
ci: gate NuGet publish behind a required-reviewer environment (#299)#335

Merged: maximn merged 1 commit into master from fix/299-nuget-publish-approval-gate on Jun 30, 2026

Conversation

maximn (Owner) commented Jun 30, 2026

Addresses #299 (tech-debt B8): verify Renovate auto-merge branch protection, and add a publish approval gate.

What I found (verified against the live repo via gh api)

  • Renovate branch protection — already compliant, no change needed. master protection requires the status checks build, Analyze (csharp), Analyze (actions) (required_status_checks.contexts). Renovate PRs run on same-repo branches, so every non-major auto-merge is already gated by a green build + CodeQL. Documented the finding and retired B8.
  • NuGet publish — no gate existed. Only a github-pages environment existed; the publish job had no environment:.

What this PR does

  • .github/workflows/nuget.yml — the publish job now runs in the release GitHub Environment:
    environment: ${{ (github.event_name == 'push' || inputs.dry_run == false) && 'release' || '' }}
    A v* tag push (or a dry_run=false manual run) pauses on Review deployments until a required reviewer approves. workflow_dispatch dry-runs stay ungated (expression resolves to no environment).
  • .agents/known-issues.md — removed the resolved B8 row.
  • .agents/build-release-ci.md — rewrote the two B8 OPS notes (gate now exists; branch protection verified) and added a reproducible one-time setup runbook.
  • RELEASING.md — documented the approval pause in the release flow.

No public API change; CHANGELOG.md left untouched (auto-generated by release.sh).

Repo settings (done / pending)

  • Created the release environment with required reviewer @maximn (prevent_self_review: false so a solo maintainer can approve their own release; no deployment-branch policy so the tag-push and manual publish paths both work). The gate is live now — without this, GitHub would auto-create the env with no rules and the gate would be a no-op.
  • Move NUGET_API_KEY to a release environment secret (defense-in-depth, per the chosen approach). This needs the secret value, so it's a maintainer step — runbook in build-release-ci.md:
    gh secret set NUGET_API_KEY --env release --repo maximn/google-maps   # prompts for value
    gh secret delete NUGET_API_KEY --repo maximn/google-maps              # only after a gated publish succeeds
    Until then the env-gated publish job reads the existing repo secret, so publishing and the gate both work.

Verification

  • nuget.yml is valid YAML; walked the environment: expression through tag-push / dry-run / manual-publish cases.
  • Confirmed via gh api that the release environment now has a required_reviewers rule.
  • Suggested manual check: a workflow_dispatch with dry_run=true runs ungated; a dry_run=false run pauses on "Review deployments".

Addresses #299 (tech-debt B8).

- nuget.yml: run the publish job in the `release` GitHub Environment so a
  required reviewer must approve real publishes (a `v*` tag push or a
  `dry_run=false` manual run). The conditional `environment:` expression
  resolves to no environment for `workflow_dispatch` dry-runs, so they
  stay ungated.
- Verified `master` branch protection already requires the `build` +
  CodeQL status checks, so Renovate auto-merge is gated by CI. Retired
  B8 from known-issues and documented the verification.
- Documented the one-time `release` environment setup (required reviewer,
  NUGET_API_KEY scoped as an environment secret) and the release-time
  approval pause in RELEASING.md.
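The comment above verifies the gate by hand (walking the `environment:` expression through the three triggers, then confirming the `release` environment has a `required_reviewers` rule via `gh api`). The script below is an added example, not code from the maximn/google-maps repository, that turns both checks into something runnable offline. The sample JSON is constructed to the shape of the `gh api repos/OWNER/REPO/branches/master/protection` and `gh api repos/OWNER/REPO/environments/release` responses, the required-context names are taken from the PR text, and the function names are the example's own.

```python
"""Added example (not code from the maximn/google-maps repo): an offline check
that a NuGet publish gate of the kind described in the PR is real end to end.

resolve_environment() mirrors the conditional `environment:` expression for
each trigger; audit_publish_gate() inspects the repo settings as `gh api`
returns them. The JSON below is constructed to the shape of
  gh api repos/OWNER/REPO/branches/master/protection
  gh api repos/OWNER/REPO/environments/release
so the script runs without network; pass two files of saved live output to
audit a real repo.
"""
import json
import sys

# Contexts the PR says `master` protection requires (taken from the PR text).
REQUIRED_CONTEXTS = {"build", "Analyze (csharp)", "Analyze (actions)"}


def resolve_environment(event_name, dry_run=None):
    """Mirror of:
         ${{ (github.event_name == 'push' || inputs.dry_run == false) && 'release' || '' }}
    Returns 'release' (gated) or '' (no environment, so no approval pause).
    `inputs.dry_run` is null on a push; GitHub Actions coerces null and false
    both to 0 before comparing, which is modelled here so the push case holds
    even without the event_name short-circuit."""
    def as_number(value):
        if value is None or value is False:
            return 0
        if value is True:
            return 1
        return value
    gated = event_name == "push" or as_number(dry_run) == as_number(False)
    return "release" if gated else ""


def audit_publish_gate(protection, environment, required_contexts=REQUIRED_CONTEXTS):
    """Return a list of findings; an empty list means the gate is enforced."""
    findings = []

    # 1. Renovate auto-merge: build + CodeQL checks must be required on master.
    rsc = protection.get("required_status_checks") or {}
    present = set(rsc.get("contexts") or [])
    present |= {c["context"] for c in (rsc.get("checks") or [])}
    missing = required_contexts - present
    if missing:
        findings.append(f"branch protection lacks required checks: {sorted(missing)}")

    # 2. Publish gate: the environment must carry a required_reviewers rule with
    #    at least one reviewer. An environment GitHub auto-creates on first use
    #    has no rules, and the `environment:` line is then a no-op.
    rules = [r for r in environment.get("protection_rules", [])
             if r.get("type") == "required_reviewers"]
    reviewers = [rv["reviewer"].get("login") or rv["reviewer"].get("slug")
                 for r in rules for rv in r.get("reviewers", [])]
    if not rules:
        findings.append("environment has no required_reviewers rule (gate is a no-op)")
    elif not reviewers:
        findings.append("required_reviewers rule lists no reviewers")

    # 3. A deployment-branch policy can silently block the v* tag-push path.
    if environment.get("deployment_branch_policy") is not None:
        findings.append("deployment branch policy set; confirm it admits v* tags "
                        "and the manual publish branch")
    return findings


# Constructed samples in the shape of the two gh api responses (not live data).
SAMPLE_PROTECTION = {
    "required_status_checks": {
        "strict": False,
        "contexts": ["build", "Analyze (csharp)", "Analyze (actions)"],
        "checks": [{"context": "build", "app_id": None},
                   {"context": "Analyze (csharp)", "app_id": None},
                   {"context": "Analyze (actions)", "app_id": None}],
    }
}
SAMPLE_ENVIRONMENT = {
    "name": "release",
    "protection_rules": [{
        "type": "required_reviewers",
        "prevent_self_review": False,
        "reviewers": [{"type": "User", "reviewer": {"login": "maximn"}}],
    }],
    "deployment_branch_policy": None,
}
# What the environment looks like when GitHub auto-creates it with no rules.
SAMPLE_UNGATED_ENVIRONMENT = {"name": "release", "protection_rules": [],
                              "deployment_branch_policy": None}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # saved output of the two gh api calls
        with open(sys.argv[1]) as p, open(sys.argv[2]) as e:
            protection, environment = json.load(p), json.load(e)
    else:
        protection, environment = SAMPLE_PROTECTION, SAMPLE_ENVIRONMENT
    for trigger in (("push", None), ("workflow_dispatch", True), ("workflow_dispatch", False)):
        print(f"{trigger}: environment={resolve_environment(*trigger)!r}")
    findings = audit_publish_gate(protection, environment)
    print("findings:", findings or "none")
    sys.exit(1 if findings else 0)
```

The third check is the one worth keeping in a CI job: the approval pause only exists while the environment has a `required_reviewers` rule, so re-running the audit after any settings change catches the case where the rule is deleted and the `environment:` line degrades to a no-op.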
github-actions (bot) commented
🔬 TestGlance

✅ 262 passed across 1 job (100.0%), ⏱️ 2.7s

Job    Result             Duration  Health
build  262/262 · 100.0%   2.7s      🟡

vs master

Metric     master   PR       Delta
Pass rate  100.0%   100.0%   +0.0%
Duration   2.3s     2.7s     +18.1%

Updated 2026-06-30T21:34:25.258Z

@maximn maximn merged commit b9cce48 into master Jun 30, 2026
7 checks passed
@maximn maximn deleted the fix/299-nuget-publish-approval-gate branch June 30, 2026 21:42