A GitHub App built with Probot to approve deployments via reviews from maintainers
Deploynaut functions as a GitHub App, managing deployment approvals via custom deployment protection rules.
Deployments are approved by submitting an approved review, or a /deploy
command in a commented review.
- Validates deployment source and context when triggered on a protected environment.
- Auto-approves or requests manual approval based on event type.
Deployments are auto-approved if:
- They triggered by a previously approved commit SHA (including pull request merges).
- They are initiated by an allowlisted user (e.g., Renovate) who is:
- The author of the commit that triggered the deployment.
- Listed in the
BYPASS_USERS
IDs.
For manual approvals:
- An eligible reviewer submits a review.
- Commented reviews need to start with
/deploy
. - Approved reviews do not need to match any string.
- Commented reviews need to start with
- The app approves pending deployments matching the reviewed commit SHA.
Reviewers must:
- Have repository write access or higher.
- Not be the commit author or committer.
- Not be a bot account.
Key security features include:
- Using commit SHA as the review source of truth.
- Ensuring comment integrity (unmodified since creation).
- Maintaining stateless operations.
- Preventing TOCTOU attacks with atomic operations.
- Requiring different actors for commit and approval.
- Developer opens a PR and triggers a deployment.
- App receives a deployment protection rule event.
- If not auto-approved, the app comments on the PR with instructions.
- Eligible reviewer submits a commentedreview with
/deploy
. - App validates the approval and enables deployment.
# Install dependencies
npm install
# Run the bot
npm start
# 1. Build container
docker build -t deploynaut .
# 2. Start container
docker run --env-file .env deploynaut
Probot configuration variables are documented here.
Note
When deploying to production and using a custom domain (not smee), the Callback URL in the GitHub App needs to include TLD + WEBHOOK_PATH.
e.g. https://my-custom-domain.com/api/github/webhooks
Additional environment variables specific to this app:
-
BYPASS_ACTORS
: A comma-separated list of GitHub user IDs to bypass the approval process.For users, you can find the ID by visiting
https://api.github.com/users/<username>
For apps, you can find the ID by visitinghttps://api.github.com/users/<app-name>%5Bbot%5D
If you have suggestions for how deploynaut could be improved, or want to report a bug, open an issue! We'd love all and any contributions.
For more, check out the Contributing Guide.
This project is licensed under Apache 2.0 - see the LICENSE file for details.