From b8bc5b182d523004c5f2dce0c7d2984c6bf95a1f Mon Sep 17 00:00:00 2001 From: lukeocodes Date: Mon, 4 May 2026 23:15:30 +0100 Subject: [PATCH] ci: remove workflow_dispatch from web-production Manual production deploys can ship a landing page advertising a version not yet published to PyPI. Lock production deploys to the workflow_call path from release.yml, which is itself gated on a real root v* tag and fires AFTER PyPI publish completes. --- .github/workflows/web-production.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/web-production.yml b/.github/workflows/web-production.yml index bc607d0..85d4811 100644 --- a/.github/workflows/web-production.yml +++ b/.github/workflows/web-production.yml @@ -5,8 +5,13 @@ on: # Using workflow_call avoids the GitHub Actions limitation where # GITHUB_TOKEN-created releases do not trigger release: published # in other workflows. + # + # workflow_dispatch is intentionally omitted: deploying main outside + # the release pipeline can ship a landing page that advertises a + # version not yet published to PyPI (the cli.deepgram.com vs PyPI + # skew that broke installs in May 2026). Production deploys must be + # gated on a real root v* tag. workflow_call: - workflow_dispatch: # Only one production deploy at a time; never cancel in-progress concurrency: