diff --git a/.github/workflows/playwright-music-room.yml b/.github/workflows/playwright-music-room.yml
index 610428e..13ee4b2 100644
--- a/.github/workflows/playwright-music-room.yml
+++ b/.github/workflows/playwright-music-room.yml
@@ -53,3 +53,22 @@ jobs:
 # 可选:Repository variables,例如后端 health/ping;未配置时对应用例 skip
 MOICEN_HEALTHCHECK_URL: ${{ vars.MOICEN_HEALTHCHECK_URL }}
 run: npx playwright test
+
+ # 同源 PR / push / 定时 / dispatch 才跑;fork 打开 PR 时不注入仓库 Secrets,避免误用空密钥失败。
+ - name: Moicen SSH 只读校验(DB / Redis / 日志)
+ if: success() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)
+ env:
+ MOICEN_SSH_HOST: moicen.com
+ SSH_USER: ${{ secrets.MOICEN_SSH_USER }}
+ run: |
+ set -euo pipefail
+ mkdir -p ~/.ssh
+ chmod 700 ~/.ssh
+ printf '%s\n' "${{ secrets.MOICEN_SSH_KNOWN_HOSTS }}" >> ~/.ssh/known_hosts
+ printf '%s\n' "${{ secrets.MOICEN_SSH_PRIVATE_KEY }}" > ~/.ssh/moicen_ci
+ chmod 600 ~/.ssh/moicen_ci
+ ssh -i ~/.ssh/moicen_ci \
+ -o StrictHostKeyChecking=yes \
+ -o IdentitiesOnly=yes \
+ "${SSH_USER}@${MOICEN_SSH_HOST}" \
+ 'bash -s' < scripts/moicen-remote-readonly-check.sh
diff --git a/README.md b/README.md
index b20b960..19bf453 100644
--- a/README.md
+++ b/README.md
@@ -35,6 +35,8 @@ npx playwright test
 可选:在 **Settings → Secrets and variables → Actions → Variables** 配置 **`MOICEN_HEALTHCHECK_URL`**(完整 URL,返回 2xx),用于可选后端健康检查用例;未配置时该条自动 skip。
+Playwright 成功后,CI 会 **SSH 到 moicen**(需 Secrets:**`MOICEN_SSH_PRIVATE_KEY`**、**`MOICEN_SSH_USER`**、**`MOICEN_SSH_KNOWN_HOSTS`**),在机上执行 **`scripts/moicen-remote-readonly-check.sh`**:`TS_DATABASE_URL` 探库、`redis-cli ping`、tail **`htyproc`** 与 **OpenResty error.log**。fork 仓库发起的 PR 不会跑该步(无 Secrets)。主机名固定 **`moicen.com`**(写在 workflow)。
+
 `workflow_dispatch` 可改目标 `base_url`;**默认定时:每天 06:30 UTC**(见 `.github/workflows/playwright-music-room.yml`)。
 ## 与 moicen 运维文档 
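Review bot: The private key and the known_hosts material are expanded by `${{ secrets.… }}` straight into the `run:` script text, while `SSH_USER` on the line above already goes through `env:`; a value containing `"`, `$` or a backtick would be interpreted by the shell, so route both secrets through `env:` as well and reference them as `"$MOICEN_SSH_PRIVATE_KEY"` / `"$MOICEN_SSH_KNOWN_HOSTS"`. The key file is also created under the runner's default umask before the `chmod 600`, so put `umask 077` ahead of the `mkdir`. Nothing in the step enforces the "只读" promise — `'bash -s' < scripts/…` runs whatever the checked-out script contains — so the server-side `authorized_keys` entry for this key should carry `restrict` and a forced `command=` (presumably a host-side copy of the check script, at which point the stdin redirect is no longer needed) rather than relying on the workflow. The key is never removed either; on a non-ephemeral runner add an `if: always()` step with `rm -f ~/.ssh/moicen_ci`. The enclosing job starts outside the hunk.
```yaml
        env:
          MOICEN_SSH_HOST: moicen.com
          SSH_USER: ${{ secrets.MOICEN_SSH_USER }}
          MOICEN_SSH_KNOWN_HOSTS: ${{ secrets.MOICEN_SSH_KNOWN_HOSTS }}
          MOICEN_SSH_PRIVATE_KEY: ${{ secrets.MOICEN_SSH_PRIVATE_KEY }}
        run: |
          set -euo pipefail
          umask 077
          mkdir -p ~/.ssh
          # … unchanged: chmod 700 ~/.ssh …
          printf '%s\n' "$MOICEN_SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
          printf '%s\n' "$MOICEN_SSH_PRIVATE_KEY" > ~/.ssh/moicen_ci
          # … unchanged: chmod 600 and the ssh invocation …
```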
diff --git a/scripts/moicen-remote-readonly-check.sh b/scripts/moicen-remote-readonly-check.sh
new file mode 100755
index 0000000..6e8c830
--- /dev/null
+++ b/scripts/moicen-remote-readonly-check.sh
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+# 在 moicen 本机执行(由 CI 通过 ssh … bash -s 注入)。只读:PG 探活、redis ping、日志 tail。
+set -euo pipefail
+
+echo "=== moicen readonly verify $(date -u +%Y-%m-%dT%H:%M:%SZ) ==="
+
+HTYPROC_ENV="${HOME}/works/huike-back/htyproc/.env"
+if [[ ! -r "$HTYPROC_ENV" ]]; then
+ echo "ERROR: cannot read ${HTYPROC_ENV}"
+ exit 1
+fi
+
+set -a
+# shellcheck disable=SC1090
+source "$HTYPROC_ENV"
+set +a
+
+if [[ -z "${TS_DATABASE_URL:-}" ]]; then
+ echo "ERROR: TS_DATABASE_URL unset after sourcing ${HTYPROC_ENV}"
+ exit 1
+fi
+
+echo "--- PostgreSQL (TS_DATABASE_URL) ---"
+psql "$TS_DATABASE_URL" -v ON_ERROR_STOP=1 -c "SELECT 1 AS connectivity_ok;"
+
+echo "--- Redis ---"
+redis-cli ping
+
+echo "--- htyproc log (tail, last 50 lines) ---"
+tail -n 50 "${HOME}/works/huike-back/htyproc/htyproc.nohup.log" 2>/dev/null || echo "(no htyproc log)"
+
+echo "--- OpenResty error.log (tail, last 30 lines) ---"
+tail -n 30 /usr/local/openresty/nginx/logs/error.log 2>/dev/null || echo "(no nginx error log)"
+
+echo "=== moicen readonly verify OK ==="
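Review bot: The two `tail` calls copy up to 80 lines of production application and OpenResty error logs into the Actions job log, where they are retained and readable by anyone who can view the repository's workflow runs; whatever those logs hold (request paths, client addresses, possibly tokens — cannot tell from here) leaves the host on every run, so either reduce the output to a pass/fail summary (e.g. a line count or the last timestamp) or document that the log content is acceptable for that audience. `set -a` before `source "$HTYPROC_ENV"` exports every variable of the app's `.env` into the environment of `psql`, `redis-cli` and `tail`, while the script only reads `TS_DATABASE_URL` as a shell variable, so as far as the visible uses go a plain `source "$HTYPROC_ENV"` without the `set -a`/`set +a` pair is enough. `psql "$TS_DATABASE_URL"` also puts the full URL — presumably with the database password embedded — into the process arguments visible to other accounts on the host for the duration of the query; a `~/.pgpass` entry or `PGPASSWORD` set for that one command would keep the credential out of argv, at the cost of splitting the URL on the host. Sourcing the `.env` executes it as shell, which only holds while that file is maintained in shell syntax; a note above the `source` would help the next reader, e.g. `# .env is sourced as shell: values must be shell-quoted, not dotenv-style`.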