ci: 恢复 secrets workflow 为标准发版流程

Made-with: Cursor

.gitea/workflows/secrets.yml

@@ -10,13 +10,6 @@ on:
       # systemd / 部署模板变更也应跑构建（产物无变时可快速跳过 check）
       - 'deploy/**'
       - '.gitea/workflows/**'
-  workflow_dispatch:
-    inputs:
-      release_build:
-        description: "同时执行版本发布、打 tag 与部署"
-        required: false
-        type: boolean
-        default: false
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -34,66 +27,8 @@ env:
   RUST_BACKTRACE: short
 
 jobs:
-  changes:
-    name: 检测变更范围
-    runs-on: debian
-    outputs:
-      build_required: ${{ steps.scope.outputs.build_required }}
-      release_required: ${{ steps.scope.outputs.release_required }}
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: 计算构建 / 发版范围
-        id: scope
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          build_required=false
-          release_required=false
-
-          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-            build_required=true
-            release_required="${{ inputs.release_build }}"
-          else
-            before="${{ github.event.before }}"
-            if [ -z "$before" ] || [ "$before" = "0000000000000000000000000000000000000000" ]; then
-              before=$(git rev-parse HEAD^ 2>/dev/null || true)
-            fi
-
-            if [ -n "$before" ]; then
-              changed_files=$(git diff --name-only "$before" "${{ github.sha }}")
-            else
-              changed_files=$(git show --pretty='' --name-only "${{ github.sha }}")
-            fi
-
-            echo "changed files:"
-            printf '%s\n' "$changed_files"
-
-            while IFS= read -r file; do
-              [ -z "$file" ] && continue
-              case "$file" in
-                crates/*|Cargo.toml|Cargo.lock)
-                  release_required=true
-                  build_required=true
-                  ;;
-                deploy/*|.gitea/workflows/*)
-                  build_required=true
-                  ;;
-              esac
-            done <<< "$changed_files"
-          fi
-
-          echo "build_required=${build_required}" >> "$GITHUB_OUTPUT"
-          echo "release_required=${release_required}" >> "$GITHUB_OUTPUT"
-          echo "build_required=${build_required}, release_required=${release_required}"
-
   version:
     name: 版本 & Release
-    needs: [changes]
-    if: needs.changes.outputs.release_required == 'true'
     runs-on: debian
     outputs:
       version: ${{ steps.ver.outputs.version }}
@@ -205,10 +140,7 @@ jobs:
 
   check:
     name: 质量检查 (fmt / clippy / test)
-    needs: [changes, version]
-    if: |
-      needs.changes.outputs.build_required == 'true' &&
-      (needs.changes.outputs.release_required != 'true' || needs.version.result == 'success')
+    needs: [version]
     runs-on: debian
     timeout-minutes: 15
     steps:
@@ -244,11 +176,7 @@ jobs:
 
   build-linux:
     name: Build Linux (secrets-mcp, musl)
-    needs: [changes, version, check]
-    if: |
-      needs.changes.outputs.build_required == 'true' &&
-      needs.check.result == 'success' &&
-      (needs.changes.outputs.release_required != 'true' || needs.version.result == 'success')
+    needs: [version, check]
     runs-on: debian
     timeout-minutes: 25
     steps:
@@ -311,7 +239,6 @@ jobs:
           [ -z "$WEBHOOK_URL" ] && exit 0
           command -v jq >/dev/null 2>&1 || (sudo apt-get update -qq && sudo apt-get install -y -qq jq)
           tag="${{ needs.version.outputs.tag }}"
-          [ -z "$tag" ] && tag="build-only"
           commit=$(git log -1 --pretty=format:"%s" 2>/dev/null || echo "N/A")
           url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_number }}"
           result="${{ job.status }}"
@@ -326,13 +253,13 @@ jobs:
 
   deploy-mcp:
     name: 部署 secrets-mcp
-    needs: [changes, version, build-linux]
+    needs: [version, build-linux]
     # 部署目标由仓库 Actions 配置：vars.DEPLOY_HOST / vars.DEPLOY_USER；私钥 secrets.DEPLOY_SSH_KEY（PEM 原文，勿 base64）
     # （可用 scripts/setup-gitea-actions.sh 或 Gitea API 写入，勿写进本文件）
     # Google OAuth / SERVER_MASTER_KEY / SECRETS_DATABASE_URL 等勿写入 CI，请在 ECS 上
     # /opt/secrets-mcp/.env 配置（见 deploy/.env.example）。
     # 若仓库 main 仍为纯 CLI、仅 feat/mcp 含本 workflow，请去掉条件里的 main，避免误部署。
-    if: needs.changes.outputs.release_required == 'true' && needs.build-linux.result == 'success' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/feat/mcp' || github.ref == 'refs/heads/mcp')
+    if: needs.build-linux.result == 'success' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/feat/mcp' || github.ref == 'refs/heads/mcp')
     runs-on: debian
     timeout-minutes: 10
     steps:
@@ -406,7 +333,6 @@ jobs:
           [ -z "$WEBHOOK_URL" ] && exit 0
           command -v jq >/dev/null 2>&1 || (sudo apt-get update -qq && sudo apt-get install -y -qq jq)
           tag="${{ needs.version.outputs.tag }}"
-          [ -z "$tag" ] && tag="build-only"
           commit=$(git log -1 --pretty=format:"%s" 2>/dev/null || echo "N/A")
           url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_number }}"
           result="${{ job.status }}"
@@ -421,8 +347,8 @@ jobs:
 
   publish-release:
     name: 发布草稿 Release
-    needs: [changes, version, build-linux]
-    if: needs.changes.outputs.release_required == 'true' && always() && needs.version.outputs.release_id != ''
+    needs: [version, build-linux]
+    if: always() && needs.version.outputs.release_id != ''
     runs-on: debian
     timeout-minutes: 5
     steps: