netlify: document deploy-preview security for forked pull requests #2166
wallrj-cyberark wants to merge 1 commit into
✅ Deploy Preview for cert-manager ready! Built without sensitive environment variables
Pull request overview
Documents the security posture around Netlify deploy previews for forked pull requests, clarifying that untrusted fork code can run on Netlify build infrastructure and that deploy-preview (and global build) environments must only contain public values.
Changes:
- Adds an in-file security note explaining why secrets must not be placed in deploy-preview or global build environments.
- Introduces an explicit `[context.deploy-preview.environment]` block to make the deploy-preview environment scope visible/auditable.
A security review noted that Netlify builds deploy previews for pull requests from public forks automatically, which runs contributor code (next.config.js, package.json scripts and bundled JavaScript) on Netlify's build infrastructure before any maintainer review (CWE-829). The site is already configured so those builds only ever receive public values: the sensitive-variable policy withholds sensitive variables from untrusted deploys, and no secret variable is scoped to the deploy-preview context. This records that posture in netlify.toml and adds an explicit [context.deploy-preview.environment] block, so future changes do not inadvertently expose secrets to fork previews.

Signed-off-by: Richard Wall <richard.wall@cyberark.com>
Motivation
A security review flagged that Netlify builds deploy previews for pull requests from public forks automatically (CWE-829): `next build` runs the fork's `next.config.js`, `package.json` scripts and bundled JavaScript on Netlify's build infrastructure before any maintainer reviews the diff. Because a fork pull request controls the whole checkout — including `netlify.toml` — no configuration committed here can block that build on its own.

What this changes
This makes no change to build behaviour. It records, in source, the security posture that already protects the site, and guards against a future regression:
- A note in `netlify.toml` explaining that fork deploy previews run untrusted code and must therefore only ever receive public values.
- An explicit `[context.deploy-preview.environment]` block and a note asking contributors not to add secrets to it or to `[build.environment]`. Secrets belong in `[context.production.environment]` or a production-scoped Netlify UI variable, so fork previews never receive them.

The protection itself lives in the site's Netlify settings, which were verified as part of this work:
- `NEXT_PUBLIC_*`, `NODE_VERSION`, `NETLIFY_NEXT_PLUGIN_SKIP`).

Testing
- `netlify.toml` parses cleanly (validated with a TOML parser).
- `[context.deploy-preview.environment]` block.