
fix(ci): restrict dev releases to commits on main #94

Merged
Takaros999 merged 1 commit into main from takis/tighten-dev-release
Feb 16, 2026

Conversation

Takaros999 (Contributor) commented Feb 16, 2026

Summary

Previously, anyone with write access could trigger a dev release from any branch or provide a commit SHA from unmerged code. Even though these are dev previews, publishing unreviewed code is a supply chain risk.

This adds two layers of protection to all 4 publish workflows: a job-level guard that restricts workflow_dispatch to the main branch, and a git merge-base --is-ancestor check that validates the target commit actually exists on main.

Part of DEV-2676

Prevent publishing dev preview releases from unmerged code by adding
two layers of protection to all publish workflows: a job-level branch
guard that requires workflow_dispatch to run from main, and a git
ancestry check that validates the target commit is reachable from
origin/main.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
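The second layer described above, the `git merge-base --is-ancestor` check, written out as an added example; this is not the repository's own workflow code, and the function and helper names (`commit_is_on_main`, `make_demo_repo`) are mine. It assumes `origin/main` is present in the job's checkout: `actions/checkout` defaults to a depth-1 clone, so the real job needs `fetch-depth: 0` or an explicit `git fetch origin main` before this step, otherwise the ancestry test fails closed for every commit. The repository it builds is constructed sample data in a temp directory. The first layer, the job-level `workflow_dispatch` guard, is a YAML condition rather than shell (typically `if: github.ref == 'refs/heads/main'`; the exact expression in the merged workflows is not shown on this page) and is the reason the SHA check is still needed: the branch guard says nothing about a commit SHA typed into a dispatch input.

```bash
#!/bin/sh
# Added example, not the project's workflow: the "commit is actually on
# main" guard a publish job can run before cutting a dev preview from a
# user-supplied ref. Assumes origin/main has been fetched in the checkout
# (actions/checkout defaults to a depth-1 clone, so the real job needs
# `fetch-depth: 0` or an explicit `git fetch origin main` first).
set -eu

# Exit 0 only if $1 names a commit reachable from $2 (default origin/main),
# i.e. code that has already been merged. Any other outcome, including a
# ref that does not exist, is a refusal (exit 1): fail closed.
commit_is_on_main() {
  target="$1"
  main_ref="${2:-origin/main}"
  # ^{commit} forces git to peel and load the object, so an unknown SHA,
  # a tag pointing at a blob, or a mistyped branch name is rejected here
  # instead of reaching merge-base with a name that merely looks valid.
  sha=$(git rev-parse --verify --quiet "${target}^{commit}") || {
    echo "refusing: '$target' is not a known commit" >&2
    return 1
  }
  # merge-base --is-ancestor exits 0 when $sha is an ancestor of (or equal
  # to) $main_ref, 1 when it is not, and >1 on error; only 0 is accepted.
  if git merge-base --is-ancestor "$sha" "$main_ref"; then
    echo "ok: $sha is reachable from $main_ref"
    return 0
  fi
  echo "refusing: $sha is not reachable from $main_ref (unmerged code)" >&2
  return 1
}

# Constructed sample repository (throwaway, in a temp dir): two commits on
# main, origin/main mirroring main, and one unmerged commit on 'feature'.
# Prints the repository path.
make_demo_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" symbolic-ref HEAD refs/heads/main
  git -C "$dir" config user.email ci@example.invalid
  git -C "$dir" config user.name ci
  git -C "$dir" commit -q --allow-empty -m "initial"
  git -C "$dir" commit -q --allow-empty -m "release prep"
  git -C "$dir" update-ref refs/remotes/origin/main "$(git -C "$dir" rev-parse main)"
  git -C "$dir" checkout -q -b feature
  git -C "$dir" commit -q --allow-empty -m "unreviewed change"
  echo "$dir"
}

# Walkthrough: the tip of main and the branch point (feature~1) are
# accepted; the unmerged feature commit and a bogus SHA are refused.
demo() {
  repo=$(make_demo_repo)
  (
    cd "$repo"
    for ref in main feature~1 feature 0000000000000000000000000000000000000000; do
      commit_is_on_main "$ref" || true
    done
  )
}
demo
```

In a workflow step the function body is what goes under `run:`, with the dispatch input passed as the first argument; treating every non-zero exit from `merge-base` as a refusal (rather than only exit 1) matters because a missing `origin/main` in a shallow checkout produces an error, and an error must not publish.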
vercel bot commented Feb 16, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Actions | Updated (UTC)
idkit-js-example | Ready | Preview, Comment | Feb 16, 2026 0:12am


@Takaros999 Takaros999 merged commit 6c18e86 into main Feb 16, 2026
13 checks passed
@Takaros999 Takaros999 deleted the takis/tighten-dev-release branch February 16, 2026 14:11
2 participants
