Skip to content

deploy: allow backend config changes through auto deploy guard#2580

Merged
fermatmind merged 1 commit into
mainfrom
codex/fap-api-allow-backend-config-auto-deploy
Jul 1, 2026
Merged

deploy: allow backend config changes through auto deploy guard#2580
fermatmind merged 1 commit into
mainfrom
codex/fap-api-allow-backend-config-auto-deploy

Conversation

@fermatmind

Copy link
Copy Markdown
Owner

What changed

  • Removed backend/config/** from the production auto-deploy policy guard risky path list.
  • Added an SRE contract test proving backend config paths are no longer blocked while hard-risk paths still remain guarded.

Why

Recent backend runtime changes that only touch config, such as backend/config/gotenberg.php, should be eligible for automatic production deploy after CI. The guard still blocks workflow, database, script deploy/release/import, content asset, CMS/search/sitemap/llms/service, env, and secret paths.

Validation

  • php artisan test tests/Sre/DeployStorageAndDatabaseConfigTest.php
  • ./vendor/bin/pint --dirty
  • git diff --check

Deferred

  • No deployment triggered manually.
  • No server env, DB/CMS, cache, queue, content import, sitemap/llms/SEO runtime, or production data change.

Note

This PR itself modifies .github/workflows/deploy-production.yml, so it is expected to remain subject to the manual deploy path for this one workflow-policy change.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8a550292b9

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment on lines 107 to 108
/^backend\/database\//,
/^backend\/config\//,
/^backend\/content_assets\//,

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Keep risky config files on the manual deploy path

For a PR that changes only a high-impact config file such as backend/config/database.php, backend/config/queue.php, or backend/config/payments.php and is not manually labeled, removing the backend/config/** matcher means none of the path patterns match, so this guard will set auto_deploy_allowed to true and proceed with production deploy after CI. That bypasses the same manual-review boundary this workflow still enforces for database, queue, payment/secret-adjacent changes elsewhere; consider allowing only known-safe config files like gotenberg.php or adding explicit deny patterns for the risky config files.

Useful? React with 👍 / 👎.

@fermatmind fermatmind merged commit b3ab3ad into main Jul 1, 2026
15 checks passed
@fermatmind fermatmind deleted the codex/fap-api-allow-backend-config-auto-deploy branch July 1, 2026 15:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant