Limiting which repo member can trigger an action

I’m planning a build/deploy process that will trigger deploys to a test/staging/production environment based on the branch pushed to, but I want to make sure only some people with access to the repo can push to production.

I think I can just look at GITHUB_ACTOR and prevent an accidental deploy to the wrong branch based on that, but am I correct that there’s not much I can do to completely lock that down, since anyone with repo access could just modify the Action config to remove any checks I add to it?

@jschuur ,

You can set the Branch protection rules for the production branch. There is an option, "Restrict who can push to matching branches", that can be used to specify people, teams or apps allowed to push to matching branches.

1 Like

Fantastic! This is perfect, thanks!
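
An added example, not part of the original thread: a check that the production branch's protection settings actually carry the push restriction recommended in the answer above and that only the intended people can push. It assumes the protection JSON has already been fetched from GitHub's REST endpoint `GET /repos/{owner}/{repo}/branches/{branch}/protection`; the sample response, the user and team names, and the function name are constructed for illustration.

```python
"""Audit a branch-protection response for push restrictions (added example)."""

# Constructed sample, trimmed to the fields this check reads.
SAMPLE_PROTECTION = {
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": False},
    "restrictions": {
        "users": [{"login": "alice"}, {"login": "mallory"}],
        "teams": [{"slug": "release-managers"}],
        "apps": [],
    },
}


def audit_push_restrictions(protection, allowed_users=(), allowed_teams=(), allowed_apps=()):
    """Return a list of findings; an empty list means the branch matches the allowlist."""
    restrictions = protection.get("restrictions")
    if not restrictions:
        # Missing or null is treated as "Restrict who can push" being off.
        return ["push is not restricted: anyone with write access can push"]

    findings = []
    expected = {
        "users": ("login", allowed_users),
        "teams": ("slug", allowed_teams),
        "apps": ("slug", allowed_apps),
    }
    for kind, (key, allowed) in expected.items():
        actual = {entry[key].lower() for entry in restrictions.get(kind, [])}
        for name in sorted(actual - {a.lower() for a in allowed}):
            findings.append(f"unexpected {kind[:-1]} allowed to push: {name}")

    # Without admin enforcement, repository admins are not bound by the rule.
    if not protection.get("enforce_admins", {}).get("enabled", False):
        findings.append("enforce_admins is off: repository admins bypass the restriction")
    if protection.get("allow_force_pushes", {}).get("enabled", False):
        findings.append("force pushes are allowed on this branch")
    return findings


if __name__ == "__main__":
    for finding in audit_push_restrictions(
        SAMPLE_PROTECTION, allowed_users=("alice",), allowed_teams=("release-managers",)
    ):
        print(finding)
```

Running a check like this from outside the repository (for example on a schedule with an admin-scoped token) keeps it out of reach of anyone who can only edit the workflow files.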