b358dbdab1
- deploy.yml 从 secrets 动态生成 .env,部署后自动删除 - docker-compose.prod.yml 支持全部业务配置注入(短信/微信/支付宝等) - .env.example 只保留 GITEA_RUNNER_TOKEN,其他密钥全部迁移到 Secrets - 更新 deploy/README.md 文档,完整列出 Secrets 配置清单 服务器上不再存储任何密码文件,安全性大幅提升 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
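---
# Deploy workflow: installs dependencies, builds every package, then deploys
# the production or test stack depending on which branch was pushed.
#
# Secrets reach the deploy jobs through a per-step `env:` mapping and are
# copied into a per-environment .env file by the shell (`$VAR`), never inlined
# into the script text with `${{ secrets.* }}`. The generated file is removed
# by a dedicated step that runs even when the deploy itself fails, so a failed
# run does not leave credentials behind in the runner's workspace.
name: Deploy

on:
  push:
    branches:
      - prod
      - test

env:
  NODE_ENV: production

jobs:
  install:
    runs-on: [self-hosted, rent-deploy]
    steps:
      - uses: actions/checkout@v4

      # Restore the store *before* installing so the cached packages are
      # actually used; the action's post-step saves the store once the job
      # ends. The build job uses the same restore-then-install order.
      - name: Cache pnpm store
        uses: actions/cache@v4
        with:
          path: .pnpm-store
          key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}

      - name: Install dependencies
        run: |
          npm install -g pnpm
          pnpm config set store-dir .pnpm-store
          pnpm install --frozen-lockfile

  build:
    runs-on: [self-hosted, rent-deploy]
    needs: install
    steps:
      - uses: actions/checkout@v4

      - name: Restore pnpm cache
        uses: actions/cache@v4
        with:
          path: .pnpm-store
          key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}

      # Shared packages must be built first; the application builds below
      # depend on their output.
      - name: Build shared packages
        run: |
          npm install -g pnpm
          pnpm config set store-dir .pnpm-store
          pnpm install --frozen-lockfile
          pnpm --filter @rent/shared-types build
          pnpm --filter @rent/shared-utils build

      - name: Build server
        run: pnpm --filter @rent/server build

      - name: Build merchant-admin
        run: pnpm --filter @rent/merchant-admin build

      - name: Build platform-admin
        run: pnpm --filter @rent/platform-admin build

      - name: Build website
        run: pnpm --filter @rent/official-website build

  deploy-production:
    runs-on: [self-hosted, rent-deploy]
    needs: build
    if: github.ref == 'refs/heads/prod'
    steps:
      - uses: actions/checkout@v4

      # Each secret is exposed to this step as an environment variable and
      # written to the .env file via shell expansion. Expanding `$VAR` inside
      # the heredoc does not re-parse the value, so a secret containing quotes,
      # `$`, backticks or a line reading `EOF` can neither break nor alter the
      # script, which inlining `${{ secrets.* }}` into the script text would
      # allow.
      #
      # NOTE(review): values that span several lines (PEM keys such as
      # PROD_WECHAT_PRIVATE_KEY / PROD_ALIPAY_PRIVATE_KEY) or that contain `#`
      # or quotes are written verbatim; whether the compose version on the
      # runner accepts them unquoted in a .env file is not established here —
      # confirm, and encode (e.g. base64) if it does not.
      #
      # NOTE(review): PROD_JWT_EXPIRES_IN / PROD_JWT_REFRESH_EXPIRES_IN and the
      # *_URL / *_APPID entries look like configuration rather than
      # credentials; they could move out of Secrets if the runner's `vars`
      # context is available — confirm.
      - name: Generate .env from secrets
        env:
          PROD_DB_PASSWORD: ${{ secrets.PROD_DB_PASSWORD }}
          PROD_JWT_SECRET: ${{ secrets.PROD_JWT_SECRET }}
          PROD_JWT_EXPIRES_IN: ${{ secrets.PROD_JWT_EXPIRES_IN }}
          PROD_JWT_REFRESH_EXPIRES_IN: ${{ secrets.PROD_JWT_REFRESH_EXPIRES_IN }}
          PROD_SMS_ACCESS_KEY_ID: ${{ secrets.PROD_SMS_ACCESS_KEY_ID }}
          PROD_SMS_ACCESS_KEY_SECRET: ${{ secrets.PROD_SMS_ACCESS_KEY_SECRET }}
          PROD_SMS_SIGN_NAME: ${{ secrets.PROD_SMS_SIGN_NAME }}
          PROD_SMS_TEMPLATE_CODE: ${{ secrets.PROD_SMS_TEMPLATE_CODE }}
          PROD_WECHAT_APPID: ${{ secrets.PROD_WECHAT_APPID }}
          PROD_WECHAT_SECRET: ${{ secrets.PROD_WECHAT_SECRET }}
          PROD_WECHAT_MCHID: ${{ secrets.PROD_WECHAT_MCHID }}
          PROD_WECHAT_SERIAL_NO: ${{ secrets.PROD_WECHAT_SERIAL_NO }}
          PROD_WECHAT_APIV3_KEY: ${{ secrets.PROD_WECHAT_APIV3_KEY }}
          PROD_WECHAT_PRIVATE_KEY: ${{ secrets.PROD_WECHAT_PRIVATE_KEY }}
          PROD_WECHAT_PAY_NOTIFY_URL: ${{ secrets.PROD_WECHAT_PAY_NOTIFY_URL }}
          PROD_WECHAT_REFUND_NOTIFY_URL: ${{ secrets.PROD_WECHAT_REFUND_NOTIFY_URL }}
          PROD_ALIPAY_APPID: ${{ secrets.PROD_ALIPAY_APPID }}
          PROD_ALIPAY_PRIVATE_KEY: ${{ secrets.PROD_ALIPAY_PRIVATE_KEY }}
          PROD_API_BASE_URL: ${{ secrets.PROD_API_BASE_URL }}
        run: |
          # Create the file owner-only from the start instead of chmod-ing it
          # afterwards, so it is never readable by other users on the runner,
          # even briefly.
          umask 077
          cat > deploy/docker/.env.prod << EOF
          PROD_DB_PASSWORD=$PROD_DB_PASSWORD
          PROD_JWT_SECRET=$PROD_JWT_SECRET
          PROD_JWT_EXPIRES_IN=$PROD_JWT_EXPIRES_IN
          PROD_JWT_REFRESH_EXPIRES_IN=$PROD_JWT_REFRESH_EXPIRES_IN
          PROD_SMS_ACCESS_KEY_ID=$PROD_SMS_ACCESS_KEY_ID
          PROD_SMS_ACCESS_KEY_SECRET=$PROD_SMS_ACCESS_KEY_SECRET
          PROD_SMS_SIGN_NAME=$PROD_SMS_SIGN_NAME
          PROD_SMS_TEMPLATE_CODE=$PROD_SMS_TEMPLATE_CODE
          PROD_WECHAT_APPID=$PROD_WECHAT_APPID
          PROD_WECHAT_SECRET=$PROD_WECHAT_SECRET
          PROD_WECHAT_MCHID=$PROD_WECHAT_MCHID
          PROD_WECHAT_SERIAL_NO=$PROD_WECHAT_SERIAL_NO
          PROD_WECHAT_APIV3_KEY=$PROD_WECHAT_APIV3_KEY
          PROD_WECHAT_PRIVATE_KEY=$PROD_WECHAT_PRIVATE_KEY
          PROD_WECHAT_PAY_NOTIFY_URL=$PROD_WECHAT_PAY_NOTIFY_URL
          PROD_WECHAT_REFUND_NOTIFY_URL=$PROD_WECHAT_REFUND_NOTIFY_URL
          PROD_ALIPAY_APPID=$PROD_ALIPAY_APPID
          PROD_ALIPAY_PRIVATE_KEY=$PROD_ALIPAY_PRIVATE_KEY
          PROD_API_BASE_URL=$PROD_API_BASE_URL
          EOF

      # NOTE(review): `docker-compose ps` only lists the containers; it does
      # not fail when one has exited or is unhealthy, so a broken deploy still
      # ends this step green — add an explicit health check if the workflow
      # should fail in that case.
      - name: Deploy to production
        run: |
          echo "部署到生产环境..."
          cd deploy/docker
          docker-compose -f docker-compose.prod.yml --env-file .env.prod down --remove-orphans
          docker-compose -f docker-compose.prod.yml --env-file .env.prod build --parallel
          docker-compose -f docker-compose.prod.yml --env-file .env.prod up -d
          docker image prune -f
          echo "等待服务启动..."
          sleep 10
          docker-compose -f docker-compose.prod.yml --env-file .env.prod ps

      # Runs even when an earlier step failed or the run was cancelled; a
      # trailing `rm` inside the deploy step would be skipped as soon as any
      # compose command exits non-zero and leave the secrets on disk.
      - name: Remove generated .env
        if: always()
        run: rm -f deploy/docker/.env.prod

  deploy-test:
    runs-on: [self-hosted, rent-deploy]
    needs: build
    if: github.ref == 'refs/heads/test'
    steps:
      - uses: actions/checkout@v4

      # Same scheme as deploy-production: secrets arrive via `env:` and are
      # expanded by the shell, not inlined into the script text.
      - name: Generate .env from secrets
        env:
          TEST_DB_PASSWORD: ${{ secrets.TEST_DB_PASSWORD }}
          TEST_JWT_SECRET: ${{ secrets.TEST_JWT_SECRET }}
          TEST_API_BASE_URL: ${{ secrets.TEST_API_BASE_URL }}
        run: |
          # Owner-only permissions from creation (see deploy-production).
          umask 077
          cat > deploy/docker/.env.test << EOF
          TEST_DB_PASSWORD=$TEST_DB_PASSWORD
          TEST_JWT_SECRET=$TEST_JWT_SECRET
          TEST_API_BASE_URL=$TEST_API_BASE_URL
          EOF

      # NOTE(review): as in deploy-production, `ps` does not fail on unhealthy
      # containers.
      - name: Deploy to test
        run: |
          echo "部署到测试环境..."
          cd deploy/docker
          docker-compose -f docker-compose.test.yml --env-file .env.test down --remove-orphans
          docker-compose -f docker-compose.test.yml --env-file .env.test build --parallel
          docker-compose -f docker-compose.test.yml --env-file .env.test up -d
          docker image prune -f
          echo "等待服务启动..."
          sleep 10
          docker-compose -f docker-compose.test.yml --env-file .env.test ps

      # Always remove the generated file, even after a failed deploy.
      - name: Remove generated .env
        if: always()
        run: rm -f deploy/docker/.env.test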