Proceed With Care: How to Use Approval Gates in Pipelines
While DevOps automation aims to eliminate most human intervention in the CI/CD pipeline, you can’t always cut people completely out of the process. There are still times when you’ll want an expert, hands-on review to ensure that everything is as it should be before allowing your pipeline to proceed further.
That’s why JFrog Pipelines empowers DevOps teams to include approval gates in their CI/CD pipelines, to give key personnel the power to prevent mistakes from cascading into production binaries.
Use Cases for Approval Gates
When are approval gates necessary? That depends on your organization and its particular concerns. Here are some possible requirements where approval gates in Pipelines might be used:
- A security team is required to audit and approve applications before they are released to production by the SRE team.
- A build must be approved by the product, security, and quality assurance teams before being deployed into production.
- A production engineer must verify that all the dependent components of an application are ready/compatible before promotion or deployment.
- Security and QA teams must validate updated artifacts before they are released for consumption by other development teams.
- A quality assurance team needs the development team to approve artifacts before running tests.
Creating Approval Gates
You can configure a manual approval gate for any step in your pipeline configuration YAML.
When a step has an approval gate configured, it will suspend execution and set its status to Pending. The required user(s) must then manually approve (or reject) for the step to complete (or cancel).
If the step is cancelled, then Pipelines will treat it as failed and no subsequent steps will be executed.
Simple Approval Gate
An approval gate can be specified in the configuration section of any Pipelines step, using the requiresApproval key. In its simplest usage, you can just set the value of requiresApproval to true.
steps:
  - name: approvalGatesStep
    type: Bash
    configuration:
      requiresApproval: true
In this mode, any user with execute permissions for the pipeline can approve or reject the step. If no action is taken within 24 hours, the step will automatically be cancelled and no subsequent steps will be executed.
Complex Approval Gate
In a simple approval gate, no user is notified outside of the Pipelines UI that approval is required; the user must watch the pipeline execute to see the step’s pending status.
This isn’t very practical for most real-world circumstances. Approvers need to be notified, through the collaboration tools that they use every day, that their action is required.
It’s also likely that approvals will need to be made by a specific person, or by multiple people.
For these reasons, the requiresApproval key can be configured with any or all of these additional properties:
- approvers – List of users who can approve or reject the step.
- notifications – List of notifications sent through SMTP and/or Slack when the step enters Pending status.
- timeoutSeconds – Maximum time the step can hold Pending status before being cancelled.
- name: npm_publish_step
  type: npmPublish
  configuration:
    requiresApproval:
      approvers:
        - mtwain          # Artifactory user
        - jcheever        # Artifactory user
      notifications:
        - integrationName: mySlack_Int   # Slack integration
      timeoutSeconds: 43200   # 12 hours
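To show how a gate behaves in the context of a whole pipeline, here is a complete pipeline definition. It is an added illustration, not a sample from JFrog’s own documentation: an ungated build step, a gated publish step that only the named approvers can release, and a deploy step that depends on the gated step through inputSteps and is therefore never run when the gate is rejected or times out. The pipeline name, the step names and the echo commands are placeholders; the approver usernames and the mySlack_Int integration name are the ones used in the example above and are assumed to already exist in your Artifactory and Pipelines setup.

```yaml
# Added illustration, not JFrog's own sample. Pipeline and step names are
# placeholders; the users mtwain and jcheever and the Slack integration
# mySlack_Int are assumed to exist in your installation.
pipelines:
  - name: gated_release_pipeline
    steps:
      # 1. Unattended build: no gate, runs as soon as the pipeline is triggered.
      - name: build
        type: Bash
        execution:
          onExecute:
            - echo "building and testing the application"

      # 2. Gated step: suspends in Pending status, notifies Slack, and waits
      #    until one of the listed approvers acts. Listing approvers narrows
      #    the gate from "anyone with execute permission" to these accounts.
      - name: publish
        type: Bash
        configuration:
          inputSteps:
            - name: build
          requiresApproval:
            approvers:
              - mtwain             # Artifactory user
              - jcheever           # Artifactory user
            notifications:
              - integrationName: mySlack_Int   # Slack integration
            timeoutSeconds: 43200  # 12 hours; cancelled after that instead of the 24-hour default
        execution:
          onExecute:
            - echo "publishing the approved artifact"

      # 3. Depends on the gated step. A rejected or timed-out gate cancels
      #    "publish", Pipelines treats that as a failure, and this step is
      #    skipped, so nothing reaches production without a recorded approval.
      - name: deploy
        type: Bash
        configuration:
          inputSteps:
            - name: publish
        execution:
          onExecute:
            - echo "deploying to production"
```

Two choices in this layout matter from a control standpoint. The gate sits on the step that produces the production-bound artifact rather than on the deploy step after it, so an approval covers exactly the output that is later deployed; and the approvers list names individual accounts rather than falling back to the simple form, so the approval is attributable to a specific person and the comment they enter becomes part of the run history.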
Running Approval Gates
So you have your approval gate set up in a step. What happens when the pipeline runs?
When our pipeline executes, the approval gate configured in our npmPublish step will suspend execution, enter Pending status, and send notification (in this case, to Slack).
The link in the notification will display the Pipeline History view for the current run, which reflects the currently Pending status of the step.
When you view the log for the Pending step, an Approve/Reject button is available.
Clicking Approve/Reject reveals options to approve or reject, along with an opportunity to register a comment about the action.
When you Approve, you are asked to confirm.
Stop, Look, Click
An approval gate in Pipelines empowers DevOps engineers to make the expertise of the people who keep the software development lifecycle working an integral part of their CI/CD pipelines. Through automated notifications and an easy-to-follow UI, you can make sure that any needed manual oversight gets done by those authorized to perform it.
This feature is only the latest way that JFrog Pipelines helps your organization to practice and enforce CI/CD the way that you have decided you need to. Whether it’s creating your own custom extensions or templates, or out-of-the-box integrations with the many tools that you use, Pipelines enables you to build the working patterns that suit you best.
Have you tried Pipelines CI/CD yet? If not, start for free!