gh-deploy-pipeline
Audited by Socket on May 18, 2026
2 alerts found:
Obfuscated File x2

The proposed approach aligns with best practices for secure CI/CD secret management: eliminate long-lived deploy credentials from repository secrets, use ephemeral CI identity via OIDC, rely on a centralized runtime secret store for application credentials, and include a guarded smoke test to prevent credential leakage. Success hinges on precise configuration of OIDC scopes, secure secret-loading mechanisms, and strict log redaction. Potential failure modes include misconfigured secret loading, inadvertent secret exposure in logs, and insufficient isolation between deploy-time and runtime credentials.
The design presents a solid approach to lane-aware deployments with per-app artifact promotion and an explicit manual re-deploy path. Key security factors to enforce include strict provenance verification, concurrency controls to prevent race conditions, strict path-based change detection to avoid cross-app leakage, and robust least-privilege configurations for OIDC deployments. Enhance the design with artifact signing, explicit approvals, and thorough logging to strengthen supply-chain integrity.