From 4a618cb5d065d67a899891d826b2b06cf5220982 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20L=C3=BCder?=
Date: Tue, 28 Apr 2026 13:21:58 -0500
Subject: [PATCH] chore(templates): adicionar environment gate npm-publish no _publish.yml

---
 .github/workflows/_publish.yml | 8 ++++++++
 templates/github/workflows/_publish.yml | 8 ++++++++
 2 files changed, 16 insertions(+)

diff --git a/.github/workflows/_publish.yml b/.github/workflows/_publish.yml
index 3ff174e..428ecf2 100644
--- a/.github/workflows/_publish.yml
+++ b/.github/workflows/_publish.yml
@@ -23,6 +23,14 @@ jobs:
 publish:
 name: Publish
 runs-on: ubuntu-latest
+ # `environment: npm-publish` puts a human-in-the-loop gate in front
+ # of every npm publish to `@precisa-saude/*`. Configure required
+ # reviewers in Settings → Environments → npm-publish; without
+ # reviewers configured the gate is informational only (deployment
+ # marker shows in Actions UI but doesn't block). The job pauses on
+ # "waiting" until approved.
+ environment:
+ name: npm-publish
 # `id-token: write` is for Sigstore attestations (`--provenance`),
 # NOT for npm auth. Auth uses `NPM_TOKEN` org-secret — OIDC trusted
 # publishing was evaluated and rejected because it requires manual
diff --git a/templates/github/workflows/_publish.yml b/templates/github/workflows/_publish.yml
index 3ff174e..b12d725 100644
--- a/templates/github/workflows/_publish.yml
+++ b/templates/github/workflows/_publish.yml
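Review bot: The new `environment: npm-publish` gate governs when the `publish` job may run, but not who can read `NPM_TOKEN`, which the context comment just below the added lines describes as an org-level secret — any job in any workflow that secret is scoped to can still reach the registry without passing this approval, so the gate protects the job, not the credential. Storing `NPM_TOKEN` as an environment secret on `npm-publish` (together with a deployment branch/tag policy on that environment) would release the token only to jobs that have cleared the protection rules, and the added comment could say so: `# Keep NPM_TOKEN as an environment secret on npm-publish so approval also gates the credential, not only the job`. The same point applies to the corresponding hunk in `templates/github/workflows/_publish.yml`. Presumably `_publish.yml` is a reusable workflow, in which case the environment and its reviewers are resolved in the calling repository, which the templates copy states ("each consumer repo's Settings") but this copy does not — worth aligning the two comments. The `publish` job's permissions and steps continue outside the hunk.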
@@ -23,6 +23,14 @@ jobs:
 publish:
 name: Publish
 runs-on: ubuntu-latest
+ # `environment: npm-publish` puts a human-in-the-loop gate in front
+ # of every npm publish to `@precisa-saude/*`. Configure required
+ # reviewers in each consumer repo's Settings → Environments →
+ # npm-publish; without reviewers configured the gate is informational
+ # only (deployment marker shows in Actions UI but doesn't block).
+ # The job pauses on "waiting" until approved.
+ environment:
+ name: npm-publish
 # `id-token: write` is for Sigstore attestations (`--provenance`),
 # NOT for npm auth. Auth uses `NPM_TOKEN` org-secret — OIDC trusted
 # publishing was evaluated and rejected because it requires manual