zendesk / samson

Web interface for deployments, with plugin architecture and kubernetes support

Is it possible to give stage or environment based access? #2840

Open danihodovic opened 6 years ago

danihodovic commented 6 years ago

I would like to restrict deployment access per stage or environment. An example use case is to allow junior developers to deploy to staging and senior developers to deploy to production.

Is this possible? I've looked around in the docs and played with the UI and I found nothing.

grosser commented 6 years ago

not possible, sounds like an interesting feature, but might take a lot of new logic/UI to add :/

/cc @zendesk/bre

jason-rutherford commented 6 years ago

One possible workaround might be to lock the stage and use the PRODUCTION_STAGE_LOCK_REQUIRES_ADMIN=1 feature here. I'm not sure if that helps in your situation but I thought it is worth mentioning.

danihodovic commented 6 years ago

@jason-rutherford That would require us to lock production on every deploy which is not ideal.

grosser commented 6 years ago

Possible solutions:

danihodovic commented 6 years ago

> overhaul the permission system to be finer-grained / allow random things like "deploy production" / "manage secrets" etc (effort: high / hackiness: low)

Sounds like the best option, but if we're the only team with this use-case it might be better to leave it as is and not introduce additional complexity.

grosser commented 6 years ago

yeah ... we've come a long way with this simple system and reworking it to accommodate 1 new use case seems a bit extreme


ibrahima commented 5 years ago

Hmm, I'd be interested in this for the same reason. The current state is fine as long as you trust your teammates to not do stuff they shouldn't be doing, but it'd make me feel a little safer if junior developers couldn't deploy to production (this is more of an issue when adding new teammates IMO).

Hmm. Another option is to make the staging environment a separate project, and then set up project-specific roles for that project. It's a little uglier I guess but it would solve the problem without any new features.

grosser commented 5 years ago

can enable BUDDY_CHECK_FEATURE=1 so nobody can deploy to prod alone :)

ibrahima commented 5 years ago

Hmm, does that apply to admins too? We aren't using buddy checks but that could be useful for us, I just wouldn't want admins to be restricted to that.

grosser commented 5 years ago

applies to everyone ... since it's kinda good practice ... can be bypassed for emergencies, then need to set up email for notification