[FAQ] Add: external admission authority via environment protection rules #28936

Merged
pelikhan merged 2 commits into main from faq/issue-484-d1de2b86fc397d40
Apr 28, 2026

@chrizbo (Collaborator) commented Apr 28, 2026

Adds a new FAQ entry under the Guardrails section addressing whether external human approval can be required before safe outputs are applied.

What changed

New entry: "Can I require external human approval before safe outputs are applied?"

The entry:

  • Clarifies the distinction between guardrail validation (internal) and external admission authority
  • Explains that GitHub Environment protection rules on custom safe output jobs provide a genuine external admission boundary
  • Includes a minimal YAML example showing how to configure an environment-gated custom safe output job
  • Honestly notes that the admission policy is still defined internally by repository owners, even though each execution admission can require external approval

Source

Sourced from community discussion feedback captured in github/agentic-workflows#484. This is a new entry — no existing FAQ entry covered external admission authority.

Type

New FAQ entry added to existing Guardrails section.

Generated by Feedback Question Answerer · ● 934.8K ·

Adds a new entry under Guardrails answering the question of whether
external human approval can be required before safe outputs are applied.
Explains the guardrail-vs-admission distinction and documents the
GitHub Environment protection rules pattern for fail-closed external
admission gates using custom safe output jobs.

Closes github/agentic-workflows#484

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

@github-actions (Contributor)

Smoke Temporary ID encountered failures. Check the logs for details.

@github-actions (Contributor)

✅ smoke-ci: safeoutputs CLI comment + comment-memory run (25052645435)

Generated by Smoke CI for issue #28936 ·

@github-actions (Contributor)

Comment Memory

CI lights the path\nGreen checks bloom at dawn\nQuiet bots still sing

Note

This comment is managed by comment memory.

It stores persistent context for this thread in the code block at the top of this comment.
Edit only the text inside the backtick fences; workflow metadata and the footer are regenerated automatically.

Learn more about comment memory

Generated by Smoke CI for issue #28936 ·

For a fail-closed **external admission gate** before sensitive operations like deployments or credential use, apply **[GitHub Environment protection rules](https://docs.github.com/en/actions/managing-workflow-runs-and-deployments/managing-deployments/managing-environments-for-deployment#required-reviewers)** to a [custom safe output job](/gh-aw/reference/custom-safe-outputs/). The job pauses until a designated reviewer outside the workflow system explicitly approves. No approval means no execution.

```yaml wrap
safe-outputs:
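
Review bot: In the paragraph starting "For a fail-closed external admission gate", the phrase "a designated reviewer outside the workflow system" does not say who designates that reviewer. The link target is the #required-reviewers anchor, so the reviewer list is an environment setting; saying that here (for example "a required reviewer configured on the environment") would keep readers from taking the gate to be independent of repository administration. The closing "No approval means no execution" should also name what does not execute, since the sentence before it only covers the job the protection rule is applied to.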
Collaborator

@copilot declare job that needs detection and add this job to safe-outputs.needs to interleave manual confirmation before the safe outputs job

Contributor

Updated in f2438b3. The example now declares a top-level approval-gate job with needs: detection (so it runs after automated threat scanning) and uses safe-outputs.needs: [approval-gate] to interleave the manual reviewer confirmation before the built-in safe_outputs job runs.
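
An added example, not code from this PR or from gh-aw: one way to check, in a compiled workflow, that the `safe_outputs` job really sits behind an environment-gated job as the reply above describes. It assumes the workflow has been parsed into a dict using the standard GitHub Actions `needs`, `environment` and `if` job keys; the `agent` job, the environment name `production` and the three sample workflows are constructed.

```python
# Added example: the sample workflows below are constructed, not taken from gh-aw.

def needs_of(job):
    """`needs` may be absent, a single job id, or a list of ids."""
    needs = job.get("needs", [])
    return [needs] if isinstance(needs, str) else list(needs)

def runs_after_failure(job):
    """Heuristic (assumption): always() / !cancelled() let a job run even when
    a job it needs failed, which includes a rejected environment approval."""
    cond = str(job.get("if", "")).replace(" ", "")
    return "always()" in cond or "!cancelled()" in cond

def binding_gates(jobs, target):
    """Return the environment-gated jobs that `target` cannot run without."""
    gates, seen, stack = set(), set(), [target]
    while stack:
        name = stack.pop()
        if name in seen or name not in jobs:
            continue
        seen.add(name)
        job = jobs[name]
        if job.get("environment"):       # a name string or a {name, url} mapping
            gates.add(name)
        if not runs_after_failure(job):  # otherwise upstream gates do not bind
            stack.extend(needs_of(job))
    return gates

BASE = {
    "agent": {},
    "detection": {"needs": "agent"},
    "approval-gate": {"needs": ["detection"], "environment": "production"},
}
# Gate interleaved before safe_outputs, as in the updated FAQ example.
GATED = {**BASE, "safe_outputs": {"needs": ["approval-gate"]}}
# Gate job exists, but safe_outputs does not wait on it.
UNGATED = {**BASE, "safe_outputs": {"needs": ["detection"]}}
# safe_outputs waits on the gate but runs regardless of its result.
BYPASSED = {**BASE, "safe_outputs": {"needs": ["approval-gate"], "if": "always()"}}

if __name__ == "__main__":
    for label, jobs in (("gated", GATED), ("ungated", UNGATED), ("bypassed", BYPASSED)):
        found = sorted(binding_gates(jobs, "safe_outputs"))
        print(f"{label}: {found if found else 'NO BINDING GATE'}")
```

An empty result means the job can run without any reviewer approving, either because no gated job is upstream of it or because an `if` condition lets it run after the gate was rejected.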

…afe-outputs.needs

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/7f90a3d5-3450-4da8-b7fc-673093cdfe0e

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI requested a review from pelikhan April 28, 2026 14:29
@pelikhan pelikhan marked this pull request as ready for review April 28, 2026 14:31
Copilot AI review requested due to automatic review settings April 28, 2026 14:31
@pelikhan pelikhan merged commit c33cb48 into main Apr 28, 2026
11 checks passed
@pelikhan pelikhan deleted the faq/issue-484-d1de2b86fc397d40 branch April 28, 2026 14:32
@github-actions github-actions Bot mentioned this pull request Apr 28, 2026