The idea is to always deploy to dev if the pipeline succeeds and to offer the option to deploy to production manually if the master pipeline succeeds. I also suggest changing the branch names to be a bit more intuitive: develop would be the new integration branch which would automatically deploy to aur-dev.archlinux.org upon successful completion while master would be semi-automatic and the authorized developer would manually have to click deploy upon successful testing completion.
The "automatic" part would work like this:
- The
scriptpart runsssh deployme@aur.archlinux.org. - The runner would use a secret-injected private key
id_rsato make this connection to thedeploymeuser on the other machine. - The other machine's
deploymeuser would have the corresponding public key in a command-limited entry in its.ssh/authorized_keysfile that would look like this:command="/path/to/aurweb/deploy/deployme.sh" <public key> GitLab automatic deployments aur.archlinux.org key.
Both branches would be protected so only a limited number of people can merge stuff to it. Additionally, the production environment would be protected and only a few hand-picked developers would even be able to deploy to it: https://docs.gitlab.com/ee/ci/environments/protected_environments.html
The command-restricted SSH keys ensure that even if somehow the private key would be exposed, all the attacker could do is keep deploying AUR.