{"id":13480796,"url":"https://github.com/trstringer/manual-approval","last_synced_at":"2025-05-14T14:09:27.204Z","repository":{"id":37498476,"uuid":"473819360","full_name":"trstringer/manual-approval","owner":"trstringer","description":"Pause your GitHub Actions workflow and request manual approval from set approvers before continuing","archived":false,"fork":false,"pushed_at":"2025-05-10T15:10:46.000Z","size":94,"stargazers_count":510,"open_issues_count":47,"forks_count":122,"subscribers_count":7,"default_branch":"main","last_synced_at":"2025-05-10T16:23:54.855Z","etag":null,"topics":["actions","deployment","devops","github","github-actions","release","release-automation","release-management","workflow","workflows"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/trstringer.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2022-03-25T00:43:53.000Z","updated_at":"2025-05-10T15:10:33.000Z","dependencies_parsed_at":"2024-05-31T17:23:37.645Z","dependency_job_id":"13d481e9-990f-4385-9264-a77b224a2744","html_url":"https://github.com/trstringer/manual-approval","commit_stats":{"total_commits":55,"total_committers":13,"mean_commits":4.230769230769231,"dds":"0.23636363636363633","last_synced_commit":"d2e412d84000579996fd00d7834a817f92af19d3"},"previous_names":[],"tags_count":18,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trstringer%2Fmanual-approval","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trstringer%2Fmanual-approval/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trstringer%2Fmanual-approval/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trstringer%2Fmanual-approval/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/trstringer","download_url":"https://codeload.github.com/trstringer/manual-approval/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254160325,"owners_count":22024568,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["actions","deployment","devops","github","github-actions","release","release-automation","release-management","workflow","workflows"],"created_at":"2024-07-31T17:00:45.112Z","updated_at":"2025-05-14T14:09:22.193Z","avatar_url":"https://github.com/trstringer.png","language":"Go","readme":"\n# Manual Workflow Approval\n\n[![ci](https://github.com/trstringer/manual-approval/actions/workflows/ci.yaml/badge.svg)](https://github.com/trstringer/manual-approval/actions/workflows/ci.yaml)\n\nPause a GitHub Actions workflow and require manual approval from one or more approvers before continuing.\n\nThis is a very common feature for a deployment or release pipeline, and while [this functionality is available from GitHub](https://docs.github.com/en/actions/managing-workflow-runs/reviewing-deployments), it requires the use of environments and if you want to use this for private repositories, then you need GitHub Enterprise. This action provides manual approval without the use of environments, and is freely available to use on private repositories.\n\n*Note: This approval duration is subject to the broader 35 day timeout for a workflow, as well as usage costs. So keep that in mind when figuring out how quickly an approver must respond. See [limitations](#limitations) for more information.*\n\nThe way this action works is the following:\n\n1. Workflow comes to the `manual-approval` action.\n1. `manual-approval` will create an issue in the containing repository and assign it to the `approvers`.\n1. If and once all approvers respond with an approved keyword, the workflow will continue.\n1. If any of the approvers responds with a denied keyword, then the workflow will exit with a failed status.\n\n* Approval keywords - \"approve\", \"approved\", \"lgtm\", \"yes\"\n* Denied keywords - \"deny\", \"denied\", \"no\"\n\nThese are case insensitive with optional punctuation either a period or an exclamation mark.\n\nIn all cases, `manual-approval` will close the initial GitHub issue.\n\n## Usage\n\n```yaml\nsteps:\n - uses: trstringer/manual-approval@v1\n with:\n secret: ${{ github.TOKEN }}\n approvers: user1,user2,org-team1\n minimum-approvals: 1\n issue-title: \"Deploying v1.3.5 to prod from staging\"\n issue-body: \"Please approve or deny the deployment of version v1.3.5.\"\n exclude-workflow-initiator-as-approver: false\n fail-on-denial: true\n additional-approved-words: ''\n additional-denied-words: ''\n```\n\n* `approvers` is a comma-delimited list of all required approvers. An approver can either be a user or an org team. (*Note: Required approvers must have the ability to be set as approvers in the repository. If you add an approver that doesn't have this permission then you would receive an HTTP/402 Validation Failed error when running this action*)\n* `minimum-approvals` is an integer that sets the minimum number of approvals required to progress the workflow. Defaults to ALL approvers.\n* `issue-title` is a string that will be appended to the title of the issue.\n* `issue-body` is a string that will be prepended to the body of the issue.\n* `exclude-workflow-initiator-as-approver` is a boolean that indicates if the workflow initiator (determined by the `GITHUB_ACTOR` environment variable) should be filtered from the final list of approvers. This is optional and defaults to `false`. Set this to `true` to prevent users in the `approvers` list from being able to self-approve workflows.\n* `fail-on-denial` is a boolean that indicates if the workflow should fail if any approver denies the approval. This is optional and defaults to `true`. Set this to `false` to allow the workflow to continue if any approver denies the approval.\n* `additional-approved-words` is a comma separated list of strings to expand the dictionary of words that indicate approval. This is optional and defaults to an empty string.\n* `additional-denied-words` is a comma separated list of strings to expand the dictionary of words that indicate denial. This is optional and defaults to an empty string.\n\n### Outputs\n\n* `approval_status` is a string that indicates the final status of the approval. This will be either `approved` or `denied`.\n\n### Creating Issues in a different repository\n\n```yaml\nsteps:\n - uses: trstringer/manual-approval@v1\n with:\n secret: ${{ github.TOKEN }}\n approvers: user1,user2,org-team1\n minimum-approvals: 1\n issue-title: \"Deploying v1.3.5 to prod from staging\"\n issue-body: \"Please approve or deny the deployment of version v1.3.5.\"\n exclude-workflow-initiator-as-approver: false\n additional-approved-words: ''\n additional-denied-words: ''\n target-repository: repository-name\n target-repository-owner: owner-id\n```\n- if either of `target-repository` or `target-repository-owner` is missing or is an empty string then the issue will be created in the same repository where this step is used.\n\n### Using Custom Words\n\nGitHub has a rich library of emojis, and these all work in additional approved words or denied words. Some values GitHub will store in their text version - i.e. `:shipit:`. Other emojis, GitHub will store in their unicode emoji form, like ✅.\nFor a seamless experience, it is recommended that you add the custom words to a GitHub comment, and then copy it back out of the comment into your actions configuration yaml.\n\n## Org team approver\n\nIf you want to have `approvers` set to an org team, then you need to take a different approach. The default [GitHub Actions automatic token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) does not have the necessary permissions to list out team members. If you would like to use this then you need to generate a token from a GitHub App with the correct set of permissions.\n\nCreate a GitHub App with **read-only access to organization members**. Once the app is created, add a repo secret with the app ID. In the GitHub App settings, generate a private key and add that as a secret in the repo as well. You can get the app token by using the [`tibdex/github-app-token`](https://github.com/tibdex/github-app-token) GitHub Action:\n\n*Note: The GitHub App tokens expire after 1 hour which implies duration for the approval cannot exceed 60 minutes or the job will fail due to bad credentials. See [docs](https://docs.github.com/en/rest/apps/apps#create-an-installation-access-token-for-an-app).*\n\n```yaml\njobs:\n myjob:\n runs-on: ubuntu-latest\n steps:\n - name: Generate token\n id: generate_token\n uses: tibdex/github-app-token@v1\n with:\n app_id: ${{ secrets.APP_ID }}\n private_key: ${{ secrets.APP_PRIVATE_KEY }}\n - name: Wait for approval\n uses: trstringer/manual-approval@v1\n with:\n secret: ${{ steps.generate_token.outputs.token }}\n approvers: myteam\n minimum-approvals: 1\n```\n\n## Timeout\n\nIf you'd like to force a timeout of your workflow pause, you can specify `timeout-minutes` at either the [step](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepstimeout-minutes) level or the [job](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idtimeout-minutes) level.\n\nFor instance, if you want your manual approval step to timeout after an hour you could do the following:\n\n```yaml\nsteps:\n - uses: trstringer/manual-approval@v1\n timeout-minutes: 60\n ...\n```\n\n## Permissions\n\nFor the action to create a new issue in your project, please ensure that the action has write permissions on issues. You may have to add the following to your workflow:\n\n```yaml\npermissions:\n issues: write\n```\n\nFor more information on permissions, please look at the [GitHub documentation](https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs).\n\n## Limitations\n\n* While the workflow is paused, it will still continue to consume a concurrent job allocation out of the [max concurrent jobs](https://docs.github.com/en/actions/learn-github-actions/usage-limits-billing-and-administration#usage-limits).\n* A paused job is still running compute/instance/virtual machine and will continue to incur costs.\n* Expirations (also mentioned elsewhere in this document):\n * A job (including a paused job) will be failed [after 6 hours, and a workflow will be failed after 35 days](https://docs.github.com/en/actions/learn-github-actions/usage-limits-billing-and-administration#usage-limits).\n * GitHub App tokens expire after 1 hour which implies duration for the approval cannot exceed 60 minutes or the job will fail due to bad credentials. See [docs](https://docs.github.com/en/rest/apps/apps#create-an-installation-access-token-for-an-app)\n\n## Development\n\n### Running test code\n\nTo test out your code in an action, you need to build the image and push it to a different container registry repository. For instance, if I want to test some code I won't build the image with the main image repository. Prior to this, comment out the label binding the image to a repo:\n\n```dockerfile\n# LABEL org.opencontainers.image.source https://github.com/trstringer/manual-approval\n```\n\nBuild the image:\n\n```shell\nVERSION=1.7.1-rc.1 make IMAGE_REPO=ghcr.io/trstringer/manual-approval-test build\n```\n\n*Note: The image version can be whatever you want, as this image wouldn't be pushed to production. It is only for testing.*\n\nPush the image to your container registry:\n\n```shell\nVERSION=1.7.1-rc.1 make IMAGE_REPO=ghcr.io/trstringer/manual-approval-test push\n```\n\nTo test out the image you will need to modify `action.yaml` so that it points to your new image that you're testing:\n\n```yaml\n image: docker://ghcr.io/trstringer/manual-approval-test:1.7.0-rc.1\n```\n\nThen to test out the image, run a workflow specifying your dev branch:\n\n```yaml\n- name: Wait for approval\n uses: your-github-user/manual-approval@your-dev-branch\n with:\n secret: ${{ secrets.GITHUB_TOKEN }}\n approvers: trstringer\n```\n\nFor `uses`, this should point to your repo and dev branch.\n\n*Note: To test out the action that uses an approver that is an org team, refer to the [org team approver](#org-team-approver) section for instructions.*\n\n### Create a release\n\n1. Build the new version's image: `$ VERSION=1.7.0 make build`\n2. Push the new image: `$ VERSION=1.7.0 make push`\n3. Create a release branch and modify `action.yaml` to point to the new image\n4. Open and merge a PR to add these changes to the default branch\n5. Make sure to fetch the new changes into your local repo: `$ git checkout main \u0026\u0026 git fetch origin \u0026\u0026 git merge origin main`\n6. Delete the `v1` tag locally and remotely: `$ git tag -d v1 \u0026\u0026 git push --delete origin v1`\n7. Create and push new tags: `$ git tag v1.7.0 \u0026\u0026 git tag v1 \u0026\u0026 git push origin --tags`\n8. Create the GitHub project release\n","funding_links":[],"categories":["Go"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrstringer%2Fmanual-approval","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftrstringer%2Fmanual-approval","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrstringer%2Fmanual-approval/lists"}