feat(ci): 添加 Gitea 仓库密钥 TJWATER_SERVER_ENV 检查

2026-06-10 15:08:47 +08:00
parent f35287d3cf
commit 26643d68c7
2 changed files with 59 additions and 0 deletions
@@ -1,5 +1,6 @@
 # TJWater Server 环境变量配置模板
 # 复制此文件为 .env 并填写实际值
+# CI/CD: 将生产 .env 的完整内容保存为 Gitea 仓库密钥 TJWATER_SERVER_ENV。
 ENVIRONMENT="production"
 NETWORK_NAME="tjwater"
 # ============================================
@@ -112,6 +112,54 @@ jobs:
            --username "${REGISTRY_USERNAME}" \
            --password-stdin

+      - name: Materialize runtime env file
+        env:
+          TJWATER_SERVER_ENV: ${{ secrets.TJWATER_SERVER_ENV }}
+        run: |
+          if [ -z "${TJWATER_SERVER_ENV}" ]; then
+            echo "Missing required repository secret: TJWATER_SERVER_ENV"
+            echo "Store the backend .env file content as a multiline Gitea repository secret named TJWATER_SERVER_ENV."
+            exit 1
+          fi
+
+          printf '%s\n' "${TJWATER_SERVER_ENV}" > .env
+          chmod 600 .env
+
+          required_env_keys=(
+            ENVIRONMENT
+            NETWORK_NAME
+            SECRET_KEY
+            ENCRYPTION_KEY
+            DB_NAME
+            DB_HOST
+            DB_PORT
+            DB_USER
+            DB_PASSWORD
+            TIMESCALEDB_DB_NAME
+            TIMESCALEDB_DB_HOST
+            TIMESCALEDB_DB_PORT
+            TIMESCALEDB_DB_USER
+            TIMESCALEDB_DB_PASSWORD
+            METADATA_DB_NAME
+            METADATA_DB_HOST
+            METADATA_DB_PORT
+            METADATA_DB_USER
+            METADATA_DB_PASSWORD
+            DATABASE_ENCRYPTION_KEY
+          )
+
+          missing_keys=()
+          for key in "${required_env_keys[@]}"; do
+            if ! grep -Eq "^[[:space:]]*${key}=" .env; then
+              missing_keys+=("$key")
+            fi
+          done
+
+          if [ "${#missing_keys[@]}" -gt 0 ]; then
+            echo "TJWATER_SERVER_ENV is missing required keys: ${missing_keys[*]}"
+            exit 1
+          fi
+
      - name: Build and Push Image
        run: |
          if [ -z "${IMAGE_NAME:-}" ] || [ -z "${IMAGE_TAG:-}" ]; then
@@ -165,6 +213,16 @@ jobs:

            webhook_url=$(echo "$webhook_url" | xargs)

+            if [ -z "$webhook_url" ]; then
+              echo "Missing required repository variable: DEPLOY_WEBHOOK_URL"
+              return 1
+            fi
+
+            if [ -z "$token" ]; then
+              echo "Missing required repository secret: DEPLOY_WEBHOOK_TOKEN"
+              return 1
+            fi
+
            echo "[$label] Calling webhook: $webhook_url"

            http_code=$(curl -sS -D /tmp/deploy_headers.txt -o /tmp/deploy_response.txt -w "%{http_code}" -X POST "$webhook_url" \