Charon/docs/implementation/github_environment_protection_setup.md
akanealw eec8c28fb3
changed perms
2026-04-22 18:19:14 +00:00


GitHub Environment Protection Setup

Status: Manual Configuration Required
Priority: HIGH
Estimated Time: 30 minutes

Overview

This document provides instructions for setting up GitHub environment protection rules for the release job in the GoReleaser workflow. This adds an additional security layer to prevent unauthorized or accidental releases.

Why This Is Important

Currently, the release-goreleaser.yml workflow has broad permissions (contents: write, packages: write) without environment protection. This means:

  • Anyone with write access can trigger a release
  • No approval gate exists before publishing to production
  • No audit trail for release decisions

Environment protection adds:

  • Required reviewers before release
  • Restricted to specific branches/tags
  • Audit log of approvals
  • Prevention of accidental releases

Setup Instructions

Step 1: Access Repository Settings

  1. Navigate to: https://github.com/Wikid82/Charon/settings/environments
  2. Click "New environment"

Step 2: Create "release" Environment

  1. Environment name: release
  2. Click "Configure environment"

Step 3: Configure Protection Rules

Required Reviewers

  1. Under "Environment protection rules", enable "Required reviewers"
  2. Add at least 1-2 trusted maintainers who must approve releases
  3. Recommended reviewers:
    • Repository owner (@Wikid82)
    • Senior maintainers with release authority

Deployment Branches and Tags

  1. Under "Deployment branches and tags", select "Protected branches and tags only"
  2. This ensures releases can only be triggered from tags matching the v* pattern
  3. Click "Add deployment branch or tag rule"
  4. Pattern: v* (matches v1.0.0, v2.1.3-beta, etc.)

Wait Timer (Optional)

  1. "Wait timer": Consider adding a 5-minute wait timer for additional safety
  2. This provides a brief window to cancel accidental releases

Step 4: Update Workflow File

The workflow file already references the environment in the correct location. No code changes are needed:

jobs:
  goreleaser:
    runs-on: ubuntu-latest
    environment:
      name: release
      url: https://github.com/${{ github.repository }}/releases
    permissions:
      contents: write
      packages: write

Step 5: Test the Setup

  1. Create a test tag: git tag v0.0.1-test && git push origin v0.0.1-test
  2. Verify the workflow run pauses for approval
  3. Check that the approval request appears in GitHub UI
  4. Approve the deployment to complete the test
  5. Delete the test tag: git tag -d v0.0.1-test && git push origin :refs/tags/v0.0.1-test

Verification Checklist

After setup, verify:

  • Environment "release" exists in repository settings
  • Required reviewers are configured (at least 1)
  • Deployment is restricted to v* tags
  • Test release workflow shows approval gate
  • Approval notifications are sent to reviewers
  • Audit log shows approval history
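
The configuration items in this checklist (environment exists, reviewers configured, deployment restricted to v* tags) can also be checked from the environment's API representation. The Python below is an added example, not part of the Charon repository; it assumes the JSON shape returned by GitHub's REST endpoints for an environment and its deployment branch policies, and the sample data and the function name audit_environment are constructed for illustration.

```python
import json

# Constructed sample, shaped like the response of
# GET /repos/{owner}/{repo}/environments/release (assumed field names).
SAMPLE_ENV = json.loads("""{
  "name": "release",
  "protection_rules": [
    {"type": "required_reviewers",
     "reviewers": [{"type": "User", "reviewer": {"login": "Wikid82"}}]},
    {"type": "wait_timer", "wait_timer": 5}],
  "deployment_branch_policy": {"protected_branches": false,
                               "custom_branch_policies": true}}""")
# Constructed sample, shaped like the response of
# GET /repos/{owner}/{repo}/environments/release/deployment-branch-policies
SAMPLE_POLICIES = json.loads(
    '{"total_count": 1, "branch_policies": [{"name": "v*", "type": "tag"}]}')


def audit_environment(env, policies, expected_name="release", tag_pattern="v*"):
    """Return a list of findings; an empty list means the config items pass."""
    findings = []
    # The workflow's environment name must match exactly (case-sensitive).
    if env.get("name") != expected_name:
        findings.append(f"environment is {env.get('name')!r}, expected {expected_name!r}")
    rules = {r.get("type"): r for r in env.get("protection_rules", [])}
    if not rules.get("required_reviewers", {}).get("reviewers"):
        findings.append("no required reviewers configured")
    policy = env.get("deployment_branch_policy")
    if policy is None:
        # A null policy means no restriction on the deploying ref.
        findings.append("deployments allowed from any branch or tag")
    elif policy.get("custom_branch_policies"):
        patterns = {(p.get("type", "branch"), p.get("name", ""))
                    for p in policies.get("branch_policies", [])}
        if ("tag", tag_pattern) not in patterns:
            findings.append(f"no tag rule {tag_pattern!r} in deployment policies")
        extra = patterns - {("tag", tag_pattern)}
        if extra:
            # Any other rule widens what can reach the release job.
            findings.append(f"additional deployment rules present: {sorted(extra)}")
    else:
        findings.append(f"protected branches only; no {tag_pattern!r} tag rule")
    return findings
```

Pass it the parsed responses of the two endpoints named in the comments; an empty list means the three configuration items pass, while the approval gate, notifications and audit log still need the manual test from Step 5.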

Troubleshooting

Workflow Fails with "Environment not found"

Cause: Environment name mismatch between workflow file and GitHub settings

Fix: Ensure environment name is exactly release (case-sensitive)

No Approval Request Shown

Cause: The user might be self-approving, or the environment protection rules were not saved

Fix:

  1. Verify protection rules are enabled
  2. Ensure reviewer is not the same as the person who triggered the workflow
  3. Check GitHub notifications settings

Can't Add Reviewers

Cause: Insufficient repository permissions

Fix: You must be a repository admin to configure environments

Additional Security Recommendations

Consider also implementing:

  1. Branch Protection: Require PR reviews before merging to main
  2. CODEOWNERS: Define release approval owners in .github/CODEOWNERS
  3. Signed Commits: Require GPG-signed commits for release tags
  4. 2FA: Enforce 2FA for all users with write access

Status

  • Documentation created
  • Environment created in GitHub UI
  • Required reviewers added
  • Deployment branch rules configured
  • Test release approval flow validated

Next Action: Repository admin must complete Steps 1-5 in GitHub UI.