Enhance Workflow Security by Limiting Permissions and Adding OIDC Tok… #20

	name: cd_permanent_preview

	on:
	push:
	branches:
	- main

	# Ensures permanent preview deployment has minimal read-only permissions for security
	permissions:
	contents: read # Read-only access to repo contents for safer workflows
	id-token: write # Allow OIDC tokens for secure cloud authentication

	jobs:
	deploy:
	runs-on: ubuntu-latest
	concurrency:
	group: cd-permanent-preview
	cancel-in-progress: true
	steps:
	- name: Checkout app
	uses: actions/checkout@v3
	with:
	path: app

	- name: Checkout github-ci
	uses: actions/checkout@v3
	with:
	repository: jalantechnologies/github-ci
	path: platform
	ref: v3.2.6

	- name: Build Docker image
	id: build
	uses: ./platform/.github/actions/build
	with:
	app_name: flask-react-app
	tag: preview
	context: app/.
	docker_registry: ${{ vars.DOCKER_REGISTRY }}
	docker_username: ${{ vars.DOCKER_USERNAME }}
	docker_password: ${{ secrets.DOCKER_PASSWORD }}

	- name: Deploy to permanent preview
	uses: ./platform/.github/actions/deploy
	with:
	app_name: flask-react-app
	app_env: preview
	app_hostname: preview.flask-react-template.platform.bettrhq.com
	branch: main
	deploy_id: ${{ github.run_number }}
	deploy_root: app/lib/kube
	deploy_labels: gh/env=preview
	deploy_image: ${{ steps.build.outputs.image_ref }}
	docker_registry: ${{ vars.DOCKER_REGISTRY }}
	docker_username: ${{ vars.DOCKER_USERNAME }}
	docker_password: ${{ secrets.DOCKER_PASSWORD }}
	do_access_token: ${{ secrets.DO_ACCESS_TOKEN }}
	do_cluster_id: ${{ vars.DO_CLUSTER_ID }}
	doppler_token: ${{ secrets.DOPPLER_PREVIEW_TOKEN }}

Provide feedback