
How to avoid deploying Firebase Hosting from developers' machines?


I am currently using GitHub Actions to automate deploys to production; however, developers also have access to deploy code directly from their machines to production. I am wondering how to avoid this situation and only allow new updates to our hosting instance when they come from an automated PR approval on GitHub.

The current workflow for developers is:

  1. Create a new dev branch based on an assigned issue on GitHub
  2. Develop code changes and test them on localhost via Firebase Emulators
  3. Commit code changes to GitHub and create a PR
  4. GitHub Actions kicks in to deploy code changes in a preview channel for approval
  5. After code review, PR is approved and code changes get deployed automatically to production

Since developers are required to provide Firebase production credentials to initializeApp({...}), there is no way to prevent a team member from deploying code directly from their machine to production.

The Firebase client SDK for JavaScript does not allow an app to be initialized without real project credentials, which means there is no way to initialize an app "only for emulation".

Any thoughts on how to fix this?


Solution

  • Create a new Google account that is only used to deploy and change the developer permissions to only have read access to the production apps.
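
One way to check that the setup described in the solution holds, as an added example that is not part of the original answer: the script reads the project's IAM policy (the JSON printed by `gcloud projects get-iam-policy <PROJECT_ID> --format=json`) and reports every principal other than the deploy account that holds a role able to publish to Hosting. The account names, the sample policy and the role list are constructed assumptions; the role list is not exhaustive and custom roles are not resolved.

```javascript
// Added example (not from the original answer): audit an IAM policy for
// principals that can deploy to Firebase Hosting besides the deploy account.

// Predefined roles that allow publishing Hosting releases.
// Assumption: not exhaustive; custom roles need their permissions checked too.
const DEPLOY_ROLES = new Set([
  'roles/owner',
  'roles/editor',
  'roles/firebase.admin',
  'roles/firebasehosting.admin',
]);

// Returns one finding per (member, role) pair that grants deploy rights to a
// principal not listed in allowedMembers.
function findUnexpectedDeployers(policy, allowedMembers) {
  const allowed = new Set(allowedMembers.map((m) => m.toLowerCase()));
  const findings = [];
  for (const binding of policy.bindings || []) {
    if (!DEPLOY_ROLES.has(binding.role)) continue;
    for (const member of binding.members || []) {
      if (allowed.has(member.toLowerCase())) continue;
      findings.push({
        member,
        role: binding.role,
        // A conditional binding may still grant access; flag it for review.
        conditional: Boolean(binding.condition),
      });
    }
  }
  return findings;
}

// Constructed sample policy: the deploy account has Hosting admin, developers
// are viewers, but one developer still holds the legacy Editor role.
const SAMPLE_POLICY = {
  bindings: [
    { role: 'roles/firebasehosting.admin', members: ['user:deploy-bot@example.com'] },
    { role: 'roles/firebase.viewer', members: ['user:alice@example.com', 'user:bob@example.com'] },
    { role: 'roles/editor', members: ['user:bob@example.com'] },
  ],
};
const ALLOWED_DEPLOYERS = ['user:deploy-bot@example.com']; // hypothetical account

for (const f of findUnexpectedDeployers(SAMPLE_POLICY, ALLOWED_DEPLOYERS)) {
  console.log(`${f.member} can deploy via ${f.role}`);
}
```

An empty result means only the deploy account holds one of the listed roles; running it in CI on the live policy catches a developer being re-granted write access later.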