Comparison

Release Passport vs GitHub and GitLab environments

GitHub and GitLab environments control who can approve a deploy target. Release Passport works as an external gate that keeps that approval as one signal, then evaluates runtime, GitOps, rollback, artifact, incident, and report evidence before the production promotion proceeds.

GitHub/GitLab environments

What the existing tool should keep doing.

Release Passport does not replace branch protection, environment secrets, or CI job permissions.
It does not approve a human change by itself; customer policy decides when approvals are required.
It does not need owner billing or package administration code inside the customer runtime.

Release Passport

What Release Passport adds.

A signed passport with source SHA, artifact digest, policy version, actor, reasons, and timestamps.
Runtime checks from scoped Kubernetes, GitOps, metrics, logs, and incident sources.
Decisions beyond approved/not approved: ALLOW, ALLOW_WITH_CANARY, REQUIRE_APPROVAL, HOLD, BLOCK, and ROLLBACK_RECOMMENDED.
Audit-friendly retention and sanitized exports for release review.

How to use them together.

Keep environment approvals in the CI system for human authorization.
Run releasepassport gate after build and before the protected environment deployment job.
Attach approval state, source SHA, image digest, release ID, and target environment to the passport.
Start in shadow mode so teams can compare approval outcomes with evidence outcomes.

Recommended release flow.

  1. CI builds, tests, signs, and records immutable artifact identity.
  2. Environment approval remains in GitHub or GitLab.
  3. Release Passport evaluates the broader release evidence in server mode.
  4. The pipeline promotes, holds, requires approval, blocks, or starts canary based on the configured threshold.

Boundary check.

Customer installs run the self-hosted console, API, worker, CLI gate path, scoped connectors, RBAC, audit log, retention controls, signed artifacts, and provenance checks. Owner checkout, payment, license issuance, and package entitlement administration stay outside the customer runtime.