ci(release): gate signed release on the release environment (#2249)

The Desktop release fires on any desktop-v* tag push and consumes the
repo-level signing secrets, so any write-access collaborator can cut a
signed prod build. Reference the `release` environment from the build
jobs so a designated reviewer must approve before the secrets are used.
Takes effect once required reviewers are configured on that environment.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Harshit Singh Bhandari 2026-06-28 23:24:43 +05:30 committed by GitHub
parent 01406eddca
commit 2c377dcb7e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 6 additions and 0 deletions

View File

@ -41,6 +41,11 @@ jobs:
matrix:
os: [macos-latest, windows-latest, ubuntu-latest]
runs-on: ${{ matrix.os }}
# Gates the signed release behind the `release` environment's required
# reviewers: any write-access user can push a desktop-v* tag, but only
# designated approvers can let the build that consumes the signing secrets
# proceed. Configure reviewers in repo Settings > Environments > release.
environment: release
permissions:
contents: write
defaults:
@ -157,6 +162,7 @@ jobs:
# finishes before publish-feed, but the feed is not gated on it.
release-intel:
runs-on: macos-13
environment: release # same approval gate as the matrix release job
permissions:
contents: write
defaults: