mirror of
https://github.com/we-promise/sure.git
synced 2026-05-31 16:29:03 +00:00
* ci(preview): split PR image builds from trusted deploys

* ci(preview): harden preview artifact handoff

  Move the preview image artifact into the trusted preview workflow as a no-secret build job, gate deployment on base-trusted workflow definitions, and keep Cloudflare credentials isolated to the deploy-only job. Also fail closed when the pushed image reference is not written into wrangler.toml and expand the preview deploy guard to enforce the same-run artifact and permission boundaries.

* ci(preview): move preview builds out of privileged trigger

* ci(preview): avoid secret-shaped wrangler env assignments

* ci(preview): keep wrangler credential env explicit