
Add deploy gate demo workflow #45

Merged: rodchalski merged 1 commit into main from pp-activation-hardening-20260502212048 on May 2, 2026

@rodchalski
Contributor

Summary

  • add the Deploy Gate workflow to the demo template
  • document required PP_API_KEY and PP_REQUEST_CREATE_TOKEN secrets
  • make the fallback activation repo match the one-person external activation script

Verification

  • inspected workflow and README changes
  • no package/test suite in this repo

@github-actions

github-actions Bot commented May 2, 2026

🔒 Permission Protocol

✅ Approved — human authorization recorded. View receipt


Approval brief

Why this change: This change updates .github/workflows/deploy-gate.yml, but the product intent needs manual confirmation from the diff or PR author.

What changes for users/operators: This PR changes ci/cd surface; the exact user/operator flow could not be inferred safely from the diff alone.

Blast radius:

  • Affected: Build, routing, or release behavior
  • Not indicated: auth, database, billing, secrets

⚠️ Why approval is required

Behavior for changed surface may differ if this change is wrong

  • Risk: 🔴 High — CI/CD
  • Impact: Behavior for changed surface may differ if this change is wrong
  • Files: .github/workflows/deploy-gate.yml, README.md
  • Status: Approved (receipt)

View authorization receipt →

Authorization is recorded. Keep the checks below as deploy/merge verification evidence.


✅ Verify before authorizing
  • Identify the caller or user flow for .github/workflows/deploy-gate.yml before approving.
  • Exercise the changed surface with a valid and invalid request and confirm the response is expected.
📋 Why was this flagged?
  • Changed file: .github/workflows/deploy-gate.yml
  • Detected CI/CD signal: Touches CI pipelines, automation, or release workflow configuration.
  • Flow could not be inferred safely from available evidence.

🔒 Permission Protocol · Decision: approved with human authorization

@permission-protocol
Contributor

🔒 Permission Protocol

🚨 Human authorization required. To add a Deploy Gate workflow to the demo template and document the required secrets for the Permission Protocol integration. Because PRs targeting main will trigger a Permission Protocol check. If changes touch protected paths like deploy/ or .github/wo.


Approval brief

Why this change: To add a Deploy Gate workflow to the demo template and document the required secrets for the Permission Protocol integration

What changes for users/operators: A new GitHub Action workflow is added that triggers on pull requests to main. Users are now required to configure both PP_API_KEY and PP_REQUEST_CREATE_TOKEN secrets in their repository settings

Blast radius:

  • Affected: Build, routing, or release behavior
  • Not indicated: auth, database, billing, secrets

⚠️ Why approval is required

PRs targeting main will trigger a Permission Protocol check. If changes touch protected paths like deploy/ or .github/wo

  • Risk: 🔴 High — CI/CD
  • Impact: PRs targeting main will trigger a Permission Protocol check. If changes touch protected paths like deploy/ or .github/wo
  • Files: .github/workflows/deploy-gate.yml, README.md
  • Status: Awaiting authorization

👉 🔓 Authorize this change →

Authorize only after the checks below match what you see in the diff and preview.


✅ Verify before authorizing
  • Confirm that PP_API_KEY and PP_REQUEST_CREATE_TOKEN are configured in the repository secrets
  • Verify that the protected-paths regex '^(deploy/|.github/workflows/)' matches the intended sensitive directories
📋 Why was this flagged?
  • The PR adds a Deploy Gate demo workflow to the template
  • A new workflow file is created at .github/workflows/deploy-gate.yml
  • The workflow triggers on pull requests targeting the main branch

🔒 Permission Protocol · Decision: approval required by policy
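
One way to carry out the protected-paths check from the "Verify before authorizing" list above, as an added example that is not part of this PR or of the Permission Protocol project: it runs the quoted pattern over a list of changed paths and reports which ones would be gated, and where an escaped-dot variant would decide differently. The sample paths (other than the two files named in the PR), the escaped variant, the function names, and the use of Python regex semantics on repo-relative paths are assumptions.

```python
import re

# Pattern exactly as quoted in the approval brief.
QUOTED = re.compile(r"^(deploy/|.github/workflows/)")
# Variant with the dot escaped (assumed intent, not the project's pattern).
ESCAPED_DOT = re.compile(r"^(deploy/|\.github/workflows/)")

# Constructed sample of repo-relative changed paths. The first two are the
# files listed in the PR; the rest are hypothetical edge cases.
SAMPLE_PATHS = [
    ".github/workflows/deploy-gate.yml",
    "README.md",
    "deploy/prod.yaml",
    "src/deploy/helper.py",              # nested deploy/: not matched, pattern is anchored
    "deployment/notes.md",               # shares a prefix but lacks the "deploy/" slash
    ".github/actions/setup/action.yml",  # under .github/ but outside workflows/
    "xgithub/workflows/ci.yml",          # matched only because "." is a wildcard
]


def gated(paths, pattern=QUOTED):
    """Return the paths that the pattern treats as protected."""
    return [p for p in paths if pattern.match(p)]


def divergent(paths):
    """Return paths where the quoted and escaped-dot patterns disagree."""
    return [p for p in paths
            if bool(QUOTED.match(p)) != bool(ESCAPED_DOT.match(p))]


if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        state = "GATED" if QUOTED.match(path) else "open "
        print(f"{state}  {path}")
    print("differs with escaped dot:", divergent(SAMPLE_PATHS))
```

Paths reported as open are the ones to compare against the directories the gate is meant to cover, such as composite actions under .github/actions/ or deploy directories nested below the repository root.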

@github-actions

github-actions Bot commented May 2, 2026

Permission Protocol: Approved
View receipt →

@rodchalski rodchalski merged commit 7660c84 into main May 2, 2026
2 of 4 checks passed
@rodchalski rodchalski deleted the pp-activation-hardening-20260502212048 branch May 2, 2026 21:42