Environment reviewer-based solution
This new approach requires a user from the environment's reviewer list to review and approve the workflow run before it can proceed. A benefit is that this list can be controlled in a fine-grained way, whereas with the label-based approach anyone who can add a label to a PR (every user with Write permission) can release the workflow.
This approach requires a reviewer to approve every commit, whereas the label-based system only needs the label to be added once and then runs the workflow on every subsequent push. A benefit is that compute time is saved (the scan only runs on commits a reviewer has approved), and each new commit is looked at before the secret is exposed to it.
Approving the workflow takes more clicks (4-5) than adding a label.
Step 1
The "Sonar Scan" task requires an approval because the workflow needs access to the SONAR_TOKEN secret, which an ill-intentioned contributor could otherwise extract by modifying the code the task runs.
Step 2
Click on "Details" for the "Sonar Scan" task. Note the orange clock icon that indicates that the workflow is waiting on a manual review.
Step 3
Click on "Review pending deployments"
Step 4
Approve the Sonar deployment.
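The following workflow is an added example of how the approval gate described in steps 1 to 4 is wired up; it is not the project's own workflow. It assumes an environment named sonar exists in the repository settings with required reviewers configured, that SONAR_TOKEN is stored as a secret of that environment rather than as a repository secret, and that the scanner is invoked with a plain sonar-scanner command (a hypothetical step; the real invocation depends on the project's scanner setup).

```yaml
# Added example, not the project's own workflow.
# Assumptions: an environment named "sonar" with required reviewers, and the
# SONAR_TOKEN secret stored on that environment (not at repository level).
name: CI

on:
  pull_request:

permissions:
  contents: read

jobs:
  build:
    # Untrusted PR code runs here without any secrets, so no approval is needed.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "build and unit tests run here without secrets"

  sonar-scan:
    name: Sonar Scan
    needs: build
    runs-on: ubuntu-latest
    # Binding the job to the environment is what triggers the manual review:
    # the job is held (the orange clock icon) until a required reviewer approves
    # it under "Review pending deployments", and only then does GitHub release
    # the environment's secrets to it.
    environment: sonar
    steps:
      - uses: actions/checkout@v4
      - name: Run scanner
        env:
          # Only resolvable after approval, because the secret lives on the environment.
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        run: sonar-scanner   # hypothetical invocation, see lead-in
```

The check that matters is where SONAR_TOKEN is stored: if it is a repository-level secret, the environment gate protects nothing, because any job in the workflow can read it without approval. Note also that on the plain pull_request trigger GitHub already withholds secrets from runs started by forks; the environment gate is what protects them for runs from branches in this repository and for triggers such as pull_request_target that do receive secrets.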
Require branches to be up to date
At least one status check must be marked as Required in the branch protection rule for this option to be available.
The developer has two options to update their feature branch:
Option 1: Click on "Update with merge commit" on the PR page. If more local development is required, the developer can then run git pull to bring the update into their local feature branch.
Option 2: Update the feature branch with main from their local development environment (for example git fetch origin followed by git merge origin/main), then git push to push the changes to the remote.
Related to #2590