External Repositories
Support & Considerations
Additional notes about Pantheon's external repository integration, including assumptions, limitations, and support information.
This page outlines important assumptions, current limitations, and support information for Pantheon's external repository integration. Review these considerations before implementing it for your projects.
Assumptions
Multidev is available to customers with Gold or higher plans
The external repository integration is designed to work with Multidev environments. Multidev is available to customers on Gold or higher plans. If you are on a lower plan, you can still use the integration, but you will not be able to use the Multidev features.
Build processes happen on Pantheon
Our separate GitHub Action is designed for more customized workflows that might involve building code elsewhere and deploying to Pantheon. The external repository integration is designed for teams that want to use Pantheon as their build server.
Currently, Pantheon executes a composer install command through our Integrated Composer feature.
If you need compilation of front-end assets in your WordPress or Drupal theme through something like npm run build you should use our GitHub Action now and follow this item on our roadmap for eventual inclusion of such functionality within a Pantheon-prodived build step.
Security and Permissions
The main purpose of Pantheon's external repository integration is to create a mapping between a repository on GitHub or GitLab and a website on Pantheon. Configuring the integration requires granting Pantheon access to one or more repositories. This access is tracked at the Pantheon Workspace level.
People who are members of a Pantheon Workspace and have the Developer role or higher can see all sites in the Workspace. This means they can see sites on Pantheon even if their corresponding VCS account does not have permission to view the site's repository.
GitHub
When configuring the GitHub Application you will have the choice between granting access to individually selected repositories or "all" repositories within your GitHub organization. Selecting "all repositories" can be more convenient because it allows for faster creation of new repositories and sites. However, by granting Pantheon the "all repositories" permission you also grant that permission to every member of the Pantheon Workspace who has a Developer role or higher. Depending on the size and nature of your company, you may not want your Pantheon Workspace members to have this permission, especially if they are not members of your GitHub organization.
GitLab
GitLab supports two token types for this integration, each with different access scope:
- Personal Access Token — The
apiscope on a personal access token grants complete read and write access to all groups and projects the token owner belongs to. This cannot be restricted to specific groups or repositories. Use this token type with caution if the token owner has broad access to GitLab resources. - Group Access Token — Scoped to a specific group and its subprojects only. This is the recommended option when you want to limit Pantheon's access to a single GitLab group. The token must have
apiandwrite_repositoryscopes and a Maintainer role or higher to create repositories and manage webhooks. Group Access Tokens require a GitLab Premium or Ultimate subscription on GitLab.com; they are available on any tier for self-managed GitLab instances.
Limitations
No On Server Development (SFTP Mode)
New sites using Pantheon's external repository integration do not support "SFTP Mode" which allows version controlled files to be altered via SFTP or simply by the CMS changing files, as is common with operations like drush config-export. We know this limitation will stop some teams from using this integration and we are seeking feedback on how important it is to support this style of working when using 3rd party repositories.
Support
For questions and feedback about the external repository integration, please use Pantheon Support.
More Resources
- Pantheon Support - Learn about Pantheon's support offerings
- Multidev - Common questions about Multidev environments
- Next.js Documentation - Official Next.js documentation