Production deploys shows PR-based deploy-previews

For netlify site using custom domain

For production deploys I see deploy previews instead of production deploys (see screenshot below):

When I click on the ‘>’ beside ‘Production deploys’ in the ‘Site overview’ I see that the filter that is used is ‘main’.

The deploy previews seen in the screenshot were generated from a PR from the main branch of a GitHub fork: of

It looks to me like the ‘Production deploy’ listing doesn’t take into account the source repo (in this case a fork & PR) and just looks for the main repo’s default branch (main in this case).

This is expected behaviour at the moment. The branch filter on the deploy page filters deploys based on the branch, and since the associated branch with those deploys is main, they show up there, just like this one as an example:

Since the heading ‘Production deploys’ doesn’t match the actual displayed preview (deploy previews that happen to be on main in a different repo that creates a PR against your repo) I’d argue this is not expected behaviour nor intended behaviour.

If I manually filter, this is perhaps expected behaviour, but not for those automatic filters that one doesn’t control, the heading suggests one will be seeing different deploys than one actually does.

It’s more like a UI String issue then than a bug. Clicking on “Production deploy” simply filters deploys based on the production branch. This works for probably 99% of the users. You were the first case I saw in about 2 years to create a PR from main branch to some other branch.

I can ask the devs to change the title from “Production deploys” to “Deploys from production branch” or something similar, but the behaviour won’t change and is expected.

From reviewing your setup, it appears more like you’re trying to get around the Git Contributor pricing policies, so if an unexpected usage of the service causes a small-ish issue, I would not be surprised.

If this is in fact deployed to production this is a security issue. I’ll explain.

I have public open source project

A user on GitHub who I only know as mesetka created a GitHub Pull Request from their fork GitHub - mesetka/image-handling-mod-hugo-dfd: A Hugo module for handling images and image-related functionality for themes from the main branch of their fork.

This is all without me knowing or expecting it, it’s a normal open source contribution thing that happens.

It should only have created a deploy preview not a production deploy, because this PR has not yet been merged into main, and was unsolicited.

If this got deployed to as a production deploy that means for any public project all a malicious user has to do is create a PR on a main branch of a fork of the repo, and they would be able to replace the project’s production website!

That would be bad.

I am certainly not trying to get around any pricing structure, I’m just doing normal open source stuff, which Netlify has said elsewhere is supported and that public open source contributors will be free.

@fool I think this needs you to look at, perhaps (I wouldn’t normally tag you, but this is a bit alarming).

It’s not. It’s labelled as a “Deploy Preview”. I explained the behaviour of showing production deploys before. Ignoring the label, it’s only showing all deploys associated with the production branch. Consider the screenshot I shared above:

The filter is filtering deploys with the branch h2-on-long-webinar-titles. It shows the associated Deploy Preview along with the branch deploy. This is because, each Git-based deploy has a branch associated with it. When you click on “production deploys”, it shows you all deploys associated with the production branch, including any deploy previews made on that branch.

As long as it says “Deploy preview”, it’s not a Production deploy. So, there’s no security issue here.

That’s what it has done.

Published deploy shows a badge alongside it. In your case, it doesn’t. I feel there’s some unnecessary confusion here and probably an attempt to prove this is an issue, when it’s not.

Furthermore, you always have an option to “Lock publishing”: Manage deploys | Netlify Docs, so it won’t be overridden by other deploys unless you manually publish.

It is not the production branch. It is someone else’s repository, not a production branch of my repository. I have no control over their choice of branch name; they used main because that is the GitHub default, at a guess.

A branch on danielfdickinson/production-branch is a production branch (in my case named main as is usual). mesetka/production-branch is not a branch created by me, and is not a production branch, and never should be considered as such. It has the same name as the ‘tail’ of my production branch danielfdickinson/main but is not that branch. main on a different repo is not the same branch. Period. Full stop.

If the code is assuming it is, in any fashion, it is wrong.

There is confusion for three reasons:

  1. The title doesn’t match what is being displayed in the list
  2. You started accusing me of trying to get around pricing policy.
  3. You do not seem to understand or acknowledge the actual issue, however minor.

I’m not asking for dropping everything and an urgent change, I was simply, initially trying to point out an error so it could get on a work plan.

I do not know why you have made such an issue of my report, and I did get confused, particularly after your second reply, and having limited internet access for a while due to a recent storm in my area.

Your repo has PRs open from some other branch to your production branch. It’s not the branch name of the fork, but the fact that you’re getting a PR on your main branch that’s making the difference:

When GitHub sends a webhook to Netlify, it sends the associated branch to be main - which is your production branch.

As you can see, the deploy gets associated with the main branch:


The deploy log even says it’s a deploy preview: Netlify App

Yes, but main on your repo is your production branch.

There’s no assumption, it’s literally seen on GitHub.

Like I mentioned, it’s only UI text that’s incorrect. The functionality is not.

Sorry you feel that way, but I can’t call it an issue when there’s none (apart from the UI text change that I suggested above - that is the minor issue that I have already acknowledged).

First, I apologize for my tone earlier, I guess I was feeling a bit down/frustrated. That said, you don’t have the best ‘bedside manner’ either.

To the issue: “Deploys from production” would be confusing as well. It implies the deploy is coming from the actual production branch (that is, it doesn’t sound like a PR), rather than another branch. That is part of why I felt like you didn’t understand the issue.

I would suggest that your team think carefully (maybe pull in an English and/or Marketing major) about how to phrase it to avoid confusion.

The reason the branch is open to outside commits is that it is an open source project. This is standard practice in the open-source world, and AIUI is perfectly legitimate under the Netlify pricing structure. (If I’m wrong on that I’d rather @SamO or @luke let me know, as you and I do not seem to communicate well).

Maybe “Deploys targeted for production” would be a string that would work.

In any event, I think you need to do a postmortem of this and other interactions to understand why so many users get frustrated with you more than other support staff (There is something about your ‘tone’ when you write that rubs quite a few users the wrong way) and work on improving that.
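An added illustration, not part of the thread and not Netlify's code: it contrasts a deploy listing keyed on the bare branch name with one keyed on deploy context plus the fully qualified `owner/repo:branch`, which is the distinction the posts above argue over. The repository names, the helper functions and the choice to record the PR head ref as the deploy's branch are assumptions; the payload fields are those of GitHub's `push` and `pull_request` webhook events.

```python
PRODUCTION_REPO = "example-owner/site"   # constructed repository name
PRODUCTION_BRANCH = "main"

def classify(event, payload):
    """Map a GitHub webhook delivery to (context, source_repo, source_branch)."""
    if event == "push":
        repo = payload["repository"]["full_name"]
        branch = payload["ref"].removeprefix("refs/heads/")
        is_prod = (repo, branch) == (PRODUCTION_REPO, PRODUCTION_BRANCH)
        return ("production" if is_prod else "branch-deploy", repo, branch)
    if event == "pull_request":
        head = payload["pull_request"]["head"]
        # head.repo is null in the payload when the fork has been deleted
        repo = (head.get("repo") or {}).get("full_name", "<deleted fork>")
        return ("deploy-preview", repo, head["ref"])
    raise ValueError(f"unhandled event type: {event}")

def pr(head_repo, head_ref, base_ref="main"):
    """Build a minimal, constructed pull_request payload."""
    return {"pull_request": {
        "head": {"ref": head_ref, "repo": {"full_name": head_repo}},
        "base": {"ref": base_ref, "repo": {"full_name": PRODUCTION_REPO}}}}

# Constructed deliveries: a push to main, a fork PR from main, an in-repo PR.
EVENTS = [
    ("push", {"ref": "refs/heads/main",
              "repository": {"full_name": PRODUCTION_REPO}}),
    ("pull_request", pr("example-fork/site", "main")),
    ("pull_request", pr(PRODUCTION_REPO, "feature-x")),
]
DEPLOYS = [classify(e, p) for e, p in EVENTS]

def list_by_branch_name(deploys, branch):
    """Listing keyed on the branch name alone."""
    return [d for d in deploys if d[2] == branch]

def list_production(deploys):
    """Listing keyed on context plus the fully qualified branch."""
    return [d for d in deploys
            if d == ("production", PRODUCTION_REPO, PRODUCTION_BRANCH)]

def previews_under_production_name(deploys):
    """Deploys a name-only filter shows that are not production deploys."""
    strict = list_production(deploys)
    return [d for d in list_by_branch_name(deploys, PRODUCTION_BRANCH)
            if d not in strict]

if __name__ == "__main__":
    for d in previews_under_production_name(DEPLOYS):
        print("listed under production branch name, not production:", d)
```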