Simplify deploy preview authorization to label-only check #431
Open
- Block auto-deployment when sensitive files are modified (workflows, Dockerfile, etc.)
- Restrict auto-deploy to write/admin collaborators (not read-only)
- Add resource limit checks (max 10 preview services, 50 Docker images)
- Support preview-specific secrets to limit damage from exfiltration
- Add comprehensive security documentation in CI_SECURITY.md
- Update project-config.yml with security configuration section
Simplify security by requiring a manual label for every PR, not just external contributors. This prevents any malicious code from deploying without explicit maintainer approval.

Remove extra complexity:
- Remove dangerous file detection (label check is sufficient)
- Remove preview-specific secrets
- Remove resource limit checks
- Simplify documentation

Only maintainers can add labels, so label = authorization.
Description

This PR simplifies the branch preview deployment authorization workflow by removing the collaborator permission check and making the deploy-preview label the sole authorization mechanism.

Changes Made

Workflow Security (deploy-branch-preview.yml)
- deploy-preview label presence
- pull_request_target protection

Documentation
- CI_SECURITY.md explaining the security model: pull_request_target prevents workflow bypass attacks
- project-config.yml to document actual required secrets (removed GCP_PROJECT_ID, added JWT_SECRET, REFRESH_SECRET, NEON_DATABASE_URL, GEMINI_API_KEY)

Cleanup
- reusable-deploy.yml

Security Rationale

The new approach is simpler and more secure:
- pull_request_target ensures the main branch version of the workflow always executes, preventing attackers from modifying the check in their PR

How to Test

N/A - This is a configuration and documentation change. The workflow behavior is tested through GitHub Actions execution on PRs.
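As an added illustration of the label-only model described above (this is example configuration written for this page, not the project's deploy-branch-preview.yml), the workflow below runs on pull_request_target and treats the deploy-preview label as the only authorization. The workflow name, the "preview" environment, the ./scripts/deploy-preview.sh path and the use of JWT_SECRET inside that script are assumptions; it also assumes, as the PR description states, that only maintainers can apply the label.

```yaml
# Added illustration of a label-gated preview deploy; not the project's workflow.
name: deploy-branch-preview (illustration)

on:
  pull_request_target:
    # Fire only when a label is added, never on plain pushes to the PR.
    types: [labeled]

# Least privilege for GITHUB_TOKEN; the deploy step uses its own secrets.
permissions:
  contents: read
  pull-requests: read

jobs:
  preview:
    # Authorization is the label itself: the job runs only when the label
    # that was just applied is deploy-preview. A label applied on an earlier
    # event does not satisfy this condition.
    if: github.event.label.name == 'deploy-preview'
    runs-on: ubuntu-latest
    # Assumed environment name; its protection rules and secrets live in repo settings.
    environment: preview
    steps:
      - name: Check out exactly the commit the maintainer labelled
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          # Do not leave the workflow token in the checked-out tree.
          persist-credentials: false

      - name: Deploy preview
        env:
          # Values are passed through the environment, not interpolated into
          # the shell command, so PR-controlled text cannot alter the command.
          PR_NUMBER: ${{ github.event.pull_request.number }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          JWT_SECRET: ${{ secrets.JWT_SECRET }}
        # Assumed script path; the real deploy steps are project-specific.
        run: ./scripts/deploy-preview.sh "$PR_NUMBER" "$HEAD_SHA"
```

Two design choices matter here. Triggering on the labeled event type and comparing github.event.label.name means every deployment needs a fresh label application; a workflow that instead checks contains(github.event.pull_request.labels.*.name, 'deploy-preview') on the synchronize event would also redeploy any commits pushed after the label was added, without a maintainer looking at them again. Checking out github.event.pull_request.head.sha rather than the PR merge ref ties the deployed code to the exact commit that was reviewed when the label was applied. Because pull_request_target runs the main branch copy of the workflow, the gate itself cannot be edited from the PR, which is the property the Security Rationale above relies on.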
Checklist

- main branch and resolved any merge conflicts
- CI_SECURITY.md

Additional Notes

The simplified authorization model trades the flexibility of auto-deployment-after-approval for stronger security guarantees. Maintainers must now explicitly add the deploy-preview label for each deployment, but this ensures conscious review of each PR before deployment resources are allocated.

https://claude.ai/code/session_01FbfjQ4xZfUoxAdodg9yHd8