Deployment approvals

Version history
  • Introduced in GitLab 14.7 with a flag named deployment_approvals. Disabled by default.
  • Generally available in GitLab 14.8. Feature flag deployment_approvals removed.

You can require additional approvals for deployments to protected environments. Deployments are blocked until all required approvals are given.

Use deployment approvals to accommodate testing, security, or compliance processes. For example, you might want to require approvals for deployments to production environments.

Configure deployment approvals

You can require approvals for deployments to protected environments in a project.

To configure deployment approvals for a project:

  1. Create a deployment job in the .gitlab-ci.yml file of your project:

    stages:
      - deploy
    
    production:
      stage: deploy
      script:
        - 'echo "Deploying to ${CI_ENVIRONMENT_NAME}"'
      environment:
        name: ${CI_JOB_NAME}
    

    The job does not need to be manual (when: manual).

  2. Add the required approval rules.

The environments in your project require approval before deployment.

Unified approval setting (deprecated)

Version history
  • UI configuration removed in GitLab 15.11.
caution
This feature was deprecated in GitLab 16.1 and is planned for removal in 17.0. Use multiple approval rules instead. This change is a breaking change.

To configure approvals for a protected environment:

  • Using the REST API, set the required_approval_count field to 1 or more.

After this is configured, all jobs deploying to this environment automatically go into a blocked state and wait for approvals before running. Ensure that the number of required approvals is less than the number of users allowed to deploy.

Example:

curl --header 'Content-Type: application/json' --request POST \
     --data '{"name": "production", "deploy_access_levels": [{"group_id": 9899826}], "required_approval_count": 1}' \
     --header "PRIVATE-TOKEN: <your_access_token>" \
     "https://gitlab.example.com/api/v4/projects/22034114/protected_environments"
note
To protect, update, or unprotect an environment, you must have at least the Maintainer role.

Multiple approval rules

Version history
  • Using the REST API.
    • deploy_access_levels represents which entity can execute the deployment job.
    • approval_rules represents which entity can approve the deployment job.
  • Using the UI.
    • Allowed to deploy sets which entities can execute the deployment job.
    • Approvers sets which entities can approve the deployment job.

After this is configured, all jobs deploying to this environment automatically go into a blocked state and wait for approvals before running. Ensure that the number of required approvals is less than the number of users allowed to deploy. Once a deployment job is approved, it must be run manually.

A configuration that uses the REST API might look like:

curl --header 'Content-Type: application/json' --request POST \
     --data '{"name": "production", "deploy_access_levels": [{"group_id": 138}], "approval_rules": [{"group_id": 134}, {"group_id": 135, "required_approvals": 2}]}' \
     --header "PRIVATE-TOKEN: <your_access_token>" \
     "https://gitlab.example.com/api/v4/groups/128/protected_environments"

With this setup:

  • The operator group (group_id: 138) has permission to execute the deployment jobs to the production environment in the organization (group_id: 128).
  • The QA tester group (group_id: 134) and security group (group_id: 135) have permission to approve the deployment jobs to the production environment in the organization (group_id: 128).
  • Unless two approvals from security group and one approval from QA tester group have been collected, the operator group can’t execute the deployment jobs.
note
To protect, update, or unprotect an environment, you must have at least the Maintainer role.

Migrate to multiple approval rules

You can migrate a protected environment from unified approval rules to multiple approval rules. Unified approval rules allow all entities that can deploy to an environment to approve deployment jobs. To migrate to multiple approval rules, create a new approval rule for each entity allowed to deploy to the environment.

To migrate with the UI:

  1. On the left sidebar, select Search or go to and find your project.
  2. Select Settings > CI/CD.
  3. Expand Protected environments.
  4. From the Environment list, select your environment.
  5. For each entity allowed to deploy to the environment:
    1. Select Add approval rules.
    2. In the modal window, select which entity is allowed to approve the deployment job.
    3. Enter the number of required approvals.
    4. Select Save.

Each deployment requires the specified number of approvals from each entity.

For example, the Production environment below requires five total approvals, and allows deployments from only the group Very Important Group and the user Administrator:

unified approval rules

To migrate, create rules for the Very Important Group and Administrator. To preserve the number of required approvals, set the number of required approvals for Very Important Group to four and Administrator to one. The new rules require Administrator to approve every deployment job in Production.

multiple approval rules

Allow self-approval

Version history

By default, the user who triggers a deployment pipeline can’t also approve the deployment job. To allow self-approval of a deployment job:

  1. On the left sidebar, select Search or go to and find your project.
  2. Select Settings > CI/CD.
  3. Expand Protected environments.
  4. From the Approval options, select the Allow pipeline triggerer to approve deployment checkbox.

Approve or reject a deployment

Introduced in GitLab 14.9

Using either the GitLab UI or the API, you can:

  • Approve a deployment to allow it to proceed.
  • Reject a deployment to prevent it.
note
GitLab administrators can approve or reject all deployments.

Approve or reject a deployment using the UI

Prerequisites:

  • Permission to deploy to the protected environment.

To approve or reject a deployment to a protected environment using the UI:

  1. On the left sidebar, select Search or go to and find your project.
  2. Select Operate > Environments.
  3. Select the environment’s name.
  4. In the deployment’s row, select Approval options (). Before approving or rejecting the deployment, you can view the number of approvals granted and remaining, also who has approved or rejected it.
  5. Optional. Add a comment which describes your reason for approving or rejecting the deployment.
  6. Select Approve or Reject.

Approve or reject a deployment using the API

Prerequisites:

  • Permission to deploy to the protected environment.

To approve or reject a deployment to a protected environment using the API, pass the required attributes. For more details, see Approve or reject a blocked deployment.

Example:

curl --data "status=approved&comment=Looks good to me" \
     --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/1/deployments/1/approval"

View the approval details of a deployment

Prerequisites:

  • Permission to deploy to the protected environment.

A deployment to a protected environment can only proceed after all required approvals have been granted.

To view the approval details of a deployment:

  1. On the left sidebar, select Search or go to and find your project.
  2. Select Operate > Environments.
  3. Select the environment’s name.
  4. In the deployment’s row, select Approval options ().

The approval status details are shown:

  • Eligible approvers
  • Number of approvals granted, and number of approvals required
  • Users who have granted approval
  • History of approvals or rejections

How to see blocked deployments

Using the UI

  1. On the left sidebar, select Search or go to and find your project.
  2. Select Operate > Environments.
  3. Select the environment being deployed to.
  4. Look for the blocked label.

Using the API

Use the Deployments API to see deployments.

  • The status field indicates if a deployment is blocked.
  • When the unified approval setting is configured:
    • The pending_approval_count field indicates how many approvals are remaining to run a deployment.
    • The approvals field contains the deployment’s approvals.
  • When the multiple approval rules is configured:
    • The approval_summary field contains the current approval status per rule.