diff --git a/.github/workflows/deploy-ai-workspace-iac.yaml b/.github/workflows/deploy-ai-workspace-iac.yaml
index f2bebee..ddd2b28 100644
--- a/.github/workflows/deploy-ai-workspace-iac.yaml
+++ b/.github/workflows/deploy-ai-workspace-iac.yaml
@@ -43,11 +43,14 @@ name: Deploy AI Workspace (IaC + Ansible + Cloudflare)
 # ai-workspace-infra/vultr-vps/config/resources/ai-workspace-hosts.yaml
 # 的 ssh_keys[].public,否则 Terraform 创机后 runner 无法 SSH 登录。
 #
-# 7. AI_WORKSPACE_AUTH_TOKEN(LiteLLM 认证 token,存储在 Vault)
-# - 用于 OpenCode ACP adapter 的 LITELLM_MASTER_KEY
+# 7. AI_WORKSPACE_AUTH_TOKEN(统一服务 token:LiteLLM master key / bridge / vault 等)
+# - 三级优先级(on-host installer resolve_unified_auth_token 统一解析):
+# 1) workflow_dispatch 输入 ai_workspace_auth_token(非空时覆盖)
+# 2) Vault kv/CICD/AI_WORKSPACE_AUTH_TOKEN(输入留空时回退)
+# 3) 两者皆空:installer 复用 ~/.ai_workspace_auth_token 或自动生成并持久化
 # - 存储位置:vault kv patch kv/CICD AI_WORKSPACE_AUTH_TOKEN=
 # - TLDR 生成:python3 -c 'import uuid; print(uuid.uuid4())'
-# - 部署时自动从 Vault 读取,注入 ansible role 的 acp_opencode_auth_token
+# - 经 run-on-host-bootstrap.sh 透传到主机 env,注入 all-in-one 各 role
 #
 # ── 流水线结构 ───────────────────────────────────────────────────────────────
 #
@@ -327,7 +330,8 @@ jobs:
 ${{ env.VAULT_KV }} SSH_PRIVATE_DEPLOY_KEY_B64 | ANSIBLE_SSH_KEY_B64 ;
 ${{ env.VAULT_KV_OPENCLAW }} DEEPSEEK_API_KEY | DEEPSEEK_API_KEY ;
 ${{ env.VAULT_KV_OPENCLAW }} NVIDIA_API_KEY | NVIDIA_API_KEY ;
- ${{ env.VAULT_KV_OPENCLAW }} OLLAMA_API_KEY | OLLAMA_API_KEY
+ ${{ env.VAULT_KV_OPENCLAW }} OLLAMA_API_KEY | OLLAMA_API_KEY ;
+ ${{ env.VAULT_KV }} AI_WORKSPACE_AUTH_TOKEN | AI_WORKSPACE_AUTH_TOKEN
 - name: Report provider key wiring
 run: |
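Review bot: The three-level fallback the header in the first hunk documents (dispatch input → Vault → on-host generate-and-persist) only reaches level 3 if the Vault step tolerates a missing `AI_WORKSPACE_AUTH_TOKEN` key; with hashicorp/vault-action's default behaviour, as far as I recall, a listed secret that is not found fails the step, so the new `${{ env.VAULT_KV }} AI_WORKSPACE_AUTH_TOKEN | AI_WORKSPACE_AUTH_TOKEN` line would make every deploy require the key to be seeded first. The `uses:` line and the rest of this step's `with:` block are outside the hunk, so which action and options are in effect is not visible here. If the key is meant to be optional, either state in the header that it must be seeded with the documented `vault kv patch kv/CICD AI_WORKSPACE_AUTH_TOKEN=...` before the first run, or fetch it in its own step with `continue-on-error: true` so a missing key falls through to the installer. In either case a one-line comment above the new line, `# optional: when absent in Vault the on-host installer generates and persists a token`, would make the intended contract explicit.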
@@ -414,7 +418,9 @@ jobs:
 # 离线包重新发布后可设为 auto 恢复离线加速。
 AI_WORKSPACE_OFFLINE_MODE: ${{ github.event.inputs.offline_mode || 'off' }}
 XWORKMATE_BRIDGE_DOMAIN: ${{ github.event.inputs.bridge_domain }}
- AI_WORKSPACE_AUTH_TOKEN: ${{ github.event.inputs.ai_workspace_auth_token }}
+ # input 非空则覆盖;否则取 Vault kv/CICD/AI_WORKSPACE_AUTH_TOKEN;
+ # 两者皆空时由 on-host installer (resolve_unified_auth_token) 自动生成并持久化。
+ AI_WORKSPACE_AUTH_TOKEN: ${{ github.event.inputs.ai_workspace_auth_token != '' && github.event.inputs.ai_workspace_auth_token || steps.vault.outputs.AI_WORKSPACE_AUTH_TOKEN }}
 DEEPSEEK_API_KEY: ${{ github.event.inputs.use_deepseek == 'false' && '' || steps.vault.outputs.DEEPSEEK_API_KEY }}
 NVIDIA_API_KEY: ${{ github.event.inputs.use_nvidia == 'false' && '' || steps.vault.outputs.NVIDIA_API_KEY }}
 OLLAMA_API_KEY: ${{ github.event.inputs.use_ollama == 'false' && '' || steps.vault.outputs.OLLAMA_API_KEY }}
diff --git a/scripts/run-on-host-bootstrap.sh b/scripts/run-on-host-bootstrap.sh
index 888c5f2..611b1b4 100644
--- a/scripts/run-on-host-bootstrap.sh
+++ b/scripts/run-on-host-bootstrap.sh
@@ -46,6 +46,8 @@ trap 'rm -f "$remote_payload"' EXIT
 {
 printf 'AI_WORKSPACE_OFFLINE_MODE=%q\n' "${AI_WORKSPACE_OFFLINE_MODE:-off}"
 printf 'XWORKMATE_BRIDGE_DOMAIN=%q\n' "$domain"
+ # 空则不写,让 on-host installer 的 resolve_unified_auth_token 走"复用持久化/自动生成"分支。
+ printf 'AI_WORKSPACE_AUTH_TOKEN=%q\n' "${AI_WORKSPACE_AUTH_TOKEN:-}"
 printf 'DEEPSEEK_API_KEY=%q\n' "${DEEPSEEK_API_KEY:-}"
 printf 'NVIDIA_API_KEY=%q\n' "${NVIDIA_API_KEY:-}"
 printf 'OLLAMA_API_KEY=%q\n' "${OLLAMA_API_KEY:-}"
@@ -67,7 +69,7 @@ fi
 (
 set +e
 source "$remote_env"
- export AI_WORKSPACE_OFFLINE_MODE XWORKMATE_BRIDGE_DOMAIN DEEPSEEK_API_KEY NVIDIA_API_KEY OLLAMA_API_KEY
+ export AI_WORKSPACE_OFFLINE_MODE XWORKMATE_BRIDGE_DOMAIN AI_WORKSPACE_AUTH_TOKEN DEEPSEEK_API_KEY NVIDIA_API_KEY OLLAMA_API_KEY
 bash -lc 'curl -sfL https://install.svc.plus/ai-workspace | bash -'
 rc=$?
 printf '%s\n' "$rc" > "$remote_rc"
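Review bot: When the new `AI_WORKSPACE_AUTH_TOKEN:` expression selects `github.event.inputs.ai_workspace_auth_token`, the token is a plain `workflow_dispatch` input rather than a secret, so it is not masked in the job log the way the value fetched by the Vault step is; any `set -x`, environment dump or payload-file listing later in the job would print it in clear. A short step placed before this one, guarded by `if: github.event.inputs.ai_workspace_auth_token != ''`, that passes the input in through `env:` and runs `echo "::add-mask::$AI_WORKSPACE_AUTH_TOKEN"` registers it as masked for the rest of the job. The `env:` block this line belongs to and the step that owns it start outside the hunk, so the `steps.vault` id and the step ordering are assumed here rather than verified.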
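Review bot: The new comment says an empty token is not written (`空则不写`), but `printf 'AI_WORKSPACE_AUTH_TOKEN=%q\n' "${AI_WORKSPACE_AUTH_TOKEN:-}"` writes `AI_WORKSPACE_AUTH_TOKEN=''` unconditionally, and after `source "$remote_env"` plus the `export` added in the next hunk the installer sees the variable set-but-empty rather than unset. Whether `resolve_unified_auth_token` then takes its reuse/generate branch depends on whether it tests emptiness or set-ness, which is not visible from here; making the script match its comment removes the question: `if [ -n "${AI_WORKSPACE_AUTH_TOKEN:-}" ]; then printf 'AI_WORKSPACE_AUTH_TOKEN=%q\n' "$AI_WORKSPACE_AUTH_TOKEN"; fi`. The `export` in the following hunk should keep working either way, since exporting a name that was never assigned puts nothing into the child environment. The `{ … }` group that builds the payload starts in this hunk and closes outside it.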