers a plethora of actions tailored to streamline and optimize your deployments. By searching the marketplace, you can easily find actions that suit specific deployment needs, from deploying to platforms like Azure to more nuanced processes like canary or blue-green deployments. For instance, by simply searching for "Azure" or "deployment" within the marketplace, you're presented with a variety of actions, such as creating an AKS cluster or other Azure-specific tasks. By utilizing these pre-built actions, you can significantly simplify your deployment processes, ensuring a smoother and more efficient deployment flow.

The GitHub Marketplace is an excellent resource for enhancing your CI/CD pipeline and rapidly adopting industry best practices. When initially looking for a way to add security scanning for our container images, we searched the Marketplace and quickly found five options that could handle the job.

Gabriel Galeazzi // IT Engineering Specialist // Itaú Unibanco
