build: split deploy to unstable main workflow

.github/workflows/deploy-master-staging.yaml

@@ -3,13 +3,14 @@ on:
   push:
     branches:
       - main
-      - ci/staging/**
   workflow_dispatch:
+
+permissions: {}
+
 jobs:
   build:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
-      id-token: write # needed by aws-actions/configure-aws-credentials
       contents: read
     outputs:
       CUSTOM_VERSION: ${{ env.CUSTOM_VERSION }}
@@ -32,19 +33,44 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
+
       - name: Set custom version
         run: |
           HASH=$(git rev-parse --short HEAD)
           CURRENT_VERSION=$(jq -r .version package.json)
           RELEASE="${CURRENT_VERSION}-${HASH}"
           echo "CUSTOM_VERSION=${RELEASE}" >> $GITHUB_ENV
           echo "SENTRY_RELEASE=${RELEASE}" >> $GITHUB_ENV
+
       - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+        with:
+          # Explicitly disables cache to ensure cache is always disabled
+          cache: false
+
       - name: Setup Node
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version-file: "package.json"
-          cache: "pnpm"
+          # Cache is intentionally disabled for security.
+          #
+          # GitHub Actions cache doesn't provide any trust boundary:
+          # - Any workflow that can run in this repository (e.g., pull_request
+          #   or push events) can populate cache entries (using any cache keys)
+          # - A trusted workflow (like this build job) can then later restore
+          #   that cache and execute or deploy malicious content
+          #
+          # This enables cache poisoning, meaning someone could inject
+          # malicious NPM dependencies or malicious binaries (by replacing
+          # the node or npm executable with a malicious one) then leading to
+          # code execution during build or compromised deployments (e.g.,
+          # implanting backdoors inside the JS or HTML files generated
+          # during `pnpm run build`)
+          #
+          # Since this workflow deploys to AWS, it must not consume artifacts
+          # from shared cache.
+          package-manager-cache: false
+          cache: ""
+
       - name: Package
         timeout-minutes: 15
         run: |
@@ -54,6 +80,31 @@ jobs:
         run: |
           pnpm run build
 
+      - name: Upload Build
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: "build"
+          path: "build/"
+          if-no-files-found: error
+          retention-days: 7
+
+  deploy:
+    runs-on: ubuntu-24.04
+    needs: [build]
+
+    environment:
+      deployment: false
+      name: deploy-staging
+
+    permissions:
+      id-token: write
+
+    steps:
+      - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+        with:
+          name: build
+          path: build/
+
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
         with:
@@ -85,14 +136,14 @@ jobs:
           CDN_DISTRIBUTIONS: ${{ secrets.AWS_CLOUD_STAGING_CDN_DISTRIBUTIONS }}
 
   notify-slack:
-    needs: build
+    needs: [build, deploy]
     if: always()
     permissions: {}
     uses: saleor/saleor-internal-actions/.github/workflows/notify-slack.yaml@eb0c692da7bf13f5e1a82c17488b24c514dd10a1 # v1.10.0
     with:
       type: deployment
       ref: ${{ needs.build.outputs.CUSTOM_VERSION || github.ref_name }}
-      status: ${{ needs.build.result }}
+      status: ${{ needs.deploy.result }}
       product: dashboard
       environment: saleor-master-staging
       mention_on: failure