Merged
1 change: 0 additions & 1 deletion .github/workflows/deploy-production.yml
Expand Up @@ -105,7 +105,6 @@ jobs:
/^backend\/scripts\/deploy\//,
/^backend\/scripts\/.*(deploy|release|import|publish|search|sitemap|llms|queue)/i,
/^backend\/database\//,
/^backend\/config\//,
/^backend\/content_assets\//,
Comment on lines 107 to 108
P1: Keep risky config files on the manual deploy path

For a PR that changes only a high-impact config file such as backend/config/database.php, backend/config/queue.php, or backend/config/payments.php and is not manually labeled, removing the backend/config/** matcher means none of the path patterns match, so this guard will set auto_deploy_allowed to true and proceed with production deploy after CI. That bypasses the same manual-review boundary this workflow still enforces for database, queue, payment/secret-adjacent changes elsewhere; consider allowing only known-safe config files like gotenberg.php or adding explicit deny patterns for the risky config files.

/^content_packages\//,
/^backend\/docs\/seo\//,
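Review bot: removing `/^backend\/config\//,` with no replacement pattern (this file is 0 additions, 1 deletion) leaves nothing path-based covering backend/config/ at all, while the neighbouring matchers still route backend/database/, the deploy scripts and .env/secret files through manual review. If the intent is to let low-risk config edits auto-deploy, replace the broad matcher with a narrower one rather than deleting it outright, for example keep `/^backend\/config\/(database|queue|payments)\.php$/` (or a deny list of the files that hold connection or credential settings) so the manual-review boundary for those files survives, and note the rationale in a comment beside the pattern list so the next reader knows the omission is deliberate.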
12 changes: 12 additions & 0 deletions backend/tests/Sre/DeployStorageAndDatabaseConfigTest.php
Expand Up @@ -54,6 +54,18 @@ public function deploy_nginx_static_media_route_skips_when_static_location_alrea
$this->assertStringNotContainsString('mktemp /etc/nginx/sites-enabled', $source);
}

#[Test]
public function production_auto_deploy_policy_allows_backend_config_changes_but_keeps_hard_risk_paths(): void
{
$source = $this->readRepoFile('.github/workflows/deploy-production.yml');

$this->assertStringNotContainsString('/^backend\\/config\\//', $source);
$this->assertStringContainsString('/^backend\\/database\\//', $source);
$this->assertStringContainsString('/^\\.github\\/workflows\\//', $source);
$this->assertStringContainsString('/(^|\\/)\\.env($|\\.|-)/', $source);
$this->assertStringContainsString('/(^|\\/).*secret.*$/i', $source);
}

private function readRepoFile(string $relativePath): string
{
$path = dirname(__DIR__, 3).'/'.$relativePath;
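Review bot: the new test checks that the config matcher is gone and that four unrelated patterns (database, workflows, .env, secret) are still present, but no assertion covers any backend/config path, so the `keeps_hard_risk_paths` half of the test name is not exercised for config files; if a narrower config matcher or deny pattern is meant to replace `/^backend\\/config\\//`, add an `assertStringContainsString` for it, otherwise this test only locks in the removal. Also worth noting: these assertions match raw YAML text, so an equivalent but reworded regex in the workflow would fail them while a semantically different regex that keeps the same literal would pass, which makes the test a guard on wording rather than on policy; a short comment in the test saying which behaviour each string stands for would make that trade-off explicit.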