feat: secrets CLI MVP — add/search/delete with PostgreSQL JSONB

- Single `secrets` table with namespace/kind/name/tags/metadata/encrypted - Auto-migrate on startup using uuidv7() primary keys and GIN indexes - CLI commands: add (upsert, @file support), search (full-text + tags), delete - Multi-platform Gitea Actions: debian (x86_64-musl), darwin-arm64, windows - continue-on-error + timeout-minutes=30 for offline runner tolerance - VS Code tasks.json for local build/test/seed - AGENTS.md for AI context Made-with: Cursor
2026-03-18 14:10:45 +08:00
parent 3b5e26213c
commit 102e394914
16 changed files with 3656 additions and 544 deletions
--- a/scripts/setup-gitea-actions.sh
+++ b/scripts/setup-gitea-actions.sh
@@ -0,0 +1,177 @@
+#!/usr/bin/env bash
+#
+# 为 refining/secrets 仓库配置 Gitea Actions 所需的 Secrets 和 Variables
+# 参考: .gitea/workflows/secrets.yml
+#
+# 所需配置:
+#   - secrets.RELEASE_TOKEN  (必选) Release 上传用，值为 Gitea PAT
+#   - vars.WEBHOOK_URL       (可选) 飞书通知
+#
+# 注意: Gitea 不允许 secret/variable 名以 GITEA_ 或 GITHUB_ 开头，故使用 RELEASE_TOKEN
+#
+# 用法:
+#   1. 从 ~/.config/gitea/config.env 读取 GITEA_URL, GITEA_TOKEN, GITEA_WEBHOOK_URL
+#   2. 或通过环境变量覆盖: GITEA_TOKEN（作为 RELEASE_TOKEN 的值）, WEBHOOK_URL
+#   3. 或使用 secrets CLI 获取: 需 DATABASE_URL，从 refining/service gitea 读取
+#
+
+set -e
+
+OWNER="refining"
+REPO="secrets"
+
+# 解析参数
+USE_SECRETS_CLI=false
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    --from-secrets) USE_SECRETS_CLI=true; shift ;;
+    -h|--help)
+      echo "用法: $0 [--from-secrets]"
+      echo ""
+      echo "  --from-secrets  从 secrets CLI (refining/service gitea) 获取 token 和 webhook_url"
+      echo "                  否则从 ~/.config/gitea/config.env 读取"
+      echo ""
+      echo "环境变量覆盖:"
+      echo "  GITEA_URL        Gitea 实例地址"
+      echo "  GITEA_TOKEN      用于 Release 上传的 PAT (创建 RELEASE_TOKEN secret)"
+      echo "  WEBHOOK_URL      飞书 Webhook URL (创建 variable，可选)"
+      exit 0
+      ;;
+    *) shift ;;
+  esac
+done
+
+# 加载配置
+load_config() {
+  local config="$HOME/.config/gitea/config.env"
+  if [[ -f "$config" ]]; then
+    # shellcheck source=/dev/null
+    source "$config"
+  fi
+}
+
+# 从 secrets CLI 获取 gitea 凭据
+fetch_from_secrets() {
+  if ! command -v secrets &>/dev/null; then
+    echo "❌ secrets CLI 未找到，请先构建: cargo build --release" >&2
+    return 1
+  fi
+  # 输出 JSON 格式便于解析；需要 --show-secrets
+  # secrets 当前无 JSON 输出，用简单解析
+  local out
+  out=$(secrets search -n refining --kind service -q gitea --show-secrets 2>/dev/null || true)
+  if [[ -z "$out" ]]; then
+    echo "❌ 未找到 refining/service gitea 记录" >&2
+    return 1
+  fi
+  # 简化：从 metadata 和 secrets 中提取，实际格式需根据 search 输出调整
+  # 此处仅作占位，实际解析较复杂；建议用户优先用 config.env
+  echo "⚠️  --from-secrets 暂不支持自动解析，请使用 config.env 或环境变量" >&2
+  return 1
+}
+
+load_config
+
+# 优先使用环境变量
+if [[ -n "$GITEA_TOKEN" && -z "$GITEA_URL" ]]; then
+  echo "❌ 请设置 GITEA_URL (或确保 config.env 中有)" >&2
+  exit 1
+fi
+
+if [[ -z "$GITEA_URL" ]]; then
+  echo "❌ GITEA_URL 未配置"
+  echo "   请创建 ~/.config/gitea/config.env 或设置环境变量" >&2
+  exit 1
+fi
+
+# 去掉 URL 尾部斜杠
+GITEA_URL="${GITEA_URL%/}"
+# 确保使用 /api/v1 基础路径（若用户只写了根 URL）
+[[ "$GITEA_URL" != *"/api/v1"* ]] || true
+
+API_BASE="${GITEA_URL}/api/v1"
+
+# 获取 GITEA_TOKEN（作为 workflow 中 secrets.RELEASE_TOKEN 的值）
+if [[ -z "$GITEA_TOKEN" ]]; then
+  if $USE_SECRETS_CLI; then
+    fetch_from_secrets || exit 1
+  fi
+  echo "❌ GITEA_TOKEN 未配置"
+  echo "   在 ~/.config/gitea/config.env 中设置，或 export GITEA_TOKEN=xxx" >&2
+  echo "   Token 需具备 repo 写权限（创建 Release、上传附件）" >&2
+  exit 1
+fi
+
+echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+echo "配置 Gitea Actions: $OWNER/$REPO"
+echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+echo ""
+
+# 1. 创建 Secret: RELEASE_TOKEN
+echo "1. 创建 Secret: RELEASE_TOKEN"
+encoded=$(echo -n "$GITEA_TOKEN" | base64)
+resp=$(curl -s -w "\n%{http_code}" -X PUT \
+  -H "Authorization: token $GITEA_TOKEN" \
+  -H "Content-Type: application/json" \
+  -d "{\"data\":\"${encoded}\"}" \
+  "${API_BASE}/repos/${OWNER}/${REPO}/actions/secrets/RELEASE_TOKEN")
+http_code=$(echo "$resp" | tail -n1)
+body=$(echo "$resp" | sed '$d')
+
+if [[ "$http_code" == "200" || "$http_code" == "201" || "$http_code" == "204" ]]; then
+  echo "   ✓ RELEASE_TOKEN 已创建/更新"
+else
+  echo "   ❌ 失败 (HTTP $http_code)" >&2
+  echo "$body" | jq -r '.message // .' 2>/dev/null || echo "$body" >&2
+  exit 1
+fi
+
+# 2. 创建/更新 Variable: WEBHOOK_URL（可选）
+WEBHOOK_VALUE="${WEBHOOK_URL:-$GITEA_WEBHOOK_URL}"
+if [[ -n "$WEBHOOK_VALUE" ]]; then
+  echo ""
+  echo "2. 创建/更新 Variable: WEBHOOK_URL"
+  resp=$(curl -s -w "\n%{http_code}" -X POST \
+    -H "Authorization: token $GITEA_TOKEN" \
+    -H "Content-Type: application/json" \
+    -d "{\"value\":\"${WEBHOOK_VALUE}\"}" \
+    "${API_BASE}/repos/${OWNER}/${REPO}/actions/variables/WEBHOOK_URL")
+  http_code=$(echo "$resp" | tail -n1)
+  body=$(echo "$resp" | sed '$d')
+
+  if [[ "$http_code" == "200" || "$http_code" == "201" || "$http_code" == "204" ]]; then
+    echo "   ✓ WEBHOOK_URL 已创建/更新"
+  elif [[ "$http_code" == "409" ]]; then
+    # 变量已存在，用 PUT 更新
+    resp=$(curl -s -w "\n%{http_code}" -X PUT \
+      -H "Authorization: token $GITEA_TOKEN" \
+      -H "Content-Type: application/json" \
+      -d "{\"value\":\"${WEBHOOK_VALUE}\"}" \
+      "${API_BASE}/repos/${OWNER}/${REPO}/actions/variables/WEBHOOK_URL")
+    http_code=$(echo "$resp" | tail -n1)
+    if [[ "$http_code" == "200" || "$http_code" == "204" ]]; then
+      echo "   ✓ WEBHOOK_URL 已更新"
+    else
+      echo "   ⚠ 更新失败 (HTTP $http_code)" >&2
+    fi
+  else
+    echo "   ⚠ 失败 (HTTP $http_code)，飞书通知将不可用" >&2
+  fi
+else
+  echo ""
+  echo "2. 跳过 WEBHOOK_URL（未配置 GITEA_WEBHOOK_URL 或 WEBHOOK_URL）"
+  echo "   飞书通知将不可用；如需可后续在仓库 Settings → Variables 中添加"
+fi
+
+echo ""
+echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+echo "✓ 配置完成"
+echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+echo ""
+echo "Workflow 将使用:"
+echo "  - secrets.RELEASE_TOKEN  创建 Release 并上传二进制"
+echo "  - vars.WEBHOOK_URL     发送飞书通知（如已配置）"
+echo ""
+echo "推送代码触发构建:"
+echo "  git push origin main"
+echo ""