ci: update workflow actions for node 24

This commit is contained in:
Haitao Pan 2026-06-26 19:05:39 +08:00
parent 338d057375
commit 974904be13


@ -18,7 +18,8 @@ name: Deploy AI Workspace (IaC + Ansible + Cloudflare)
# VULTR_API_KEY → Vultr 账号 API keyprovision 创主机)
# SSH_PRIVATE_DEPLOY_KEY_B64 → 部署 SSH 私钥 base64deploy 登录主机,优先)
# SSH_PRIVATE_DEPLOY_KEY → 同上原始多行格式(回退,二选一必填)
# CLOUDFLARE_DNS_API_TOKEN → CF Zone DNS Edit tokendns 同步)
# CLOUDFLARE_DNS_API_TOKEN → CF Zone DNS Edit tokendns 同步,兼容旧名)
# CLOUDFLARE_API_TOKEN → 同上Cloudflare 角色兼容别名
# kv/openclaw:
# DEEPSEEK_API_KEY → LLM provider keydeploy 注入主机)
# NVIDIA_API_KEY → 同上
@ -146,7 +147,7 @@ jobs:
steps:
- name: Load Vault secrets (OIDC)
id: vault
uses: hashicorp/vault-action@v2
uses: hashicorp/vault-action@v4
with:
url: ${{ env.VAULT_ADDR }}
method: jwt
@ -159,7 +160,9 @@ jobs:
${{ env.VAULT_KV }} TF_STATE_BUCKET | TF_STATE_BUCKET ;
${{ env.VAULT_KV }} TF_STATE_ACCESS_KEY | TF_STATE_ACCESS_KEY ;
${{ env.VAULT_KV }} TF_STATE_SECRET_KEY | TF_STATE_SECRET_KEY ;
${{ env.VAULT_KV }} TF_STATE_REGION | TF_STATE_REGION
${{ env.VAULT_KV }} TF_STATE_REGION | TF_STATE_REGION ;
${{ env.VAULT_KV }} CLOUDFLARE_DNS_API_TOKEN | CLOUDFLARE_DNS_API_TOKEN ;
${{ env.VAULT_KV }} CLOUDFLARE_API_TOKEN | CLOUDFLARE_API_TOKEN
- name: Validate required secrets
env:
@ -169,6 +172,8 @@ jobs:
TF_STATE_ACCESS_KEY: ${{ steps.vault.outputs.TF_STATE_ACCESS_KEY }}
TF_STATE_SECRET_KEY: ${{ steps.vault.outputs.TF_STATE_SECRET_KEY }}
TF_STATE_REGION: ${{ steps.vault.outputs.TF_STATE_REGION }}
CLOUDFLARE_DNS_API_TOKEN: ${{ steps.vault.outputs.CLOUDFLARE_DNS_API_TOKEN }}
CLOUDFLARE_API_TOKEN: ${{ steps.vault.outputs.CLOUDFLARE_API_TOKEN }}
run: |
set -euo pipefail
# 校验 REQUIRED 机密非空(不打印任何值,仅判空)。
@ -187,14 +192,14 @@ jobs:
[ "$missing" -eq 0 ] || { echo "::error::必需机密缺失,终止 provision"; exit 1; }
- name: Checkout iac_modules
uses: actions/checkout@v4
uses: actions/checkout@v7
with:
repository: ai-workspace-infra/iac_modules
ref: ${{ github.event.inputs.infra_ref || 'main' }}
path: infra/iac_modules
- name: Checkout playbooks
uses: actions/checkout@v4
uses: actions/checkout@v7
with:
repository: ai-workspace-infra/playbooks
ref: ${{ github.event.inputs.infra_ref || 'main' }}
@ -204,7 +209,7 @@ jobs:
with:
terraform_version: "1.9.8"
- uses: actions/setup-python@v5
- uses: actions/setup-python@v6
with:
python-version: "3.12"
@ -274,7 +279,7 @@ jobs:
- name: Upload CMDB + inventory artifact
if: ${{ (github.event.inputs.terraform_action || 'apply') == 'apply' }}
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
with:
name: ai-workspace-cmdb
path: |
@ -299,7 +304,7 @@ jobs:
# 跑官方引导脚本——与用户 self-host 的 curl|bash 完全同一路径。
- name: Load Vault secrets (OIDC)
id: vault
uses: hashicorp/vault-action@v2
uses: hashicorp/vault-action@v4
with:
url: ${{ env.VAULT_ADDR }}
method: jwt
@ -351,10 +356,10 @@ jobs:
[ "$missing" -eq 0 ] || { echo "::error::必需机密缺失,终止 deploy"; exit 1; }
- name: Checkout xworkspace-console helpers
uses: actions/checkout@v4
uses: actions/checkout@v7
- name: Download CMDB (host IP source)
uses: actions/download-artifact@v4
uses: actions/download-artifact@v8
with:
name: ai-workspace-cmdb
path: cmdb
@ -412,7 +417,7 @@ jobs:
steps:
- name: Load Vault secrets (OIDC)
id: vault
uses: hashicorp/vault-action@v2
uses: hashicorp/vault-action@v4
with:
url: ${{ env.VAULT_ADDR }}
method: jwt
@ -420,35 +425,37 @@ jobs:
jwtGithubAudience: vault
ignoreNotFound: true
secrets: |
${{ env.VAULT_KV }} CLOUDFLARE_DNS_API_TOKEN | CLOUDFLARE_DNS_API_TOKEN
${{ env.VAULT_KV }} CLOUDFLARE_DNS_API_TOKEN | CLOUDFLARE_DNS_API_TOKEN ;
${{ env.VAULT_KV }} CLOUDFLARE_API_TOKEN | CLOUDFLARE_API_TOKEN
- name: Validate required secrets
env:
CLOUDFLARE_DNS_API_TOKEN: ${{ steps.vault.outputs.CLOUDFLARE_DNS_API_TOKEN }}
CLOUDFLARE_API_TOKEN: ${{ steps.vault.outputs.CLOUDFLARE_API_TOKEN }}
run: |
set -euo pipefail
# 只校验 REQUIRED 机密非空不打印任何值仅判空INFRA_REPO_TOKEN 可选不校验。
missing=0
if [ -z "${CLOUDFLARE_DNS_API_TOKEN:-}" ]; then
if [ -z "${CLOUDFLARE_DNS_API_TOKEN:-}" ] && [ -z "${CLOUDFLARE_API_TOKEN:-}" ]; then
echo "::error::缺少必需机密 CLOUDFLARE_DNS_API_TOKEN (Vault: ${VAULT_KV}/CLOUDFLARE_DNS_API_TOKEN)"
missing=1
fi
[ "$missing" -eq 0 ] || { echo "::error::必需机密缺失,终止 dns"; exit 1; }
- name: Checkout playbooks
uses: actions/checkout@v4
uses: actions/checkout@v7
with:
repository: ai-workspace-infra/playbooks
ref: ${{ github.event.inputs.infra_ref || 'main' }}
path: infra/playbooks
- name: Download CMDB + inventory
uses: actions/download-artifact@v4
uses: actions/download-artifact@v8
with:
name: ai-workspace-cmdb
path: cmdb
- uses: actions/setup-python@v5
- uses: actions/setup-python@v6
with:
python-version: "3.12"
@ -459,6 +466,7 @@ jobs:
working-directory: ${{ env.PLAYBOOKS_DIR }}
env:
CLOUDFLARE_DNS_API_TOKEN: ${{ steps.vault.outputs.CLOUDFLARE_DNS_API_TOKEN }}
CLOUDFLARE_API_TOKEN: ${{ steps.vault.outputs.CLOUDFLARE_API_TOKEN }}
run: |
set -euo pipefail
# 只为本次新建的 ai_workspace 组主机同步 A 记录(域名取各主机
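Review bot: The guard `if [ -z "${CLOUDFLARE_DNS_API_TOKEN:-}" ] && [ -z "${CLOUDFLARE_API_TOKEN:-}" ]; then` now accepts either secret name, but the `::error::` line directly below it still names only CLOUDFLARE_DNS_API_TOKEN, so an operator reading the failure is not told that the CLOUDFLARE_API_TOKEN alias is honoured as well; change it to `echo "::error::缺少必需机密 CLOUDFLARE_DNS_API_TOKEN 或 CLOUDFLARE_API_TOKEN (Vault: ${VAULT_KV}/CLOUDFLARE_DNS_API_TOKEN)"` (the value itself is still never printed, which is right). The provision job's validate step now also receives `CLOUDFLARE_API_TOKEN` in its env, but its condition lies outside that hunk (it ends at the `# 校验 REQUIRED 机密非空` comment), so if it was given the same dual-name check it presumably needs the same message fix. Separately, every bumped `uses:` line (`actions/checkout@v7`, `actions/download-artifact@v8`, `hashicorp/vault-action@v4`, `actions/setup-python@v6`, `actions/upload-artifact@v7`) still references a mutable major tag. These jobs exchange an OIDC token for Vault-held Vultr, Cloudflare and Terraform-state credentials, so pinning each action to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<commit-sha> # v7`, would keep a retargeted tag from running unreviewed code with those secrets in scope.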