CI/CD & Supply Chain Intermediate 12 min read

Securing CD Promotion Gates and Approval Workflows

continuous-delivery deployment-gates approval-workflows change-management four-eyes-principle

Securing CD Promotion Gates and Approval Workflows

Problem

Fully automatic promotion — the practice of deploying every green build straight to production without a human checkpoint — is a convenience that dissolves several security controls at once. When code flows uninterrupted from a feature branch merge to a live cluster, the following assumptions silently break:

  • Supply chain attacks reach production automatically. A compromised dependency, a tampered container image, or a malicious build action that passes automated tests will be deployed without any human ever reviewing what artifact is actually running.
  • No verification that the right artifact is being deployed. A green pipeline proves that tests passed against a particular commit. It does not prove that the image being deployed matches that commit, that the image has not been replaced in the registry between build and deploy, or that the SLSA provenance chain is intact.
  • Audit trail gaps. Compliance frameworks require evidence that a named, authorized person approved a change before it reached production. A fully automated pipeline leaves no such evidence.
  • No change-freeze enforcement. Automatic promotion ignores maintenance windows, release freezes, and incident response periods unless an explicit gate checks for them.

The countermeasure is a layered promotion gate: a sequence of checkpoints that a release must pass before advancing to the next environment. Some gates are automated (policy checks that run without human input); others require explicit human approval. Both are necessary. Automated gates enforce objective criteria consistently; human approval gates enforce judgment, accountability, and compliance.

Target systems: GitHub Actions with environment protection rules; GitLab CI/CD with protected environments; Argo CD with sync waves, sync hooks, and ApplicationSet generators; Argo Rollouts and Flagger for canary analysis; OPA/Gatekeeper or Kyverno for admission-time policy; any organization subject to SOC 2 Type II, PCI-DSS, or ISO 27001 change management controls.

Threat Model

  • Adversary 1 — Supply chain attacker: A package in the build dependency tree is compromised. The malicious version passes unit tests. Without a gate that checks SLSA provenance, checks the SBOM for CVEs, and verifies image signatures, the compromised artifact is promoted to production automatically.
  • Adversary 2 — Insider threat bypassing review: A developer with pipeline write access modifies the workflow YAML to remove or short-circuit the approval step on a hotfix branch, then merges their own change to production without peer review.
  • Adversary 3 — Approval impersonation: A team’s approval workflow requires one reviewer from any member of a large group. An attacker who compromises any account in that group can self-approve their own change if the reviewer restriction is not set to require a different person from the author.
  • Adversary 4 — Canary bypass: A malicious or buggy workload produces error rates just below the configured threshold during the canary window, passes the gate, and is then promoted to 100% of traffic.
  • Adversary 5 — Emergency change abuse: Emergency change procedures bypass the normal approval workflow. Without a compensating control, emergency changes become the preferred path for unauthorized deployments with no audit trail.
  • Access level: Adversaries 1 and 4 operate through the normal pipeline. Adversary 2 needs repository write access. Adversary 3 needs a compromised account in the approver group. Adversary 5 needs knowledge of the emergency procedure and access to trigger a deployment.
  • Objective: Deploy malicious or unauthorized workloads to production while evading or circumventing change control.
  • Blast radius: Depends on workload — ranges from data exfiltration via compromised dependency to full cluster compromise via privileged container.

Configuration

Step 1: GitHub Actions Environment Protection Rules

GitHub Actions environments are the primary mechanism for promotion gates on GitHub-hosted pipelines. A job that targets an environment named production will not run until the environment’s protection rules are satisfied.

Navigate to: Repository Settings → Environments → production

Configure:

[x] Required reviewers
    Add specific people or teams. Minimum: 2 reviewers.
    These must be different from the person who triggered the workflow.
    Recommended: add a dedicated "Production Approvers" team, not individuals.

[x] Prevent self-review
    Ensures the workflow author cannot approve their own deployment.

[x] Wait timer: 10 minutes
    Introduces a mandatory delay between workflow trigger and deployment start.
    Gives the security team time to cancel a suspicious deployment even if
    automated reviewers approve quickly.

[x] Deployment branches and tags
    Select: "Selected branches and tags"
    Add rule: main
    This prevents deployment from feature branches, even if a workflow
    targets the production environment.

The corresponding workflow step:

# .github/workflows/deploy.yml

jobs:
  deploy-production:
    needs: [test, scan, sign]        # Automated gates must pass first.
    environment:
      name: production
      url: https://app.example.com
    runs-on: ubuntu-latest
    permissions:
      id-token: write                # For OIDC cloud auth only.
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.sha }}     # Pin to exact commit, not a mutable ref.
      - name: Verify image signature
        run: |
          cosign verify \
            --certificate-identity-regexp "https://github.com/${{ github.repository }}" \
            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
            "${{ env.IMAGE_REF }}"
      - name: Deploy
        run: ./scripts/deploy.sh production

Key hardening points for the workflow file itself:

  • All action references use pinned SHA digests (uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683), not mutable tags. A mutable tag can be silently updated to point to a malicious commit.
  • The deploy-production job lists needs: [test, scan, sign]. If any upstream job fails, the deployment job does not run, and the environment approval request is never triggered.
  • The approval step cannot be skipped by modifying the workflow YAML alone — the environment protection rules are stored outside the repository in GitHub’s infrastructure and are not affected by changes to workflow files. This is the critical architectural property that prevents pipeline-as-code bypass.

Step 2: GitLab Protected Environments with Manual Approval Jobs

In GitLab, environment protection is enforced through protected environments combined with when: manual deployment jobs.

# .gitlab-ci.yml

stages:
  - test
  - scan
  - approve
  - deploy

automated-checks:
  stage: scan
  script:
    - trivy image --exit-code 1 --severity HIGH,CRITICAL "$IMAGE_REF"
    - cosign verify --key cosign.pub "$IMAGE_REF"
    - slsa-verifier verify-image "$IMAGE_REF" \
        --source-uri "gitlab.com/$CI_PROJECT_PATH" \
        --source-branch main

deploy-production:
  stage: deploy
  environment:
    name: production
    url: https://app.example.com
  when: manual
  allow_failure: false
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
  script:
    - ./scripts/deploy.sh production

In GitLab Settings → CI/CD → Protected Environments, configure the production environment:

Allowed to deploy: Role: Maintainer
                   Also add specific "production-approvers" group

Required approval count: 2

Approval rules:
  Rule 1: Group "security-team" — 1 required approval
  Rule 2: Group "platform-leads" — 1 required approval

The when: manual directive means the deploy job requires a human to click “Run” in the GitLab UI. The protected environment configuration means that only members of the specified groups can click that button. The pipeline cannot advance past the deploy-production job without their action, regardless of any change to .gitlab-ci.yml.

Step 3: Argo CD Sync Waves and PreSync Hooks as Automated Gates

For GitOps workflows where Argo CD manages deployments, sync waves and resource hooks act as automated promotion gates within a sync operation.

# A PreSync Job that runs automated checks before any application resource is applied.
# If this Job fails, Argo CD aborts the sync and does not apply the application manifests.

apiVersion: batch/v1
kind: Job
metadata:
  name: pre-deploy-policy-check
  annotations:
    argocd.argoproj.io/hook: PreSync
    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
    argocd.argoproj.io/sync-wave: "-10"   # Runs before any application manifests.
spec:
  template:
    spec:
      restartPolicy: Never
      containers:
        - name: policy-check
          image: ghcr.io/example/policy-checker:sha256-abc123
          env:
            - name: IMAGE_REF
              value: "ghcr.io/example/app:$(APP_VERSION)"
          command:
            - /bin/sh
            - -c
            - |
              # Verify cosign signature.
              cosign verify \
                --certificate-identity-regexp "https://github.com/example/app" \
                --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
                "$IMAGE_REF"

              # Verify SLSA provenance level 3.
              slsa-verifier verify-image "$IMAGE_REF" \
                --source-uri "github.com/example/app" \
                --source-branch main

              # Check for critical CVEs via Trivy.
              trivy image --exit-code 1 --severity CRITICAL "$IMAGE_REF"

              echo "All pre-sync checks passed."

For the human approval gate in Argo CD, use the argocd.argoproj.io/hook: Sync annotation combined with a Job that calls an external approval API (PagerDuty, ServiceNow, Jira) and polls for approval before exiting:

apiVersion: batch/v1
kind: Job
metadata:
  name: change-approval-gate
  annotations:
    argocd.argoproj.io/hook: Sync
    argocd.argoproj.io/sync-wave: "0"     # Runs before application manifests (wave 1+).
spec:
  template:
    spec:
      restartPolicy: Never
      serviceAccountName: approval-gate-sa  # Read-only SA; no cluster-admin.
      containers:
        - name: approval-check
          image: ghcr.io/example/approval-checker:sha256-def456
          env:
            - name: SERVICENOW_URL
              valueFrom:
                secretKeyRef:
                  name: approval-gate-creds
                  key: servicenow-url
          command:
            - /bin/sh
            - -c
            - |
              # Calls ServiceNow API, looks for an approved change record
              # matching APP_NAME + VERSION + TARGET_ENV. Exits 0 if approved,
              # non-zero if pending, rejected, or expired. Argo CD aborts sync
              # on non-zero exit.
              /bin/check-change-approval \
                --app "$APP_NAME" \
                --version "$APP_VERSION" \
                --environment production \
                --timeout 3600

Step 4: Canary Analysis Gates with Argo Rollouts and Flagger

Canary analysis gates automate the judgment of whether a new version is safe to promote based on real traffic metrics, not just synthetic tests.

Argo Rollouts canary with Prometheus analysis:

apiVersion: argoproj.io/v1alpha1
kind: Rollout
metadata:
  name: payments-service
spec:
  strategy:
    canary:
      steps:
        - setWeight: 5           # Route 5% of traffic to the new version.
        - pause: {duration: 5m}  # Observe for 5 minutes.
        - analysis:
            templates:
              - templateName: error-rate-check
        - setWeight: 20
        - pause: {duration: 10m}
        - analysis:
            templates:
              - templateName: error-rate-check
              - templateName: p99-latency-check
        - setWeight: 100         # Full promotion only after all analyses pass.

---
apiVersion: argoproj.io/v1alpha1
kind: AnalysisTemplate
metadata:
  name: error-rate-check
spec:
  metrics:
    - name: error-rate
      interval: 1m
      successCondition: result[0] < 0.01    # Less than 1% error rate.
      failureLimit: 3                        # Abort after 3 consecutive failures.
      provider:
        prometheus:
          address: http://prometheus.monitoring:9090
          query: |
            sum(rate(http_requests_total{status=~"5..",app="payments-service",
              version="{{args.stable-hash}}"}[2m])) /
            sum(rate(http_requests_total{app="payments-service",
              version="{{args.stable-hash}}"}[2m]))

The key security property: if the canary metrics fail at any step, Argo Rollouts automatically reverts to the stable version and marks the rollout as Degraded. No human intervention is required to prevent a bad version from reaching 100% of traffic. The analysis results are stored as AnalysisRun objects in Kubernetes, providing an auditable record of every promotion decision.

Step 5: Change Freeze Enforcement

Automated gates can check a change calendar before allowing promotion to proceed. This enforces change freeze windows without relying on human memory.

#!/usr/bin/env python3
# check-change-freeze.py
# Called from the promotion gate job. Exits non-zero during freeze windows.

import sys
import requests
from datetime import datetime, timezone

CHANGE_CALENDAR_API = "https://itsm.example.com/api/change-calendar"

def is_freeze_active(environment: str) -> bool:
    now = datetime.now(timezone.utc).isoformat()
    response = requests.get(
        f"{CHANGE_CALENDAR_API}/check",
        params={"environment": environment, "at": now},
        headers={"Authorization": f"Bearer {get_token()}"},
        timeout=10,
    )
    response.raise_for_status()
    data = response.json()
    return data.get("freeze_active", False), data.get("reason", "")

freeze_active, reason = is_freeze_active("production")
if freeze_active:
    print(f"GATE BLOCKED: Change freeze is active for production. Reason: {reason}")
    print("To proceed, raise an emergency change request and obtain explicit approval.")
    sys.exit(1)

print("Change freeze check passed.")
sys.exit(0)

In GitHub Actions, call this check as an explicit step before the deployment job:

jobs:
  pre-deploy-checks:
    runs-on: ubuntu-latest
    steps:
      - name: Check change freeze
        run: python3 check-change-freeze.py
        env:
          ITSM_TOKEN: ${{ secrets.ITSM_TOKEN }}

  deploy-production:
    needs: pre-deploy-checks
    environment: production
    # ... rest of deployment job

Step 6: Preventing Approval Gate Bypass via Pipeline-as-Code

The most critical architectural decision in promotion gate design is ensuring that the gate enforcement lives outside the repository the attacker can modify.

What can be bypassed by modifying workflow YAML:

  • A job step that runs an approval script (run: ./check-approval.sh) — the step can be deleted.
  • A needs: dependency on a scan job — the dependency can be removed.
  • A wait or sleep call in a shell script — trivially deleted.

What cannot be bypassed by modifying workflow YAML:

  • GitHub Actions environment protection rules (stored in GitHub’s infrastructure, not in the repository).
  • GitLab protected environment configuration (stored in GitLab’s project settings, not in .gitlab-ci.yml).
  • Branch protection rules requiring specific status checks before merge.

To protect against an insider who modifies the workflow file itself:

# In GitHub: Settings → Branches → Branch protection rules → main

[x] Require a pull request before merging
    [x] Required approvals: 2
    [x] Dismiss stale pull request approvals when new commits are pushed
    [x] Require review from Code Owners

# In CODEOWNERS:
.github/workflows/  @org/platform-security-team

This means any change to the workflow files must be reviewed and approved by the platform security team before it can be merged to main. Combined with environment protection rules, an attacker would need to:

  1. Compromise an account in the platform security team to approve the CODEOWNERS-protected workflow change, AND
  2. Also compromise an account in the production approvers group to bypass the environment protection rule.

These are different people, satisfying the segregation of duties requirement.

Step 7: SOC 2 and PCI-DSS Compliance Requirements

Both SOC 2 Type II (Change Management criteria CC8.1) and PCI-DSS v4.0 (Requirements 6.3.2, 6.4.2) require:

  1. Documented approval: A named individual authorized the change before it reached production.
  2. Segregation of duties: The person who wrote the code is not the same person who approved the deployment.
  3. Audit trail: The approval record is tamper-evident and retained for the required period.

GitHub Actions environments satisfy these requirements when configured correctly:

  • The deployment log records who approved the deployment, at what time, and from which workflow run.
  • Prevent self-review enforces segregation of duties at the platform level.
  • GitHub provides organization-level audit logs (available via the audit log API) that capture all environment approval events and cannot be deleted by repository administrators.

For PCI-DSS in-scope systems, supplement platform-level logs with an external audit record:

- name: Record approval to audit log
  run: |
    curl -X POST "$AUDIT_LOG_ENDPOINT" \
      -H "Authorization: Bearer $AUDIT_TOKEN" \
      -H "Content-Type: application/json" \
      -d '{
        "event": "production_deployment_approved",
        "approver": "${{ github.event.review.user.login }}",
        "approved_at": "${{ github.event.review.submitted_at }}",
        "run_id": "${{ github.run_id }}",
        "sha": "${{ github.sha }}",
        "environment": "production",
        "artifact": "${{ env.IMAGE_REF }}"
      }'
  env:
    AUDIT_TOKEN: ${{ secrets.AUDIT_LOG_TOKEN }}

Store this external audit record in a write-once, append-only system (AWS CloudTrail, Splunk with tamper-evident storage, or a dedicated audit database with no delete permissions granted to the CI/CD service account).

Step 8: Emergency Change Procedures with Audit Trail

Emergency changes — hotfixes during active incidents — create pressure to skip the approval workflow. The correct response is not to remove the gate but to provide an expedited path that still leaves a complete audit trail.

Design the emergency procedure as a distinct workflow path:

# .github/workflows/emergency-deploy.yml
# Triggered only via workflow_dispatch (manual trigger), never automatically.

on:
  workflow_dispatch:
    inputs:
      incident_ticket:
        description: "Incident ticket number (required)"
        required: true
      justification:
        description: "Brief justification for emergency deployment"
        required: true
      approver_github_handle:
        description: "GitHub handle of the approving manager"
        required: true

jobs:
  emergency-deploy:
    environment: production-emergency   # Separate environment with its own protection rules.
    runs-on: ubuntu-latest
    steps:
      - name: Validate incident ticket
        run: |
          # Calls ITSM API to confirm the ticket exists, is open, and is a P1/P2.
          python3 validate-incident.py \
            --ticket "${{ inputs.incident_ticket }}" \
            --min-severity P2
        env:
          ITSM_TOKEN: ${{ secrets.ITSM_TOKEN }}

      - name: Record emergency change initiation
        run: |
          python3 record-audit-event.py \
            --event emergency_deployment_initiated \
            --actor "${{ github.actor }}" \
            --incident "${{ inputs.incident_ticket }}" \
            --justification "${{ inputs.justification }}" \
            --sha "${{ github.sha }}"

      - name: Deploy
        run: ./scripts/deploy.sh production

      - name: Record emergency change completion
        if: always()
        run: |
          python3 record-audit-event.py \
            --event emergency_deployment_completed \
            --status "${{ job.status }}" \
            --actor "${{ github.actor }}" \
            --incident "${{ inputs.incident_ticket }}"

The production-emergency environment has a shorter reviewer list (on-call manager plus one security team member), bypassing the normal two-team approval, but still requires at least one non-author approval and generates a full audit trail. The incident ticket requirement creates a paper trail in the ITSM system linking the deployment to a documented incident.

Post-incident, schedule a mandatory review of all emergency changes within 48 hours to verify that the deployed code was appropriate and to formally close the change record.

Verification

After configuring promotion gates, verify that the gates are actually enforced:

# 1. Confirm environment protection rules are set (GitHub CLI).
gh api repos/:owner/:repo/environments/production \
  --jq '{
    reviewers: .reviewers | map(.reviewer.login),
    wait_timer: .wait_timer,
    prevent_self_review: .prevent_self_review,
    deployment_branch_policy: .deployment_branch_policy
  }'

# 2. Verify no workflow can target the production environment from a feature branch.
# Expected: deployment_branch_policy.protected_branches == true
#           OR deployment_branch_policy.custom_branch_policies == [{name: "main"}]

# 3. Check GitLab protected environment configuration.
curl --header "PRIVATE-TOKEN: $GITLAB_TOKEN" \
  "https://gitlab.example.com/api/v4/projects/:id/protected_environments/production" \
  | jq '{
    required_approval_count: .required_approval_count,
    approval_rules: .approval_rules | map({group: .group.name, required_approvals: .required_approvals})
  }'

# 4. Confirm Argo CD PreSync hooks are present and fail-safe.
kubectl get application payments-service -n argocd \
  -o jsonpath='{.status.operationState.syncResult.resources[*]}' \
  | jq 'select(.hookPhase == "PreSync") | {name, status, message}'

# 5. Review recent deployment approvals to confirm segregation of duties.
# In GitHub, audit log for the last 30 days:
gh api orgs/:org/audit-log \
  --paginate \
  --field phrase="action:environment.add_protection_rule OR action:deployment.create" \
  | jq 'select(.environment == "production") | {actor, created_at, deployment_id}'

Summary

Automatic promotion to production is not a minor configuration choice — it is a structural gap that lets supply chain compromises, unauthorized changes, and unreviewed workloads reach production without any human awareness. The controls in this article create a layered gate:

Layer Mechanism Bypass Resistance
Automated quality checks Trivy scan, cosign verify, SLSA verification Must pass before human approval is triggered
Human approval gate GitHub environment protection / GitLab protected env Stored outside the repository; cannot be removed by modifying pipeline YAML
Author self-approval prevention prevent_self_review / GitLab approval rules Enforced at the platform level, not in application code
Change freeze check ITSM calendar API called from pre-deploy job Blocks deployment during maintenance windows without human intervention
Canary analysis gate Argo Rollouts AnalysisRun / Flagger metrics Automatic rollback if error rate exceeds threshold during promotion
Emergency path Separate workflow with incident ticket validation Expedited but not bypassed; full audit trail preserved
Audit trail External write-once log + platform audit log Satisfies SOC 2 CC8.1 and PCI-DSS 6.4.2 evidence requirements

The critical architectural rule: approval enforcement must live in platform configuration (environment protection rules, protected environment settings), not in pipeline YAML. Any gate that lives only in a script or a job step can be deleted by the person who wrote the code. A gate that lives in platform settings requires a different person with a different role to remove — which is the definition of segregation of duties.