Add a comment explaining the release-gate workflow (#18816)

2026-05-06 08:56:53 -04:00 · 2026-04-02 08:16:49 -05:00
parent 3b19c24740
commit 85c7e234b5
1 changed files with 6 additions and 0 deletions
@@ -53,9 +53,15 @@ env:

 jobs:
  release-gate:
+    # N.B. This name should not change, it is used for downstream checks.
    name: release-gate
    if: ${{ inputs.tag != 'dry-run' }}
    runs-on: ubuntu-latest
+    # This environment requires a 2-factor approval, i.e., the workflow must be approved by another
+    # team member. GitHub fires approval events on every job that deploys to an environment, so we
+    # have a dedicated environment for this purpose instead of using the `release` environment.
+    # We use a GitHub App with a deployment protection rule webhook to ensure that the `release`
+    # environment is only approved when the `release-gate` job succeeds.
    environment:
      name: release-gate
      deployment: false