ci(release): gate release-trigger on the release environment (#23662)

dkirov-dd · claude · web-flow · commit 58c447b5f8f8 · 2026-05-11T15:10:34.000Z
* ci(release): gate release-trigger on the release environment

The prepare job in release-dispatch.yml creates tags before reaching the
environment: release gate on the dispatch job. Adding environment: release
to the calling dispatch job in release-trigger.yml ensures GitHub's
deployment protection runs before the reusable workflow's jobs start,
so tagging requires manual approval.

Co-Authored-By: Claude Sonnet 4.6 (1M context) &lt;noreply@anthropic.com&gt;

* ci(release): gate release-trigger on the release environment

Add environment: release to the dispatch job that calls the reusable
release-dispatch.yml workflow. GitHub's deployment protection now runs
before any of the reusable workflow's jobs start, so the prepare step
(which creates tags) requires manual approval.

The inner environment: release on release-dispatch.yml's dispatch job
is removed in integrations-core — a single gate at the trigger level
is sufficient.

Co-Authored-By: Claude Sonnet 4.6 (1M context) &lt;noreply@anthropic.com&gt;

* ci(release): gate release-trigger via intermediate approve job

environment: release cannot be used on a job that calls a reusable
workflow (uses:). Instead, add an explicit approve job that holds the
environment gate; the dispatch job depends on it, so the reusable
workflow's prepare step (which creates tags) cannot run until a
reviewer approves the deployment.

Remove the previously-added environment: release from the dispatch
job (invalid) and the inner environment: release from release-dispatch.yml
(redundant — a single gate is sufficient).

Co-Authored-By: Claude Sonnet 4.6 (1M context) &lt;noreply@anthropic.com&gt;

---------

Co-authored-by: Claude Sonnet 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/release-dispatch.yml b/.github/workflows/release-dispatch.yml
@@ -96,7 +96,6 @@ jobs:
     needs: prepare
     if: needs.prepare.outputs.has_packages == 'true' && !inputs.dry-run
     runs-on: ubuntu-latest
-    environment: release
 
     strategy:
       matrix:
diff --git a/.github/workflows/release-trigger.yml b/.github/workflows/release-trigger.yml
@@ -54,9 +54,17 @@ jobs:
             echo "is-stable-release=false" >> "$GITHUB_OUTPUT"
           fi
 
+  approve:
+    name: Await release approval
+    needs: context
+    runs-on: ubuntu-latest
+    environment: release
+    steps:
+      - run: echo "Release approved"
+
   dispatch:
     name: Release
-    needs: context
+    needs: [context, approve]
     uses: ./.github/workflows/release-dispatch.yml
     with:
       source-repo: integrations-core
