From f5f27d049605ae30d43fb820829e9c5efcb69b3c Mon Sep 17 00:00:00 2001
From: qzl
Date: Thu, 30 Apr 2026 11:20:13 +0800
Subject: [PATCH] fix(deploy): avoid logging multiline secrets
---
 .gitea/workflows/build-production-docker.yml | 26 +++++++++++++-------
 deploy/README.md | 2 ++
 2 files changed, 19 insertions(+), 9 deletions(-)
diff --git a/.gitea/workflows/build-production-docker.yml b/.gitea/workflows/build-production-docker.yml
index a67e285..43fc6b7 100644
--- a/.gitea/workflows/build-production-docker.yml
+++ b/.gitea/workflows/build-production-docker.yml
@@ -26,7 +26,6 @@ jobs:
 test -n "${{ secrets.AWS_REGION }}"
 test -n "${{ secrets.AWS_ACCOUNT_ID }}"
 test -n "${{ secrets.ECR_REPOSITORY }}"
- test -n "${{ secrets.DEPLOY_SSH_KEY }}"
 - name: Build backend production image
 run: |
@@ -101,7 +100,8 @@ jobs:
 aws ecr batch-delete-image \
 --region "${AWS_REGION}" \
 --repository-name "${ECR_REPOSITORY}" \
- --image-ids "${image_ids}" >/dev/null
+ --image-ids "${image_ids}" >/dev/null \
+ || echo "Warning: ECR image cleanup failed; ensure the CI AWS user has ecr:BatchDeleteImage" >&2
 fi
 docker push "${ecr_image}:latest"
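Review bot: The three remaining `test -n "${{ secrets.AWS_REGION }}"` checks in the `@@ -26` hunk still splice secret values into the shell script through `${{ }}` interpolation, which is exactly the pattern the commit replaces in the validate-deploy step (the `@@ -111` hunk); a value containing a quote, `$` or newline would break the script and surface in the shell's error output. For consistency, expose these through the step's `env:` and check `test -n "${AWS_REGION}"` and so on, as the later hunk does. The enclosing step starts outside the hunk, so I cannot see whether it already carries an `env:` block.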
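Review bot: The new `|| echo "Warning: ..."` fallback in the `@@ -101` hunk attributes every failure of `aws ecr batch-delete-image` to a missing `ecr:BatchDeleteImage` permission, although a throttle, a network error or a malformed `${image_ids}` list takes the same branch, and the exit status is discarded. Include it so the warning can be triaged from the log, e.g. `|| echo "Warning: ECR image cleanup failed (exit $?); check that the CI AWS user has ecr:BatchDeleteImage" >&2`. The `if` that encloses this call starts outside the hunk.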
@@ -111,14 +111,21 @@ jobs:
 runs-on: wsl2-docker-host
 steps:
 - name: Validate deploy configuration
+ env:
+ DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
+ DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
+ DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ AWS_REGION: ${{ secrets.AWS_REGION }}
 run: |
 set -euo pipefail
- test -n "${{ secrets.DEPLOY_SSH_KEY }}"
- test -n "${{ secrets.DEPLOY_HOST }}"
- test -n "${{ secrets.DEPLOY_USER }}"
- test -n "${{ secrets.AWS_ACCESS_KEY_ID }}"
- test -n "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
- test -n "${{ secrets.AWS_REGION }}"
+ test -n "${DEPLOY_SSH_KEY}"
+ test -n "${DEPLOY_HOST}"
+ test -n "${DEPLOY_USER}"
+ test -n "${AWS_ACCESS_KEY_ID}"
+ test -n "${AWS_SECRET_ACCESS_KEY}"
+ test -n "${AWS_REGION}"
 - name: Deploy production server
 env:
@@ -128,11 +135,12 @@ jobs:
 AWS_REGION: ${{ secrets.AWS_REGION }}
 DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
 DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
+ DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
 run: |
 set -euo pipefail
 install -m 700 -d ~/.ssh
- printf '%s\n' '${{ secrets.DEPLOY_SSH_KEY }}' > ~/.ssh/eryao_deploy_key
+ printf '%s\n' "${DEPLOY_SSH_KEY}" > ~/.ssh/eryao_deploy_key
 chmod 600 ~/.ssh/eryao_deploy_key
 ssh-keyscan -H "${DEPLOY_HOST}" >> ~/.ssh/known_hosts
diff --git a/deploy/README.md b/deploy/README.md
index a637e7a..84aa518 100644
--- a/deploy/README.md
+++ b/deploy/README.md
@@ -174,6 +174,8 @@ DEPLOY_USER
 `DEPLOY_SSH_KEY` 是已加入生产机器 `ubuntu` 用户 `~/.ssh/authorized_keys` 的部署专用私钥。
 当前生产机器对应:`DEPLOY_HOST=18.218.38.213`,`DEPLOY_USER=ubuntu`。
+CI 的 AWS 用户需要至少允许 ECR 登录、建仓库、推送镜像、列出镜像,以及为了覆盖式清理旧镜像所需的 `ecr:BatchDeleteImage`。如果缺少 `ecr:BatchDeleteImage`,部署仍可继续推送 `latest`,但 ECR 旧镜像不会被清空。
+
 如需手动更新,在生产机器执行:
 ```bash
-- 
2.43.7
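Review bot: The rewritten `test -n "${DEPLOY_SSH_KEY}"` lines in the `@@ -111` hunk fail under `set -e` without saying which secret is empty, so a misconfigured repository yields a step that exits 1 with no message at all. Bash's `${VAR:?message}` form reports the variable name on stderr without printing its value, so `: "${DEPLOY_SSH_KEY:?DEPLOY_SSH_KEY secret is not set}"` keeps the no-secret-in-logs property this commit is after while making the failure self-explanatory; the same applies to the other five checks. `set -u` only catches an unset variable, and a secret that expands to the empty string still passes it, so the explicit check is still needed.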
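Review bot: In the `@@ -128` hunk, `printf '%s\n' "${DEPLOY_SSH_KEY}" > ~/.ssh/eryao_deploy_key` creates the key file under the runner's default umask and only the `chmod 600` on the next line tightens it, so on a shared runner the private key is briefly readable by other local users. Creating the file with its final mode first removes the window: `install -m 600 /dev/null ~/.ssh/eryao_deploy_key` before the `printf`, or run the `printf` inside `(umask 077; ...)`. Unrelated to this change but in the same step, `ssh-keyscan -H "${DEPLOY_HOST}" >> ~/.ssh/known_hosts` trusts whatever host key is presented at deploy time; pinning the production host key in a repository variable and writing that to `known_hosts` would close that gap.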