feat: deployment approval UI and backend handlers (#5256)

* feat: deployment approval UI and backend handlers

Add the complete approval/rejection flow for gated deployments:

Backend (ctrl service):
- Add ApproveDeployment and RejectDeployment RPCs to DeployService proto
- Implement approve handler: validates status, updates to pending, records
  approval, triggers deploy workflow via Restate
- Implement reject handler: validates status, updates to failed
- Add FindAppBuildSettingByAppEnv SQL query for approval flow

Dashboard:
- Add awaiting_approval to deployment status badges, filters, and collection
- Add DeploymentApprovalBanner component with approve/reject buttons
- Show banner on deployment detail page when awaiting approval
- Add tRPC mutations for approve/reject calling ctrl service
- Add deployment.approve and deployment.reject audit log events

* feat: add rejected status to dashboard UI

- Add 'rejected' to deployment status badges, filters, and collections
- Add DeploymentRejectedBanner with red error styling
- Show rejected banner on deployment detail page
- Add rejected to grouped status filter with error color

* feat: dashboard authorize page and cleanup old approval UI

Remove deployment approval/rejection banners, status badge configs,
filter options, and tRPC routes for awaiting_approval/rejected statuses.

Add /projects/[projectId]/authorize page that reads branch from URL
params and calls AuthorizeDeployment RPC. Add authorize tRPC route.

* fix: use correct Loading import from @unkey/ui

* fix: pass through actual error message from ctrl service

* fix: add GitHub App credentials to ctrl-api config

The ctrl API needs GitHub App credentials to fetch branch HEAD
when authorizing deployments from external contributors.

* fix: remove stale approval/rejected statuses, extract shared ctrl client

- Remove awaiting_approval and rejected from deployment statuses, filters,
  and status badge configs (no longer used — authorization is handled via
  GitHub Check Runs, not deployment status)
- Remove deployment.approve and deployment.reject audit log events
- Delete unused duplicate deployment-status-badge.tsx in table components
- Fix broken page.tsx referencing undefined awaitingApproval/rejected vars
- Extract createCtrlClient helper to deduplicate identical ctrl client
  creation boilerplate across 9 trpc router files

* feat: redesign deployment authorization page

Centered layout with GitHub + shield icons, commit details card showing
branch/SHA/message/sender from URL query params, proper Button components,
success/error states, and non-member handling hint.

* feat: link branch, commit SHA, and sender to GitHub on authorize page

* refactor: use nuqs for authorize page search params, remove null fallbacks

* fix: pass commit SHA through authorization flow and validate on frontend

Frontend now validates SHA format (40-char hex) before allowing authorization
and passes it to the backend which verifies it matches the branch HEAD.

* feat: show dedicated stale commit UI when branch has moved

Instead of a generic error, show a clear message explaining the branch
has new commits and direct the user to GitHub to find the latest
authorization link.

* feat: redirect to latest commit authorization when stale

Instead of telling the user to check GitHub, parse the new HEAD SHA
from the backend error and offer a direct "View Latest Commit" button
that navigates to the updated authorize page.

* fix: reset mutation state before navigating to latest commit

* fix: resolve TypeScript null check on authorize.error

* fix: use optional chain instead of non-null assertion for biome lint

* [autofix.ci] apply automated fixes

* feat: rewrite authorize page to use deploymentId, fetch deployment from DB

- Rewrite authorize page to take single deploymentId search param
- Fetch deployment details from DB via getById instead of URL params
- Handle awaiting_approval, already authorized, and failed states
- Simplify authorize mutation input to just deploymentId
- Add gitCommitMessage, gitCommitAuthorHandle, gitCommitAuthorAvatarUrl, projectId to getById response
- Register getById in tRPC router

* fix: replace dots with X icon in authorization connection indicator

* feat: move approval UI inline on deployment detail page

Replace the separate /authorize page with an inline DeploymentApproval
component shown when deployment status is awaiting_approval. Delete the
standalone authorize page. Add awaiting_approval to deriveStatusFromSteps
valid statuses so it doesn't fall back to pending.

* [autofix.ci] apply automated fixes

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

Author: Flo4604

dev/config/ctrl-api.toml

@@ -14,3 +14,5 @@ admin_url = "http://restate:9070"
 
 [github]
 webhook_secret = "${UNKEY_GITHUB_APP_WEBHOOK_SECRET}"
+app_id = ${UNKEY_GITHUB_APP_ID}
+private_key_pem = """${UNKEY_GITHUB_PRIVATE_KEY_PEM}"""

dev/k8s/manifests/ctrl-api.yaml

@@ -24,6 +24,8 @@ data:
 
     [github]
     webhook_secret = "${UNKEY_GITHUB_APP_WEBHOOK_SECRET}"
+    app_id = ${UNKEY_GITHUB_APP_ID}
+    private_key_pem = """${UNKEY_GITHUB_PRIVATE_KEY_PEM}"""
 
 ---
 apiVersion: apps/v1
@@ -70,6 +72,18 @@ spec:
                   name: github-credentials
                   key: UNKEY_GITHUB_APP_WEBHOOK_SECRET
                   optional: true
+            - name: UNKEY_GITHUB_PRIVATE_KEY_PEM
+              valueFrom:
+                secretKeyRef:
+                  name: github-credentials
+                  key: UNKEY_GITHUB_PRIVATE_KEY_PEM
+                  optional: true
+            - name: UNKEY_GITHUB_APP_ID
+              valueFrom:
+                secretKeyRef:
+                  name: github-credentials
+                  key: UNKEY_GITHUB_APP_ID
+                  optional: true
           volumeMounts:
             - name: config
               mountPath: /etc/unkey

web/apps/dashboard/app/(app)/[workspaceSlug]/projects/[projectId]/(overview)/deployments/[deploymentId]/(deployment-progress)/deployment-approval.tsx

@@ -0,0 +1,126 @@
+"use client";
+
+import type { Deployment } from "@/lib/collections/deploy/deployments";
+import { trpc } from "@/lib/trpc/client";
+import {
+  CircleXMark,
+  CodeBranch,
+  CodeCommit,
+  Github,
+  ShieldAlert,
+  User,
+  XMark,
+} from "@unkey/icons";
+import { Button } from "@unkey/ui";
+import { useProjectData } from "../../../data-provider";
+
+export function DeploymentApproval({ deployment }: { deployment: Deployment }) {
+  const { refetchDeployments } = useProjectData();
+
+  const authorize = trpc.deploy.deployment.authorize.useMutation({
+    onSuccess: () => {
+      refetchDeployments();
+    },
+  });
+
+  const shortSha = deployment.gitCommitSha?.slice(0, 7) ?? "";
+
+  return (
+    <div className="flex items-center justify-center min-h-[40vh]">
+      <div className="w-full max-w-md space-y-6">
+        {/* Logo connection indicator */}
+        <div className="flex items-center justify-center gap-4">
+          <div className="flex items-center justify-center w-12 h-12 rounded-full border border-border bg-background">
+            <Github iconSize="xl-thin" />
+          </div>
+          <div className="flex items-center gap-1.5">
+            <div className="w-6 border-t border-dashed border-warning-9" />
+            <div className="flex items-center justify-center w-6 h-6 rounded-full bg-warning-3 border border-warning-6">
+              <XMark iconSize="sm-regular" className="text-warning-9" />
+            </div>
+            <div className="w-6 border-t border-dashed border-warning-9" />
+          </div>
+          <div className="flex items-center justify-center w-12 h-12 rounded-full border border-border bg-background">
+            <ShieldAlert iconSize="xl-thin" className="text-warning-9" />
+          </div>
+        </div>
+
+        {/* Title */}
+        <div className="text-center space-y-2">
+          <h1 className="text-xl font-semibold text-content">Authorization Required</h1>
+          <p className="text-sm text-content-subtle">
+            An external contributor pushed a commit. A team member must authorize this deployment
+            before it can proceed.
+          </p>
+        </div>
+
+        {/* Commit details */}
+        <div className="border border-border rounded-lg divide-y divide-border">
+          {deployment.gitBranch && (
+            <div className="flex items-center gap-3 px-4 py-3">
+              <CodeBranch iconSize="md-thin" className="text-content-subtle shrink-0" />
+              <span className="text-sm text-content-subtle">Branch</span>
+              <span className="ml-auto text-sm font-mono text-content bg-background-subtle px-2 py-0.5 rounded">
+                {deployment.gitBranch}
+              </span>
+            </div>
+          )}
+
+          {shortSha && (
+            <div className="flex items-center gap-3 px-4 py-3">
+              <CodeCommit iconSize="md-thin" className="text-content-subtle shrink-0" />
+              <span className="text-sm text-content-subtle">Commit</span>
+              <span className="ml-auto text-sm font-mono text-content bg-background-subtle px-2 py-0.5 rounded">
+                {shortSha}
+              </span>
+            </div>
+          )}
+
+          {deployment.gitCommitMessage && (
+            <div className="px-4 py-3">
+              <p className="text-sm text-content truncate">{deployment.gitCommitMessage}</p>
+            </div>
+          )}
+
+          {deployment.gitCommitAuthorHandle && (
+            <div className="flex items-center gap-3 px-4 py-3">
+              {deployment.gitCommitAuthorAvatarUrl ? (
+                <img
+                  src={deployment.gitCommitAuthorAvatarUrl}
+                  alt={deployment.gitCommitAuthorHandle}
+                  className="w-5 h-5 rounded-full shrink-0"
+                />
+              ) : (
+                <User iconSize="md-thin" className="text-content-subtle shrink-0" />
+              )}
+              <span className="text-sm text-content">{deployment.gitCommitAuthorHandle}</span>
+            </div>
+          )}
+        </div>
+
+        {/* Error */}
+        {authorize.error && (
+          <div className="flex items-start gap-2 p-3 bg-error-3 border border-error-6 rounded-lg">
+            <CircleXMark iconSize="md-thin" className="text-error-9 mt-0.5 shrink-0" />
+            <p className="text-sm text-error-11">{authorize.error.message}</p>
+          </div>
+        )}
+
+        {/* Action */}
+        <Button
+          variant="primary"
+          size="xlg"
+          className="w-full"
+          loading={authorize.isLoading}
+          onClick={() => authorize.mutate({ deploymentId: deployment.id })}
+        >
+          Authorize Deployment
+        </Button>
+
+        <p className="text-xs text-center text-content-subtle">
+          Only workspace members can authorize deployments.
+        </p>
+      </div>
+    </div>
+  );
+}

web/apps/dashboard/app/(app)/[workspaceSlug]/projects/[projectId]/(overview)/deployments/[deploymentId]/deployment-utils.ts

@@ -10,6 +10,7 @@ const DEPLOYMENT_STATUSES: ReadonlySet<string> = new Set<DeploymentStatus>([
   "finalizing",
   "ready",
   "failed",
+  "awaiting_approval",
 ]);
 
 function isDeploymentStatus(value: string): value is DeploymentStatus {
@@ -20,6 +21,11 @@ export function deriveStatusFromSteps(
   steps: StepsData | undefined,
   fallback: string,
 ): DeploymentStatus {
+  // awaiting_approval is authoritative from the DB — steps can't derive it
+  if (fallback === "awaiting_approval") {
+    return "awaiting_approval";
+  }
+
   if (!steps) {
     return isDeploymentStatus(fallback) ? fallback : "pending";
   }

web/apps/dashboard/app/(app)/[workspaceSlug]/projects/[projectId]/(overview)/deployments/[deploymentId]/page.tsx

@@ -4,6 +4,7 @@ import { useEffect, useMemo } from "react";
 import { DeploymentDomainsCard } from "../../../components/deployment-domains-card";
 import { ProjectContentWrapper } from "../../../components/project-content-wrapper";
 import { useProjectData } from "../../data-provider";
+import { DeploymentApproval } from "./(deployment-progress)/deployment-approval";
 import { DeploymentInfo } from "./(deployment-progress)/deployment-info";
 import { DeploymentProgress } from "./(deployment-progress)/deployment-progress";
 import { DeploymentNetworkSection } from "./(overview)/components/sections/deployment-network-section";
@@ -15,10 +16,11 @@ export default function DeploymentOverview() {
   const { refetchDomains } = useProjectData();
 
   const ready = deployment.status === "ready";
+  const awaitingApproval = deployment.status === "awaiting_approval";
 
   const stepsQuery = trpc.deploy.deployment.steps.useQuery(
     { deploymentId: deployment.id },
-    { refetchInterval: ready ? false : 1_000, refetchOnWindowFocus: false },
+    { refetchInterval: ready || awaitingApproval ? false : 1_000, refetchOnWindowFocus: false },
   );
 
   const derivedStatus = useMemo(
@@ -33,6 +35,17 @@ export default function DeploymentOverview() {
     }
   }, [ready, refetchDomains, stepsQuery.refetch]);
 
+  if (awaitingApproval) {
+    return (
+      <ProjectContentWrapper centered>
+        <DeploymentInfo statusOverride={derivedStatus} />
+        <div className="animate-fade-slide-in">
+          <DeploymentApproval deployment={deployment} />
+        </div>
+      </ProjectContentWrapper>
+    );
+  }
+
   return (
     <ProjectContentWrapper centered>
       <DeploymentInfo statusOverride={derivedStatus} />

web/apps/dashboard/lib/ctrl-client.ts

@@ -0,0 +1,28 @@
+import { env } from "@/lib/env";
+import type { DescService } from "@bufbuild/protobuf";
+import { type Client, createClient } from "@connectrpc/connect";
+import { createConnectTransport } from "@connectrpc/connect-web";
+import { TRPCError } from "@trpc/server";
+
+export function createCtrlClient<T extends DescService>(service: T): Client<T> {
+  const { CTRL_URL, CTRL_API_KEY } = env();
+  if (!CTRL_URL || !CTRL_API_KEY) {
+    throw new TRPCError({
+      code: "PRECONDITION_FAILED",
+      message: "ctrl service is not configured",
+    });
+  }
+
+  return createClient(
+    service,
+    createConnectTransport({
+      baseUrl: CTRL_URL,
+      interceptors: [
+        (next) => (req) => {
+          req.header.set("Authorization", `Bearer ${CTRL_API_KEY}`);
+          return next(req);
+        },
+      ],
+    }),
+  );
+}

web/apps/dashboard/lib/trpc/routers/deploy/custom-domains/add.ts

@@ -1,9 +1,8 @@
 import { CustomDomainService } from "@/gen/proto/ctrl/v1/custom_domain_pb";
+import { createCtrlClient } from "@/lib/ctrl-client";
 import { db } from "@/lib/db";
-import { env } from "@/lib/env";
 import { ratelimit, withRatelimit, workspaceProcedure } from "@/lib/trpc/trpc";
-import { Code, ConnectError, createClient } from "@connectrpc/connect";
-import { createConnectTransport } from "@connectrpc/connect-web";
+import { Code, ConnectError } from "@connectrpc/connect";
 import { TRPCError } from "@trpc/server";
 import { z } from "zod";
 
@@ -17,13 +16,7 @@ export const addCustomDomain = workspaceProcedure
     }),
   )
   .mutation(async ({ input, ctx }) => {
-    const { CTRL_URL, CTRL_API_KEY } = env();
-    if (!CTRL_URL || !CTRL_API_KEY) {
-      throw new TRPCError({
-        code: "PRECONDITION_FAILED",
-        message: "ctrl service is not configured",
-      });
-    }
+    const ctrl = createCtrlClient(CustomDomainService);
 
     // Verify project belongs to workspace
     const project = await db.query.projects.findFirst({
@@ -60,19 +53,6 @@ export const addCustomDomain = workspaceProcedure
 
     const appId = environment.appId;
 
-    const ctrl = createClient(
-      CustomDomainService,
-      createConnectTransport({
-        baseUrl: CTRL_URL,
-        interceptors: [
-          (next) => (req) => {
-            req.header.set("Authorization", `Bearer ${CTRL_API_KEY}`);
-            return next(req);
-          },
-        ],
-      }),
-    );
-
     try {
       const response = await ctrl.addCustomDomain({
         workspaceId: ctx.workspace.id,

web/apps/dashboard/lib/trpc/routers/deploy/custom-domains/delete.ts

@@ -1,9 +1,7 @@
 import { CustomDomainService } from "@/gen/proto/ctrl/v1/custom_domain_pb";
+import { createCtrlClient } from "@/lib/ctrl-client";
 import { db } from "@/lib/db";
-import { env } from "@/lib/env";
 import { ratelimit, withRatelimit, workspaceProcedure } from "@/lib/trpc/trpc";
-import { createClient } from "@connectrpc/connect";
-import { createConnectTransport } from "@connectrpc/connect-web";
 import { TRPCError } from "@trpc/server";
 import { z } from "zod";
 
@@ -16,13 +14,7 @@ export const deleteCustomDomain = workspaceProcedure
     }),
   )
   .mutation(async ({ input, ctx }) => {
-    const { CTRL_URL, CTRL_API_KEY } = env();
-    if (!CTRL_URL || !CTRL_API_KEY) {
-      throw new TRPCError({
-        code: "PRECONDITION_FAILED",
-        message: "ctrl service is not configured",
-      });
-    }
+    const ctrl = createCtrlClient(CustomDomainService);
 
     // Verify project belongs to workspace
     const project = await db.query.projects.findFirst({
@@ -60,19 +52,6 @@ export const deleteCustomDomain = workspaceProcedure
       });
     }
 
-    const ctrl = createClient(
-      CustomDomainService,
-      createConnectTransport({
-        baseUrl: CTRL_URL,
-        interceptors: [
-          (next) => (req) => {
-            req.header.set("Authorization", `Bearer ${CTRL_API_KEY}`);
-            return next(req);
-          },
-        ],
-      }),
-    );
-
     try {
       await ctrl.deleteCustomDomain({
         workspaceId: ctx.workspace.id,

web/apps/dashboard/lib/trpc/routers/deploy/custom-domains/retry.ts

@@ -1,9 +1,7 @@
 import { CustomDomainService } from "@/gen/proto/ctrl/v1/custom_domain_pb";
+import { createCtrlClient } from "@/lib/ctrl-client";
 import { db } from "@/lib/db";
-import { env } from "@/lib/env";
 import { ratelimit, withRatelimit, workspaceProcedure } from "@/lib/trpc/trpc";
-import { createClient } from "@connectrpc/connect";
-import { createConnectTransport } from "@connectrpc/connect-web";
 import { TRPCError } from "@trpc/server";
 import { z } from "zod";
 
@@ -16,13 +14,7 @@ export const retryVerification = workspaceProcedure
     }),
   )
   .mutation(async ({ input, ctx }) => {
-    const { CTRL_URL, CTRL_API_KEY } = env();
-    if (!CTRL_URL || !CTRL_API_KEY) {
-      throw new TRPCError({
-        code: "PRECONDITION_FAILED",
-        message: "ctrl service is not configured",
-      });
-    }
+    const ctrl = createCtrlClient(CustomDomainService);
 
     // Verify project belongs to workspace
     const project = await db.query.projects.findFirst({
@@ -60,19 +52,6 @@ export const retryVerification = workspaceProcedure
       });
     }
 
-    const ctrl = createClient(
-      CustomDomainService,
-      createConnectTransport({
-        baseUrl: CTRL_URL,
-        interceptors: [
-          (next) => (req) => {
-            req.header.set("Authorization", `Bearer ${CTRL_API_KEY}`);
-            return next(req);
-          },
-        ],
-      }),
-    );
-
     try {
       const response = await ctrl.retryVerification({
         workspaceId: ctx.workspace.id,