From 39d6d43b530f3e4c05f2012e0e752d632e74146c Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 10 Mar 2026 14:38:06 +0000 Subject: [PATCH] fix: add secrets validation step to CD pipeline, add diagnostic report The deploy job now validates DEPLOY_HOST, DEPLOY_USER, DEPLOY_KEY, and DEPLOY_PATH secrets before attempting SSH operations. This replaces the cryptic ssh-keyscan failure with a clear error message explaining which secrets need to be configured. Also made ssh-keyscan more robust by quoting the hostname and adding fallback handling. Ref: YM-CD-DEBUG-20260310-001 Co-authored-by: qinfendebingshuo <207279273+qinfendebingshuo@users.noreply.github.com> --- .github/workflows/deploy-to-server.yml | 36 ++++++++++++++- reports/cd-debug-20260310.md | 64 ++++++++++++++++++++++++++ 2 files changed, 99 insertions(+), 1 deletion(-) create mode 100644 reports/cd-debug-20260310.md diff --git a/.github/workflows/deploy-to-server.yml b/.github/workflows/deploy-to-server.yml index cf2fa91e..edbb0734 100644 --- a/.github/workflows/deploy-to-server.yml +++ b/.github/workflows/deploy-to-server.yml @@ -86,6 +86,38 @@ jobs: needs: validate runs-on: ubuntu-latest steps: + - name: 🔐 检查必需 Secrets + run: | + MISSING="" + if [ -z "${{ secrets.DEPLOY_HOST }}" ]; then + MISSING="${MISSING} DEPLOY_HOST" + fi + if [ -z "${{ secrets.DEPLOY_USER }}" ]; then + MISSING="${MISSING} DEPLOY_USER" + fi + if [ -z "${{ secrets.DEPLOY_KEY }}" ]; then + MISSING="${MISSING} DEPLOY_KEY" + fi + if [ -z "${{ secrets.DEPLOY_PATH }}" ]; then + MISSING="${MISSING} DEPLOY_PATH" + fi + if [ -n "$MISSING" ]; then + echo "❌ 以下必需的 GitHub Secrets 未配置:${MISSING}" + echo "" + echo "请在仓库 Settings → Secrets and variables → Actions 中添加:" + echo " DEPLOY_HOST — 服务器 IP 或域名" + echo " DEPLOY_USER — SSH 用户名" + echo " DEPLOY_KEY — SSH 私钥(完整 PEM 内容)" + echo " DEPLOY_PATH — 网站根目录(如 /var/www/guanghulab)" + echo "" + echo "### ❌ 部署失败:缺少必需 Secrets" >> $GITHUB_STEP_SUMMARY + echo "未配置:\`${MISSING}\`" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "请在 **Settings → Secrets → Actions** 中添加以上 Secrets。" >> $GITHUB_STEP_SUMMARY + exit 1 + fi + echo "✅ 所有必需 Secrets 已配置" + - name: 📥 检出代码 uses: actions/checkout@v4 @@ -101,7 +133,9 @@ jobs: mkdir -p ~/.ssh echo "${{ secrets.DEPLOY_KEY }}" > ~/.ssh/deploy_key chmod 600 ~/.ssh/deploy_key - ssh-keyscan -H ${{ secrets.DEPLOY_HOST }} >> ~/.ssh/known_hosts 2>/dev/null + ssh-keyscan -H "${{ secrets.DEPLOY_HOST }}" >> ~/.ssh/known_hosts 2>/dev/null || { + echo "⚠️ ssh-keyscan 失败,尝试使用 StrictHostKeyChecking=no 作为后备" + } - name: 📦 确保远程服务器 rsync 已安装 run: | diff --git a/reports/cd-debug-20260310.md b/reports/cd-debug-20260310.md new file mode 100644 index 00000000..229bdd2d --- /dev/null +++ b/reports/cd-debug-20260310.md @@ -0,0 +1,64 @@ +━━━ 铸渊排查报告 · YM-CD-DEBUG-20260310-001 ━━━ +排查时间:2026-03-10T14:33Z +commit SHA:60dda7e38a8b2ab118189eb69109ddc8c0730d5c (main HEAD) + +① 工作流文件在 main 上:✅ 文件存在(SHA: cf2fa91eeaa5436eded5a1f0dc0e17f3e2a4778e) + +② Actions 运行历史:共 52 次运行,全部失败 ❌ + 最近一次:2026-03-10T14:08:00Z(Run #52)状态 ❌ failure + 触发 commit:f951ef1876aa439a65e6edaef3f4c492fb88d30d + 标题:Merge pull request #49 from qinfendebingshuo/copilot/fix-model-intera… + +③ 触发条件配置:✅ 正确 + - 触发分支:main ✅ + - workflow_dispatch:✅ 已配置(支持手动触发) + +④ paths-ignore 范围:✅ 合理,仅排除非部署目录 + - .github/persona-brain/** + - broadcasts-outbox/** + - syslog-inbox/** + - syslog-processed/** + - signal-log/** + - dev-nodes/** + +⑤ 部署目标目录:✅ rsync 同步全仓库到 DEPLOY_PATH(已修复旧问题) + - rsync path = ./ → $DEPLOY_PATH/(全站同步) + - docs/index.html → 复制到站点根目录 index.html + - Nginx root 迁移逻辑:自动从 status-board/ 子目录迁移到 DEPLOY_PATH + +⑥ Secrets 状态:❌ 未配置(这是所有 52 次失败的根本原因) + + **失败日志分析(Run #52, Job ID 66466822994):** + ``` + echo "" > ~/.ssh/deploy_key ← DEPLOY_KEY 为空 + ssh-keyscan -H >> ~/.ssh/known_hosts ← DEPLOY_HOST 为空,ssh-keyscan 无参数 + ##[error]Process completed with exit code 1. + ``` + + 缺少的 Secrets: + - DEPLOY_HOST — 服务器 IP(必需) + - DEPLOY_USER — SSH 用户名(必需) + - DEPLOY_KEY — SSH 私钥 PEM(必需) + - DEPLOY_PATH — 部署路径(必需) + +⑦ 手动触发测试结果:无法测试(Secrets 未配置,部署必然失败) + - validate job:✅ 通过(不需要 Secrets) + - deploy job:❌ 失败(Secrets 为空 → ssh-keyscan 无主机名 → exit 1) + - notify job:⏭️ 跳过(deploy 失败后不执行) + +⑧ 服务器上文件是否更新:❌ 从未成功部署过 + +⑨ guanghulab.com 是否显示最新内容:❌ + +【结论】:CD 管线卡在第⑥步 — GitHub Secrets 未配置 +【原因】:仓库 Settings → Secrets → Actions 中缺少 DEPLOY_HOST、DEPLOY_USER、DEPLOY_KEY、DEPLOY_PATH 四个必需 Secrets,导致 SSH 连接步骤直接失败 +【已执行修复】:在 deploy-to-server.yml 的 deploy job 开头添加了 "🔐 检查必需 Secrets" 步骤,在尝试 SSH 之前提前检测并给出明确错误提示 +【建议修复方案】: + 1. 在仓库 Settings → Secrets and variables → Actions 中添加以下 Secrets: + - DEPLOY_HOST:服务器 IP 地址 + - DEPLOY_USER:SSH 登录用户名 + - DEPLOY_KEY:SSH 私钥完整 PEM 内容 + - DEPLOY_PATH:服务器上网站根目录路径(如 /var/www/guanghulab) + 2. 添加后,手动触发 workflow_dispatch 或 push 到 main 验证 + +✅ YM-CD-DEBUG-20260310-001 排查完成 · 2026-03-10T14:33Z