From 9cebbd7587e2ae5321ac68c74eab189b228c858b Mon Sep 17 00:00:00 2001
From: voson
Date: Sat, 21 Mar 2026 09:10:05 +0800
Subject: [PATCH] =?UTF-8?q?ci:=20=E6=94=AF=E6=8C=81=E6=9E=84=E5=BB=BA?=
 =?UTF-8?q?=E9=87=8D=E8=B7=91=E5=B9=B6=E8=B7=B3=E8=BF=87=E9=87=8D=E5=A4=8D?=
 =?UTF-8?q?=E5=8F=91=E7=89=88?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

让 workflow 根据变更范围区分发版构建与仅验证构建,并补充手动触发入口,避免已有版本 tag 阻塞缓存恢复后的重跑验证。

Made-with: Cursor
---
 .gitea/workflows/secrets.yml | 86 +++++++++++++++++++++++++++++++++---
 1 file changed, 80 insertions(+), 6 deletions(-)

diff --git a/.gitea/workflows/secrets.yml b/.gitea/workflows/secrets.yml
index 7e37d04..b8eb019 100644
--- a/.gitea/workflows/secrets.yml
+++ b/.gitea/workflows/secrets.yml
@@ -10,6 +10,13 @@ on:
       # systemd / 部署模板变更也应跑构建(产物无变时可快速跳过 check)
       - 'deploy/**'
       - '.gitea/workflows/**'
+  workflow_dispatch:
+    inputs:
+      release_build:
+        description: "同时执行版本发布、打 tag 与部署"
+        required: false
+        type: boolean
+        default: false
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
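Review bot: The new `workflow_dispatch` input lets `release_build: true` be triggered from any ref, and the only branch guard visible in this patch is the one on `deploy-mcp`, so a manual run from a feature branch would appear to reach the `version` job's tag and Release steps (those steps lie outside the hunks; this is inferred from the job name and its `tag`/`release_id` outputs). Either narrow the `version` gate added in the next hunk, e.g. `if: needs.changes.outputs.release_required == 'true' && (github.event_name != 'workflow_dispatch' || github.ref == 'refs/heads/main')`, or state the expectation in the input `description` so operators know that a manual release build tags and publishes whatever ref it is run from.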
@@ -27,8 +34,66 @@ env:
   RUST_BACKTRACE: short
 
 jobs:
+  changes:
+    name: 检测变更范围
+    runs-on: debian
+    outputs:
+      build_required: ${{ steps.scope.outputs.build_required }}
+      release_required: ${{ steps.scope.outputs.release_required }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: 计算构建 / 发版范围
+        id: scope
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          build_required=false
+          release_required=false
+
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            build_required=true
+            release_required="${{ inputs.release_build }}"
+          else
+            before="${{ github.event.before }}"
+            if [ -z "$before" ] || [ "$before" = "0000000000000000000000000000000000000000" ]; then
+              before=$(git rev-parse HEAD^ 2>/dev/null || true)
+            fi
+
+            if [ -n "$before" ]; then
+              changed_files=$(git diff --name-only "$before" "${{ github.sha }}")
+            else
+              changed_files=$(git show --pretty='' --name-only "${{ github.sha }}")
+            fi
+
+            echo "changed files:"
+            printf '%s\n' "$changed_files"
+
+            while IFS= read -r file; do
+              [ -z "$file" ] && continue
+              case "$file" in
+                crates/*|Cargo.toml|Cargo.lock)
+                  release_required=true
+                  build_required=true
+                  ;;
+                deploy/*|.gitea/workflows/*)
+                  build_required=true
+                  ;;
+              esac
+            done <<< "$changed_files"
+          fi
+
+          echo "build_required=${build_required}" >> "$GITHUB_OUTPUT"
+          echo "release_required=${release_required}" >> "$GITHUB_OUTPUT"
+          echo "build_required=${build_required}, release_required=${release_required}"
+
   version:
     name: 版本 & Release
+    needs: [changes]
+    if: needs.changes.outputs.release_required == 'true'
     runs-on: debian
     outputs:
       version: ${{ steps.ver.outputs.version }}
@@ -140,7 +205,10 @@ jobs:
 
   check:
     name: 质量检查 (fmt / clippy / test)
-    needs: [version]
+    needs: [changes, version]
+    if: |
+      needs.changes.outputs.build_required == 'true' &&
+      (needs.changes.outputs.release_required != 'true' || needs.version.result == 'success')
     runs-on: debian
     timeout-minutes: 15
     steps:
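Review bot: On a build-only push (`release_required` false) the `version` job is now skipped, yet `version` stays in `check`'s `needs` and the new gate contains no `always()`/`!cancelled()`, so under GitHub-compatible semantics the implicit `success()` skips `check` too and the verification run this commit sets out to enable never happens; `build-linux` in the next hunk has the same shape. Because the expression already inspects `needs.version.result` explicitly, adding `!cancelled() &&` as the first clause inside the existing `if: |` block (a leading `!` is safe in a block scalar; a plain scalar would need `${{ }}`) keeps the intended gating while tolerating the skipped dependency — whether act_runner applies the implicit `success()` rule identically is worth confirming with a deploy-only push before relying on it. Separately, in the `scope` step `git diff --name-only "$before" "${{ github.sha }}"` aborts the job under `set -e` whenever `github.event.before` is not present in the checkout (force-push or rewritten history), which fails the whole pipeline instead of degrading; inserting `git cat-file -e "$before^{commit}" 2>/dev/null || before=""` before the `if [ -n "$before" ]` branch routes that case to the single-commit fallback. Note also that the `HEAD^` fallback for a new branch only inspects the last commit, so earlier commits in that first push are not classified.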
@@ -176,7 +244,11 @@ jobs:
 
   build-linux:
     name: Build Linux (secrets-mcp, musl)
-    needs: [version, check]
+    needs: [changes, version, check]
+    if: |
+      needs.changes.outputs.build_required == 'true' &&
+      needs.check.result == 'success' &&
+      (needs.changes.outputs.release_required != 'true' || needs.version.result == 'success')
     runs-on: debian
     timeout-minutes: 25
     steps:
@@ -239,6 +311,7 @@ jobs:
           [ -z "$WEBHOOK_URL" ] && exit 0
           command -v jq >/dev/null 2>&1 || (sudo apt-get update -qq && sudo apt-get install -y -qq jq)
           tag="${{ needs.version.outputs.tag }}"
+          [ -z "$tag" ] && tag="build-only"
           commit=$(git log -1 --pretty=format:"%s" 2>/dev/null || echo "N/A")
           url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_number }}"
           result="${{ job.status }}"
@@ -253,13 +326,13 @@ jobs:
 
   deploy-mcp:
     name: 部署 secrets-mcp
-    needs: [version, build-linux]
+    needs: [changes, version, build-linux]
     # 部署目标由仓库 Actions 配置:vars.DEPLOY_HOST / vars.DEPLOY_USER;私钥 secrets.DEPLOY_SSH_KEY(PEM 原文,勿 base64)
     # (可用 scripts/setup-gitea-actions.sh 或 Gitea API 写入,勿写进本文件)
     # Google OAuth / SERVER_MASTER_KEY / SECRETS_DATABASE_URL 等勿写入 CI,请在 ECS 上
     # /opt/secrets-mcp/.env 配置(见 deploy/.env.example)。
     # 若仓库 main 仍为纯 CLI、仅 feat/mcp 含本 workflow,请去掉条件里的 main,避免误部署。
-    if: needs.build-linux.result == 'success' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/feat/mcp' || github.ref == 'refs/heads/mcp')
+    if: needs.changes.outputs.release_required == 'true' && needs.build-linux.result == 'success' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/feat/mcp' || github.ref == 'refs/heads/mcp')
     runs-on: debian
     timeout-minutes: 10
     steps:
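Review bot: The rewritten `deploy-mcp` gate in the last hunk is one long plain-scalar line, while `check` and `build-linux` in this same patch express their gates as an `if: |` block with one clause per line; keeping all three in the block form makes the new `release_required` clause visible at a glance and keeps future edits to one clause diffable. The same holds for `publish-release` in the following hunk. A block-scalar version of the deploy gate would read `if: |` followed by `needs.changes.outputs.release_required == 'true' &&`, `needs.build-linux.result == 'success' &&`, and the existing parenthesised ref check on its own line.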
@@ -333,6 +406,7 @@ jobs:
           [ -z "$WEBHOOK_URL" ] && exit 0
           command -v jq >/dev/null 2>&1 || (sudo apt-get update -qq && sudo apt-get install -y -qq jq)
           tag="${{ needs.version.outputs.tag }}"
+          [ -z "$tag" ] && tag="build-only"
           commit=$(git log -1 --pretty=format:"%s" 2>/dev/null || echo "N/A")
           url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_number }}"
           result="${{ job.status }}"
@@ -347,8 +421,8 @@ jobs:
 
   publish-release:
     name: 发布草稿 Release
-    needs: [version, build-linux]
-    if: always() && needs.version.outputs.release_id != ''
+    needs: [changes, version, build-linux]
+    if: needs.changes.outputs.release_required == 'true' && always() && needs.version.outputs.release_id != ''
     runs-on: debian
     timeout-minutes: 5
     steps: