Forge is used by agencies all over the world to provision servers and deploy sites on behalf of their clients.
Currently, when Forge provisions a server, that server's SSH key is added to the SSH keys of the Forge user's connected source control providers. This allows the server to clone any repository that the user has access to.
However, sometimes you may wish to only grant the Forge user access to clone a specific repository. This is typically accomplished by adding an SSH key to that repository's "Deploy Keys" on the repository's GitHub, GitLab, or Bitbucket dashboard.
Beginning today, you may opt-out of having a server's SSH key added to your source control provider account. Instead, when adding a new site to the server, you may choose to generate a Deploy Key for that application. Once the key has been generated, you can add it to the repository of your choice via your source control provider's dashboard - allowing the server to clone that specific repository.
In summary, we're introducing two new security enhancements to Forge:
- You may now choose to provision a server without adding its SSH key to your connected source control providers.
- You may choose to create a Deploy Key for newly created sites. Forge will configure SSH to always use that deploy key when cloning or pulling that site's repository.
You can learn more about these changes at https://forge.laravel.com/docs/1.0/servers/ssh.html.
If you don’t have a Forge account, now is a great time to sign up! Forge allows you to painlessly create and manage PHP servers which include MySQL, Redis, Memcached, database backups, and everything else you need to run robust, modern Laravel applications.