by skatsubo
239 days ago
> This allows any member of the public with a GitHub account to deploy any arbitrary code to that subdomain without any review or approval from the Immich team.

This part is not correct: the "preview" label can be set only by collaborators.

> a subdomain of a domain that they also use for production traffic

To clarify this part: the only production traffic that immich.cloud serves is static map tiles (tiles.immich.cloud).

Overall, I share your concerns, and as you already mentioned, a dedicated "immich.build" domain is the way to go.

That's good & is a decent starting point. A decent second step might be to have the GitHub Actions workflow also check the approval status of the PR before deploying (requiring all collaborators to be constantly aware that the risk of applying a label is similar to that of an approval seems less viable).
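
One way to implement the approval check suggested in the reply above, as an added example that is not part of the thread and is not Immich's workflow code. The `preview` label comes from the thread; the function name, the shape of the `pr` object and the sample data are assumptions, and the review fields follow GitHub's REST "list reviews for a pull request" response.

```javascript
// Deploy gate for a label-triggered preview workflow (illustrative sketch).
// Only reviews from accounts with write-level association are counted.
const TRUSTED = new Set(["OWNER", "MEMBER", "COLLABORATOR"]);

function mayDeployPreview(pr, reviews) {
  // The label is only the request to deploy; approval is checked separately.
  if (!pr.labels.includes("preview")) {
    return { deploy: false, reason: "no preview label" };
  }
  // Keep each trusted reviewer's most recent decisive review.
  const latest = new Map();
  const ordered = [...reviews].sort(
    (a, b) => Date.parse(a.submitted_at) - Date.parse(b.submitted_at));
  for (const r of ordered) {
    if (!TRUSTED.has(r.author_association)) continue; // drive-by approvals do not count
    if (r.state === "COMMENTED" || r.state === "PENDING") continue;
    latest.set(r.user.login, r); // APPROVED, CHANGES_REQUESTED or DISMISSED
  }
  const current = [...latest.values()];
  if (current.some((r) => r.state === "CHANGES_REQUESTED")) {
    return { deploy: false, reason: "changes requested" };
  }
  // An approval only covers the commit it was given on: a push after the
  // approval moves the head SHA and the gate closes again.
  const ok = current.some(
    (r) => r.state === "APPROVED" && r.commit_id === pr.headSha);
  return ok
    ? { deploy: true, reason: "approved at head" }
    : { deploy: false, reason: "no approval for head commit" };
}

// Constructed sample data (not from a real repository): the maintainer
// approved an older commit, and the only approval at head is from an
// account with no association to the repository.
const samplePr = { headSha: "bbb222", labels: ["preview"] };
const sampleReviews = [
  { user: { login: "maintainer1" }, state: "APPROVED", commit_id: "aaa111",
    author_association: "MEMBER", submitted_at: "2025-01-01T10:00:00Z" },
  { user: { login: "passerby" }, state: "APPROVED", commit_id: "bbb222",
    author_association: "NONE", submitted_at: "2025-01-01T11:00:00Z" },
];
console.log(mayDeployPreview(samplePr, sampleReviews));
```

In a workflow, the same decision would run as a step before the deploy job, with the reviews fetched from the API for the PR that received the label.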