mirror of
https://github.com/we-promise/sure.git
synced 2026-06-01 08:49:01 +00:00
ci(preview): isolate preview deployment tooling (#2025)
* ci(preview): isolate deployment tooling

Keep PR preview source separate from the deployment toolchain by building a temporary deploy workspace from base-revision preview metadata and PR-owned source. Add a focused CI guard so future preview workflow edits preserve the trusted tooling split.

* ci(preview): harden workflow guard checks

Address CodeRabbit feedback by making the preview deploy guard assertions collision-proof and more resilient to equivalent GitHub Actions expression and workspace path forms.

* ci(preview): normalize workflow guard paths
* ci(preview): defer workflow guard validation
* revert(preview): restore workflow guard validation
* ci(preview): gate preview deployments
3
.github/workflows/ci.yml
vendored
@@ -20,6 +20,9 @@ jobs:
|
||||
- name: Scan for security vulnerabilities in Ruby dependencies
|
||||
run: bin/brakeman --no-pager
|
||||
|
||||
- name: Validate preview deploy workflow hardening
|
||||
run: ruby bin/preview_deploy_security_check.rb
|
||||
|
||||
scan_js:
|
||||
runs-on: ubuntu-latest
|
||||
timeout-minutes: 10
|
||||
|
||||
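Review bot: The added step `run: ruby bin/preview_deploy_security_check.rb` executes the guard from the job's working tree, so if this job checks out the PR head, a pull request that changes the preview workflow can also change the script that is meant to catch it. Consider running the check from the base revision's copy of the script, or protecting both the script and the preview workflow with required review (for example via CODEOWNERS), so the guard cannot be weakened in the same change it is judging. Separately, the step sits after `run: bin/brakeman --no-pager` in the same job, so a Brakeman failure skips it; moving the guard to its own job or giving the step an `if:` condition would keep the two results independent.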