diff --git a/.github/workflows/skyeye-credential-audit.yml b/.github/workflows/skyeye-credential-audit.yml index cf762806..c52d98e8 100644 --- a/.github/workflows/skyeye-credential-audit.yml +++ b/.github/workflows/skyeye-credential-audit.yml @@ -16,7 +16,7 @@ name: "🛰️ 天眼密钥流审计 (Sky-Eye Credential Audit)" on: schedule: - # 每天 UTC 14:00 (CST 22:00) 执行一次审计 + # 每天 UTC 14:00 (UTC+8 22:00) 执行一次审计 - cron: "0 14 * * *" workflow_dispatch: diff --git a/.github/workflows/sync-repo-to-drive.yml b/.github/workflows/sync-repo-to-drive.yml index 973445f7..9a66dcf4 100644 --- a/.github/workflows/sync-repo-to-drive.yml +++ b/.github/workflows/sync-repo-to-drive.yml @@ -50,7 +50,7 @@ jobs: chmod 600 "${SA_FILE}" # 天眼密钥流校验:验证 JSON 完整性 - if ! python3 -c "import json,sys; json.load(open(sys.argv[1]))" "${SA_FILE}" 2>/dev/null; then + if ! node -e "JSON.parse(require('fs').readFileSync(process.argv[1],'utf8'))" "${SA_FILE}" 2>/dev/null; then echo "::error::GOOGLE_DRIVE_SERVICE_ACCOUNT contains invalid JSON (possible truncation)" rm -f "${SA_FILE}" exit 1 diff --git a/scripts/grid-db/deploy-drive-bridge.js b/scripts/grid-db/deploy-drive-bridge.js index 1a0e0ff9..79834f18 100644 --- a/scripts/grid-db/deploy-drive-bridge.js +++ b/scripts/grid-db/deploy-drive-bridge.js @@ -311,7 +311,7 @@ async function deploy(commandFilePath) { if (!validation.valid) { console.error('[deploy] 🔴 Credential validation failed:'); console.error(formatDiagnosticReport(validation)); - writeReceipt(deploy_id, dev_id, 'failed', `Credential validation failed: ${validation.issues.join('; ')}`); + writeReceipt(deploy_id, dev_id, 'failed', 'Credential validation failed: invalid service account JSON format'); return; } credentials = validation.credentials; diff --git a/scripts/skyeye/credential-validator.js b/scripts/skyeye/credential-validator.js index de72b3a2..4a210300 100644 --- a/scripts/skyeye/credential-validator.js +++ b/scripts/skyeye/credential-validator.js @@ -146,7 +146,8 @@ function validateServiceAccountJSON(jsonStr) { } if (parsed.client_email) { - const emailOk = String(parsed.client_email).includes('@') && String(parsed.client_email).includes('.iam.gserviceaccount.com'); + const emailStr = String(parsed.client_email); + const emailOk = /^[^@]+@[^@]+\.iam\.gserviceaccount\.com$/.test(emailStr); result.diagnostics.field_checks.client_email_format = emailOk ? 'ok' : 'not a valid service account email'; if (!emailOk) result.issues.push('Field \'client_email\' does not match service account email pattern'); } diff --git a/scripts/tcs-semantic-landing.js b/scripts/tcs-semantic-landing.js index 2a556a45..764557b0 100644 --- a/scripts/tcs-semantic-landing.js +++ b/scripts/tcs-semantic-landing.js @@ -53,7 +53,8 @@ function buildAuth(serviceAccountJson) { console.log('[semantic-landing] ✅ Service account credentials validated'); } catch (err) { if (err.message === 'Service account credential validation failed') throw err; - // Fallback: if validator module is unavailable, try direct parse + // Fallback: validator module unavailable, try direct parse + console.log('[semantic-landing] Validator unavailable, using direct JSON.parse'); credentials = JSON.parse(serviceAccountJson); } return new google.auth.GoogleAuth({