diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml
index aa8ca0f13..46249e44b 100644
--- a/.github/workflows/deploy-production.yml
+++ b/.github/workflows/deploy-production.yml
@@ -105,7 +105,6 @@ jobs:
 /^backend\/scripts\/deploy\//,
 /^backend\/scripts\/.*(deploy|release|import|publish|search|sitemap|llms|queue)/i,
 /^backend\/database\//,
- /^backend\/config\//,
 /^backend\/content_assets\//,
 /^content_packages\//,
 /^backend\/docs\/seo\//,
diff --git a/backend/tests/Sre/DeployStorageAndDatabaseConfigTest.php b/backend/tests/Sre/DeployStorageAndDatabaseConfigTest.php
index 703bbb516..cbead11b2 100644
--- a/backend/tests/Sre/DeployStorageAndDatabaseConfigTest.php
+++ b/backend/tests/Sre/DeployStorageAndDatabaseConfigTest.php
@@ -54,6 +54,18 @@ public function deploy_nginx_static_media_route_skips_when_static_location_alrea
 $this->assertStringNotContainsString('mktemp /etc/nginx/sites-enabled', $source);
 }
 
+ #[Test]
+ public function production_auto_deploy_policy_allows_backend_config_changes_but_keeps_hard_risk_paths(): void
+ {
+ $source = $this->readRepoFile('.github/workflows/deploy-production.yml');
+
+ $this->assertStringNotContainsString('/^backend\\/config\\//', $source);
+ $this->assertStringContainsString('/^backend\\/database\\//', $source);
+ $this->assertStringContainsString('/^\\.github\\/workflows\\//', $source);
+ $this->assertStringContainsString('/(^|\\/)\\.env($|\\.|-)/', $source);
+ $this->assertStringContainsString('/(^|\\/).*secret.*$/i', $source);
+ }
+
 private function readRepoFile(string $relativePath): string
 {
 $path = dirname(__DIR__, 3).'/'.$relativePath;
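Review bot: The new test only asserts that the literal `/^backend\\/config\\//` is absent from the workflow source, so it cannot tell "config changes now auto-deploy" apart from a narrower pattern such as `/^backend\/config\/auth\//` still gating part of that directory, and the name `..._allows_backend_config_changes_...` therefore claims more than the assertion verifies. The method also carries no explanation of why `backend/config` is no longer treated as a hard-risk path while `.env` and `*secret*` files still are, which is exactly what a future reader of this deploy policy needs; add a docblock on the test stating that backend config files are expected to hold no credentials (those remain covered by the `.env` and `secret` patterns) and that any config file that changes authentication, session or CORS behaviour, if such files live under `backend/config`, is reviewed through the normal change path rather than auto-deployed. If files of that kind do exist there, keeping a narrower gate for just those paths would be a safer middle ground than dropping the whole directory, and the test could then assert that narrower pattern positively. The enclosing test class and the `readRepoFile` helper continue outside the hunk.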