diff --git a/.github/workflows/_publish.yml b/.github/workflows/_publish.yml
index 3ff174e..428ecf2 100644
--- a/.github/workflows/_publish.yml
+++ b/.github/workflows/_publish.yml
@@ -23,6 +23,14 @@ jobs:
 publish:
 name: Publish
 runs-on: ubuntu-latest
+ # `environment: npm-publish` puts a human-in-the-loop gate in front
+ # of every npm publish to `@precisa-saude/*`. Configure required
+ # reviewers in Settings → Environments → npm-publish; without
+ # reviewers configured the gate is informational only (deployment
+ # marker shows in Actions UI but doesn't block). The job pauses on
+ # "waiting" until approved.
+ environment:
+ name: npm-publish
 # `id-token: write` is for Sigstore attestations (`--provenance`),
 # NOT for npm auth. Auth uses `NPM_TOKEN` org-secret — OIDC trusted
 # publishing was evaluated and rejected because it requires manual
diff --git a/templates/github/workflows/_publish.yml b/templates/github/workflows/_publish.yml
index 3ff174e..b12d725 100644
--- a/templates/github/workflows/_publish.yml
+++ b/templates/github/workflows/_publish.yml
@@ -23,6 +23,14 @@ jobs:
 publish:
 name: Publish
 runs-on: ubuntu-latest
+ # `environment: npm-publish` puts a human-in-the-loop gate in front
+ # of every npm publish to `@precisa-saude/*`. Configure required
+ # reviewers in each consumer repo's Settings → Environments →
+ # npm-publish; without reviewers configured the gate is informational
+ # only (deployment marker shows in Actions UI but doesn't block).
+ # The job pauses on "waiting" until approved.
+ environment:
+ name: npm-publish
 # `id-token: write` is for Sigstore attestations (`--provenance`),
 # NOT for npm auth. Auth uses `NPM_TOKEN` org-secret — OIDC trusted
 # publishing was evaluated and rejected because it requires manual
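Review bot: The approval gate added with `environment:` / `name: npm-publish` is bypassable by anyone who can edit this workflow, because the context comment right below it says auth uses the `NPM_TOKEN` org-secret, and an org secret is readable by any job in any workflow whether or not it declares an environment — deleting the `environment:` key (or adding a second job without it) publishes without approval. Move the token to an environment secret on `npm-publish` (and remove the org-level copy, or at least stop granting this repo access to it) so that reading it requires passing the required-reviewers rule. The added comment should then record that dependency, e.g. `# NPM_TOKEN is an environment secret on npm-publish; a job without this environment cannot read it, so the gate cannot be skipped by editing the workflow.` The steps that actually consume `NPM_TOKEN` and the `permissions:` block are outside this hunk, so whether the secret is currently referenced from job or environment scope cannot be confirmed here.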
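Review bot: The setup instructions in the added comment (`reviewers in each consumer repo's Settings → Environments → npm-publish`) omit two environment settings that decide whether this is a real control rather than a click-through: "Prevent self-review", without which the actor who triggered the publish can approve their own deployment, and a deployment branch/tag rule, without which any branch in the consumer repo can request the `npm-publish` environment. Since this file is the template consumers copy, the comment is the only place they will see the requirement; suggest extending it with `# Also enable "Prevent self-review" and restrict deployment branches/tags, otherwise the trigger author can self-approve a publish from any ref.` Whether the consumer repos already enforce either setting cannot be determined from this diff.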