diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7ae8b3e153c4c..addcb2b97df7a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -53,9 +53,15 @@ env:
 jobs:
 release-gate:
+ # N.B. This name should not change, it is used for downstream checks.
 name: release-gate
 if: ${{ inputs.tag != 'dry-run' }}
 runs-on: ubuntu-latest
+ # This environment requires a 2-factor approval, i.e., the workflow must be approved by another
+ # team member. GitHub fires approval events on every job that deploys to an environment, so we
+ # have a dedicated environment for this purpose instead of using the `release` environment.
+ # We use a GitHub App with a deployment protection rule webhook to ensure that the `release`
+ # environment is only approved when the `release-gate` job succeeds.
 environment:
 name: release-gate
 deployment: false
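Review bot: The new comment above `environment:` calls the gate a "2-factor approval", which reads as two-factor authentication, while the same sentence describes approval by a second team member; wording such as `# This environment requires approval from a second team member (two-person rule).` avoids the confusion. The `N.B.` comment above `name: release-gate` also does not say which name is pinned, since the job key, the job `name:` and the environment name are all `release-gate`. If the GitHub App matches the job by one of these, a rename would presumably break the approval of the `release` environment, and how the app treats a job it cannot find is not visible here. Naming the consumer, e.g. `# Matched by name by the deployment protection rule app; keep both in sync.`, would make that dependency checkable. The `release-gate` job continues past the end of the hunk.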