qzl/eryao
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(deploy): avoid logging multiline secrets

Browse Source
This commit is contained in:
qzl
2026-04-30 11:20:13 +08:00
parent c2ba1442a3
commit f5f27d0496
2 changed files with 19 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/build-production-docker.yml
+17 -9
View File
@@ -26,7 +26,6 @@ jobs:
test -n "${{ secrets.AWS_REGION }}" test -n "${{ secrets.AWS_REGION }}"
test -n "${{ secrets.AWS_ACCOUNT_ID }}" test -n "${{ secrets.AWS_ACCOUNT_ID }}"
test -n "${{ secrets.ECR_REPOSITORY }}" test -n "${{ secrets.ECR_REPOSITORY }}"
test -n "${{ secrets.DEPLOY_SSH_KEY }}"
- name: Build backend production image - name: Build backend production image
run: | run: |
@@ -101,7 +100,8 @@ jobs:
aws ecr batch-delete-image \ aws ecr batch-delete-image \
--region "${AWS_REGION}" \ --region "${AWS_REGION}" \
--repository-name "${ECR_REPOSITORY}" \ --repository-name "${ECR_REPOSITORY}" \
--image-ids "${image_ids}" >/dev/null --image-ids "${image_ids}" >/dev/null \
|| echo "Warning: ECR image cleanup failed; ensure the CI AWS user has ecr:BatchDeleteImage" >&2
fi fi
docker push "${ecr_image}:latest" docker push "${ecr_image}:latest"
@@ -111,14 +111,21 @@ jobs:
runs-on: wsl2-docker-host runs-on: wsl2-docker-host
steps: steps:
- name: Validate deploy configuration - name: Validate deploy configuration
env:
DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_REGION: ${{ secrets.AWS_REGION }}
run: | run: |
set -euo pipefail set -euo pipefail
test -n "${{ secrets.DEPLOY_SSH_KEY }}" test -n "${DEPLOY_SSH_KEY}"
test -n "${{ secrets.DEPLOY_HOST }}" test -n "${DEPLOY_HOST}"
test -n "${{ secrets.DEPLOY_USER }}" test -n "${DEPLOY_USER}"
test -n "${{ secrets.AWS_ACCESS_KEY_ID }}" test -n "${AWS_ACCESS_KEY_ID}"
test -n "${{ secrets.AWS_SECRET_ACCESS_KEY }}" test -n "${AWS_SECRET_ACCESS_KEY}"
test -n "${{ secrets.AWS_REGION }}" test -n "${AWS_REGION}"
- name: Deploy production server - name: Deploy production server
env: env:
@@ -128,11 +135,12 @@ jobs:
AWS_REGION: ${{ secrets.AWS_REGION }} AWS_REGION: ${{ secrets.AWS_REGION }}
DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }} DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
DEPLOY_USER: ${{ secrets.DEPLOY_USER }} DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
run: | run: |
set -euo pipefail set -euo pipefail
install -m 700 -d ~/.ssh install -m 700 -d ~/.ssh
printf '%s\n' '${{ secrets.DEPLOY_SSH_KEY }}' > ~/.ssh/eryao_deploy_key printf '%s\n' "${DEPLOY_SSH_KEY}" > ~/.ssh/eryao_deploy_key
chmod 600 ~/.ssh/eryao_deploy_key chmod 600 ~/.ssh/eryao_deploy_key
ssh-keyscan -H "${DEPLOY_HOST}" >> ~/.ssh/known_hosts ssh-keyscan -H "${DEPLOY_HOST}" >> ~/.ssh/known_hosts
deploy/README.md
+2
View File
@@ -174,6 +174,8 @@ DEPLOY_USER
`DEPLOY_SSH_KEY` 是已加入生产机器 `ubuntu` 用户 `~/.ssh/authorized_keys` 的部署专用私钥。 `DEPLOY_SSH_KEY` 是已加入生产机器 `ubuntu` 用户 `~/.ssh/authorized_keys` 的部署专用私钥。
当前生产机器对应:`DEPLOY_HOST=18.218.38.213``DEPLOY_USER=ubuntu` 当前生产机器对应:`DEPLOY_HOST=18.218.38.213``DEPLOY_USER=ubuntu`
CI 的 AWS 用户需要至少允许 ECR 登录、建仓库、推送镜像、列出镜像,以及为了覆盖式清理旧镜像所需的 `ecr:BatchDeleteImage`。如果缺少 `ecr:BatchDeleteImage`,部署仍可继续推送 `latest`,但 ECR 旧镜像不会被清空。
如需手动更新,在生产机器执行: 如需手动更新,在生产机器执行:
```bash ```bash