There are a few aspects to that question:

- The PullPreview action itself is fully open source, so you can audit the source code and verify that it does not ship your cloud credentials (AWS or Hetzner) or your code anywhere.
- GitHub does not expose repository secrets to workflows triggered by pull requests from forked repositories (source). This means an external contributor cannot read your cloud credentials by submitting a specially crafted workflow file. Note that this protection applies to the `pull_request` event; `pull_request_target` runs with access to secrets, so do not use it for workflows that untrusted forks can influence.
- For Lightsail users, we recommend GitHub OIDC-based role assumption (short-lived AWS credentials) as shown in Recommended AWS Configuration. For Hetzner users, use a dedicated `HCLOUD_TOKEN` with the minimum required scope and set `HETZNER_CA_KEY` to a dedicated SSH CA private key (generated once and stored in Secrets).
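The workflow below is an added example of the credential setup described above; it is not the project's own workflow file. It shows the `pull_request` trigger, a least-privilege `permissions` block, OIDC role assumption for Lightsail, and where the Hetzner secrets go. The role ARN, region, GitHub username, the `pullpreview/action` reference and its `admins` input, and the `pull-requests: write` permission are assumptions; check the project README for the real inputs.

```yaml
# .github/workflows/pullpreview.yml  (added example, not the project's own)
name: PullPreview

on:
  # Use pull_request, not pull_request_target: runs triggered by forks
  # never receive repository secrets, so a contributor who edits this
  # file in their PR still cannot read HCLOUD_TOKEN or assume the role.
  pull_request:
    types: [labeled, unlabeled, synchronize, closed, reopened]

# Least privilege: id-token:write lets the job mint an OIDC token to
# exchange for short-lived AWS credentials; nothing else needs write.
permissions:
  id-token: write
  contents: read
  pull-requests: write   # assumption: needed only if preview URLs are posted on the PR

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Lightsail: exchange the job's OIDC token for temporary credentials.
      # No long-lived AWS access key is stored in Secrets. The IAM role's
      # trust policy should pin the subject claim, for example
      #   "token.actions.githubusercontent.com:sub": "repo:ORG/REPO:pull_request"
      # so that no other repository (or event) can assume it.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/pullpreview-deploy   # placeholder
          aws-region: us-east-1                                               # placeholder

      # Hetzner instead of Lightsail: a project-scoped API token plus a
      # dedicated SSH CA key, both kept in repository Secrets. Generate the
      # CA once on your workstation with
      #   ssh-keygen -t ed25519 -N '' -f hetzner_ca
      # and store the private half (the file hetzner_ca) as HETZNER_CA_KEY.
      - uses: pullpreview/action@v5    # assumed action reference
        env:
          HCLOUD_TOKEN: ${{ secrets.HCLOUD_TOKEN }}
          HETZNER_CA_KEY: ${{ secrets.HETZNER_CA_KEY }}
        with:
          admins: my-github-username   # assumed input name and value
```

A real workflow uses one provider; both are shown in one job only to keep the two credential paths side by side. With OIDC, `configure-aws-credentials` exports the temporary keys as environment variables for the later steps, so the preview step itself never sees a permanent secret.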
If it looks simple, then it's good. However, you can have a look at the code yourself and see that there is a fair amount of complexity to orchestrate to get to the point where you have a server running the latest version of the code at all times. You are free to use another solution or code your own, but I'm not ashamed to ask for money for what I think is a valuable and non-trivial tool.