Due to an influx of spam, we have had to temporarily disable account registrations. Please write an email to firstname.lastname@example.org, with your desired username, if you want to get access. Sorry for the inconvenience.
The idea is to always deploy to dev if the pipeline succeeds and to offer the option to deploy to production manually if the master pipeline succeeds. I also suggest changing the branch names to be a bit more intuitive:
develop would be the new integration branch which would automatically deploy to aur-dev.archlinux.org upon successful completion while
master would be semi-automatic and the authorized developer would manually have to click deploy upon successful testing completion.
The "automatic" part would work like this:
script part runs
id_rsa to make this connection to the
deployme user on the other machine.
deployme user would have the corresponding public key in a command-limited entry in its
.ssh/authorized_keys file that would look like this:
command="/path/to/aurweb/deploy/deployme.sh" <public key> GitLab automatic deployments aur.archlinux.org key.
Both branches would be protected so only a limited number of people can merge stuff to it. Additionally, the production environment would be protected and only a few hand-picked developers would even be able to deploy to it: https://docs.gitlab.com/ee/ci/environments/protected_environments.html
The command-restricted SSH keys ensure that even if somehow the private key would be exposed, all the attacker could do is keep deploying AUR.