

3 Commits

b882141823 ci: remove AI_WORKSPACE_AUTH_TOKEN from vault-action reads
vault-action ignoreNotFound only suppresses path-level 404, not missing
keys within an existing path. Token is now sourced exclusively from the
ai_workspace_auth_token workflow_dispatch input.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-28 16:52:53 +08:00
6257cd41ea backport: support customizable AI_WORKSPACE_AUTH_TOKEN in deployment workflow 2026-06-28 16:32:30 +08:00
b9c649af68
ci: backport release/* source validation workflow to release/v1.1.5 (#3)
让现有 release/v1.1.5 分支自身包含门禁 workflow(pull_request_target 用 base 分支版本)。
详见 iac_modules/docs/tldr-github-branch-model.md

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 12:41:18 +08:00
2 changed files with 59 additions and 0 deletions


@ -43,6 +43,15 @@ name: Deploy AI Workspace (IaC + Ansible + Cloudflare)
# ai-workspace-infra/vultr-vps/config/resources/ai-workspace-hosts.yaml
# 的 ssh_keys[].public否则 Terraform 创机后 runner 无法 SSH 登录。
#
# 7. AI_WORKSPACE_AUTH_TOKENLiteLLM 认证 token存储在 Vault
# - 用于 OpenCode ACP adapter 的 LITELLM_MASTER_KEY
# - 存储位置vault kv patch kv/CICD AI_WORKSPACE_AUTH_TOKEN=<your-token>
# - TLDR 生成非常简单:
# • Python: python3 -c 'import uuid; print(uuid.uuid4())'
# • macOS: openssl rand -hex 32
# • Linux: openssl rand -base64 32
# - 部署时自动从 Vault 读取,注入 ansible role 的 acp_opencode_auth_token
#
# ── 流水线结构 ───────────────────────────────────────────────────────────────
#
# provision : 批量起机模式开关terraform_action=apply / run_deploy
@ -114,6 +123,11 @@ on:
required: false
default: true
type: boolean
ai_workspace_auth_token:
description: "自定义覆盖 AI Workspace auth token留空则使用 Vault kv/CICD/AI_WORKSPACE_AUTH_TOKEN— TLDR 生成python3 -c 'import uuid; print(uuid.uuid4())' 或 openssl rand -hex 32"
required: false
default: ""
type: string
# id-token: write 用于 Vault 的 GitHub OIDC(JWT) 认证contents: read 拉代码
permissions:
@ -403,6 +417,7 @@ jobs:
# 离线包重新发布后可设为 auto 恢复离线加速。
AI_WORKSPACE_OFFLINE_MODE: ${{ github.event.inputs.offline_mode || 'off' }}
XWORKMATE_BRIDGE_DOMAIN: ${{ github.event.inputs.bridge_domain }}
AI_WORKSPACE_AUTH_TOKEN: ${{ github.event.inputs.ai_workspace_auth_token }}
DEEPSEEK_API_KEY: ${{ github.event.inputs.use_deepseek == 'false' && '' || steps.vault.outputs.DEEPSEEK_API_KEY }}
NVIDIA_API_KEY: ${{ github.event.inputs.use_nvidia == 'false' && '' || steps.vault.outputs.NVIDIA_API_KEY }}
OLLAMA_API_KEY: ${{ github.event.inputs.use_ollama == 'false' && '' || steps.vault.outputs.OLLAMA_API_KEY }}
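Review bot: The new `AI_WORKSPACE_AUTH_TOKEN: ${{ github.event.inputs.ai_workspace_auth_token }}` line feeds a credential (the header comment calls it the LiteLLM auth token / `LITELLM_MASTER_KEY`) from a `workflow_dispatch` input, and unlike `secrets.*` or the `steps.vault.outputs.*` values on the neighbouring lines, dispatch inputs are not masked by the runner — the value stays readable in the run's event payload and in any step that prints its environment, to anyone with read access to Actions. If the input is kept, an early step should mask it, e.g. `- run: echo "::add-mask::$TOKEN"` with `env: { TOKEN: "${{ github.event.inputs.ai_workspace_auth_token }}" }`, and fail fast when it is empty, since with `default: ""` an unset input presumably reaches the role as an empty token rather than a Vault value. The third commit (b882141823) says the Vault read was removed, yet the input `description: "自定义覆盖 … 留空则使用 Vault kv/CICD/AI_WORKSPACE_AUTH_TOKEN …"` and the header lines `# 7. AI_WORKSPACE_AUTH_TOKEN … 存储在 Vault` / `# - 部署时自动从 Vault 读取` still document a Vault fallback, which will mislead operators; both should be reworded to say the token comes only from the dispatch input. The enclosing `env:` mapping begins outside the hunk.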


@ -0,0 +1,44 @@
name: Validate Release PR
# release/* 分支的发布策略门禁:仅接受 hotfix/* 或带 cherry-pick/backport 标签的 PR。
# 详见 iac_modules/docs/tldr-github-branch-model.md
on:
pull_request_target:
types: [opened, synchronize, reopened, labeled, unlabeled]
permissions:
contents: read
pull-requests: read
jobs:
validate-release-source:
runs-on: ubuntu-latest
if: startsWith(github.base_ref, 'release/')
steps:
- name: Check PR source branch
run: |
SRC="${{ github.head_ref }}"
TGT="${{ github.base_ref }}"
LABELS="${{ join(github.event.pull_request.labels.*.name, ',') }}"
echo "🔍 Validating PR into release branch"
echo " source: $SRC"
echo " target: $TGT"
echo " labels: $LABELS"
if [[ "$SRC" =~ ^hotfix/ ]]; then
echo "✅ Allowed: hotfix/* branch"
exit 0
fi
if [[ "$LABELS" =~ (^|,)(cherry-pick|backport)(,|$) ]]; then
echo "✅ Allowed: cherry-pick/backport labeled PR"
exit 0
fi
echo "❌ Rejected."
echo "release/* 仅接受:"
echo " - 来自 hotfix/* 的 PR"
echo " - 带 cherry-pick 或 backport 标签的 PR已验证 feature 的 backport/cherry-pick"
echo "禁止从 main / develop / feature/* 直接合并到 release/*。"
exit 1
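Review bot: `SRC="${{ github.head_ref }}"` interpolates the PR's head branch name directly into the shell script at `run: |`; on a `pull_request_target` trigger that name is chosen by whoever opened the PR (including from a fork), so a branch name containing shell metacharacters is executed by the step rather than compared. With `permissions` limited to `contents: read` / `pull-requests: read` and no checkout step the blast radius here is small, but the gate can still be made to misreport, and the pattern is the one GitHub's hardening guidance tells you to avoid. The fix is to pass the three values through `env:` so the shell sees them as variables, not as template-expanded text; the same applies to `LABELS="${{ join(...) }}"` even though label names are normally maintainer-controlled. The `run:` block appears to end at `exit 1`, but the hunk header counts 44 lines and only 37 are rendered, so the file may continue past this line.
```yaml
      - name: Check PR source branch
        env:
          SRC: ${{ github.head_ref }}
          TGT: ${{ github.base_ref }}
          LABELS: ${{ join(github.event.pull_request.labels.*.name, ',') }}
        run: |
          echo "🔍 Validating PR into release branch"
          # … unchanged: echo of source/target/labels, hotfix/* and label checks, rejection message …
```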