a765dcc428
Some checks failed
Secrets CLI - Build & Release / 版本 & Release (push) Successful in 2s
Secrets CLI - Build & Release / 质量检查 (fmt / clippy / test) (push) Successful in 1m37s
Secrets CLI - Build & Release / Build (aarch64-apple-darwin) (push) Successful in 37s
Secrets CLI - Build & Release / Build (x86_64-unknown-linux-musl) (push) Successful in 50s
Secrets CLI - Build & Release / 发布草稿 Release (push) Successful in 2s
Secrets CLI - Build & Release / Build (x86_64-pc-windows-msvc) (push) Has been cancelled
- 写路径事务化:add/update/delete 与 audit 同事务,update CAS 并发保护 - 版本化与回滚:secrets_history 表、version 字段、history/rollback 命令 - 类型化字段:key:=<json> 支持数字、布尔、数组、对象 - 临时 env 模式:inject 输出 KEY=VALUE,run 向子进程注入 - inject/run 至少需一个过滤条件;search -o env 使用 shell_quote;JSON 输出含 version Made-with: Cursor
183 lines
6.4 KiB
Bash
Executable File
183 lines
6.4 KiB
Bash
Executable File
#!/usr/bin/env bash
|
||
#
|
||
# 为 refining/secrets 仓库配置 Gitea Actions 所需的 Secrets 和 Variables
|
||
# 参考: .gitea/workflows/secrets.yml
|
||
#
|
||
# 所需配置:
|
||
# - secrets.RELEASE_TOKEN (必选) Release 上传用,值为 Gitea PAT
|
||
# - vars.WEBHOOK_URL (可选) 飞书通知
|
||
#
|
||
# 注意:
|
||
# - Gitea 不允许 secret/variable 名以 GITEA_ 或 GITHUB_ 开头,故使用 RELEASE_TOKEN
|
||
# - Secret/Variable 的 data/value 字段需传入原始值,不要使用 base64 编码
|
||
#
|
||
# 用法:
|
||
# 1. 从 ~/.config/gitea/config.env 读取 GITEA_URL, GITEA_TOKEN, GITEA_WEBHOOK_URL
|
||
# 2. 或通过环境变量覆盖: GITEA_TOKEN(作为 RELEASE_TOKEN 的值), WEBHOOK_URL
|
||
# 3. 或使用 secrets CLI 获取: 需 DATABASE_URL,从 refining/service gitea 读取
|
||
#
|
||
|
||
set -e
|
||
|
||
OWNER="refining"
|
||
REPO="secrets"
|
||
|
||
# 解析参数
|
||
USE_SECRETS_CLI=false
|
||
while [[ $# -gt 0 ]]; do
|
||
case $1 in
|
||
--from-secrets) USE_SECRETS_CLI=true; shift ;;
|
||
-h|--help)
|
||
echo "用法: $0 [--from-secrets]"
|
||
echo ""
|
||
echo " --from-secrets 从 secrets CLI (refining/service gitea) 获取 token 和 webhook_url"
|
||
echo " 否则从 ~/.config/gitea/config.env 读取"
|
||
echo ""
|
||
echo "环境变量覆盖:"
|
||
echo " GITEA_URL Gitea 实例地址"
|
||
echo " GITEA_TOKEN 用于 Release 上传的 PAT (创建 RELEASE_TOKEN secret)"
|
||
echo " WEBHOOK_URL 飞书 Webhook URL (创建 variable,可选)"
|
||
exit 0
|
||
;;
|
||
*) shift ;;
|
||
esac
|
||
done
|
||
|
||
# 加载配置
|
||
load_config() {
|
||
local config="$HOME/.config/gitea/config.env"
|
||
if [[ -f "$config" ]]; then
|
||
# shellcheck source=/dev/null
|
||
source "$config"
|
||
fi
|
||
}
|
||
|
||
# 从 secrets CLI 获取 gitea 凭据
|
||
fetch_from_secrets() {
|
||
if ! command -v secrets &>/dev/null; then
|
||
echo "❌ secrets CLI 未找到,请先构建: cargo build --release" >&2
|
||
return 1
|
||
fi
|
||
# 输出 JSON 格式便于解析;需要 --show-secrets
|
||
# secrets 当前无 JSON 输出,用简单解析
|
||
local out
|
||
out=$(secrets search -n refining --kind service -q gitea --show-secrets 2>/dev/null || true)
|
||
if [[ -z "$out" ]]; then
|
||
echo "❌ 未找到 refining/service gitea 记录" >&2
|
||
return 1
|
||
fi
|
||
# 简化:从 metadata 和 secrets 中提取,实际格式需根据 search 输出调整
|
||
# 此处仅作占位,实际解析较复杂;建议用户优先用 config.env
|
||
echo "⚠️ --from-secrets 暂不支持自动解析,请使用 config.env 或环境变量" >&2
|
||
return 1
|
||
}
|
||
|
||
load_config
|
||
|
||
# 优先使用环境变量
|
||
if [[ -n "$GITEA_TOKEN" && -z "$GITEA_URL" ]]; then
|
||
echo "❌ 请设置 GITEA_URL (或确保 config.env 中有)" >&2
|
||
exit 1
|
||
fi
|
||
|
||
if [[ -z "$GITEA_URL" ]]; then
|
||
echo "❌ GITEA_URL 未配置"
|
||
echo " 请创建 ~/.config/gitea/config.env 或设置环境变量" >&2
|
||
exit 1
|
||
fi
|
||
|
||
# 去掉 URL 尾部斜杠
|
||
GITEA_URL="${GITEA_URL%/}"
|
||
# 确保使用 /api/v1 基础路径(若用户只写了根 URL)
|
||
[[ "$GITEA_URL" != *"/api/v1"* ]] || true
|
||
|
||
API_BASE="${GITEA_URL}/api/v1"
|
||
|
||
# 获取 GITEA_TOKEN(作为 workflow 中 secrets.RELEASE_TOKEN 的值)
|
||
if [[ -z "$GITEA_TOKEN" ]]; then
|
||
if $USE_SECRETS_CLI; then
|
||
fetch_from_secrets || exit 1
|
||
fi
|
||
echo "❌ GITEA_TOKEN 未配置"
|
||
echo " 在 ~/.config/gitea/config.env 中设置,或 export GITEA_TOKEN=xxx" >&2
|
||
echo " Token 需具备 repo 写权限(创建 Release、上传附件)" >&2
|
||
exit 1
|
||
fi
|
||
|
||
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
|
||
echo "配置 Gitea Actions: $OWNER/$REPO"
|
||
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
|
||
echo ""
|
||
|
||
# 1. 创建 Secret: RELEASE_TOKEN
|
||
# 注意: Gitea Actions API 的 data 字段需传入原始值,不要使用 base64 编码
|
||
echo "1. 创建 Secret: RELEASE_TOKEN"
|
||
secret_payload=$(jq -n --arg t "$GITEA_TOKEN" '{data: $t}')
|
||
resp=$(curl -s -w "\n%{http_code}" -X PUT \
|
||
-H "Authorization: token $GITEA_TOKEN" \
|
||
-H "Content-Type: application/json" \
|
||
-d "$secret_payload" \
|
||
"${API_BASE}/repos/${OWNER}/${REPO}/actions/secrets/RELEASE_TOKEN")
|
||
http_code=$(echo "$resp" | tail -n1)
|
||
body=$(echo "$resp" | sed '$d')
|
||
|
||
if [[ "$http_code" == "200" || "$http_code" == "201" || "$http_code" == "204" ]]; then
|
||
echo " ✓ RELEASE_TOKEN 已创建/更新"
|
||
else
|
||
echo " ❌ 失败 (HTTP $http_code)" >&2
|
||
echo "$body" | jq -r '.message // .' 2>/dev/null || echo "$body" >&2
|
||
exit 1
|
||
fi
|
||
|
||
# 2. 创建/更新 Variable: WEBHOOK_URL(可选)
|
||
# 注意: Secret 和 Variable 均使用原始值,不要 base64 编码
|
||
WEBHOOK_VALUE="${WEBHOOK_URL:-$GITEA_WEBHOOK_URL}"
|
||
if [[ -n "$WEBHOOK_VALUE" ]]; then
|
||
echo ""
|
||
echo "2. 创建/更新 Variable: WEBHOOK_URL"
|
||
var_payload=$(jq -n --arg v "$WEBHOOK_VALUE" '{value: $v}')
|
||
resp=$(curl -s -w "\n%{http_code}" -X POST \
|
||
-H "Authorization: token $GITEA_TOKEN" \
|
||
-H "Content-Type: application/json" \
|
||
-d "$var_payload" \
|
||
"${API_BASE}/repos/${OWNER}/${REPO}/actions/variables/WEBHOOK_URL")
|
||
http_code=$(echo "$resp" | tail -n1)
|
||
body=$(echo "$resp" | sed '$d')
|
||
|
||
if [[ "$http_code" == "200" || "$http_code" == "201" || "$http_code" == "204" ]]; then
|
||
echo " ✓ WEBHOOK_URL 已创建/更新"
|
||
elif [[ "$http_code" == "409" ]]; then
|
||
# 变量已存在,用 PUT 更新
|
||
resp=$(curl -s -w "\n%{http_code}" -X PUT \
|
||
-H "Authorization: token $GITEA_TOKEN" \
|
||
-H "Content-Type: application/json" \
|
||
-d "$var_payload" \
|
||
"${API_BASE}/repos/${OWNER}/${REPO}/actions/variables/WEBHOOK_URL")
|
||
http_code=$(echo "$resp" | tail -n1)
|
||
if [[ "$http_code" == "200" || "$http_code" == "204" ]]; then
|
||
echo " ✓ WEBHOOK_URL 已更新"
|
||
else
|
||
echo " ⚠ 更新失败 (HTTP $http_code)" >&2
|
||
fi
|
||
else
|
||
echo " ⚠ 失败 (HTTP $http_code),飞书通知将不可用" >&2
|
||
fi
|
||
else
|
||
echo ""
|
||
echo "2. 跳过 WEBHOOK_URL(未配置 GITEA_WEBHOOK_URL 或 WEBHOOK_URL)"
|
||
echo " 飞书通知将不可用;如需可后续在仓库 Settings → Variables 中添加"
|
||
fi
|
||
|
||
echo ""
|
||
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
|
||
echo "✓ 配置完成"
|
||
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
|
||
echo ""
|
||
echo "Workflow 将使用:"
|
||
echo " - secrets.RELEASE_TOKEN 创建 Release 并上传二进制"
|
||
echo " - vars.WEBHOOK_URL 发送飞书通知(如已配置)"
|
||
echo ""
|
||
echo "推送代码触发构建:"
|
||
echo " git push origin main"
|
||
echo ""
|