by mdaniel 443 days ago
This area is near and dear to my heart, and I would offer that the solution isn't to decouple CD over into its own special little thing but rather to make the CD "multi factor" in that it must be "sub":"repo:octo-org/octo-repo:environment:prod"[1], and feel free to sprinkle in any other [fun claims][] you'd like to harden that system.

1: https://docs.github.com/en/actions/security-for-github-actio...

fun claims: https://github.com/github/actions-oidc-debugger#readme
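As an added illustration (not the commenter's code and not GitHub's), this is what the "multi factor" trust policy the comment describes looks like on the relying-party side: an already signature-verified GitHub Actions OIDC token payload is evaluated against an exact `sub` plus extra claims. The audience value, repository and workflow path are assumed sample values.

```python
# Added example: evaluate the claims of an already signature-verified GitHub
# Actions OIDC token against a "multi-factor" trust policy, the way a cloud
# provider's role trust condition does. Signature/expiry checks are assumed
# to have happened before this point (a JWT library or the provider does that).
from dataclasses import dataclass, field


@dataclass
class TrustPolicy:
    audience: str                       # expected "aud" claim
    subject: str                        # exact "sub": repo:ORG/REPO:environment:ENV
    required: dict = field(default_factory=dict)  # extra claim -> exact value


def evaluate(claims: dict, policy: TrustPolicy) -> tuple[bool, str]:
    """Return (allowed, reason). Every factor must match exactly; no wildcards."""
    if claims.get("aud") != policy.audience:
        return False, f"aud mismatch: {claims.get('aud')!r}"
    if claims.get("sub") != policy.subject:
        return False, f"sub mismatch: {claims.get('sub')!r}"
    for name, want in policy.required.items():
        if claims.get(name) != want:
            return False, f"{name} mismatch: {claims.get(name)!r}"
    return True, "ok"


# Policy: prod environment of one repo, AND the deploy workflow on main.
POLICY = TrustPolicy(
    audience="sts.example-cloud.test",  # assumed audience value
    subject="repo:octo-org/octo-repo:environment:prod",
    required={"job_workflow_ref":
              "octo-org/octo-repo/.github/workflows/deploy.yml@refs/heads/main"},
)

# Constructed sample payloads (token bodies after signature verification).
_BASE = {"aud": "sts.example-cloud.test", "repository": "octo-org/octo-repo"}
PROD_DEPLOY = {**_BASE, "sub": "repo:octo-org/octo-repo:environment:prod",
               "environment": "prod", "ref": "refs/heads/main",
               "job_workflow_ref":
               "octo-org/octo-repo/.github/workflows/deploy.yml@refs/heads/main"}
# A plain push to main: same repo, but no environment in the subject.
PUSH_TO_MAIN = {**_BASE, "sub": "repo:octo-org/octo-repo:ref:refs/heads/main",
                "ref": "refs/heads/main"}
# Prod environment reached from a different workflow file: the second factor fails.
OTHER_WORKFLOW = {**PROD_DEPLOY, "job_workflow_ref":
                  "octo-org/octo-repo/.github/workflows/lint.yml@refs/heads/main"}

if __name__ == "__main__":
    for name, tok in [("prod deploy", PROD_DEPLOY), ("push to main", PUSH_TO_MAIN),
                      ("other workflow", OTHER_WORKFLOW)]:
        print(name, evaluate(tok, POLICY))
```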


Doable but I would prefer a complete isolation for simplicity.
There are ways to isolate code from CI from CD; it's just not as easy as setting up the classic repo. One can use multiple repos, for example, or run CI and CD with different products.