## Problem
`_deploy-testnet.yml` deploys whenever `github.event_name == 'pull_request'` is true and the calling workflow opted into `deploy-on-pr: true`. There is no approval gate, no environment scoping, and no way to require reviewer sign-off before a deploy uses `PRIVATE_KEY`.
The original spec (`docs/specs/ci-cd-automated-deployments.md`) calls this out explicitly: "Testnet: deploy on approved PR to main."
Today an approval gate is missing, which means:
- Any PR author can trigger a deploy that consumes `PRIVATE_KEY` by toggling `deploy-on-pr` in the calling workflow.
- A protected-environment review/wait gate is not enforceable from this side.
## Proposal
- Add an `environment` input to `_deploy-testnet.yml` (default `testnet`) and to the orchestrator's `deploy-testnet` job.
- Document in README how consumers should configure protected environments (required reviewers, deployment branch policies) so secrets can only be used after a maintainer approves the deployment run.
- Optionally: emit a clearer error when `PRIVATE_KEY` is missing — the protected-environment scoping makes the secret only available after approval, so we want the workflow to fail closed with a useful message during dry runs.
## Out of scope
- A mainnet workflow, which would also use environments. Tracked separately.
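
A sketch of the proposed change, added here as an illustration and not taken from the project's actual `_deploy-testnet.yml`. It assumes `PRIVATE_KEY` is stored as a secret on the protected environment; the `deploy` job name, the checkout step and `./scripts/deploy.sh` are hypothetical placeholders.

```yaml
# Added sketch of _deploy-testnet.yml with the proposed `environment` input.
name: deploy-testnet
on:
  workflow_call:
    inputs:
      deploy-on-pr:
        type: boolean
        default: false
      environment:
        description: GitHub environment whose protection rules gate this deploy
        type: string
        default: testnet
    secrets:
      PRIVATE_KEY:
        # Not marked required, so a missing key reaches the explicit check
        # below and produces a readable error instead of a generic failure.
        required: false

jobs:
  deploy:  # hypothetical job name
    if: github.event_name == 'pull_request' && inputs.deploy-on-pr
    runs-on: ubuntu-latest
    # With required reviewers configured on this environment, the job waits
    # for approval here; environment secrets are not exposed before that.
    environment: ${{ inputs.environment }}
    steps:
      - uses: actions/checkout@v4

      - name: Fail closed when PRIVATE_KEY is missing
        env:
          PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}
        run: |
          if [ -z "${PRIVATE_KEY}" ]; then
            echo "::error::PRIVATE_KEY is not available. Check that it is defined on the '${{ inputs.environment }}' environment and that the deployment was approved."
            exit 1
          fi

      - name: Deploy
        env:
          PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}
        # Hypothetical placeholder for the project's real deploy command.
        run: ./scripts/deploy.sh
```

The gate only takes effect once the consuming repository has configured required reviewers (and, if wanted, deployment branch policies) on the named environment; without those settings the job runs immediately.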