My team uses TeamCity for continuous integration. It will build, test and deploy web applications via Web Deploy to dev and qa web servers. The tricky part is deploying to a production web server - our policy dictates that developers cannot deploy to production, only a system administrator can.

Our current approach is to have TeamCity build a web deployment package, which the administrator can download and install on the production web server. However, we'd like to allow them to simply click "Run" on a build configuration, but we're not sure how to secure that button. We could create a TeamCity project that only administrators have access to, but we also have to address Web Deploy security.

The Web Deploy service needs to be authenticated with a local admin account on the production server. We don't want developers having access to the username/password in a build script, nor do we want every build agent running as this account since developers could create a build that uses it to deploy to production.

I haven't had much luck finding resources on TeamCity security/deployment best practices, but I can't imagine we're the only company in this situation. How do others manage automated deployment security?

Using the roles and permissions in TeamCity, you can have a project that only your deployment team has access to. It can have an artifact dependency on the main build, and you can even have it use "last pinned build" so developers can control what's even available. I would install a build agent that is able to deploy to the target system(s), and then use the "compatible builds" feature of that agent in the TeamCity UI to make it only compatible with your production deployment build. (Of course you'll also want to ensure your developers don't have permissions to modify agent configuration.)

This is one downside of TeamCity using Agent compatible configurations options: if you leave your other build agent(s) as compatible with all builds, then the production deployment may be attempted from one of them if free. The only workaround I know of is to set them all to only run "specified builds" and add all other builds to the other agent(s).