diff --git a/.gitea/workflows/cd.yaml b/.gitea/workflows/cd.yaml
index be2efebe..564b9299 100644
--- a/.gitea/workflows/cd.yaml
+++ b/.gitea/workflows/cd.yaml
@@ -445,10 +445,10 @@ jobs:
 run: |
 # S1/S2: 統一命名 deploy_key,改用 ssh-keyscan(比 StrictHostKeyChecking=no 更安全)
 mkdir -p ~/.ssh
- echo "$SSH_PRIVATE_KEY" > ~/.ssh/deploy_key
- chmod 600 ~/.ssh/deploy_key
+ echo "$SSH_PRIVATE_KEY" > "${HOME}/.ssh/deploy_key"
+ chmod 600 "${HOME}/.ssh/deploy_key"
 ssh-keyscan -T 5 "${{ env.K8S_SSH_HOST }}" > ~/.ssh/known_hosts 2>/dev/null
- SSH_OPTS="-i ~/.ssh/deploy_key -o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=${HOME}/.ssh/known_hosts -o ConnectTimeout=10"
+ SSH_OPTS="-i ${HOME}/.ssh/deploy_key -o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=${HOME}/.ssh/known_hosts -o ConnectTimeout=10"
 ssh $SSH_OPTS "wooo@${{ env.K8S_SSH_HOST }}" << SECRETS
 set -e
 K8S_API_SERVER="${{ env.K8S_API_SERVER }}"
@@ -683,10 +683,10 @@ jobs:
 GITEA_TOKEN: ${{ secrets.CD_PUSH_TOKEN }}
 run: |
 mkdir -p ~/.ssh
- echo "$SSH_PRIVATE_KEY" > ~/.ssh/deploy_key
- chmod 600 ~/.ssh/deploy_key
+ echo "$SSH_PRIVATE_KEY" > "${HOME}/.ssh/deploy_key"
+ chmod 600 "${HOME}/.ssh/deploy_key"
 ssh-keyscan -T 5 "${{ env.K8S_SSH_HOST }}" > ~/.ssh/known_hosts 2>/dev/null
- SSH_OPTS="-i ~/.ssh/deploy_key -o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=${HOME}/.ssh/known_hosts -o ConnectTimeout=10"
+ SSH_OPTS="-i ${HOME}/.ssh/deploy_key -o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=${HOME}/.ssh/known_hosts -o ConnectTimeout=10"
 IMAGE_TAG="${{ github.sha }}"
 HARBOR=192.168.0.110:5000
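Review bot: The rewritten `echo "$SSH_PRIVATE_KEY" > "${HOME}/.ssh/deploy_key"` still creates the key file under the runner's default umask and only narrows it afterwards with `chmod 600`, so on a runner shared with other local users the private key is briefly readable before the chmod lands; putting `umask 077` as the first line of the step, before `mkdir -p ~/.ssh`, closes that window and gives the `.ssh` directory a private mode as well. The same pattern appears in the hunk at -683 and in the 188 ops step at -808. Separately, the step now mixes `~/.ssh` (in `mkdir` and the `ssh-keyscan` redirect) with `${HOME}/.ssh`; unquoted tilde expansion in the shell follows `$HOME`, so the two agree here, but the LOGBOOK verification only greps for `SSH_OPTS=|~/.ssh/deploy_key`, and using `${HOME}` throughout would make that check meaningful and the intent obvious to the next reader. The `ssh ... << SECRETS` heredoc continues past the hunk.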
@@ -808,26 +808,26 @@ jobs:
 SSH_KEY_188: ${{ secrets.DEPLOY_SSH_KEY_188 }}
 run: |
 mkdir -p ~/.ssh
- echo "$SSH_KEY_188" > ~/.ssh/deploy_key_188
- chmod 600 ~/.ssh/deploy_key_188
+ echo "$SSH_KEY_188" > "${HOME}/.ssh/deploy_key_188"
+ chmod 600 "${HOME}/.ssh/deploy_key_188"
 ssh-keyscan 192.168.0.188 >> ~/.ssh/known_hosts 2>/dev/null
 # 同步 docker-health-monitor.sh
- scp -i ~/.ssh/deploy_key_188 \
+ scp -i "${HOME}/.ssh/deploy_key_188" \
 scripts/ops/docker-health-monitor.sh \
 ollama@192.168.0.188:~/awoooi-ops/docker-health-monitor.sh \
 && echo "✅ docker-health-monitor.sh 已同步" \
 || echo "⚠️ docker-health-monitor.sh 同步失敗"
 # 同步 pg-backup.sh
- scp -i ~/.ssh/deploy_key_188 \
+ scp -i "${HOME}/.ssh/deploy_key_188" \
 scripts/ops/pg-backup.sh \
 ollama@192.168.0.188:~/awoooi-ops/pg-backup.sh \
 && echo "✅ pg-backup.sh 已同步" \
 || echo "⚠️ pg-backup.sh 同步失敗"
 # 確保執行權限
- ssh -i ~/.ssh/deploy_key_188 ollama@192.168.0.188 \
+ ssh -i "${HOME}/.ssh/deploy_key_188" ollama@192.168.0.188 \
 "chmod +x ~/awoooi-ops/docker-health-monitor.sh ~/awoooi-ops/pg-backup.sh && echo '✅ 權限設定完成'" \
 || echo "⚠️ 權限設定失敗"
diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md
index 2c02bd32..f4f03c12 100644
--- a/docs/LOGBOOK.md
+++ b/docs/LOGBOOK.md
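Review bot: The three `-i "${HOME}/.ssh/deploy_key_188"` rewrites fix the key path, but the `scp`/`ssh` commands still rely on OpenSSH's default known_hosts location, which OpenSSH resolves from the passwd home directory, while `ssh-keyscan 192.168.0.188 >> ~/.ssh/known_hosts` writes under the shell-expanded `$HOME`; if those differ on this runner — the split the LOGBOOK entry attributes the `/root` failure to — the scanned key is never consulted and host verification depends on whatever lives in the passwd home. Adding `-o UserKnownHostsFile="${HOME}/.ssh/known_hosts" -o StrictHostKeyChecking=yes` to each of the three commands makes this step consistent with the K8s deploy steps at -445 and -683. Also, unlike those steps, the scan here has no `-T` timeout, discards stderr, and appends with `>>` on every run, so a changed or stale host key accumulates silently; `>` (or a pinned known_hosts entry supplied from a secret rather than scanned at run time) would be clearer.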
@@ -1,3 +1,15 @@
+## 2026-05-06 | Gitea CD SSH key path no longer expands to /root
+
+**背景**:`2c2bf9d6` 的 CD `build-and-deploy` 在 `Inject K8s Secrets` 失敗;runner 先把 deploy key 寫到 `${HOME}/.ssh/deploy_key`,但 `ssh -i ~/.ssh/deploy_key` 由 OpenSSH 展開成 `/root/.ssh/deploy_key`,導致 `Permission denied`。
+
+**本次修補**:
+- `.gitea/workflows/cd.yaml` 的 K8s deploy SSH_OPTS 改用 `${HOME}/.ssh/deploy_key` 絕對展開。
+- 同步修正 188 ops script 同步步驟的 `deploy_key_188` path,避免同類環境差異再次出現。
+
+**驗證**:
+- `rg "SSH_OPTS=|~/.ssh/deploy_key" .gitea/workflows/cd.yaml` 確認 K8s SSH_OPTS 已無 `~` path。
+- 待下一輪 CD 重新跑 `build-and-deploy` 與 `post-deploy-checks`。
+
 ## 2026-05-06 | AwoooP approval and MCP Gate 5 stop importing aioredis
 **背景**:整合計畫 P0-L 指出 AwoooP approval token service 與 MCP Gate 5 還在 runtime import `aioredis`;這會讓 approval / gateway path 在 Python 3.11+ 或套件漂移時直接壞掉,也繞過既有 Redis pool 管理。