backport: support customizable AI_WORKSPACE_AUTH_TOKEN in deployment workflow

ci: backport release/* source validation workflow to release/v1.1.5 (#3 )
让现有 release/v1.1.5 分支自身包含门禁 workflow（pull_request_target 用 base 分支版本）。详见 iac_modules/docs/tldr-github-branch-model.md Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 16:32:30 +08:00 · 2026-06-28 12:41:18 +08:00
2 changed files with 20 additions and 17 deletions
--- a/.github/workflows/deploy-ai-workspace-iac.yaml
+++ b/.github/workflows/deploy-ai-workspace-iac.yaml
@ -43,14 +43,14 @@ name: Deploy AI Workspace (IaC + Ansible + Cloudflare)
 #        ai-workspace-infra/vultr-vps/config/resources/ai-workspace-hosts.yaml
 #        的 ssh_keys[].public，否则 Terraform 创机后 runner 无法 SSH 登录。
 #
-#   7. AI_WORKSPACE_AUTH_TOKEN（统一服务 token：LiteLLM master key / bridge / vault 等）
-#      - 三级优先级（on-host installer resolve_unified_auth_token 统一解析）：
-#        1) workflow_dispatch 输入 ai_workspace_auth_token（非空时覆盖）
-#        2) Vault kv/CICD/AI_WORKSPACE_AUTH_TOKEN（输入留空时回退）
-#        3) 两者皆空：installer 复用 ~/.ai_workspace_auth_token 或自动生成并持久化
+#   7. AI_WORKSPACE_AUTH_TOKEN（LiteLLM 认证 token，存储在 Vault）
+#      - 用于 OpenCode ACP adapter 的 LITELLM_MASTER_KEY
 #      - 存储位置：vault kv patch kv/CICD AI_WORKSPACE_AUTH_TOKEN=<your-token>
-#      - TLDR 生成：python3 -c 'import uuid; print(uuid.uuid4())'
-#      - 经 run-on-host-bootstrap.sh 透传到主机 env，注入 all-in-one 各 role
+#      - TLDR 生成非常简单：
+#        • Python:   python3 -c 'import uuid; print(uuid.uuid4())'
+#        • macOS:    openssl rand -hex 32
+#        • Linux:    openssl rand -base64 32
+#      - 部署时自动从 Vault 读取，注入 ansible role 的 acp_opencode_auth_token
 #
 # ── 流水线结构 ───────────────────────────────────────────────────────────────
 #
@ -124,7 +124,7 @@ on:
        default: true
        type: boolean
      ai_workspace_auth_token:
-        description: "AI Workspace auth token 覆盖(留空则取 Vault kv/CICD/AI_WORKSPACE_AUTH_TOKEN；生成: python3 -c 'import uuid; print(uuid.uuid4())')"
+        description: "自定义覆盖 AI Workspace auth token（留空则使用 Vault kv/CICD/AI_WORKSPACE_AUTH_TOKEN）— TLDR 生成：python3 -c 'import uuid; print(uuid.uuid4())' 或 openssl rand -hex 32"
        required: false
        default: ""
        type: string
@ -176,7 +176,8 @@ jobs:
            ${{ env.VAULT_KV }} TF_STATE_SECRET_KEY | TF_STATE_SECRET_KEY ;
            ${{ env.VAULT_KV }} TF_STATE_REGION | TF_STATE_REGION ;
            ${{ env.VAULT_KV }} CLOUDFLARE_DNS_API_TOKEN | CLOUDFLARE_DNS_API_TOKEN ;
-            ${{ env.VAULT_KV }} CLOUDFLARE_API_TOKEN | CLOUDFLARE_API_TOKEN
+            ${{ env.VAULT_KV }} CLOUDFLARE_API_TOKEN | CLOUDFLARE_API_TOKEN ;
+            ${{ env.VAULT_KV }} AI_WORKSPACE_AUTH_TOKEN | AI_WORKSPACE_AUTH_TOKEN

      - name: Validate required secrets
        env:
@ -328,10 +329,10 @@ jobs:
          secrets: |
            ${{ env.VAULT_KV }} SSH_PRIVATE_DEPLOY_KEY | ANSIBLE_SSH_KEY ;
            ${{ env.VAULT_KV }} SSH_PRIVATE_DEPLOY_KEY_B64 | ANSIBLE_SSH_KEY_B64 ;
+            ${{ env.VAULT_KV }} AI_WORKSPACE_AUTH_TOKEN | AI_WORKSPACE_AUTH_TOKEN ;
            ${{ env.VAULT_KV_OPENCLAW }} DEEPSEEK_API_KEY | DEEPSEEK_API_KEY ;
            ${{ env.VAULT_KV_OPENCLAW }} NVIDIA_API_KEY | NVIDIA_API_KEY ;
-            ${{ env.VAULT_KV_OPENCLAW }} OLLAMA_API_KEY | OLLAMA_API_KEY ;
-            ${{ env.VAULT_KV }} AI_WORKSPACE_AUTH_TOKEN | AI_WORKSPACE_AUTH_TOKEN
+            ${{ env.VAULT_KV_OPENCLAW }} OLLAMA_API_KEY | OLLAMA_API_KEY

      - name: Report provider key wiring
        run: |
@ -344,6 +345,7 @@ jobs:
        env:
          ANSIBLE_SSH_KEY: ${{ steps.vault.outputs.ANSIBLE_SSH_KEY }}
          ANSIBLE_SSH_KEY_B64: ${{ steps.vault.outputs.ANSIBLE_SSH_KEY_B64 }}
+          AI_WORKSPACE_AUTH_TOKEN: ${{ steps.vault.outputs.AI_WORKSPACE_AUTH_TOKEN }}
          DEEPSEEK_API_KEY: ${{ github.event.inputs.use_deepseek == 'false' && '' || steps.vault.outputs.DEEPSEEK_API_KEY }}
          NVIDIA_API_KEY: ${{ github.event.inputs.use_nvidia == 'false' && '' || steps.vault.outputs.NVIDIA_API_KEY }}
          OLLAMA_API_KEY: ${{ github.event.inputs.use_ollama == 'false' && '' || steps.vault.outputs.OLLAMA_API_KEY }}
@ -356,6 +358,10 @@ jobs:
            echo "::error::缺少必需机密 SSH 私钥 (Vault: ${VAULT_KV}/SSH_PRIVATE_DEPLOY_KEY_B64 或 ${VAULT_KV}/SSH_PRIVATE_DEPLOY_KEY，至少一个)"
            missing=1
          fi
+          # AI_WORKSPACE_AUTH_TOKEN 可选，存在即校验非空。
+          if [ -n "${AI_WORKSPACE_AUTH_TOKEN:-}" ]; then
+            echo "AI_WORKSPACE_AUTH_TOKEN: present (will inject as acp_opencode_auth_token)"
+          fi
          if [ "${{ github.event.inputs.use_deepseek || 'true' }}" = "true" ] && [ -z "${DEEPSEEK_API_KEY:-}" ]; then
            echo "::error::缺少必需机密 DEEPSEEK_API_KEY (Vault: ${VAULT_KV_OPENCLAW}/DEEPSEEK_API_KEY)"
            missing=1
@ -418,9 +424,8 @@ jobs:
          # 离线包重新发布后可设为 auto 恢复离线加速。
          AI_WORKSPACE_OFFLINE_MODE: ${{ github.event.inputs.offline_mode || 'off' }}
          XWORKMATE_BRIDGE_DOMAIN: ${{ github.event.inputs.bridge_domain }}
-          # input 非空则覆盖；否则取 Vault kv/CICD/AI_WORKSPACE_AUTH_TOKEN；
-          # 两者皆空时由 on-host installer (resolve_unified_auth_token) 自动生成并持久化。
-          AI_WORKSPACE_AUTH_TOKEN: ${{ github.event.inputs.ai_workspace_auth_token != '' && github.event.inputs.ai_workspace_auth_token || steps.vault.outputs.AI_WORKSPACE_AUTH_TOKEN }}
+          # AI_WORKSPACE_AUTH_TOKEN: 优先使用 input 自定义值；留空则回退到 Vault 的值
+          AI_WORKSPACE_AUTH_TOKEN: ${{ github.event.inputs.ai_workspace_auth_token || steps.vault.outputs.AI_WORKSPACE_AUTH_TOKEN }}
          DEEPSEEK_API_KEY: ${{ github.event.inputs.use_deepseek == 'false' && '' || steps.vault.outputs.DEEPSEEK_API_KEY }}
          NVIDIA_API_KEY: ${{ github.event.inputs.use_nvidia == 'false' && '' || steps.vault.outputs.NVIDIA_API_KEY }}
          OLLAMA_API_KEY: ${{ github.event.inputs.use_ollama == 'false' && '' || steps.vault.outputs.OLLAMA_API_KEY }}
--- a/scripts/run-on-host-bootstrap.sh
+++ b/scripts/run-on-host-bootstrap.sh
@ -46,8 +46,6 @@ trap 'rm -f "$remote_payload"' EXIT
 {
  printf 'AI_WORKSPACE_OFFLINE_MODE=%q\n' "${AI_WORKSPACE_OFFLINE_MODE:-off}"
  printf 'XWORKMATE_BRIDGE_DOMAIN=%q\n' "$domain"
-  # 空则不写，让 on-host installer 的 resolve_unified_auth_token 走"复用持久化/自动生成"分支。
-  printf 'AI_WORKSPACE_AUTH_TOKEN=%q\n' "${AI_WORKSPACE_AUTH_TOKEN:-}"
  printf 'DEEPSEEK_API_KEY=%q\n' "${DEEPSEEK_API_KEY:-}"
  printf 'NVIDIA_API_KEY=%q\n' "${NVIDIA_API_KEY:-}"
  printf 'OLLAMA_API_KEY=%q\n' "${OLLAMA_API_KEY:-}"
@ -69,7 +67,7 @@ fi
 (
  set +e
  source "$remote_env"
-  export AI_WORKSPACE_OFFLINE_MODE XWORKMATE_BRIDGE_DOMAIN AI_WORKSPACE_AUTH_TOKEN DEEPSEEK_API_KEY NVIDIA_API_KEY OLLAMA_API_KEY
+  export AI_WORKSPACE_OFFLINE_MODE XWORKMATE_BRIDGE_DOMAIN DEEPSEEK_API_KEY NVIDIA_API_KEY OLLAMA_API_KEY
  bash -lc 'curl -sfL https://install.svc.plus/ai-workspace | bash -'
  rc=$?
  printf '%s\n' "$rc" > "$remote_rc"
Author	SHA1	Message	Date
Haitao Pan	6257cd41ea	backport: support customizable AI_WORKSPACE_AUTH_TOKEN in deployment workflow	2026-06-28 16:32:30 +08:00
Haitao Pan	b9c649af68	ci: backport release/* source validation workflow to release/v1.1.5 (#3 ) 让现有 release/v1.1.5 分支自身包含门禁 workflow（pull_request_target 用 base 分支版本）。详见 iac_modules/docs/tldr-github-branch-model.md Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-28 12:41:18 +08:00