workflow.deploywithoutapproval

May 8, 2026

Flags deploy, release, publish, or registry-push steps without an approval signal in the same workflow.

Why It Matters

Steps with deployment capability change external systems, so a protected environment, manual approval, or equivalent gate should sit before any production-impacting step.

Review

Bad:

- name: Deploy
  run: terraform apply

Good:

environment: production
steps:
  - name: Deploy
    run: terraform apply

Framework Note

Build, plan, preview, and package-only commands are excluded unless the same step also contains a deploy marker.