fix(deploy): avoid logging multiline secrets

2026-04-30 11:20:13 +08:00
parent c2ba1442a3
commit f5f27d0496
2 changed files with 19 additions and 9 deletions
@@ -26,7 +26,6 @@ jobs:
          test -n "${{ secrets.AWS_REGION }}"
          test -n "${{ secrets.AWS_ACCOUNT_ID }}"
          test -n "${{ secrets.ECR_REPOSITORY }}"
-          test -n "${{ secrets.DEPLOY_SSH_KEY }}"

      - name: Build backend production image
        run: |
@@ -101,7 +100,8 @@ jobs:
            aws ecr batch-delete-image \
              --region "${AWS_REGION}" \
              --repository-name "${ECR_REPOSITORY}" \
-              --image-ids "${image_ids}" >/dev/null
+              --image-ids "${image_ids}" >/dev/null \
+              || echo "Warning: ECR image cleanup failed; ensure the CI AWS user has ecr:BatchDeleteImage" >&2
          fi

          docker push "${ecr_image}:latest"
@@ -111,14 +111,21 @@ jobs:
    runs-on: wsl2-docker-host
    steps:
      - name: Validate deploy configuration
+        env:
+          DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
+          DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
+          DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_REGION: ${{ secrets.AWS_REGION }}
        run: |
          set -euo pipefail
-          test -n "${{ secrets.DEPLOY_SSH_KEY }}"
-          test -n "${{ secrets.DEPLOY_HOST }}"
-          test -n "${{ secrets.DEPLOY_USER }}"
-          test -n "${{ secrets.AWS_ACCESS_KEY_ID }}"
-          test -n "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
-          test -n "${{ secrets.AWS_REGION }}"
+          test -n "${DEPLOY_SSH_KEY}"
+          test -n "${DEPLOY_HOST}"
+          test -n "${DEPLOY_USER}"
+          test -n "${AWS_ACCESS_KEY_ID}"
+          test -n "${AWS_SECRET_ACCESS_KEY}"
+          test -n "${AWS_REGION}"

      - name: Deploy production server
        env:
@@ -128,11 +135,12 @@ jobs:
          AWS_REGION: ${{ secrets.AWS_REGION }}
          DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
          DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
+          DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
        run: |
          set -euo pipefail

          install -m 700 -d ~/.ssh
-          printf '%s\n' '${{ secrets.DEPLOY_SSH_KEY }}' > ~/.ssh/eryao_deploy_key
+          printf '%s\n' "${DEPLOY_SSH_KEY}" > ~/.ssh/eryao_deploy_key
          chmod 600 ~/.ssh/eryao_deploy_key
          ssh-keyscan -H "${DEPLOY_HOST}" >> ~/.ssh/known_hosts