ci: gate NuGet publish behind a required-reviewer environment (#299)#335
Merged
Conversation
Addresses #299 (tech-debt B8).

- nuget.yml: run the publish job in the `release` GitHub Environment so a required reviewer must approve real publishes (a `v*` tag push or a `dry_run=false` manual run). The conditional `environment:` expression resolves to no environment for `workflow_dispatch` dry-runs, so they stay ungated.
- Verified `master` branch protection already requires the `build` + CodeQL status checks, so Renovate auto-merge is gated by CI. Retired B8 from known-issues and documented the verification.
- Documented the one-time `release` environment setup (required reviewer, NUGET_API_KEY scoped as an environment secret) and the release-time approval pause in RELEASING.md.
TestGlance: 262 passed across 1 job (100.0%), 2.7s. build: 262 passed. Updated 2026-06-30T21:34:25.258Z
Addresses #299 (tech-debt B8): verify Renovate auto-merge branch protection, and add a publish approval gate.
What I found (verified against the live repo via `gh api`)

- `master` protection requires the status checks `build`, `Analyze (csharp)`, `Analyze (actions)` (`required_status_checks.contexts`). Renovate PRs run on same-repo branches, so every non-major auto-merge is already gated by a green build + CodeQL. Documented the finding and retired B8.
- `github-pages` environment existed; the publish job had no `environment:`.

What this PR does

- `.github/workflows/nuget.yml` — the `publish` job now runs in the `release` GitHub Environment: `v*` tag push (or a `dry_run=false` manual run) pauses on Review deployments until a required reviewer approves. `workflow_dispatch` dry-runs stay ungated (expression resolves to no environment).
- `.agents/known-issues.md` — removed the resolved B8 row.
- `.agents/build-release-ci.md` — rewrote the two B8 OPS notes (gate now exists; branch protection verified) and added a reproducible one-time setup runbook.
- `RELEASING.md` — documented the approval pause in the release flow.

No public API change; `CHANGELOG.md` left untouched (auto-generated by `release.sh`).

Repo settings (done / pending)

- `release` environment with required reviewer `@maximn` (`prevent_self_review: false` so a solo maintainer can approve their own release; no deployment-branch policy so the tag-push and manual publish paths both work). The gate is live now — without this, GitHub would auto-create the env with no rules and the gate would be a no-op.
- `NUGET_API_KEY` to a `release` environment secret (defense-in-depth, per the chosen approach). This needs the secret value, so it's a maintainer step — runbook in `build-release-ci.md`:

Verification

- `nuget.yml` is valid YAML; walked the `environment:` expression through tag-push / dry-run / manual-publish cases.
- `gh api` that the `release` environment now has a `required_reviewers` rule.
- `workflow_dispatch` with `dry_run=true` runs ungated; a `dry_run=false` run pauses on "Review deployments".
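As an added illustration (not the repository's actual `nuget.yml`), a minimal workflow shaped like the gate described above: the `environment:` expression binds tag pushes and `dry_run=false` manual runs to `release`, and evaluates to an empty string (no environment, so no approval pause) for manual dry-runs. Job name, action versions and the `dotnet` commands are assumptions.

```yaml
name: nuget
on:
  push:
    tags: ['v*']            # a real release: always gated
  workflow_dispatch:
    inputs:
      dry_run:
        description: 'Pack only; do not push to nuget.org'
        type: boolean
        default: true

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    # Tag pushes and dry_run=false manual runs resolve to 'release', whose
    # required-reviewer rule pauses the job on "Review deployments".
    # A workflow_dispatch dry-run resolves to '' and runs with no environment.
    environment: ${{ (github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && inputs.dry_run == false)) && 'release' || '' }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-dotnet@v4
      - run: dotnet pack --configuration Release --output ./nupkg
      - name: Push to nuget.org
        # Skipped for dry-runs. On a tag push `inputs.dry_run` is unset, so the
        # step runs; the key is an environment secret, so it is only injected
        # after the reviewer has approved the `release` deployment.
        if: ${{ !inputs.dry_run }}
        env:
          NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }}
        run: >
          dotnet nuget push ./nupkg/*.nupkg
          --api-key "$NUGET_API_KEY"
          --source https://api.nuget.org/v3/index.json
          --skip-duplicate
```

A quick check of the gate: a dry-run from the Actions tab should complete with no "Review deployments" prompt, while a `dry_run=false` run or a `v*` tag should sit in the waiting state until approved.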