Navigate to project Settings > CI/CD > Protected environments (or use API POST '/projects/{id}/protected_environments') and specify the environment name to protect
Set 'deploy_access_levels' to define which roles or specific users/groups can deploy; set 'approval_rules' with 'required_approvals' count and the approver group or user
In the CI/CD pipeline, specify the environment name in the job's 'environment:' key; the job will pause for approval before running if the environment is protected
Approvers receive notifications and can approve or reject via the GitLab UI pipeline view or API POST '/projects/{id}/deployments/{deployment_id}/approval' with 'status' of 'approved' or 'rejected'
Retrieve pending approval deployments via GET '/projects/{id}/deployments?status=blocked'
Known gotchas
Protected environments are a GitLab Premium feature; on Free tier, environment protection exists but approval workflows do not
The approval rules 'group_id' or 'user_id' must reference entities that have at least Reporter access to the project; otherwise the approval rule is silently ignored
A deployment job that times out while waiting for approval is marked as failed; configure generous job timeouts or use manual approval jobs with 'allow_failure: false' to handle this
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp