github
diff --git a/‎README.md
+2 b/‎README.md
+2
diff --git a/‎__tests__/functions/deployment-confirmation.test.js
+383 b/‎__tests__/functions/deployment-confirmation.test.js
+383
@@ -301,6 +301,8 @@ As seen above, we have two steps. One for a noop deploy, and one for a regular d
 | `enforced_deployment_order` | `false` | `""` | A comma separated list of environments that must be deployed in a specific order. Example: `"development,staging,production"`. If this is set then you cannot deploy to latter environments unless the former ones have a successful and active deployment on the latest commit first - See the [enforced deployment order docs](./docs/enforced-deployment-order.md) for more details |
 | `use_security_warnings` | `false` | `"true"` | Whether or not to leave security related warnings in log messages during deployments. Default is `"true"` |
 | `allow_non_default_target_branch_deployments` | `false` | `"false"` | Whether or not to allow deployments of pull requests that target a branch other than the default branch (aka stable branch) as their merge target. By default, this Action would reject the deployment of a branch named `feature-branch` if it was targeting `foo` instead of `main` (or whatever your default branch is). This option allows you to override that behavior and be able to deploy any branch in your repository regardless of the target branch. This option is potentially unsafe and should be used with caution as most default branches contain branch protection rules. Often times non-default branches do not contain these same branch protection rules. Follow along in this [issue thread](https://github.com/github/branch-deploy/issues/340) to learn more. |
+| `deployment_confirmation` | `false` | `"false"` | Whether or not to require an additional confirmation before a deployment can continue. Default is `"false"`. If your project requires elevated security, it is highly recommended to enable this option - especially in open source projects where you might be deploying forks. |
+| `deployment_confirmation_timeout` | `false` | `60` | The number of seconds to wait for a deployment confirmation before timing out. Default is `60` seconds (1 minute). |
 
 ## Outputs 📤
 
 
@@ -0,0 +1,383 @@
+import * as core from '@actions/core'
+import {COLORS} from '../../src/functions/colors'
+import {deploymentConfirmation} from '../../src/functions/deployment-confirmation'
+import {API_HEADERS} from '../../src/functions/api-headers'
+
+var context
+var octokit
+var data
+
+beforeEach(() => {
+  jest.clearAllMocks()
+
+  jest.spyOn(core, 'info').mockImplementation(() => {})
+  jest.spyOn(core, 'debug').mockImplementation(() => {})
+  jest.spyOn(core, 'warning').mockImplementation(() => {})
+  jest.spyOn(core, 'setFailed').mockImplementation(() => {})
+
+  // Mock setTimeout to execute immediately
+  jest.spyOn(global, 'setTimeout').mockImplementation(fn => fn())
+
+  // Mock Date.now to control time progression
+  const mockDate = new Date('2024-10-21T19:11:18Z').getTime()
+  jest.spyOn(Date, 'now').mockReturnValue(mockDate)
+
+  process.env.GITHUB_SERVER_URL = 'https://github.com'
+  process.env.GITHUB_RUN_ID = '12345'
+
+  context = {
+    actor: 'monalisa',
+    repo: {
+      owner: 'corp',
+      repo: 'test'
+    },
+    issue: {
+      number: 1
+    },
+    payload: {
+      comment: {
+        body: '.deploy',
+        id: 123,
+        user: {
+          login: 'monalisa'
+        },
+        created_at: '2024-10-21T19:11:18Z',
+        updated_at: '2024-10-21T19:11:18Z',
+        html_url:
+          'https://github.com/corp/test/pull/123#issuecomment-1231231231'
+      }
+    }
+  }
+
+  octokit = {
+    rest: {
+      reactions: {
+        createForIssueComment: jest.fn().mockResolvedValue({
+          data: {}
+        }),
+        listForIssueComment: jest.fn().mockResolvedValue({
+          data: []
+        })
+      },
+      issues: {
+        createComment: jest.fn().mockResolvedValue({
+          data: {
+            id: 124
+          }
+        }),
+        updateComment: jest.fn().mockResolvedValue({
+          data: {}
+        })
+      }
+    }
+  }
+
+  data = {
+    deployment_confirmation_timeout: 60,
+    deploymentType: 'branch',
+    environment: 'production',
+    environmentUrl: 'https://example.com',
+    log_url: 'https://github.com/corp/test/actions/runs/12345',
+    ref: 'cool-branch',
+    sha: 'abc123',
+    isVerified: true,
+    noopMode: false,
+    isFork: false,
+    body: '.deploy',
+    params: 'param1=1,param2=2',
+    parsed_params: {
+      param1: '1',
+      param2: '2'
+    }
+  }
+})
+
+test('successfully prompts for deployment confirmation and gets confirmed by the original actor', async () => {
+  // Mock that the user adds a +1 reaction
+  octokit.rest.reactions.listForIssueComment.mockResolvedValueOnce({
+    data: [
+      {
+        user: {login: 'monalisa'},
+        content: '+1'
+      }
+    ]
+  })
+
+  const result = await deploymentConfirmation(context, octokit, data)
+
+  expect(result).toBe(true)
+  expect(octokit.rest.issues.createComment).toHaveBeenCalledWith({
+    body: expect.stringContaining('Deployment Confirmation Required'),
+    issue_number: 1,
+    owner: 'corp',
+    repo: 'test',
+    headers: API_HEADERS
+  })
+  expect(core.debug).toHaveBeenCalledWith(
+    'deployment confirmation comment id: 124'
+  )
+  expect(core.info).toHaveBeenCalledWith(
+    `🕒 waiting ${COLORS.highlight}60${COLORS.reset} seconds for deployment confirmation`
+  )
+  expect(core.info).toHaveBeenCalledWith(
+    `✅ deployment confirmed by ${COLORS.highlight}monalisa${COLORS.reset} - sha: ${COLORS.highlight}abc123${COLORS.reset}`
+  )
+
+  expect(octokit.rest.reactions.listForIssueComment).toHaveBeenCalledWith({
+    comment_id: 124,
+    owner: 'corp',
+    repo: 'test',
+    headers: API_HEADERS
+  })
+
+  expect(octokit.rest.issues.updateComment).toHaveBeenCalledWith({
+    body: expect.stringContaining('✅ Deployment confirmed by __monalisa__'),
+    comment_id: 124,
+    owner: 'corp',
+    repo: 'test',
+    headers: API_HEADERS
+  })
+})
+
+test('successfully prompts for deployment confirmation and gets confirmed by the original actor with some null data params in the issue comment', async () => {
+  data.params = null
+  data.parsed_params = null
+  data.environmentUrl = null
+
+  // Mock that the user adds a +1 reaction
+  octokit.rest.reactions.listForIssueComment.mockResolvedValueOnce({
+    data: [
+      {
+        user: {login: 'monalisa'},
+        content: '+1'
+      }
+    ]
+  })
+
+  const result = await deploymentConfirmation(context, octokit, data)
+
+  expect(result).toBe(true)
+  expect(octokit.rest.issues.createComment).toHaveBeenCalledWith({
+    body: expect.stringContaining('"url": null'),
+    issue_number: 1,
+    owner: 'corp',
+    repo: 'test',
+    headers: API_HEADERS
+  })
+  expect(core.debug).toHaveBeenCalledWith(
+    'deployment confirmation comment id: 124'
+  )
+  expect(core.info).toHaveBeenCalledWith(
+    `🕒 waiting ${COLORS.highlight}60${COLORS.reset} seconds for deployment confirmation`
+  )
+  expect(core.info).toHaveBeenCalledWith(
+    `✅ deployment confirmed by ${COLORS.highlight}monalisa${COLORS.reset} - sha: ${COLORS.highlight}abc123${COLORS.reset}`
+  )
+
+  expect(octokit.rest.reactions.listForIssueComment).toHaveBeenCalledWith({
+    comment_id: 124,
+    owner: 'corp',
+    repo: 'test',
+    headers: API_HEADERS
+  })
+
+  expect(octokit.rest.issues.updateComment).toHaveBeenCalledWith({
+    body: expect.stringContaining('✅ Deployment confirmed by __monalisa__'),
+    comment_id: 124,
+    owner: 'corp',
+    repo: 'test',
+    headers: API_HEADERS
+  })
+})
+
+test('user rejects the deployment with thumbs down', async () => {
+  // Mock that the user adds a -1 reaction
+  octokit.rest.reactions.listForIssueComment.mockResolvedValueOnce({
+    data: [
+      {
+        user: {login: 'monalisa'},
+        content: '-1'
+      }
+    ]
+  })
+
+  const result = await deploymentConfirmation(context, octokit, data)
+
+  expect(result).toBe(false)
+  expect(octokit.rest.issues.createComment).toHaveBeenCalled()
+  expect(octokit.rest.reactions.listForIssueComment).toHaveBeenCalled()
+
+  expect(octokit.rest.issues.updateComment).toHaveBeenCalledWith({
+    body: expect.stringContaining('❌ Deployment rejected by __monalisa__'),
+    comment_id: 124,
+    owner: 'corp',
+    repo: 'test',
+    headers: API_HEADERS
+  })
+
+  expect(core.setFailed).toHaveBeenCalledWith(
+    `❌ deployment rejected by ${COLORS.highlight}monalisa${COLORS.reset}`
+  )
+})
+
+test('deployment confirmation times out after no response', async () => {
+  // Mock empty reactions list (no user reaction)
+  octokit.rest.reactions.listForIssueComment.mockResolvedValue({
+    data: []
+  })
+
+  // Mock Date.now to first return start time, then timeout
+  Date.now
+    .mockReturnValueOnce(new Date('2024-10-21T19:11:18Z').getTime()) // Start time
+    .mockReturnValue(new Date('2024-10-21T19:12:30Z').getTime()) // After timeout
+
+  const result = await deploymentConfirmation(context, octokit, data)
+
+  expect(result).toBe(false)
+  expect(octokit.rest.issues.createComment).toHaveBeenCalled()
+
+  expect(octokit.rest.issues.updateComment).toHaveBeenCalledWith({
+    body: expect.stringContaining('⏱️ Deployment confirmation timed out'),
+    comment_id: 124,
+    owner: 'corp',
+    repo: 'test',
+    headers: API_HEADERS
+  })
+
+  expect(core.setFailed).toHaveBeenCalledWith(
+    `⏱️ deployment confirmation timed out after ${COLORS.highlight}60${COLORS.reset} seconds`
+  )
+})
+
+test('ignores reactions from other users', async () => {
+  // First call returns reactions from other users
+  octokit.rest.reactions.listForIssueComment.mockResolvedValueOnce({
+    data: [
+      {
+        user: {login: 'other-user'},
+        content: '+1'
+      }
+    ]
+  })
+
+  // Second call includes the original actor's reaction
+  octokit.rest.reactions.listForIssueComment.mockResolvedValueOnce({
+    data: [
+      {
+        user: {login: 'other-user'},
+        content: '+1'
+      },
+      {
+        user: {login: 'monalisa'},
+        content: '+1'
+      }
+    ]
+  })
+
+  const result = await deploymentConfirmation(context, octokit, data)
+
+  expect(result).toBe(true)
+  expect(octokit.rest.reactions.listForIssueComment).toHaveBeenCalledTimes(2)
+  expect(octokit.rest.issues.updateComment).toHaveBeenCalledWith({
+    body: expect.stringContaining('✅ Deployment confirmed by __monalisa__'),
+    comment_id: 124,
+    owner: 'corp',
+    repo: 'test',
+    headers: API_HEADERS
+  })
+  expect(core.debug).toHaveBeenCalledWith(
+    'ignoring reaction from other-user, expected monalisa'
+  )
+  expect(core.info).toHaveBeenCalledWith(
+    `✅ deployment confirmed by ${COLORS.highlight}monalisa${COLORS.reset} - sha: ${COLORS.highlight}abc123${COLORS.reset}`
+  )
+})
+
+test('ignores non thumbsUp/thumbsDown reactions from the original actor', async () => {
+  // Mock reactions list with various reaction types from original actor
+  octokit.rest.reactions.listForIssueComment.mockResolvedValueOnce({
+    data: [
+      {
+        user: {login: 'monalisa'},
+        content: 'confused'
+      },
+      {
+        user: {login: 'monalisa'},
+        content: 'eyes'
+      },
+      {
+        user: {login: 'monalisa'},
+        content: 'rocket'
+      }
+    ]
+  })
+
+  // Add a thumbs up in the second poll
+  octokit.rest.reactions.listForIssueComment.mockResolvedValueOnce({
+    data: [
+      {
+        user: {login: 'monalisa'},
+        content: 'confused'
+      },
+      {
+        user: {login: 'monalisa'},
+        content: 'eyes'
+      },
+      {
+        user: {login: 'monalisa'},
+        content: 'rocket'
+      },
+      {
+        user: {login: 'monalisa'},
+        content: '+1'
+      }
+    ]
+  })
+
+  const result = await deploymentConfirmation(context, octokit, data)
+
+  expect(result).toBe(true)
+  expect(octokit.rest.reactions.listForIssueComment).toHaveBeenCalledTimes(2)
+
+  // Verify that debug was called for each ignored reaction type
+  expect(core.debug).toHaveBeenCalledWith('ignoring reaction: confused')
+  expect(core.debug).toHaveBeenCalledWith('ignoring reaction: eyes')
+  expect(core.debug).toHaveBeenCalledWith('ignoring reaction: rocket')
+
+  // Verify final confirmation happened
+  expect(octokit.rest.issues.updateComment).toHaveBeenCalledWith({
+    body: expect.stringContaining('✅ Deployment confirmed by __monalisa__'),
+    comment_id: 124,
+    owner: 'corp',
+    repo: 'test',
+    headers: API_HEADERS
+  })
+})
+
+test('handles API errors gracefully', async () => {
+  // First call throws error
+  octokit.rest.reactions.listForIssueComment.mockRejectedValueOnce(
+    new Error('API error')
+  )
+
+  // Second call succeeds with valid reaction
+  octokit.rest.reactions.listForIssueComment.mockResolvedValueOnce({
+    data: [
+      {
+        user: {login: 'monalisa'},
+        content: '+1'
+      }
+    ]
+  })
+
+  const result = await deploymentConfirmation(context, octokit, data)
+
+  expect(result).toBe(true)
+  expect(core.warning).toHaveBeenCalledWith(
+    'temporary failure when checking for reactions on the deployment confirmation comment: API error'
+  )
+  expect(octokit.rest.reactions.listForIssueComment).toHaveBeenCalledTimes(2)
+  expect(core.info).toHaveBeenCalledWith(
+    `✅ deployment confirmed by ${COLORS.highlight}monalisa${COLORS.reset} - sha: ${COLORS.highlight}abc123${COLORS.reset}`
+  )
+})