xiaoquan/rent
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: 精简 CI/CD 密钥,业务密钥迁移到数据库管理

Browse Source 
- Gitea Secrets 只保留 5 个基础密钥(DB密码、JWT、加密密钥)
- 删除 deploy.yml 中所有业务密钥的 secrets 注入
- docker-compose 移除业务环境变量,只保留 DB/JWT/ENCRYPTION_KEY
- 业务密钥(微信/支付宝/短信等)通过后台「系统密钥」页面管理
- 改用 export 方式注入环境变量,不再写 .env 文件
- 更新部署文档

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
xiaoquan
2026-06-02 12:06:43 +08:00
parent 3b75e26599
commit fefd64957d
4 changed files with 30 additions and 97 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/deploy.yml
+14 -44
View File
@@ -66,43 +66,20 @@ jobs:
steps:
- uses: actions/checkout@v4
- name: Generate .env from secrets
run: |
cat > deploy/docker/.env.prod << 'EOF'
PROD_DB_PASSWORD=${{ secrets.PROD_DB_PASSWORD }}
PROD_JWT_SECRET=${{ secrets.PROD_JWT_SECRET }}
PROD_JWT_EXPIRES_IN=${{ secrets.PROD_JWT_EXPIRES_IN }}
PROD_JWT_REFRESH_EXPIRES_IN=${{ secrets.PROD_JWT_REFRESH_EXPIRES_IN }}
PROD_SMS_ACCESS_KEY_ID=${{ secrets.PROD_SMS_ACCESS_KEY_ID }}
PROD_SMS_ACCESS_KEY_SECRET=${{ secrets.PROD_SMS_ACCESS_KEY_SECRET }}
PROD_SMS_SIGN_NAME=${{ secrets.PROD_SMS_SIGN_NAME }}
PROD_SMS_TEMPLATE_CODE=${{ secrets.PROD_SMS_TEMPLATE_CODE }}
PROD_WECHAT_APPID=${{ secrets.PROD_WECHAT_APPID }}
PROD_WECHAT_SECRET=${{ secrets.PROD_WECHAT_SECRET }}
PROD_WECHAT_MCHID=${{ secrets.PROD_WECHAT_MCHID }}
PROD_WECHAT_SERIAL_NO=${{ secrets.PROD_WECHAT_SERIAL_NO }}
PROD_WECHAT_APIV3_KEY=${{ secrets.PROD_WECHAT_APIV3_KEY }}
PROD_WECHAT_PRIVATE_KEY=${{ secrets.PROD_WECHAT_PRIVATE_KEY }}
PROD_WECHAT_PAY_NOTIFY_URL=${{ secrets.PROD_WECHAT_PAY_NOTIFY_URL }}
PROD_WECHAT_REFUND_NOTIFY_URL=${{ secrets.PROD_WECHAT_REFUND_NOTIFY_URL }}
PROD_ALIPAY_APPID=${{ secrets.PROD_ALIPAY_APPID }}
PROD_ALIPAY_PRIVATE_KEY=${{ secrets.PROD_ALIPAY_PRIVATE_KEY }}
PROD_API_BASE_URL=${{ secrets.PROD_API_BASE_URL }}
EOF
chmod 600 deploy/docker/.env.prod
- name: Deploy to production
run: |
echo "部署到生产环境..."
cd deploy/docker
docker-compose -f docker-compose.prod.yml --env-file .env.prod down --remove-orphans
docker-compose -f docker-compose.prod.yml --env-file .env.prod build --parallel
docker-compose -f docker-compose.prod.yml --env-file .env.prod up -d
export PROD_DB_PASSWORD="${{ secrets.PROD_DB_PASSWORD }}"
export PROD_JWT_SECRET="${{ secrets.PROD_JWT_SECRET }}"
export ENCRYPTION_KEY="${{ secrets.ENCRYPTION_KEY }}"
docker-compose -f docker-compose.prod.yml down --remove-orphans
docker-compose -f docker-compose.prod.yml build --parallel
docker-compose -f docker-compose.prod.yml up -d
docker image prune -f
echo "等待服务启动..."
sleep 10
docker-compose -f docker-compose.prod.yml --env-file .env.prod ps
rm -f .env.prod
docker-compose -f docker-compose.prod.yml ps
deploy-test:
runs-on: [self-hosted, rent-deploy]
@@ -111,24 +88,17 @@ jobs:
steps:
- uses: actions/checkout@v4
- name: Generate .env from secrets
run: |
cat > deploy/docker/.env.test << 'EOF'
TEST_DB_PASSWORD=${{ secrets.TEST_DB_PASSWORD }}
TEST_JWT_SECRET=${{ secrets.TEST_JWT_SECRET }}
TEST_API_BASE_URL=${{ secrets.TEST_API_BASE_URL }}
EOF
chmod 600 deploy/docker/.env.test
- name: Deploy to test
run: |
echo "部署到测试环境..."
cd deploy/docker
docker-compose -f docker-compose.test.yml --env-file .env.test down --remove-orphans
docker-compose -f docker-compose.test.yml --env-file .env.test build --parallel
docker-compose -f docker-compose.test.yml --env-file .env.test up -d
export TEST_DB_PASSWORD="${{ secrets.TEST_DB_PASSWORD }}"
export TEST_JWT_SECRET="${{ secrets.TEST_JWT_SECRET }}"
export ENCRYPTION_KEY="${{ secrets.ENCRYPTION_KEY }}"
docker-compose -f docker-compose.test.yml down --remove-orphans
docker-compose -f docker-compose.test.yml build --parallel
docker-compose -f docker-compose.test.yml up -d
docker image prune -f
echo "等待服务启动..."
sleep 10
docker-compose -f docker-compose.test.yml --env-file .env.test ps
rm -f .env.test
docker-compose -f docker-compose.test.yml ps