docs(webapp): warn that DEPLOY_IMAGE_OVERRIDE is single-tenant only

No behavior change. Adds a strong warning to env.server.ts docstring
+ changeset entry explaining the foot-gun for multi-tenant installs.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: ConProgramming

.changeset/deploy-image-override-multi-tenant-warning.md

@@ -0,0 +1,7 @@
+---
+"trigger.dev": minor
+---
+
+webapp: clarify DEPLOY_IMAGE_OVERRIDE is single-tenant only
+
+The `DEPLOY_IMAGE_OVERRIDE` env var forces every deployment finalized by the webapp to use the configured image, ignoring the registry config / per-deployment image computation. Useful for self-hosted single-tenant installs where CI builds one canonical tasks image; dangerous on cloud / multi-tenant where deployments come from untrusted user code. No behavior change — just adds a strong warning docstring to `apps/webapp/app/env.server.ts` calling out the multi-tenant foot-gun.

apps/webapp/app/env.server.ts

@@ -434,15 +434,28 @@ const EnvironmentSchema = z
 
     DEPLOY_IMAGE_PLATFORM: z.string().default("linux/amd64"),
     /**
-     * Full image reference override - bypasses auto-generation of image tags.
-     * When set, every deployment uses this exact image reference instead of
+     * DEPLOY_IMAGE_OVERRIDE — full image reference override; bypasses
+     * auto-generation of image tags. When set, every deployment finalized
+     * by this webapp instance uses this exact image reference instead of
      * being routed through `getDeploymentImageRef` (ECR repo creation,
      * per-project tagging, isEcr/repoCreated detection, etc).
      *
-     * Intended for self-hosted setups where images are produced by a separate
-     * pipeline (e.g. CI builds + signs the image, the webapp just references
-     * it). Should NOT be set in multi-tenant deployments because every project
-     * shares the same image digest.
+     * ⚠️  WARNING: SINGLE-TENANT ONLY. ⚠️
+     *
+     * When set, every deployment finalized by this webapp instance will be
+     * wired to this image, regardless of which org / project triggered it.
+     * This is a foot-gun for any multi-tenant trigger.dev install
+     * (including Cloud) where deployments come from untrusted user code:
+     * one operator-set value silently overrides every tenant's per-project
+     * image. Only enable when BOTH of the following hold:
+     *   - You control the build pipeline producing the image (e.g. your CI
+     *     builds + pushes a single canonical tasks image per release), AND
+     *   - The install serves only your own org's projects (self-hosted,
+     *     single-tenant).
+     *
+     * For cloud / multi-tenant: leave unset. The deployment image is
+     * normally computed per-deployment from the registry config and the
+     * deploy version, which keeps tenants isolated.
      *
      * Empty string is treated as unset.
      *