fix(deploy): avoid logging multiline secrets

.gitea/workflows/build-production-docker.yml

@@ -26,7 +26,6 @@ jobs:
           test -n "${{ secrets.AWS_REGION }}"
           test -n "${{ secrets.AWS_ACCOUNT_ID }}"
           test -n "${{ secrets.ECR_REPOSITORY }}"
-          test -n "${{ secrets.DEPLOY_SSH_KEY }}"
 
       - name: Build backend production image
         run: |
@@ -101,7 +100,8 @@ jobs:
             aws ecr batch-delete-image \
               --region "${AWS_REGION}" \
               --repository-name "${ECR_REPOSITORY}" \
-              --image-ids "${image_ids}" >/dev/null
+              --image-ids "${image_ids}" >/dev/null \
+              || echo "Warning: ECR image cleanup failed; ensure the CI AWS user has ecr:BatchDeleteImage" >&2
           fi
 
           docker push "${ecr_image}:latest"
@@ -111,14 +111,21 @@ jobs:
     runs-on: wsl2-docker-host
     steps:
       - name: Validate deploy configuration
+        env:
+          DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
+          DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
+          DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_REGION: ${{ secrets.AWS_REGION }}
         run: |
           set -euo pipefail
-          test -n "${{ secrets.DEPLOY_SSH_KEY }}"
-          test -n "${{ secrets.DEPLOY_HOST }}"
-          test -n "${{ secrets.DEPLOY_USER }}"
-          test -n "${{ secrets.AWS_ACCESS_KEY_ID }}"
-          test -n "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
-          test -n "${{ secrets.AWS_REGION }}"
+          test -n "${DEPLOY_SSH_KEY}"
+          test -n "${DEPLOY_HOST}"
+          test -n "${DEPLOY_USER}"
+          test -n "${AWS_ACCESS_KEY_ID}"
+          test -n "${AWS_SECRET_ACCESS_KEY}"
+          test -n "${AWS_REGION}"
 
       - name: Deploy production server
         env:
@@ -128,11 +135,12 @@ jobs:
           AWS_REGION: ${{ secrets.AWS_REGION }}
           DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
           DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
+          DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
         run: |
           set -euo pipefail
 
           install -m 700 -d ~/.ssh
-          printf '%s\n' '${{ secrets.DEPLOY_SSH_KEY }}' > ~/.ssh/eryao_deploy_key
+          printf '%s\n' "${DEPLOY_SSH_KEY}" > ~/.ssh/eryao_deploy_key
           chmod 600 ~/.ssh/eryao_deploy_key
           ssh-keyscan -H "${DEPLOY_HOST}" >> ~/.ssh/known_hosts
 

deploy/README.md

@@ -174,6 +174,8 @@ DEPLOY_USER
 `DEPLOY_SSH_KEY` 是已加入生产机器 `ubuntu` 用户 `~/.ssh/authorized_keys` 的部署专用私钥。
 当前生产机器对应：`DEPLOY_HOST=18.218.38.213`，`DEPLOY_USER=ubuntu`。
 
+CI 的 AWS 用户需要至少允许 ECR 登录、建仓库、推送镜像、列出镜像，以及为了覆盖式清理旧镜像所需的 `ecr:BatchDeleteImage`。如果缺少 `ecr:BatchDeleteImage`，部署仍可继续推送 `latest`，但 ECR 旧镜像不会被清空。
+
 如需手动更新，在生产机器执行：
 
 ```bash