How to have both security and flexibility when it comes to deployment?
Having the capability to deploy to any feature branch is good for QAs, since they can test the app even before it's code reviewed.
Branch-protected deployment is secure but not flexible enough.
Feature branch deployment with restricted access to deployment environment.
.gitlab-ci.yml to prevent from further editing, unless it has been reviewed. But this doesn't prevent other files from accessing the environment variables, e.g., in Android, there is build.gradle, from which you can access any env vars.
It is preferable to have the #3 solution, but we're not sure how this can be achieved securely.
My issue is specific for mobile deployments (iOS & Android) if it helps.
The 1st point seems to be the most viable option to have both security and flexibility when it comes to deployment. The only concern here, which is pretty serious, is security, as anyone can get access to secret information.
Well, it's a pity people still store their secrets this way in repos where access control is a challenge. Ideally, secrets need to be dynamically injected into a pipeline and stored in a vault. If you can do that, the 1st option is the best way out. There are many articles out there on how dynamic secrets are managed like this, for instance: https://ozone.one/blog/basics-of-dynamic-kubernetes-secrets-management-ozone/
Good luck!
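One way the vault-injected secrets suggested in the answer above could look in a GitLab pipeline. This is an added example, not part of the original question or answer. It assumes HashiCorp Vault with JWT auth and a GitLab plan where the `secrets:` keyword is available; the Vault URL, role names, secret paths and job names are hypothetical.

```yaml
# Hypothetical values: Vault URL, auth roles, secret paths and job names.
# Assumed Vault side: each JWT auth role has bound_claims on the GitLab ID
# token, e.g. mobile-release requires ref_protected "true". The claims are
# signed by GitLab, so editing this file on a feature branch to request the
# release role does not make Vault hand out release secrets.
stages: [build, deploy]

variables:
  VAULT_SERVER_URL: https://vault.example.com
  VAULT_AUTH_PATH: jwt

.vault_token:
  id_tokens:
    VAULT_ID_TOKEN:
      aud: https://vault.example.com

# Any feature branch: QA can install a build before code review.
# build.gradle can read this value, so the role exposes QA-tier secrets only.
qa_build:
  extends: .vault_token
  stage: build
  variables:
    VAULT_AUTH_ROLE: mobile-qa
  secrets:
    QA_KEYSTORE_PASSWORD:
      vault: mobile/qa/keystore/password@kv
      token: $VAULT_ID_TOKEN
      file: false
  script:
    - ./gradlew assembleDebug
  rules:
    - if: '$CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH'

# Default (protected) branch only: release signing material.
release_deploy:
  extends: .vault_token
  stage: deploy
  environment: production
  variables:
    VAULT_AUTH_ROLE: mobile-release
  secrets:
    RELEASE_KEYSTORE_PASSWORD:
      vault: mobile/release/keystore/password@kv
      token: $VAULT_ID_TOKEN
      file: false
  script:
    - ./gradlew assembleRelease
  rules:
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
```

The `rules:` entries only control when jobs run; the access decision sits in the Vault role bindings, which a feature-branch commit cannot change.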