-
Notifications
You must be signed in to change notification settings - Fork 23
ci: add environment: production to publish and build-image jobs #490
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -8,6 +8,7 @@ on: | |
| jobs: | ||
| publish: | ||
| runs-on: ubuntu-latest | ||
| environment: production | ||
|
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🟡 Verify the This job is triggered by
When configuring the environment:
Two more job-specific notes:
|
||
| permissions: | ||
| contents: write | ||
| id-token: write | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🟠 A required-reviewer gate here will stall the daily unattended rebuild — the highest-impact caveat of this PR.
This workflow is explicitly designed to run unattended on a schedule. From this file's own header:
Once the
productionenvironment has required reviewers — the stated intent of this PR — every trigger (this cron andpushtomain) creates a pending deployment that waits for a human. The nightly run will:Net effect: the automation this container exists for silently stops running.
Secondary issue — build-only validation is gated too.
workflow_dispatchexposespush_to_ghcr: false("validate the Dockerfile without publishing"). Because the gate sits at the job level, even a no-publish validation run now needs production approval, despite releasing nothing.Options (pick per intent):
@latestrefreshes aren't what you want a human to approve.)If the intent genuinely is "a human approves every image push, nightly included," this is working as designed — but that contradicts the header's "daily rebuild" purpose, so please confirm.