feat: 0.6.0 — 事务/版本化/类型化/inject/run
Some checks failed
Secrets CLI - Build & Release / 版本 & Release (push) Successful in 2s
Secrets CLI - Build & Release / 质量检查 (fmt / clippy / test) (push) Successful in 1m37s
Secrets CLI - Build & Release / Build (aarch64-apple-darwin) (push) Successful in 37s
Secrets CLI - Build & Release / Build (x86_64-unknown-linux-musl) (push) Successful in 50s
Secrets CLI - Build & Release / 发布草稿 Release (push) Successful in 2s
Secrets CLI - Build & Release / Build (x86_64-pc-windows-msvc) (push) Has been cancelled
Some checks failed
Secrets CLI - Build & Release / 版本 & Release (push) Successful in 2s
Secrets CLI - Build & Release / 质量检查 (fmt / clippy / test) (push) Successful in 1m37s
Secrets CLI - Build & Release / Build (aarch64-apple-darwin) (push) Successful in 37s
Secrets CLI - Build & Release / Build (x86_64-unknown-linux-musl) (push) Successful in 50s
Secrets CLI - Build & Release / 发布草稿 Release (push) Successful in 2s
Secrets CLI - Build & Release / Build (x86_64-pc-windows-msvc) (push) Has been cancelled
- 写路径事务化:add/update/delete 与 audit 同事务,update CAS 并发保护 - 版本化与回滚:secrets_history 表、version 字段、history/rollback 命令 - 类型化字段:key:=<json> 支持数字、布尔、数组、对象 - 临时 env 模式:inject 输出 KEY=VALUE,run 向子进程注入 - inject/run 至少需一个过滤条件;search -o env 使用 shell_quote;JSON 输出含 version Made-with: Cursor
This commit is contained in:
voson
134
AGENTS.md
134
AGENTS.md
@@ -10,17 +10,19 @@ secrets/
|
||||
main.rs # CLI 入口,clap 命令定义,auto-migrate,--verbose 全局参数
|
||||
output.rs # OutputMode 枚举 + TTY 检测(TTY→text,非 TTY→json-compact)
|
||||
config.rs # 配置读写:~/.config/secrets/config.toml(database_url)
|
||||
db.rs # PgPool 创建 + 建表/索引(幂等,含 audit_log + kv_config)
|
||||
db.rs # PgPool 创建 + 建表/索引(幂等,含 audit_log + kv_config + secrets_history)
|
||||
crypto.rs # AES-256-GCM 加解密、Argon2id 派生、OS 钥匙串
|
||||
models.rs # Secret 结构体(sqlx::FromRow + serde)
|
||||
audit.rs # 审计写入:向 audit_log 表记录所有写操作
|
||||
models.rs # Secret 结构体(sqlx::FromRow + serde,含 version 字段)
|
||||
audit.rs # 审计写入:log_tx(事务内)/ log(池,保留备用)
|
||||
commands/
|
||||
init.rs # init 命令:主密钥初始化(每台设备一次)
|
||||
add.rs # add 命令:upsert,支持 --meta key=value / --secret key=@file / -o json
|
||||
add.rs # add 命令:upsert,事务化,含历史快照,支持 key:=json 类型化值
|
||||
config.rs # config 命令:set-db / show / path(持久化 database_url)
|
||||
search.rs # search 命令:多条件查询,-f/-o/--summary/--limit/--offset/--sort
|
||||
delete.rs # delete 命令
|
||||
update.rs # update 命令:增量更新(合并 tags/metadata/encrypted)
|
||||
search.rs # search 命令:多条件查询,公开 fetch_rows / build_env_map
|
||||
delete.rs # delete 命令:事务化,含历史快照
|
||||
update.rs # update 命令:增量更新,CAS 并发保护,含历史快照
|
||||
rollback.rs # rollback / history 命令:版本回滚与历史查看
|
||||
run.rs # inject / run 命令:临时环境变量注入
|
||||
scripts/
|
||||
setup-gitea-actions.sh # 配置 Gitea Actions 变量与 Secrets
|
||||
.gitea/workflows/
|
||||
@@ -46,12 +48,30 @@ secrets (
|
||||
tags TEXT[] NOT NULL DEFAULT '{}', -- 灵活标签: ["aliyun","hongkong"]
|
||||
metadata JSONB NOT NULL DEFAULT '{}', -- 明文描述: ip, desc, domains, location...
|
||||
encrypted BYTEA NOT NULL DEFAULT '\x', -- AES-256-GCM 密文: nonce(12B)||ciphertext+tag
|
||||
version BIGINT NOT NULL DEFAULT 1, -- 乐观锁版本号,每次写操作自增
|
||||
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
|
||||
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
|
||||
UNIQUE(namespace, kind, name)
|
||||
)
|
||||
```
|
||||
|
||||
```sql
|
||||
secrets_history (
|
||||
id BIGINT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
|
||||
secret_id UUID NOT NULL, -- 对应 secrets.id
|
||||
namespace VARCHAR(64) NOT NULL,
|
||||
kind VARCHAR(64) NOT NULL,
|
||||
name VARCHAR(256) NOT NULL,
|
||||
version BIGINT NOT NULL, -- 被快照时的版本号
|
||||
action VARCHAR(16) NOT NULL, -- 'add' | 'update' | 'delete' | 'rollback'
|
||||
tags TEXT[] NOT NULL DEFAULT '{}',
|
||||
metadata JSONB NOT NULL DEFAULT '{}',
|
||||
encrypted BYTEA NOT NULL DEFAULT '\x', -- 快照时的加密密文
|
||||
actor VARCHAR(128) NOT NULL DEFAULT '',
|
||||
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
|
||||
)
|
||||
```
|
||||
|
||||
```sql
|
||||
kv_config (
|
||||
key TEXT PRIMARY KEY, -- 如 'argon2_salt'
|
||||
@@ -224,6 +244,13 @@ secrets add -n refining --kind service --name gitea \
|
||||
secrets add -n ricnsmart --kind service --name mqtt \
|
||||
-m host=mqtt.ricnsmart.com -m port=1883 \
|
||||
-s password=@./mqtt_password.txt
|
||||
|
||||
# 使用类型化值(key:=<json>)存储非字符串类型
|
||||
secrets add -n refining --kind service --name prometheus \
|
||||
-m scrape_interval:=15 \
|
||||
-m enabled:=true \
|
||||
-m labels:='["prod","metrics"]' \
|
||||
-s api_key=abc123
|
||||
```
|
||||
|
||||
---
|
||||
@@ -284,6 +311,98 @@ secrets delete -n ricnsmart --kind server --name i-old-server-id
|
||||
|
||||
---
|
||||
|
||||
### history — 查看变更历史
|
||||
|
||||
```bash
|
||||
# 参数说明
|
||||
# -n / --namespace refining | ricnsmart
|
||||
# --kind server | service
|
||||
# --name 记录名
|
||||
# --limit 返回条数(默认 20)
|
||||
|
||||
# 查看某条记录的历史版本列表
|
||||
secrets history -n refining --kind service --name gitea
|
||||
|
||||
# 查最近 5 条
|
||||
secrets history -n refining --kind service --name gitea --limit 5
|
||||
|
||||
# JSON 输出
|
||||
secrets history -n refining --kind service --name gitea -o json
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
### rollback — 回滚到指定版本
|
||||
|
||||
```bash
|
||||
# 参数说明
|
||||
# -n / --namespace refining | ricnsmart
|
||||
# --kind server | service
|
||||
# --name 记录名
|
||||
# --to-version <N> 目标版本号(省略则恢复最近一次快照)
|
||||
|
||||
# 撤销上次修改(回滚到最近一次快照)
|
||||
secrets rollback -n refining --kind service --name gitea
|
||||
|
||||
# 回滚到版本 3
|
||||
secrets rollback -n refining --kind service --name gitea --to-version 3
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
### inject — 输出临时环境变量
|
||||
|
||||
敏感值仅打印到 stdout,不持久化、不写入当前 shell。
|
||||
|
||||
```bash
|
||||
# 参数说明
|
||||
# -n / --namespace refining | ricnsmart
|
||||
# --kind server | service
|
||||
# --name 记录名
|
||||
# --tag 按 tag 过滤(可重复)
|
||||
# --prefix 变量名前缀(留空则以记录 name 作前缀)
|
||||
# -o / --output text(默认 KEY=VALUE)| json | json-compact
|
||||
|
||||
# 打印单条记录的所有变量(KEY=VALUE 格式)
|
||||
secrets inject -n refining --kind service --name gitea
|
||||
|
||||
# 自定义前缀
|
||||
secrets inject -n refining --kind service --name gitea --prefix GITEA
|
||||
|
||||
# JSON 格式(适合管道或脚本解析)
|
||||
secrets inject -n refining --kind service --name gitea -o json
|
||||
|
||||
# eval 注入当前 shell(谨慎使用)
|
||||
eval $(secrets inject -n refining --kind service --name gitea)
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
### run — 向子进程注入 secrets 并执行命令
|
||||
|
||||
secrets 仅作用于子进程环境,不修改当前 shell,进程退出码透传。
|
||||
|
||||
```bash
|
||||
# 参数说明
|
||||
# -n / --namespace refining | ricnsmart
|
||||
# --kind server | service
|
||||
# --name 记录名
|
||||
# --tag 按 tag 过滤(可重复)
|
||||
# --prefix 变量名前缀
|
||||
# -- <command> 执行的命令及参数
|
||||
|
||||
# 向脚本注入单条记录的 secrets
|
||||
secrets run -n refining --kind service --name gitea -- ./deploy.sh
|
||||
|
||||
# 按 tag 批量注入(多条记录合并)
|
||||
secrets run --tag production -- env | grep -i token
|
||||
|
||||
# 验证注入了哪些变量
|
||||
secrets run -n refining --kind service --name gitea -- printenv
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
### config — 配置管理(无需主密钥)
|
||||
|
||||
```bash
|
||||
@@ -366,6 +485,7 @@ cargo fmt -- --check && cargo clippy -- -D warnings && cargo test
|
||||
- 新版本自动打 Tag(格式 `secrets-<version>`)并上传二进制到 Gitea Release
|
||||
- 通知:飞书 Webhook(`vars.WEBHOOK_URL`)
|
||||
- 所需 secrets/vars:`RELEASE_TOKEN`(Release 上传,Gitea PAT)、`vars.WEBHOOK_URL`(通知,可选)
|
||||
- **注意**:Gitea Actions 的 Secret/Variable 创建时,`data`/`value` 字段需传入**原始值**,不要使用 base64 编码
|
||||
|
||||
## 环境变量
|
||||
|
||||
|
||||
Reference in New Issue
Block a user