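---
# Gitea Actions workflow for the admin SPA in ./admin.
# Job graph: test-and-build -> deploy (main only) and security-scan in parallel;
# rollback runs only when deploy fails and restores the newest backup taken by
# deploy itself.
# NOTE(review): every action is pinned by tag (v4, v1, v3, v1.0.0, v0.1.4) and Bun
# to `latest`; pinning to exact versions / commit SHAs would make builds reproducible.
name: 部署管理后台

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
    paths:
      - 'admin/**'
      - '.gitea/workflows/deploy-admin.yml'
  workflow_dispatch:

jobs:
  test-and-build:
    name: 🧪 测试和构建
    runs-on: ubuntu-latest
    steps:
      - name: 📥 检出代码
        uses: actions/checkout@v4

      - name: 🥖 设置 Bun 环境
        uses: oven-sh/setup-bun@v1
        with:
          bun-version: latest

      - name: 📦 安装依赖
        working-directory: ./admin
        run: bun install --frozen-lockfile

      - name: 🔍 代码检查
        working-directory: ./admin
        run: |
          bun run lint
          bun run type-check

      - name: 🎨 格式检查
        working-directory: ./admin
        run: bun run format

      - name: 🧪 运行测试
        working-directory: ./admin
        run: bun run test

      # A non-zero exit from `bun audit` fails this job and therefore blocks deploy.
      - name: 🔒 安全审计
        working-directory: ./admin
        run: bun audit

      - name: 🏗️ 构建生产版本
        working-directory: ./admin
        env:
          VITE_APP_TITLE: 摄影作品集管理后台
          VITE_API_BASE_URL: 'https://api.photography.iriver.top'
          VITE_UPLOAD_URL: 'https://api.photography.iriver.top/upload'
        run: bun run build

      - name: 📊 构建分析
        working-directory: ./admin
        run: |
          echo "📦 构建产物分析:"
          du -sh dist/
          echo "📁 文件列表:"
          # Parenthesised so -type f applies to both patterns; without the parens
          # `-o` binds looser than the implicit `-a`, and "*.css" ignores -type f.
          find dist/ -type f \( -name "*.js" -o -name "*.css" \) | head -10
          echo "📈 文件大小统计:"
          find dist/ -type f \( -name "*.js" -o -name "*.css" \) -exec ls -lh {} + | awk '{print $5, $9}' | sort -hr | head -10

      # This artifact is what the deploy job ships, so the bundle that was linted,
      # tested and audited above is the bundle that reaches production.
      - name: 📦 打包构建产物
        uses: actions/upload-artifact@v3
        with:
          name: admin-dist
          path: admin/dist/
          retention-days: 7

  deploy:
    name: 🚀 部署到生产环境
    runs-on: ubuntu-latest
    needs: test-and-build
    if: github.ref == 'refs/heads/main'
    steps:
      # Reuse the tested artifact instead of rebuilding; a second build here could
      # silently diverge from what test-and-build verified.
      - name: 📥 下载构建产物
        uses: actions/download-artifact@v3
        with:
          name: admin-dist
          path: admin/dist

      - name: 📊 压缩构建产物
        working-directory: ./admin
        run: |
          # tar and gzip ship with the runner image, so no package installation
          # (and no rewriting of /etc/apt/sources.list with sudo) is needed.
          tar -czf admin-dist.tar.gz -C dist .
          echo "压缩完成: $(ls -lh admin-dist.tar.gz)"

      - name: 🚀 部署到服务器
        uses: appleboy/ssh-action@v1.0.0
        with:
          host: ${{ secrets.HOST }}
          username: ${{ secrets.USERNAME }}
          key: ${{ secrets.SSH_KEY }}
          port: ${{ secrets.PORT }}
          script: |
            # Stop on the first error: otherwise the step's status is that of the
            # last command only, and a failed backup would still report success.
            set -eu
            ADMIN_DIR="/home/gitea/www/photography-admin"
            BACKUP_DIR="/home/gitea/backups/photography-admin"
            TEMP_DIR="/tmp/photography-admin-deploy"

            echo "🚀 开始部署管理后台..."
            mkdir -p "$TEMP_DIR" "$BACKUP_DIR"

            # Snapshot the currently served version so the rollback job can restore it.
            if [ -d "$ADMIN_DIR" ] && [ "$(ls -A "$ADMIN_DIR")" ]; then
              echo "📦 备份当前版本..."
              BACKUP_NAME="admin-$(date +%Y%m%d-%H%M%S).tar.gz"
              tar -czf "$BACKUP_DIR/$BACKUP_NAME" -C "$ADMIN_DIR" .
              echo "✅ 备份完成: $BACKUP_NAME"
              # Keep only the 10 most recent backups.
              cd "$BACKUP_DIR"
              ls -t admin-*.tar.gz | tail -n +11 | xargs -r rm --
              echo "🧹 清理旧备份完成"
            fi

            echo "📁 准备部署目录..."
            mkdir -p "$ADMIN_DIR"

      - name: 📤 上传构建产物
        uses: appleboy/scp-action@v0.1.4
        with:
          host: ${{ secrets.HOST }}
          username: ${{ secrets.USERNAME }}
          key: ${{ secrets.SSH_KEY }}
          port: ${{ secrets.PORT }}
          source: admin/admin-dist.tar.gz
          target: /tmp/photography-admin-deploy/
          strip_components: 1

      - name: 🔄 解压并部署
        uses: appleboy/ssh-action@v1.0.0
        with:
          host: ${{ secrets.HOST }}
          username: ${{ secrets.USERNAME }}
          key: ${{ secrets.SSH_KEY }}
          port: ${{ secrets.PORT }}
          script: |
            set -eu
            ADMIN_DIR="/home/gitea/www/photography-admin"
            TEMP_DIR="/tmp/photography-admin-deploy"
            ARCHIVE="$TEMP_DIR/admin-dist.tar.gz"

            echo "🔄 校验新版本..."
            # Verify the archive before touching the live directory, so a truncated
            # or missing upload never leaves the site empty.
            tar -tzf "$ARCHIVE" > /dev/null

            echo "📂 部署新版本..."
            # Extract straight into the web root. The previous `cp -r *` from the
            # temp dir also copied the tarball itself into the served directory.
            # The site is briefly empty between the rm and the extract.
            rm -rf "$ADMIN_DIR"/*
            tar -xzf "$ARCHIVE" -C "$ADMIN_DIR"

            echo "🔐 设置文件权限..."
            # Static assets need no execute bit: directories 755, every file 644.
            chown -R gitea:gitea "$ADMIN_DIR"
            find "$ADMIN_DIR" -type d -exec chmod 755 {} +
            find "$ADMIN_DIR" -type f -exec chmod 644 {} +

            echo "🧹 清理临时文件..."
            rm -rf "$TEMP_DIR"

            echo "✅ 管理后台部署完成!"
            echo "📊 部署统计:"
            echo "文件数量: $(find "$ADMIN_DIR" -type f | wc -l)"
            echo "目录大小: $(du -sh "$ADMIN_DIR")"

      - name: 🔍 健康检查
        uses: appleboy/ssh-action@v1.0.0
        with:
          host: ${{ secrets.HOST }}
          username: ${{ secrets.USERNAME }}
          key: ${{ secrets.SSH_KEY }}
          port: ${{ secrets.PORT }}
          script: |
            set -eu
            ADMIN_DIR="/home/gitea/www/photography-admin"

            echo "🔍 执行健康检查..."
            if [ -f "$ADMIN_DIR/index.html" ]; then
              echo "✅ index.html 文件存在"
            else
              echo "❌ index.html 文件不存在"
              exit 1
            fi

            # Reload Caddy before probing so the probe observes the reloaded service;
            # a failed reload fails this job and triggers the rollback job.
            sudo systemctl reload caddy
            echo "🔄 Caddy 配置已重新加载"

            # Local reachability probe; a failure here is reported but not fatal.
            sleep 5
            if curl -f -s -S -o /dev/null --max-time 15 https://admin.photography.iriver.top; then
              echo "✅ 管理后台访问正常"
            else
              echo "⚠️ 管理后台访问异常,请检查 Caddy 配置"
            fi

  rollback:
    name: 🔄 回滚部署
    runs-on: ubuntu-latest
    if: failure() && github.ref == 'refs/heads/main'
    needs: deploy
    steps:
      - name: 🔄 执行回滚
        uses: appleboy/ssh-action@v1.0.0
        with:
          host: ${{ secrets.HOST }}
          username: ${{ secrets.USERNAME }}
          key: ${{ secrets.SSH_KEY }}
          port: ${{ secrets.PORT }}
          script: |
            set -eu
            ADMIN_DIR="/home/gitea/www/photography-admin"
            BACKUP_DIR="/home/gitea/backups/photography-admin"

            echo "🔄 开始回滚管理后台..."
            # The newest backup is the snapshot the failed deploy took before
            # replacing the previous version.
            LATEST_BACKUP=$(ls -t "$BACKUP_DIR"/admin-*.tar.gz 2>/dev/null | head -n 1)

            if [ -n "$LATEST_BACKUP" ]; then
              echo "📦 找到备份文件: $LATEST_BACKUP"
              # Validate the archive before clearing the live directory.
              tar -tzf "$LATEST_BACKUP" > /dev/null
              rm -rf "$ADMIN_DIR"/*
              tar -xzf "$LATEST_BACKUP" -C "$ADMIN_DIR"
              # Same permission scheme as the deploy step: dirs 755, files 644.
              chown -R gitea:gitea "$ADMIN_DIR"
              find "$ADMIN_DIR" -type d -exec chmod 755 {} +
              find "$ADMIN_DIR" -type f -exec chmod 644 {} +
              sudo systemctl reload caddy
              echo "✅ 回滚完成"
            else
              echo "❌ 未找到备份文件,无法回滚"
              exit 1
            fi

  security-scan:
    name: 🔒 安全扫描
    runs-on: ubuntu-latest
    needs: test-and-build
    steps:
      - name: 📥 检出代码
        uses: actions/checkout@v4

      - name: 🥖 设置 Bun 环境
        uses: oven-sh/setup-bun@v1
        with:
          bun-version: latest

      - name: 📦 安装依赖
        working-directory: ./admin
        run: bun install --frozen-lockfile

      # Runs in parallel with deploy, so its findings do not gate the deployment;
      # the `bun audit` step inside test-and-build is what blocks a vulnerable build.
      - name: 🔒 运行安全扫描
        working-directory: ./admin
        run: |
          echo "🔍 扫描已知漏洞..."
          bun audit
          echo "📊 依赖分析..."
          echo "依赖数量: $(bun pm ls --depth=0 | wc -l)"
          echo "🔍 检查过时依赖..."
          # Informational only; outdated packages must not fail the job.
          bun outdated || true

      - name: 📊 生成安全报告
        working-directory: ./admin
        run: |
          echo "# 安全扫描报告 (Bun)" > security-report.md
          echo "## 日期: $(date)" >> security-report.md
          echo "## 依赖统计" >> security-report.md
          echo "依赖数量: $(bun pm ls --depth=0 | wc -l)" >> security-report.md
          echo "## Bun 版本" >> security-report.md
          bun --version >> security-report.md

      - name: 📤 上传安全报告
        uses: actions/upload-artifact@v3
        with:
          name: security-report
          path: admin/security-report.md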