Revert "ci: move production deploy to declarative setup, #3063
Conversation
Appwrite WebsiteProject ID: Website (appwrite/website)Project ID: Tip Git integration provides automatic deployments with optional PR comments |
Greptile SummaryThis PR reverts #3061, which had migrated the production deployment from a direct Helm/Kubernetes approach to a declarative GitOps setup. Production goes back to deploying via
Confidence Score: 3/5The revert restores a working deployment path but reintroduces unpinned third-party actions that run with access to sensitive production secrets. The functional deployment logic looks correct — the Helm/kubectl approach is standard and the secret-injection steps use --dry-run=client | apply idempotently. The main concern is that all third-party action references are now unpinned mutable tags, including actions that run with access to DigitalOcean, GHCR, and Statsig credentials. This was an improvement that #3061 made and is now lost in the revert. Both workflow files need SHA pins re-added to all third-party action references; production.yml also has three dead env vars worth cleaning up.
|
| Filename | Overview |
|---|---|
| .github/workflows/production.yml | Reverts declarative GitOps deploy to a direct Helm/Kubernetes deploy; drops SHA-pinned action references in favor of mutable version tags and leaves three unused env vars. |
| .github/workflows/staging.yml | Keeps declarative GitOps approach for staging but drops SHA-pinned action references and changes the target file from default.yaml to fra1.yaml; job-level concurrency group removed (workflow-level concurrency still protects). |
Reviews (1): Last reviewed commit: "Revert "ci: move production deploy to de..." | Re-trigger Greptile
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Login to DockerHub | ||
| uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| registry: ghcr.io | ||
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: Build and push | ||
| uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 | ||
| uses: docker/build-push-action@v6 |
There was a problem hiding this comment.
This revert drops the SHA-pinned action references that PR #3061 introduced (e.g., actions/checkout@34e114876..., docker/build-push-action@10e90e36...) in favor of mutable version tags (@v4, @v3, @v6). Mutable tags can be silently redirected by a compromised or hijacked upstream account, meaning the next deployment run could execute attacker-controlled code with access to all the secrets passed in this workflow (DIGITALOCEAN_ACCESS_TOKEN, GHCR_TOKEN, STATSIG_SERVER_SECRET, etc.). The same regression affects every unpinned action in staging.yml.
| TAG: ${{ github.event.release.tag_name || github.sha }} | ||
| STACK_FILE: docker/production.yml | ||
| REPOSITORY: website | ||
| REGISTRY_USERNAME: christyjacob4 |
There was a problem hiding this comment.
STACK_FILE, REPOSITORY, and REGISTRY_USERNAME are declared in env but are never referenced by any step in the workflow. These appear to be leftovers from an older docker-compose-style deployment approach and can be safely removed to keep the workflow clean.
Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!
2 participants
Reverts #3061