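---
# Gitea Actions workflow for the admin console under admin/: on every push
# that touches it, run the checks and build, scan the dependencies, and deploy
# the tested bundle to the production host when the ref is main.
name: 部署管理后台

on:
  push:
    branches: [main]
    paths:
      - 'admin/**'
      - '.gitea/workflows/deploy-admin.yml'
  workflow_dispatch:

env:
  # NOTE(review): 'latest' makes builds non-reproducible across runs; pin a
  # specific Bun release once one is agreed on.
  BUN_VERSION: 'latest'
  # Build-time Vite configuration, shared by every job that builds admin/
  VITE_APP_TITLE: 摄影作品集管理后台
  VITE_API_BASE_URL: https://api.photography.iriver.top
  VITE_UPLOAD_URL: https://api.photography.iriver.top/upload

jobs:
  test-and-build:
    name: 🧪 测试和构建
    runs-on: ubuntu-latest
    steps:
      - name: 📥 检出代码
        uses: actions/checkout@v4

      - name: 🥖 设置 Bun 环境
        uses: oven-sh/setup-bun@v1
        with:
          bun-version: ${{ env.BUN_VERSION }}

      - name: 💾 缓存 Bun 依赖
        uses: actions/cache@v4
        with:
          path: |
            ~/.bun/install/cache
            admin/node_modules
          # Keyed on the admin lockfile only; a stale cache is still usable
          # through restore-keys because `bun install --frozen-lockfile`
          # reconciles it against the lockfile.
          key: ${{ runner.os }}-bun-${{ hashFiles('admin/bun.lock') }}
          restore-keys: |
            ${{ runner.os }}-bun-

      - name: 📦 安装依赖
        working-directory: ./admin
        run: bun install --frozen-lockfile

      - name: 🏗️ 并行检查和构建
        working-directory: ./admin
        run: |
          set -eu
          # Run the checks concurrently. A bare `wait` always exits 0, so each
          # background job is waited on by PID; otherwise a failing
          # lint/type-check/build would never fail this step.
          # NOTE(review): if `bun run format` rewrites files it races with the
          # other three; run it first, or in a check-only mode, in that case.
          bun run lint & lint_pid=$!
          bun run type-check & type_pid=$!
          bun run format & format_pid=$!
          bun run build & build_pid=$!
          status=0
          for pid in "$lint_pid" "$type_pid" "$format_pid" "$build_pid"; do
            wait "$pid" || status=1
          done
          exit "$status"

      - name: 📊 构建分析
        working-directory: ./admin
        run: |
          echo "📦 构建产物分析:"
          du -sh dist/ | cut -f1
          echo "📁 文件数量: $(find dist/ -type f | wc -l)"

      # The deploy job ships this exact artifact; one day is enough to cover
      # the hand-off.
      - name: 📦 打包构建产物
        uses: actions/upload-artifact@v3
        with:
          name: admin-dist-${{ github.sha }}
          path: admin/dist/
          retention-days: 1

  deploy:
    name: 🚀 部署到生产环境
    runs-on: ubuntu-latest
    needs: test-and-build
    if: github.ref == 'refs/heads/main'
    steps:
      # Deploy the bundle that test-and-build produced and checked instead of
      # rebuilding it here, so what reaches production is exactly what passed.
      - name: 📥 下载构建产物
        uses: actions/download-artifact@v3
        with:
          name: admin-dist-${{ github.sha }}
          path: admin/dist

      - name: 📤 上传文件到服务器
        uses: appleboy/scp-action@v0.1.6
        with:
          host: ${{ secrets.ALIYUN_IP }}
          username: ${{ secrets.ALIYUN_USER_NAME }}
          # NOTE(review): password-based SSH; both appleboy actions also accept
          # a private key via `key`, which is the better fit for a CI deploy
          # user (scoped, rotatable, no interactive-login credential in CI).
          password: ${{ secrets.ALIYUN_PWD }}
          port: 22
          # scp-action keeps the source path, so files land under
          # /tmp/admin-build/admin/dist/ on the host.
          source: "admin/dist/"
          target: "/tmp/admin-build"
          rm: true

      - name: 🔄 部署文件到生产目录
        uses: appleboy/ssh-action@v1.0.0
        with:
          host: ${{ secrets.ALIYUN_IP }}
          username: ${{ secrets.ALIYUN_USER_NAME }}
          password: ${{ secrets.ALIYUN_PWD }}
          port: 22
          script: |
            set -eu
            echo "🔄 部署管理后台到生产目录..."
            ADMIN_DIR="/home/gitea/www/photography-admin"
            SRC_DIR="/tmp/admin-build/admin/dist"
            NEW_DIR="${ADMIN_DIR}.new"
            OLD_DIR="${ADMIN_DIR}.old"
            # Stage the new bundle beside the live directory and swap it in,
            # so the site is never left empty if the copy fails part-way.
            rm -rf "$NEW_DIR" "$OLD_DIR"
            mkdir -p "$NEW_DIR"
            cp -r "$SRC_DIR"/. "$NEW_DIR"/
            # Static assets: directories need 755, files only 644
            find "$NEW_DIR" -type d -exec chmod 755 {} +
            find "$NEW_DIR" -type f -exec chmod 644 {} +
            chown -R gitea:gitea "$NEW_DIR"
            if [ -d "$ADMIN_DIR" ]; then
              mv "$ADMIN_DIR" "$OLD_DIR"
            fi
            mv "$NEW_DIR" "$ADMIN_DIR"
            # Drop the previous release and the upload staging area
            rm -rf "$OLD_DIR" /tmp/admin-build
            echo "📋 验证部署文件..."
            ls -la "$ADMIN_DIR"/ | head -10
            echo "✅ 管理后台部署完成!"

      - name: 🔍 健康检查
        uses: appleboy/ssh-action@v1.0.0
        with:
          host: ${{ secrets.ALIYUN_IP }}
          username: ${{ secrets.ALIYUN_USER_NAME }}
          password: ${{ secrets.ALIYUN_PWD }}
          port: 22
          script: |
            set -eu
            ADMIN_DIR="/home/gitea/www/photography-admin"
            echo "🔍 执行健康检查..."
            if [ -f "$ADMIN_DIR/index.html" ]; then
              echo '✅ index.html 文件存在'
            else
              echo '❌ index.html 文件不存在'
              exit 1
            fi
            # Reload Caddy before probing, so the probe sees the live
            # configuration; a failed reload fails the job (set -e).
            sudo systemctl reload caddy
            echo '🔄 Caddy 配置已重新加载'
            sleep 3
            # Advisory only: an unreachable site is reported, not fatal
            if curl -f -s -o /dev/null https://admin.photography.iriver.top; then
              echo '✅ 管理后台访问正常'
            else
              echo '⚠️ 管理后台访问异常,请检查 Caddy 配置'
            fi

  # Informational scan; it never fails and the deploy job does not wait on it.
  security-scan:
    name: 🔒 安全扫描
    runs-on: ubuntu-latest
    needs: test-and-build
    steps:
      - name: 📥 检出代码
        uses: actions/checkout@v4

      - name: 🥖 设置 Bun 环境
        uses: oven-sh/setup-bun@v1
        with:
          bun-version: ${{ env.BUN_VERSION }}

      - name: 💾 缓存 Bun 依赖
        uses: actions/cache@v4
        with:
          path: |
            ~/.bun/install/cache
            admin/node_modules
          key: ${{ runner.os }}-bun-${{ hashFiles('admin/bun.lock') }}
          restore-keys: |
            ${{ runner.os }}-bun-

      - name: 📦 安装依赖
        working-directory: ./admin
        run: bun install --frozen-lockfile

      - name: 🔒 运行安全扫描
        working-directory: ./admin
        run: |
          echo "🔍 扫描已知漏洞..."
          # Advisory only: findings are printed but do not fail the job
          bun audit || echo "⚠️ 发现安全警告,请手动检查"
          echo "📊 依赖分析..."
          echo "依赖数量: $(bun pm ls --depth=0 | wc -l)"
          echo "🔍 检查过时依赖..."
          bun outdated || true

      - name: 📊 生成安全报告
        working-directory: ./admin
        run: |
          # Written as one group so the report is produced in a single write;
          # the audit output is included so the report carries the findings
          # rather than only the dependency count.
          {
            echo "# 安全扫描报告 (Bun)"
            echo "## 日期: $(date)"
            echo "## 依赖统计"
            echo "依赖数量: $(bun pm ls --depth=0 | wc -l)"
            echo "## Bun 版本"
            bun --version
            echo "## 漏洞审计"
            bun audit || true
          } > security-report.md

      - name: 📤 上传安全报告
        uses: actions/upload-artifact@v3
        with:
          name: security-report-${{ github.sha }}
          path: admin/security-report.md
          retention-days: 7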