Branch Filter for Environment Protection Rules

The recently announced environment protection rules and environment secrets feature is interesting. However, one big capability it is missing is the ability to specify a branch filter as an environment protection rule. Example: Specify workflows triggered from main branch are the only ones to access certain environment secrets. This way it can be combined with existing branch protection rules to only deploy code that’s been reviewed and merged to a specific branch like main.


Yes this is one of the items we want to add before we exist the beta.


@chrispat Are there any plans of rolling this out to private repos of paid plans other than Enterprise?

1 Like

@chrispat I have the same question: are Environments (including protection rules, required reviewers and env secrets) going to be available for private repos in other paid plans besides Enterprise level?

Our org is on the Github Team plan and we would really like to take advantage of these features. We’re trying to show that we can migrate from Jenkins to GitHub Actions completely.


Is there any way to make branch filter rules apply to tags?

Given GitHub does not have a concept of protected tags we decided to only include branches in the matching for Environments. If protected tags come in the figure we will likely update the environment rules.

While I get that, given that builds can be kicked off by a push to a tag (and a release), it would be REALLY helpful to be able to apply to tags so that you can control what tags are allowed to kick off certain builds–regardless of a tags “protected” status.

I wanted to point that GitHub has released this functionality in case anybody missed it or ends up here later.