
preview-build: separate build, deploy, and link index into distinct jobs#2890

Draft
reakaleek wants to merge 3 commits into main from fix/preview-build-security
Conversation

@reakaleek
Member

What

  • Split the monolithic build job into three separate jobs: build, deploy, and update-link-index, each with minimal permissions
  • Add a vale-report job to isolate pull-requests: write from the build and vale lint jobs
  • Remove the unused free-disk-space input

Why

  • The build job currently requires deployments: write and id-token: write even for fork PRs that cannot deploy, which grants unnecessary privileges
  • Separating concerns lets fork PRs run builds without elevated permissions, and limits blast radius if any single job is compromised
  • Artifact-based handoff between jobs makes the data flow explicit and auditable

Notes

  • Build output is passed between jobs via actions/upload-artifact / actions/download-artifact
  • Fork PRs now get a warning message instead of silently skipping deployment
  • The deploy job only runs when the build succeeds and the PR is from the same repository

Made with Cursor

Split the monolithic build job into build, deploy, and update-link-index
jobs with minimal permissions per job. Move deployment creation and S3
upload out of the build job so fork PRs can still run builds without
needing write permissions. Add artifact upload/download to pass build
output between jobs. Remove unused free-disk-space input. Split vale
reporting into its own job with scoped pull-requests:write permission.

Made-with: Cursor
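The job split the description and commit message outline, written out as an illustrative GitHub Actions workflow. This is an added example, not the PR's actual diff: the job names (build, deploy, update-link-index, vale-report), the permissions named in the description, and the upload-artifact / download-artifact handoff come from the PR text; the trigger, build command, artifact names, the S3 step and the link-index step are assumptions and placeholders.

```yaml
# Illustrative workflow, not the diff under review. Only the job names,
# the permissions and the artifact handoff are taken from the PR text.
name: preview-build

on:
  pull_request:

# Nothing is granted by default; every job opts in to exactly what it needs,
# so a compromised step in one job cannot reuse another job's token scope.
permissions: {}

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read            # fork PRs can run this job: no write scopes
    steps:
      - uses: actions/checkout@v4
      - name: Build the docs (assumed command)
        run: ./build.sh --out _site
      - name: Hand the build output to the later jobs
        uses: actions/upload-artifact@v4
        with:
          name: site            # assumed artifact name
          path: _site

  deploy:
    needs: build                # skipped automatically if build fails
    # Only same-repository PRs may deploy; fork PRs never reach this job.
    if: github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    permissions:
      deployments: write
      id-token: write           # for OIDC to the cloud account (assumed)
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: site
          path: _site
      - name: Upload to S3 (placeholder; role and bucket are not on the page)
        run: echo "would sync _site to s3://BUCKET_PLACEHOLDER"

  fork-notice:
    needs: build
    if: github.event.pull_request.head.repo.full_name != github.repository
    runs-on: ubuntu-latest
    permissions: {}
    steps:
      - name: Explain why no preview was deployed
        run: echo "::warning::Build succeeded, but preview deployment is skipped for fork PRs"

  update-link-index:
    needs: deploy
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: site
          path: _site
      - name: Update the link index (placeholder for the real step)
        run: echo "would index _site into LINK_INDEX_PLACEHOLDER"

  vale-report:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write      # the only job that may comment on the PR
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: vale-results    # assumed: uploaded by the vale lint job
      - name: Post the lint report as a PR comment
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh pr comment ${{ github.event.pull_request.number }} --body-file vale-report.md
```

Two properties of this layout are worth checking when reviewing the real workflow. First, `needs:` without `always()` means deploy and update-link-index are skipped whenever build fails, which matches the "only runs when the build succeeds" note; the `if:` on deploy is what enforces the same-repository condition. Second, on a `pull_request` event from a fork the GITHUB_TOKEN is read-only regardless of the declared permissions, so `pull-requests: write` in vale-report only takes effect for same-repository PRs; a fork PR's lint report would need a different delivery path.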
@github-actions

🔍 Preview links for changed docs
