What are the security concerns of the following scenario? (This is one of those crazy ideas that someone will try, and maybe it's a good idea, and maybe it's a terrible idea...)
You have a Rails app at example.com, and an action at https://example.com/admin/update_app.
This action has the following requirements:
This action does the following
Don't send the password. The app could be compromised and trojaned or the filtering could fail. Instead, grant the web app read-only access to the repository via a separate account or public access.
Don't restart the server if there are no changes. Then the action is secure even without access control: unless the developer has authorized the update by updating the stable branch, nothing happens. If the stable branch is not so stable, create a separate production branch for this.
Stop the webserver before doing the update. The app might not be secure or safe to use as a mix of files from different versions.
Make sure the web server doesn't serve any metadata files left by the VCS.
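
One way to script the four points of the answer above, as an added example that is not code from the original post. The paths, branch name, service name and the `RUN_UPDATE` switch are assumptions, and the checkout's `origin` remote is assumed to use a read-only account.

```shell
#!/bin/sh
# Assumed values (not from the original post); override via the environment.
APP_DIR="${APP_DIR:-/srv/app}"          # checkout; its remote uses a read-only account
DOCROOT="${DOCROOT:-$APP_DIR/public}"   # directory the web server actually serves
BRANCH="${BRANCH:-production}"          # pushing here is what authorizes a release
STOP_CMD="${STOP_CMD:-systemctl stop app-web}"     # hypothetical service name
START_CMD="${START_CMD:-systemctl start app-web}"

# Succeeds (0) if VCS metadata sits inside the served directory.
vcs_metadata_in_docroot() {
    [ -n "$(find "$DOCROOT" \( -name .git -o -name .svn -o -name .hg \) \
            -print 2>/dev/null | head -n 1)" ]
}

# Sets UPDATE_RESULT to unchanged, updated or failed.
update_app() {
    UPDATE_RESULT=failed
    # The caller sends no password: the stored credential can only read.
    git -C "$APP_DIR" fetch --quiet origin "$BRANCH" || return 1
    current=$(git -C "$APP_DIR" rev-parse HEAD) || return 1
    target=$(git -C "$APP_DIR" rev-parse FETCH_HEAD) || return 1
    if [ "$current" = "$target" ]; then
        UPDATE_RESULT=unchanged         # nothing was authorized: no stop, no restart
        return 0
    fi
    $STOP_CMD || return 1               # never serve a mix of two versions
    merge_rc=0
    git -C "$APP_DIR" merge --ff-only --quiet "$target" || merge_rc=$?
    if vcs_metadata_in_docroot; then
        # This example's choice: stay down rather than expose the metadata.
        echo "VCS metadata inside $DOCROOT; server left stopped" >&2
        return 1
    fi
    $START_CMD || return 1
    [ "$merge_rc" -eq 0 ] || return 1   # old version is running again; report failure
    UPDATE_RESULT=updated
}

# Runs only when asked, so the functions can also be sourced.
if [ "${RUN_UPDATE:-0}" = 1 ]; then
    update_app
    echo "$UPDATE_RESULT"
fi
```

Because an unchanged branch returns before the stop command, repeated unauthenticated hits on the action cost one fetch each and never bounce the server.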