diff --git a/.gitea/workflows/secrets.yml b/.gitea/workflows/secrets.yml index 7e37d04..bfc04d2 100644 --- a/.gitea/workflows/secrets.yml +++ b/.gitea/workflows/secrets.yml @@ -7,7 +7,6 @@ on: - 'crates/**' - 'Cargo.toml' - 'Cargo.lock' - # systemd / 部署模板变更也应跑构建(产物无变时可快速跳过 check) - 'deploy/**' - '.gitea/workflows/**' @@ -25,6 +24,7 @@ env: CARGO_NET_RETRY: 10 CARGO_TERM_COLOR: always RUST_BACKTRACE: short + MUSL_TARGET: x86_64-unknown-linux-musl jobs: version: @@ -138,6 +138,7 @@ jobs: echo "release_id=" >> "$GITHUB_OUTPUT" fi + # check 与 build-linux 并行执行,互不阻塞 check: name: 质量检查 (fmt / clippy / test) needs: [version] @@ -165,6 +166,7 @@ jobs: ~/.cargo/registry/index ~/.cargo/registry/cache ~/.cargo/git/db + target key: cargo-check-${{ env.RUST_TOOLCHAIN }}-${{ hashFiles('Cargo.lock') }} restore-keys: | cargo-check-${{ env.RUST_TOOLCHAIN }}- @@ -175,8 +177,8 @@ jobs: - run: cargo test --locked build-linux: - name: Build Linux (secrets-mcp, musl) - needs: [version, check] + name: Build Linux (musl) + needs: [version] runs-on: debian timeout-minutes: 25 steps: @@ -191,7 +193,7 @@ jobs: source "$HOME/.cargo/env" 2>/dev/null || true rustup toolchain install "${RUST_TOOLCHAIN}" --profile minimal rustup default "${RUST_TOOLCHAIN}" - rustup target add x86_64-unknown-linux-musl --toolchain "${RUST_TOOLCHAIN}" + rustup target add ${{ env.MUSL_TARGET }} --toolchain "${RUST_TOOLCHAIN}" rustc -V cargo -V @@ -204,15 +206,23 @@ jobs: ~/.cargo/registry/index ~/.cargo/registry/cache ~/.cargo/git/db - key: cargo-x86_64-unknown-linux-musl-${{ env.RUST_TOOLCHAIN }}-${{ hashFiles('Cargo.lock') }} + target + key: cargo-${{ env.MUSL_TARGET }}-${{ env.RUST_TOOLCHAIN }}-${{ hashFiles('Cargo.lock') }} restore-keys: | - cargo-x86_64-unknown-linux-musl-${{ env.RUST_TOOLCHAIN }}- - cargo-x86_64-unknown-linux-musl- + cargo-${{ env.MUSL_TARGET }}-${{ env.RUST_TOOLCHAIN }}- + cargo-${{ env.MUSL_TARGET }}- - name: 构建 secrets-mcp (musl) run: | - cargo build --release --locked --target x86_64-unknown-linux-musl -p secrets-mcp - strip target/x86_64-unknown-linux-musl/release/${{ env.MCP_BINARY }} + cargo build --release --locked --target ${{ env.MUSL_TARGET }} -p secrets-mcp + strip target/${{ env.MUSL_TARGET }}/release/${{ env.MCP_BINARY }} + + - name: 上传构建产物 + uses: actions/upload-artifact@v3 + with: + name: ${{ env.MCP_BINARY }}-linux-musl + path: target/${{ env.MUSL_TARGET }}/release/${{ env.MCP_BINARY }} + retention-days: 3 - name: 上传 Release 产物 if: needs.version.outputs.release_id != '' @@ -221,7 +231,7 @@ jobs: run: | [ -z "$RELEASE_TOKEN" ] && exit 0 tag="${{ needs.version.outputs.tag }}" - bin="target/x86_64-unknown-linux-musl/release/${{ env.MCP_BINARY }}" + bin="target/${{ env.MUSL_TARGET }}/release/${{ env.MCP_BINARY }}" archive="${{ env.MCP_BINARY }}-${tag}-x86_64-linux-musl.tar.gz" tar -czf "$archive" -C "$(dirname "$bin")" "$(basename "$bin")" sha256sum "$archive" > "${archive}.sha256" @@ -231,70 +241,21 @@ jobs: curl -fsS -H "Authorization: token $RELEASE_TOKEN" \ -F "attachment=@${archive}.sha256" "$release_url" - - name: 飞书通知 - if: always() - env: - WEBHOOK_URL: ${{ vars.WEBHOOK_URL }} - run: | - [ -z "$WEBHOOK_URL" ] && exit 0 - command -v jq >/dev/null 2>&1 || (sudo apt-get update -qq && sudo apt-get install -y -qq jq) - tag="${{ needs.version.outputs.tag }}" - commit=$(git log -1 --pretty=format:"%s" 2>/dev/null || echo "N/A") - url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_number }}" - result="${{ job.status }}" - if [ "$result" = "success" ]; then icon="✅"; else icon="❌"; fi - msg="secrets-mcp linux 构建${icon} - 版本:${tag} - 提交:${commit} - 作者:${{ github.actor }} - 详情:${url}" - payload=$(jq -n --arg text "$msg" '{msg_type: "text", content: {text: $text}}') - curl -sS -H "Content-Type: application/json" -X POST -d "$payload" "$WEBHOOK_URL" - deploy-mcp: name: 部署 secrets-mcp - needs: [version, build-linux] - # 部署目标由仓库 Actions 配置:vars.DEPLOY_HOST / vars.DEPLOY_USER;私钥 secrets.DEPLOY_SSH_KEY(PEM 原文,勿 base64) - # (可用 scripts/setup-gitea-actions.sh 或 Gitea API 写入,勿写进本文件) - # Google OAuth / SERVER_MASTER_KEY / SECRETS_DATABASE_URL 等勿写入 CI,请在 ECS 上 - # /opt/secrets-mcp/.env 配置(见 deploy/.env.example)。 - # 若仓库 main 仍为纯 CLI、仅 feat/mcp 含本 workflow,请去掉条件里的 main,避免误部署。 - if: needs.build-linux.result == 'success' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/feat/mcp' || github.ref == 'refs/heads/mcp') + needs: [version, check, build-linux] + if: | + needs.check.result == 'success' && + needs.build-linux.result == 'success' && + (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/feat/mcp' || github.ref == 'refs/heads/mcp') runs-on: debian timeout-minutes: 10 steps: - - uses: actions/checkout@v4 - - - name: 安装 Rust - run: | - if ! command -v rustup >/dev/null 2>&1; then - curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain "${RUST_TOOLCHAIN}" - echo "$HOME/.cargo/bin" >> "$GITHUB_PATH" - fi - source "$HOME/.cargo/env" 2>/dev/null || true - sudo apt-get update -qq && sudo apt-get install -y -qq pkg-config musl-tools - rustup toolchain install "${RUST_TOOLCHAIN}" --profile minimal - rustup default "${RUST_TOOLCHAIN}" - rustup target add x86_64-unknown-linux-musl --toolchain "${RUST_TOOLCHAIN}" - rustc -V - cargo -V - - - name: 缓存 Cargo - uses: actions/cache@v4 + - name: 下载构建产物 + uses: actions/download-artifact@v3 with: - path: | - ~/.cargo/registry/index - ~/.cargo/registry/cache - ~/.cargo/git/db - key: cargo-x86_64-unknown-linux-musl-${{ env.RUST_TOOLCHAIN }}-${{ hashFiles('Cargo.lock') }} - restore-keys: | - cargo-x86_64-unknown-linux-musl-${{ env.RUST_TOOLCHAIN }}- - cargo-x86_64-unknown-linux-musl- - - - name: 构建 secrets-mcp - run: | - cargo build --release --locked --target x86_64-unknown-linux-musl -p secrets-mcp - strip target/x86_64-unknown-linux-musl/release/${{ env.MCP_BINARY }} + name: ${{ env.MCP_BINARY }}-linux-musl + path: /tmp/artifact - name: 部署到阿里云 ECS env: @@ -312,7 +273,7 @@ jobs: SCP="scp -i /tmp/deploy_key -o StrictHostKeyChecking=no" - $SCP target/x86_64-unknown-linux-musl/release/${{ env.MCP_BINARY }} \ + $SCP /tmp/artifact/${{ env.MCP_BINARY }} \ "${DEPLOY_USER}@${DEPLOY_HOST}:/tmp/secrets-mcp.new" ssh -i /tmp/deploy_key -o StrictHostKeyChecking=no "${DEPLOY_USER}@${DEPLOY_HOST}" " @@ -333,13 +294,11 @@ jobs: [ -z "$WEBHOOK_URL" ] && exit 0 command -v jq >/dev/null 2>&1 || (sudo apt-get update -qq && sudo apt-get install -y -qq jq) tag="${{ needs.version.outputs.tag }}" - commit=$(git log -1 --pretty=format:"%s" 2>/dev/null || echo "N/A") url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_number }}" result="${{ job.status }}" if [ "$result" = "success" ]; then icon="✅"; else icon="❌"; fi msg="secrets-mcp 部署${icon} 版本:${tag} - 提交:${commit} 作者:${{ github.actor }} 详情:${url}" payload=$(jq -n --arg text "$msg" '{msg_type: "text", content: {text: $text}}') @@ -347,22 +306,21 @@ jobs: publish-release: name: 发布草稿 Release - needs: [version, build-linux] + needs: [version, check, build-linux] if: always() && needs.version.outputs.release_id != '' runs-on: debian timeout-minutes: 5 steps: - - uses: actions/checkout@v4 - - name: 发布草稿 env: RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }} run: | [ -z "$RELEASE_TOKEN" ] && exit 0 + check_r="${{ needs.check.result }}" linux_r="${{ needs.build-linux.result }}" - if [ "$linux_r" != "success" ]; then - echo "linux 构建未成功,保留草稿 Release" + if [ "$check_r" != "success" ] || [ "$linux_r" != "success" ]; then + echo "质量检查或构建未成功(check=${check_r}, build=${linux_r}),保留草稿 Release" exit 0 fi @@ -394,13 +352,16 @@ jobs: [ -z "$commit" ] && commit="${{ github.sha }}" url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_number }}" + check_r="${{ needs.check.result }}" linux_r="${{ needs.build-linux.result }}" publish_r="${{ job.status }}" icon() { case "$1" in success) echo "✅";; skipped) echo "⏭";; *) echo "❌";; esac; } - if [ "$linux_r" = "success" ] && [ "$publish_r" = "success" ]; then + if [ "$check_r" = "success" ] && [ "$linux_r" = "success" ] && [ "$publish_r" = "success" ]; then status="发布成功 ✅" + elif [ "$check_r" != "success" ]; then + status="检查失败 ❌" elif [ "$linux_r" != "success" ]; then status="构建失败 ❌" else @@ -415,7 +376,7 @@ jobs: msg="secrets-mcp ${status} ${version_line} - linux $(icon "$linux_r") | Release $(icon "$publish_r") + check $(icon "$check_r") | linux $(icon "$linux_r") | Release $(icon "$publish_r") 提交:${commit} 作者:${{ github.actor }} 详情:${url}"