ci: scope Netlify secrets to netlify-preview environment #13614
Merged
Conversation
Move NETLIFY_AUTH_TOKEN and NETLIFY_SITE_ID out of repository-level secrets and into a dedicated GitHub Environment (netlify-preview), so the secrets are only available to the workflows that actually deploy PR previews — and only when the configured branch / reviewer protections allow. The matching environment must exist in repo Settings → Environments with the two secrets defined before this change is merged.
What

Move NETLIFY_AUTH_TOKEN and NETLIFY_SITE_ID out of repository-level secrets and into a dedicated GitHub Environment named netlify-preview. The two preview-deploy workflows now declare environment: netlify-preview, so they can only see those secrets when the environment's branch / reviewer protections allow.

Why

Repository-level secrets are exposed to every workflow run on every branch. Scoping deploy/publish secrets to GitHub Environments is part of the security hardening for this repo (companion to the existing npmjs:@ui5/webcomponents environment used by release.yaml).

Files changed

.github/workflows/deploy-preview.yaml → deploy-preview job now uses environment: netlify-preview
.github/workflows/reset-preview-deploy.yaml → cleanup-preview job now uses environment: netlify-preview

Required action before merge

The netlify-preview environment must exist in Settings → Environments with:
NETLIFY_AUTH_TOKEN
NETLIFY_SITE_ID

After this merges and the next preview deploy succeeds, the repository-level copies of NETLIFY_AUTH_TOKEN and NETLIFY_SITE_ID should be deleted.

Out of scope

UI5_WEBCOMP_BOT_GH_TOKEN is intentionally left at the repository level for now — it is consumed by several non-deploy workflows (issue automation, etc.) and migrating it is a separate refactor.
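The change the description refers to, shown as an added illustration rather than the repository's actual deploy-preview.yaml: the trigger, runner and deploy step are assumed, and only the job-level environment key is what the PR adds.

```yaml
# Before: secrets.* resolves repository-level secrets, which any workflow run
# on any branch of the repo can request. (Illustrative; steps are assumed.)
name: deploy-preview
on:
  pull_request:            # assumed trigger
jobs:
  deploy-preview:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npx netlify deploy --dir=dist   # assumed build output directory
        env:
          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
          NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}
---
# After: the job declares the environment. secrets.* now resolves the
# environment-scoped NETLIFY_* values, and the job does not start until the
# environment's deployment-branch and required-reviewer rules are satisfied.
name: deploy-preview
on:
  pull_request:            # assumed trigger
jobs:
  deploy-preview:
    runs-on: ubuntu-latest
    environment: netlify-preview     # the one line this PR adds to each job
    steps:
      - uses: actions/checkout@v4
      - run: npx netlify deploy --dir=dist   # assumed build output directory
        env:
          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
          NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}
```

Because environment secrets are only resolved for jobs that declare that environment, once the repository-level copies are deleted any other job in the repo that references NETLIFY_AUTH_TOKEN or NETLIFY_SITE_ID receives an empty value, which is the intended blast-radius reduction.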