This repository has been archived by the owner on Oct 16, 2019. It is now read-only.

Is it possible to limit which repositories can be deployed? #172

Closed
ebeigarts opened this issue Oct 14, 2015 · 6 comments

Comments

@ebeigarts

Looking at the documentation, it is not clear how this is controlled. To me it looks like anyone can register a webhook in GitHub with http://my-heaven-server/events and deploy their applications on my private servers. Is heaven secure? Can someone explain how the security works here?

@atmos
Owner

atmos commented Oct 14, 2015

You're going to need access to their code and know where to put it. I'm planning on having the incoming webhooks check your secret tokens soonish.

@ebeigarts
Author

Secret tokens sound good, but if someone exposes the secret then you're vulnerable. What about public GitHub projects? Isn't it possible to just create a public GitHub repo and modify the Capfile to do something bad (send HEROKU_API_KEY, DEPLOYMENT_PRIVATE_KEY to someone)? I think it would be better if new repositories were disabled by default and you needed to run something like heroku run heaven enable owner/repo

@atmos
Owner

atmos commented Nov 11, 2015

I'm working on bringing this to hubot-deploy and it likely won't land in heaven.

@atmos atmos closed this as completed Nov 11, 2015
@heim

heim commented Jan 29, 2016

Just wanted to chime in on this issue. I've made some changes to our heaven fork that check the secret token provided with the webhook. The code is in no way clean or tested, but if it is still interesting to get it merged into this repo I can put in an effort to make a PR.

@atmos
Owner

atmos commented Feb 1, 2016

@heim that'd be awesome

@heim

heim commented Feb 2, 2016

@atmos I'll put it on my list; I guess I'll be able to do it over the weekend. I haven't done any Rails programming for a couple of years, but I guess it's just like learning to ride a bike. 🚲
