From 202ccbe6377e4edc5f141a1fbc9b6d7c9df16d7e Mon Sep 17 00:00:00 2001
From: wooo
Date: Thu, 18 Jun 2026 12:28:37 +0800
Subject: [PATCH] ci: inject production secrets during deploy
---
.gitea/workflows/cd.yaml | 42 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 42 insertions(+)
diff --git a/.gitea/workflows/cd.yaml b/.gitea/workflows/cd.yaml
index e7a0ac3..1d9480a 100644
--- a/.gitea/workflows/cd.yaml
+++ b/.gitea/workflows/cd.yaml
@@ -147,6 +147,48 @@ jobs:
--exclude='.env' \
./ "$PROD_SERVER_USER@$PROD_SERVER_IP:/opt/fifa2026/current/"
+ - name: Prepare production environment file
+ env:
+ DB_PASSWORD: ${{ secrets.DB_PASSWORD }}
+ REDIS_PASSWORD: ${{ secrets.REDIS_PASSWORD }}
+ NEXTAUTH_SECRET: ${{ secrets.NEXTAUTH_SECRET }}
+ THE_ODDS_API_KEY: ${{ secrets.THE_ODDS_API_KEY }}
+ GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
+ NEMOTRON_API_BASE: ${{ secrets.NEMOTRON_API_BASE }}
+ OLLAMA_BASE_URL: ${{ secrets.OLLAMA_BASE_URL }}
+ run: |
+ set -euo pipefail
+ for required in DB_PASSWORD REDIS_PASSWORD NEXTAUTH_SECRET; do
+ if [ -z "${!required:-}" ]; then
+ echo "禁止部署:Gitea secret $required 未設定。"
+ exit 1
+ fi
+ done
+ write_env_line() {
+ name="$1"
+ value="${!name:-}"
+ escaped=$(printf '%s' "$value" | sed "s/'/'\\''/g")
+ printf "%s='%s'\n" "$name" "$escaped"
+ }
+ write_optional_env_line() {
+ name="$1"
+ if [ -n "${!name:-}" ]; then
+ write_env_line "$name"
+ fi
+ }
+ umask 077
+ {
+ write_env_line DB_PASSWORD
+ write_env_line REDIS_PASSWORD
+ write_env_line NEXTAUTH_SECRET
+ write_optional_env_line THE_ODDS_API_KEY
+ write_optional_env_line GEMINI_API_KEY
+ write_optional_env_line NEMOTRON_API_BASE
+ write_optional_env_line OLLAMA_BASE_URL
+ } > .deploy.env
+ scp -i ~/.ssh/id_deploy .deploy.env "$PROD_SERVER_USER@$PROD_SERVER_IP:/opt/fifa2026/current/.env"
+ rm -f .deploy.env
+
- name: Restart Docker Containers
run: |
set -euo pipefail
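Review bot: `.deploy.env` is deleted only on the success path, because under `set -e` a failing `scp` aborts the step before `rm -f .deploy.env` runs and leaves the plaintext secrets file in the runner workspace; replace the trailing `rm -f` with `trap 'rm -f .deploy.env' EXIT` placed just before the `{ … } > .deploy.env` group so cleanup happens on every exit. The helpers also assign `name`, `value` and `escaped` as shell globals; `local name value escaped` at the top of `write_env_line` (and `local name` in `write_optional_env_line`) keeps them scoped. The writer single-quotes values with the shell rule `'\''`, which is only correct if whatever reads `/opt/fifa2026/current/.env` applies POSIX-shell quoting; that consumer is not visible in this hunk, and dotenv-style parsers generally take single-quoted values literally, so the escaping convention should be confirmed against it. The `echo` in the missing-secret check writes the diagnostic to stdout; `echo "…" >&2` keeps it on stderr. The enclosing `jobs:` step list continues outside the hunk.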