Skip to content

manuelsampedro1/deploy-gate

Β 
Β 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

38 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

Deploy Gate

Stop AI coding agents from shipping production changes you didn't authorize.

When Cursor / Codex / Copilot / Claude Code opens a PR that touches deploy/, .github/workflows/, or any path you mark sensitive, Deploy Gate blocks the merge until a named human signs an approval and produces a signed receipt that proves who authorized what against which policy.

  • β›” Fails closed by default for production environments
  • ✍️ Ed25519-signed receipts bound to the exact action
  • ⚑ <200ms enforcement in the GitHub status check
  • πŸ†“ MIT-licensed action

"GitHub asks 'did a reviewer approve?' Deploy Gate asks 'did a named human authorize this exact AI action?' and gives you signed proof."

Quickstart

No package install is required to use the action.

Add to your workflow:

# .github/workflows/deploy-gate.yml
name: Deploy Gate

on:
  pull_request:
    branches: [main]

jobs:
  gate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: permission-protocol/deploy-gate@v2
        with:
          pp-api-key: ${{ secrets.PP_API_KEY }}

Free for unlimited signers and unlimited public repos. Paid tiers add policy controls and audit retention. See pricing.

Blocked PR

  1. Get API key at https://app.permissionprotocol.com
  2. Add secret:
gh secret set PP_API_KEY -b "pp_live_..."
  1. Open a PR and watch deploy-sensitive changes block until approval

Full install guide: INSTALL.md

Why this exists

AI agents are moving from "suggest text" to "take actions": committing code, modifying workflows, and deploying to production. GitHub controls like branch protection, environments, and required reviewers gate humans, not agents.

Deploy Gate is the missing primitive: a deterministic gate keyed to the exact action the agent is taking, with a signed authority receipt as the audit artifact.

When audit time comes, you do not want to hand over a mutable PR comment thread. You want a chain of signed receipts that can be independently verified.

Failure modes

v2 defaults to fail-closed when the Permission Protocol API is unavailable. A security tool that fails open in a network blip is not a security tool.

Environment fail-mode Result on API unavailable
Production (production, prod, live by default) closed or open (forced to closed) ❌ Fails closed. No deploy.
Non-production (staging, preview, etc.) closed (default) ❌ Fails closed. No deploy.
Non-production open (opt-in) βœ… Pass with ::warning:: log

Inputs:

  • fail-mode: closed (default) or open β€” only honored in non-production environments.
  • production-environments: comma-separated environment names treated as production, default production,prod,live.
  • fail-open-timeout: API timeout in seconds. It controls timeout duration only, not failure policy.

Release notes (v2)

  • BREAKING: defaults to fail-closed. To restore v1 behavior, set fail-mode: open and remove production-environments.

How it works

Block -> Approve -> Verify -> Merge.

PR opened
   β”‚
   β–Ό
Deploy Gate checks for valid receipt
   β”‚
   β”œβ”€β”€ Receipt exists ----------> Merge allowed
   β”‚
   └── No receipt --------------> Blocked
                                     β”‚
                                     β–Ό
                              PR comment with approval link
                                     β”‚
                                     β–Ό
                              Human approves + signs
                                     β”‚
                                     β–Ό
                              Re-run CI -> Merge allowed

What it does

  • Blocks risky PRs with a required status check
  • Posts a PR comment with a direct approval link
  • Unblocks the PR instantly after approval
  • Produces a tamper-evident approval receipt

Comparison

Option Human authorization on AI action Cryptographic proof Default under outage
GitHub required reviewer only Partial No Often workflow-dependent
PR comments + screenshots No No Open to mutation
Deploy Gate Yes Yes (Ed25519 receipt) Fails closed for production

Resources

Verification

Run the repository checks before changing the action contract, install guide, or examples:

make test
make build
make lint

What those checks cover:

  • make test: validates the public action.yml inputs, outputs, composite runtime, and fail-closed contract.
  • make build: validates required docs, example workflow, and visual assets.
  • make lint: syntax-checks the repository verification scripts.

License

MIT - see LICENSE

About

πŸ” One-line deploy authorization for AI-driven CI/CD. No receipt = No merge.

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors

Languages

  • Python 94.6%
  • Makefile 5.4%