Prevent self reviews for secure deployments across Actions environments - [GA] (#44155)
SiaraMist authored Oct 16, 2023
1 parent 541d625 commit f23c0f3
Showing 3 changed files with 15 additions and 0 deletions.
Expand Up @@ -50,6 +50,8 @@ Third-party systems can be observability systems, change management systems, cod

Use required reviewers to require a specific person or team to approve workflow jobs that reference the environment. You can list up to six users or teams as reviewers. The reviewers must have at least read access to the repository. Only one of the required reviewers needs to approve the job for it to proceed.

{% ifversion deployments-prevent-self-approval %}You also have the option to prevent self-reviews for deployments to protected environments. If you enable this setting, users who initiate a deployment cannot approve the deployment job, even if they are a required reviewer. This ensures that deployments to protected environments are always reviewed by more than one person.{% endif %}

For more information on reviewing jobs that reference an environment with required reviewers, see "[AUTOTITLE](/actions/managing-workflow-runs/reviewing-deployments)."

{% ifversion fpt %}{% note %}
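Review bot: The closing sentence of the new paragraph, "This ensures that deployments to protected environments are always reviewed by more than one person," overstates the guarantee. Since only one required reviewer needs to approve (stated two paragraphs up), the setting ensures the approver is someone other than the person who initiated the deployment, not that two reviewers look at it. Suggest "This ensures that the person who initiates a deployment to a protected environment cannot also be the one who approves it." It is also worth documenting what happens when the initiator is the only required reviewer, since in that configuration no one is eligible to approve their runs.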
Expand Down Expand Up @@ -190,6 +192,7 @@ Variables stored in an environment are only available to workflow jobs that refe
1. Optionally, specify people or teams that must approve workflow jobs that use this environment. For more information, see "[Required reviewers](#required-reviewers)."
1. Select **Required reviewers**.
1. Enter up to 6 people or teams. Only one of the required reviewers needs to approve the job for it to proceed.
{% ifversion deployments-prevent-self-approval %}1. Optionally, to prevent users from approving workflows runs that they triggered, select **Prevent self-review**.{% endif %}
1. Click **Save protection rules**.
1. Optionally, specify the amount of time to wait before allowing workflow jobs that use this environment to proceed. For more information, see "[Wait timer](#wait-timer)."
1. Select **Wait timer**.
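Review bot: Typo in the new list item: "approving workflows runs" should be "approving workflow runs". The button label **Prevent self-review** in this step is the name readers will match against the settings UI, so the prose elsewhere in this commit should use the same term rather than alternating between "self-reviews" and "self-approvals".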
Expand Up @@ -26,6 +26,12 @@ For more information about environments and required approvals, see "[AUTOTITLE]
- To approve the job, click **Approve and deploy**. Once a job is approved (and any other deployment protection rules have passed), the job will proceed. At this point, the job can access any secrets stored in the environment.
- To reject the job, click **Reject**. If a job is rejected, the workflow will fail.

{% ifversion deployments-prevent-self-approval %}{% note %}

**Note:** If the targeted environment is configured to prevent self-approvals for deployments, you will not be able to approve a deployment from a workflow run you initiated. For more information, see "[AUTOTITLE](/actions/deployment/targeting-different-environments/using-environments-for-deployment#required-reviewers)."

{% endnote %}{% endif %}

{% ifversion actions-break-glass %}

## Bypassing deployment protection rules
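Review bot: Terminology drifts in the new note: it says the environment is configured to "prevent self-approvals for deployments", while the setting added in this same commit is labeled **Prevent self-review** and the environments article calls it preventing self-reviews. Suggest "configured to prevent self-review of deployments" so readers can match the note to the setting name. The `#required-reviewers` anchor in the link points at the section where the feature text was added, so that part is consistent.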
6 changes: 6 additions & 0 deletions data/features/deployments-prevent-self-approval.yml
@@ -0,0 +1,6 @@
# Reference: #12088
# Documentation for preventing self-review of deployments to protected environments
versions:
fpt: '*'
ghec: '*'
ghes: '>=3.11'
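Review bot: The `# Reference: #12088` comment gives only a bare issue number with no repository, while the commit itself is tracked as #44155 in this repo; a full URL, or at least the name of the tracker, would keep the reference usable later. The `ghes: '>=3.11'` gate should also be double-checked against the release that actually ships the setting, since all three `{% ifversion deployments-prevent-self-approval %}` blocks in this commit will show the option to GHES 3.11 readers as soon as this file merges.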

0 comments on commit f23c0f3