From ee187dcb790e36a2c32421b1e6f98df70fdc6ef4 Mon Sep 17 00:00:00 2001
From: OG T
Date: Mon, 6 Apr 2026 14:45:20 +0800
Subject: [PATCH] =?UTF-8?q?ci(cd):=20CD=20=E8=87=AA=E5=8B=95=E5=BB=BA?= =?UTF-8?q?=E7=AB=8B=20awoooi-repair-known-hosts=20Secret=20(Sprint=203=20?= =?UTF-8?q?T2=20=E9=96=89=E7=92=B0)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

每次部署時 ssh-keyscan .110/.188 並 kubectl apply secret 替換 StrictHostKeyChecking=no — Security Fix A1

Co-Authored-By: Claude Sonnet 4.6
---
 .gitea/workflows/cd.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/.gitea/workflows/cd.yaml b/.gitea/workflows/cd.yaml
index 7b3315b9..fb10c118 100644
--- a/.gitea/workflows/cd.yaml
+++ b/.gitea/workflows/cd.yaml
@@ -261,6 +261,22 @@ jobs:
 echo "⚠️ GITEA_WEBHOOK_SECRET 未設定,Gitea Webhook 簽章驗證將在 prod 失效"
 fi
 
+ # 2026-04-06 Claude Code: Sprint 3 T2 — known_hosts Secret (Security Fix A1)
+ # 替換 StrictHostKeyChecking=no,讓 SSH 修復路徑使用已知主機指紋
+ ssh-keyscan -H 192.168.0.110 > /tmp/known_hosts_repair 2>/dev/null
+ ssh-keyscan -H 192.168.0.188 >> /tmp/known_hosts_repair 2>/dev/null
+ if [ -s /tmp/known_hosts_repair ]; then
+ sudo kubectl create secret generic awoooi-repair-known-hosts \
+ -n awoooi-prod \
+ --from-file=known_hosts=/tmp/known_hosts_repair \
+ --dry-run=client -o yaml | sudo kubectl apply -f - \
+ && echo "✅ awoooi-repair-known-hosts Secret 已建立/更新" \
+ || echo "⚠️ awoooi-repair-known-hosts Secret 建立失敗 (非致命)"
+ rm -f /tmp/known_hosts_repair
+ else
+ echo "⚠️ ssh-keyscan 掃描失敗,跳過 known_hosts Secret"
+ fi
+
 
 echo "✅ 所有 Secrets 注入完成"
 SECRETS
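Review bot: The keys written to the Secret are whatever answers at 192.168.0.110 and 192.168.0.188 at the moment of this deploy, so the two ssh-keyscan lines still trust the network at scan time — a changed or impersonated host key is accepted and rolled into awoooi-repair-known-hosts with no signal, which is the exposure StrictHostKeyChecking=no had, moved one step earlier rather than removed. Pin the fingerprints instead: keep a reviewed known_hosts file in the repo and build the Secret with `--from-file=known_hosts=<path-to-committed-known_hosts>`, or at minimum compare the fresh scan against the existing Secret's data and fail the step on a mismatch instead of overwriting it. Separately, `2>/dev/null` on both scans hides the failure reason, and the `[ -s ... ]` check passes when only one host answered, so a Secret missing one host's entry is reported as "已建立/更新"; checking each scan's exit status (or that the file holds an entry per host) would make the warning branch honest. The fixed `/tmp/known_hosts_repair` path should also come from `mktemp`, since a predictable name is writable by anything else on the runner if it is shared. The heredoc and `run:` step this block belongs to start before the hunk.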