Merge dev into main: fix deployment secret handling

Avoid logging multiline deploy secrets and document ECR cleanup permissions.
fix(deploy): avoid logging multiline secrets
2026-04-30 11:20:21 +08:00 · 2026-04-30 11:20:13 +08:00
2 changed files with 19 additions and 9 deletions
@@ -26,7 +26,6 @@ jobs:
          test -n "${{ secrets.AWS_REGION }}"
          test -n "${{ secrets.AWS_ACCOUNT_ID }}"
          test -n "${{ secrets.ECR_REPOSITORY }}"
-          test -n "${{ secrets.DEPLOY_SSH_KEY }}"

      - name: Build backend production image
        run: |
@@ -101,7 +100,8 @@ jobs:
            aws ecr batch-delete-image \
              --region "${AWS_REGION}" \
              --repository-name "${ECR_REPOSITORY}" \
-              --image-ids "${image_ids}" >/dev/null
+              --image-ids "${image_ids}" >/dev/null \
+              || echo "Warning: ECR image cleanup failed; ensure the CI AWS user has ecr:BatchDeleteImage" >&2
          fi

          docker push "${ecr_image}:latest"
@@ -111,14 +111,21 @@ jobs:
    runs-on: wsl2-docker-host
    steps:
      - name: Validate deploy configuration
+        env:
+          DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
+          DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
+          DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_REGION: ${{ secrets.AWS_REGION }}
        run: |
          set -euo pipefail
-          test -n "${{ secrets.DEPLOY_SSH_KEY }}"
-          test -n "${{ secrets.DEPLOY_HOST }}"
-          test -n "${{ secrets.DEPLOY_USER }}"
-          test -n "${{ secrets.AWS_ACCESS_KEY_ID }}"
-          test -n "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
-          test -n "${{ secrets.AWS_REGION }}"
+          test -n "${DEPLOY_SSH_KEY}"
+          test -n "${DEPLOY_HOST}"
+          test -n "${DEPLOY_USER}"
+          test -n "${AWS_ACCESS_KEY_ID}"
+          test -n "${AWS_SECRET_ACCESS_KEY}"
+          test -n "${AWS_REGION}"

      - name: Deploy production server
        env:
@@ -128,11 +135,12 @@ jobs:
          AWS_REGION: ${{ secrets.AWS_REGION }}
          DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
          DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
+          DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
        run: |
          set -euo pipefail

          install -m 700 -d ~/.ssh
-          printf '%s\n' '${{ secrets.DEPLOY_SSH_KEY }}' > ~/.ssh/eryao_deploy_key
+          printf '%s\n' "${DEPLOY_SSH_KEY}" > ~/.ssh/eryao_deploy_key
          chmod 600 ~/.ssh/eryao_deploy_key
          ssh-keyscan -H "${DEPLOY_HOST}" >> ~/.ssh/known_hosts

@@ -174,6 +174,8 @@ DEPLOY_USER
 `DEPLOY_SSH_KEY` 是已加入生产机器 `ubuntu` 用户 `~/.ssh/authorized_keys` 的部署专用私钥。
 当前生产机器对应：`DEPLOY_HOST=18.218.38.213`，`DEPLOY_USER=ubuntu`。

+CI 的 AWS 用户需要至少允许 ECR 登录、建仓库、推送镜像、列出镜像，以及为了覆盖式清理旧镜像所需的 `ecr:BatchDeleteImage`。如果缺少 `ecr:BatchDeleteImage`，部署仍可继续推送 `latest`，但 ECR 旧镜像不会被清空。
+
 如需手动更新，在生产机器执行：

 ```bash
Author	SHA1	Message	Date
qzl	786acfe010	Merge dev into main: fix deployment secret handling Build production Docker image / build-backend-image (push) Successful in 53s Details Build production Docker image / deploy-production (push) Failing after 6s Details Avoid logging multiline deploy secrets and document ECR cleanup permissions.	2026-04-30 11:20:21 +08:00
qzl	f5f27d0496	fix(deploy): avoid logging multiline secrets	2026-04-30 11:20:13 +08:00