ci: Playwright 后 SSH moicen 只读校验（PG/Redis/日志）

新增 scripts/moicen-remote-readonly-check.sh；同源 PR/push 跑 MOICEN_SSH_*。

Made-with: Cursor

.github/workflows/playwright-music-room.yml

@@ -53,3 +53,22 @@ jobs:
           # 可选：Repository variables，例如后端 health/ping；未配置时对应用例 skip
           MOICEN_HEALTHCHECK_URL: ${{ vars.MOICEN_HEALTHCHECK_URL }}
         run: npx playwright test
+
+      # 同源 PR / push / 定时 / dispatch 才跑；fork 打开 PR 时不注入仓库 Secrets，避免误用空密钥失败。
+      - name: Moicen SSH 只读校验（DB / Redis / 日志）
+        if: success() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)
+        env:
+          MOICEN_SSH_HOST: moicen.com
+          SSH_USER: ${{ secrets.MOICEN_SSH_USER }}
+        run: |
+          set -euo pipefail
+          mkdir -p ~/.ssh
+          chmod 700 ~/.ssh
+          printf '%s\n' "${{ secrets.MOICEN_SSH_KNOWN_HOSTS }}" >> ~/.ssh/known_hosts
+          printf '%s\n' "${{ secrets.MOICEN_SSH_PRIVATE_KEY }}" > ~/.ssh/moicen_ci
+          chmod 600 ~/.ssh/moicen_ci
+          ssh -i ~/.ssh/moicen_ci \
+            -o StrictHostKeyChecking=yes \
+            -o IdentitiesOnly=yes \
+            "${SSH_USER}@${MOICEN_SSH_HOST}" \
+            'bash -s' < scripts/moicen-remote-readonly-check.sh