From 46a4d7157dccc2810d46bee6c943f9868b2dc1a0 Mon Sep 17 00:00:00 2001 From: Huarch Date: Fri, 24 Apr 2026 16:01:08 +0800 Subject: [PATCH] ci: harden test tag guards Use direct shell checks on github.ref_name inside workflow steps so test tags skip registry login, image push, and deploy webhook regardless of Gitea expression behavior. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .gitea/workflows/package.yml | 26 ++++++++++++++++++++------ memery.md | 2 ++ 2 files changed, 22 insertions(+), 6 deletions(-) diff --git a/.gitea/workflows/package.yml b/.gitea/workflows/package.yml index eef9682..f95d688 100644 --- a/.gitea/workflows/package.yml +++ b/.gitea/workflows/package.yml @@ -75,8 +75,14 @@ jobs: } >> "$GITHUB_ENV" - name: Login to Gitea Container Registry - if: ${{ !endsWith(github.ref_name, '-test') }} run: | + case "${{ github.ref_name }}" in + *-test) + echo "Test tag detected; skipping registry login." + exit 0 + ;; + esac + echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login "$REGISTRY_HOST" \ --username "${{ secrets.REGISTRY_USERNAME }}" \ --password-stdin @@ -97,16 +103,24 @@ jobs: --build-arg NEXT_PUBLIC_MAPBOX_TOKEN="${{ secrets.NEXT_PUBLIC_MAPBOX_TOKEN }}" \ --build-arg NEXT_PUBLIC_TIANDITU_TOKEN="${{ secrets.NEXT_PUBLIC_TIANDITU_TOKEN }}" \ . - if [ "${{ endsWith(github.ref_name, '-test') }}" = "true" ]; then - echo "Test tag detected; build completed without pushing images." - exit 0 - fi + case "${{ github.ref_name }}" in + *-test) + echo "Test tag detected; build completed without pushing images." + exit 0 + ;; + esac docker push "${IMAGE_NAME}:${IMAGE_TAG}" docker push "${IMAGE_NAME}:latest" - name: Notify Deploy Server - if: ${{ success() && !endsWith(github.ref_name, '-test') }} run: | + case "${{ github.ref_name }}" in + *-test) + echo "Test tag detected; skipping deploy webhook." + exit 0 + ;; + esac + curl -fsSL -X POST "${{ vars.DEPLOY_WEBHOOK_URL }}" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer ${{ secrets.DEPLOY_WEBHOOK_TOKEN }}" \ diff --git a/memery.md b/memery.md index e93b1b8..de0ead5 100644 --- a/memery.md +++ b/memery.md @@ -13,5 +13,7 @@ - **Applied fix for image naming:** lowercased `REPOSITORY_PATH` during image metadata normalization so image tags remain valid even when the Gitea owner or repository name contains uppercase letters. - **Latest remote failure on act_runner:** a `*-test` run still reached `Notify Deploy Server` and failed with `curl: (3) URL using bad/illegal format or missing URL`. That showed the shell-level `IS_TEST_TAG` guard was not reliable enough for cross-step skip control on this runner. - **Applied fix for test-tag skipping:** moved registry login and deploy webhook skipping to workflow-level `if:` conditions based on `endsWith(github.ref_name, '-test')`, and made the image-push branch check the tag name directly instead of relying on `IS_TEST_TAG` from a previous step. +- **Follow-up from server validation:** the runner still executed `Notify Deploy Server` for `v2026.04.24-test5`, so Gitea step-level `if:` with `endsWith(...)` was not sufficient in this environment. +- **Applied hardening:** replaced those step-level conditions with direct shell `case "${{ github.ref_name }}" in *-test)` guards inside the login, push, and deploy steps. This avoids relying on Gitea expression behavior for test-tag skipping. - **Current local result:** `npm run lint`, `npm run test -- --runInBand`, `npm run build`, `docker build ...`, and `npm run build` inside `gitea/runner-images:ubuntu-22.04` all completed successfully after the workflow adjustment. - **Non-blocking note:** local Jest run reported a haste-map naming collision between `package.json` and `.next/standalone/package.json`; tests still passed, and this does not affect the current image-build workflow.