diff --git a/.gitea/workflows/cd.yaml b/.gitea/workflows/cd.yaml
index 518020e2..e68e6307 100644
--- a/.gitea/workflows/cd.yaml
+++ b/.gitea/workflows/cd.yaml
@@ -87,7 +87,6 @@ jobs:
 - name: Deploy to K8s
 env:
 SSH_PRIVATE_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
- SUDO_PASSWORD: ${{ secrets.SUDO_PASSWORD }}
 run: |
 mkdir -p ~/.ssh
 echo "$SSH_PRIVATE_KEY" > ~/.ssh/deploy_key
@@ -96,22 +95,22 @@ jobs:
 set -e
 export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
- # 2026-03-30 ogt: P0 安全修復 - 使用 secret 而非明文密碼
- echo "$SUDO_PASSWORD" | sudo -S kubectl set image deployment/awoooi-api \
+ # 2026-03-30 ogt: sudoers NOPASSWD 已設定,無需密碼
+ sudo kubectl set image deployment/awoooi-api \
 api=192.168.0.110:5000/awoooi/api:${{ github.sha }} \
 -n awoooi-prod
- echo "$SUDO_PASSWORD" | sudo -S kubectl set image deployment/awoooi-web \
+ sudo kubectl set image deployment/awoooi-web \
 web=192.168.0.110:5000/awoooi/web:${{ github.sha }} \
 -n awoooi-prod
- echo "$SUDO_PASSWORD" | sudo -S kubectl set image deployment/awoooi-worker \
+ sudo kubectl set image deployment/awoooi-worker \
 worker=192.168.0.110:5000/awoooi/api:${{ github.sha }} \
 -n awoooi-prod
- echo "$SUDO_PASSWORD" | sudo -S kubectl rollout status deployment/awoooi-api -n awoooi-prod --timeout=120s
- echo "$SUDO_PASSWORD" | sudo -S kubectl rollout status deployment/awoooi-web -n awoooi-prod --timeout=120s
- echo "$SUDO_PASSWORD" | sudo -S kubectl rollout status deployment/awoooi-worker -n awoooi-prod --timeout=120s
+ sudo kubectl rollout status deployment/awoooi-api -n awoooi-prod --timeout=120s
+ sudo kubectl rollout status deployment/awoooi-web -n awoooi-prod --timeout=120s
+ sudo kubectl rollout status deployment/awoooi-worker -n awoooi-prod --timeout=120s
 echo "✅ 部署完成"
 DEPLOY
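Review bot: Dropping `SUDO_PASSWORD` from `env:` moves this step's privilege boundary from a CI secret to a sudoers rule on the deploy host, and nothing in the workflow records that dependency, so a reader cannot tell why `sudo` succeeds without a prompt or how broad that grant is. Add a comment above `run: |` such as `# sudo in this step relies on a NOPASSWD sudoers rule on the deploy host; keep that rule limited to the kubectl commands used here rather than ALL`, and confirm the host rule is actually scoped that narrowly, since a blanket NOPASSWD makes the runner's SSH identity root-equivalent. Because the secret is no longer referenced anywhere in this step, the `SUDO_PASSWORD` repository secret should be deleted and the underlying account password rotated, given that it was previously piped through `echo "$SUDO_PASSWORD" | sudo -S` in the script this hunk feeds. The step's `run:` block continues past this hunk, so the key-permission and SSH lines between the two hunks are not visible here.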