Stop AI coding agents from shipping production changes you didn't authorize.

When Cursor / Codex / Copilot / Claude Code opens a PR that touches deploy/, .github/workflows/, or any path you mark sensitive, Deploy Gate blocks the merge until a named human signs an approval and produces a signed receipt that proves who authorized what against which policy.

• ⛔ Fails closed by default for production environments
• ✍️ Ed25519-signed receipts bound to the exact action
• ⚡ <200ms enforcement in the GitHub status check
• 🆓 MIT-licensed action

"GitHub asks 'did a reviewer approve?' Deploy Gate asks 'did a named human authorize this exact AI action?' and gives you signed proof."

Add to your workflow:

# .github/workflows/deploy-gate.yml
name: Deploy Gate

on:
  pull_request:
    branches: [main]

jobs:
  gate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: permission-protocol/deploy-gate@v2
        with:
          pp-api-key: ${{ secrets.PP_API_KEY }}

Free for unlimited signers and unlimited public repos. Paid tiers add policy controls and audit retention. See pricing.

1. Get API key at https://app.permissionprotocol.com
2. Add secret:

gh secret set PP_API_KEY -b "pp_live_..."

3. Open a PR and watch deploy-sensitive changes block until approval

Full install guide: INSTALL.md

AI agents are moving from "suggest text" to "take actions": committing code, modifying workflows, and deploying to production. GitHub controls like branch protection, environments, and required reviewers gate humans, not agents.

Deploy Gate is the missing primitive: a deterministic gate keyed to the exact action the agent is taking, with a signed authority receipt as the audit artifact.

When audit time comes, you do not want to hand over a mutable PR comment thread. You want a chain of signed receipts that can be independently verified.

v2 defaults to fail-closed when the Permission Protocol API is unavailable. A security tool that fails open in a network blip is not a security tool.

Inputs:

• fail-mode: closed (default) or open — only honored in non-production environments.
• production-environments: comma-separated environment names treated as production, default production,prod,live.
• fail-open-timeout: API timeout in seconds. It controls timeout duration only, not failure policy.

• BREAKING: defaults to fail-closed. To restore v1 behavior, set fail-mode: open and remove production-environments.

Block -> Approve -> Verify -> Merge.

PR opened
   │
   ▼
Deploy Gate checks for valid receipt
   │
   ├── Receipt exists ----------> Merge allowed
   │
   └── No receipt --------------> Blocked
                                     │
                                     ▼
                              PR comment with approval link
                                     │
                                     ▼
                              Human approves + signs
                                     │
                                     ▼
                              Re-run CI -> Merge allowed

• Blocks risky PRs with a required status check
• Posts a PR comment with a direct approval link
• Unblocks the PR instantly after approval
• Produces a tamper-evident approval receipt

• Trust + compliance: https://permissionprotocol.com/trust
• Support: https://permissionprotocol.com/contact
• Live demo: https://permissionprotocol.com/r/demo
• Reference verifier (CLI): https://github.com/permission-protocol/pp-cli

MIT - see LICENSE