154 lines
5.2 KiB
YAML
154 lines
5.2 KiB
YAML
name: 2026 World Cup Quant Platform - Production Deployment
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
|
|
jobs:
|
|
test-and-lint:
|
|
name: Code Quality, Security Gate & Testing
|
|
runs-on: ewoooc-dedicated-runner
|
|
steps:
|
|
- name: Checkout Code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Security policy gate
|
|
run: |
|
|
set -euo pipefail
|
|
echo "== 檢查禁止進入正式部署的臨時維運腳本 =="
|
|
forbidden_files="
|
|
iwooos_javae_monitor.sh
|
|
iwooos_autopatch.py
|
|
fix_guardian.py
|
|
fix_register.sh
|
|
fix_wazuh.sh
|
|
ops/harden-host.sh
|
|
"
|
|
for file in $forbidden_files; do
|
|
if [ -e "$file" ]; then
|
|
echo "禁止部署:$file 不得存在於正式產品 repo。"
|
|
exit 1
|
|
fi
|
|
done
|
|
|
|
echo "== 檢查硬編碼密碼、手工 SSH 修補與挖礦 IOC =="
|
|
if grep -RInE '(sshpass|sudo -S|WAZUH_PASS\s*=|YOUR_BOT_TOKEN|xmrig|kinsing|kdevtmpfsi|stratum|pool\.supportxmr\.com|221\.156\.167\.200|0936223270|Wooo-0936223270)' \
|
|
--exclude-dir=.git \
|
|
--exclude-dir=.gitea \
|
|
--exclude-dir=node_modules \
|
|
--exclude-dir=.next \
|
|
--exclude=package-lock.json \
|
|
--exclude='*.md' \
|
|
.; then
|
|
echo "禁止部署:偵測到硬編碼密碼、挖礦 IOC 或手工 SSH 修補痕跡。"
|
|
exit 1
|
|
fi
|
|
|
|
- name: Setup Python Environment
|
|
run: |
|
|
apt-get update -qq
|
|
apt-get install -y -qq python3-pip python3-venv
|
|
python3 -m venv venv
|
|
echo "PATH=$PWD/venv/bin:$PATH" >> $GITHUB_ENV
|
|
|
|
- name: Install Backend Dependencies
|
|
run: |
|
|
pip install -r platform/backend/requirements.txt pytest pip-audit
|
|
|
|
- name: Python dependency audit
|
|
run: pip-audit -r platform/backend/requirements.txt
|
|
|
|
- name: Run Backend Quant Engine Tests
|
|
run: |
|
|
if find platform/backend -type f \( -name 'test_*.py' -o -name '*_test.py' \) | grep -q .; then
|
|
pytest platform/backend
|
|
else
|
|
echo "未找到後端 pytest 測試檔,改以 Python 編譯檢查作為最低安全閘門。"
|
|
python -m compileall -q platform/backend/app
|
|
fi
|
|
|
|
- name: Setup Node.js Environment
|
|
uses: actions/setup-node@v4
|
|
with:
|
|
node-version: '22'
|
|
|
|
- name: Install Frontend Dependencies
|
|
run: |
|
|
cd platform/web
|
|
npm ci --legacy-peer-deps
|
|
|
|
- name: Frontend dependency audit
|
|
run: |
|
|
cd platform/web
|
|
npm audit --audit-level=high
|
|
|
|
- name: Run Frontend Linting
|
|
run: |
|
|
cd platform/web
|
|
npm run lint
|
|
|
|
- name: Validate Docker Compose
|
|
env:
|
|
DB_PASSWORD: ci-placeholder-db-password
|
|
REDIS_PASSWORD: ci-placeholder-redis-password
|
|
NEXTAUTH_SECRET: ci-placeholder-nextauth-secret
|
|
run: docker compose -f docker-compose.prod.yml config -q
|
|
|
|
deploy-docker:
|
|
name: Deploy to Production VM via Gitea CD
|
|
needs: test-and-lint
|
|
runs-on: ewoooc-dedicated-runner
|
|
if: github.ref == 'refs/heads/main'
|
|
|
|
steps:
|
|
- name: Checkout Code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Install rsync and ssh
|
|
run: apt-get update -qq && apt-get install -y -qq rsync openssh-client
|
|
|
|
- name: Configure SSH Key
|
|
run: |
|
|
mkdir -p ~/.ssh
|
|
echo "${{ secrets.PROD_SSH_PRIVATE_KEY }}" > ~/.ssh/id_deploy
|
|
chmod 600 ~/.ssh/id_deploy
|
|
ssh-keyscan ${{ secrets.PROD_SERVER_IP }} >> ~/.ssh/known_hosts
|
|
|
|
- name: Sync Files to Production
|
|
run: |
|
|
printf "%s\n" "${{ github.sha }}" > REVISION
|
|
rsync -az --delete --delay-updates -e "ssh -i ~/.ssh/id_deploy" \
|
|
--exclude='.git/' \
|
|
--exclude='.gitea/' \
|
|
--exclude='node_modules/' \
|
|
--exclude='.next/' \
|
|
--exclude='venv/' \
|
|
--exclude='__pycache__/' \
|
|
--exclude='.env' \
|
|
./ ${{ secrets.PROD_SERVER_USER }}@${{ secrets.PROD_SERVER_IP }}:/opt/fifa2026/current/
|
|
|
|
- name: Restart Docker Containers
|
|
uses: appleboy/ssh-action@v1.0.3
|
|
with:
|
|
host: ${{ secrets.PROD_SERVER_IP }}
|
|
username: ${{ secrets.PROD_SERVER_USER }}
|
|
key: ${{ secrets.PROD_SSH_PRIVATE_KEY }}
|
|
script: |
|
|
set -euo pipefail
|
|
echo "🚀 [Deploy] Starting deployment for 2026fifa.wooo.work"
|
|
cd /opt/fifa2026/current
|
|
|
|
for file in iwooos_javae_monitor.sh iwooos_autopatch.py fix_guardian.py fix_register.sh fix_wazuh.sh ops/harden-host.sh; do
|
|
if [ -e "$file" ]; then
|
|
echo "❌ [Deploy] Forbidden emergency script still exists on production: $file"
|
|
exit 1
|
|
fi
|
|
done
|
|
|
|
docker compose -f docker-compose.prod.yml config -q
|
|
docker compose -f docker-compose.prod.yml build --pull
|
|
docker compose -f docker-compose.prod.yml up -d --remove-orphans
|
|
docker image prune -f
|
|
echo "✅ [Deploy] Deployment completed successfully!"
|