ci: Playwright 后 SSH moicen 只读校验（PG/Redis/日志）

新增 scripts/moicen-remote-readonly-check.sh；同源 PR/push 跑 MOICEN_SSH_*。

Made-with: Cursor

.github/workflows/playwright-music-room.yml

@@ -53,3 +53,22 @@ jobs:
           # 可选：Repository variables，例如后端 health/ping；未配置时对应用例 skip
           MOICEN_HEALTHCHECK_URL: ${{ vars.MOICEN_HEALTHCHECK_URL }}
         run: npx playwright test
+
+      # 同源 PR / push / 定时 / dispatch 才跑；fork 打开 PR 时不注入仓库 Secrets，避免误用空密钥失败。
+      - name: Moicen SSH 只读校验（DB / Redis / 日志）
+        if: success() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)
+        env:
+          MOICEN_SSH_HOST: moicen.com
+          SSH_USER: ${{ secrets.MOICEN_SSH_USER }}
+        run: |
+          set -euo pipefail
+          mkdir -p ~/.ssh
+          chmod 700 ~/.ssh
+          printf '%s\n' "${{ secrets.MOICEN_SSH_KNOWN_HOSTS }}" >> ~/.ssh/known_hosts
+          printf '%s\n' "${{ secrets.MOICEN_SSH_PRIVATE_KEY }}" > ~/.ssh/moicen_ci
+          chmod 600 ~/.ssh/moicen_ci
+          ssh -i ~/.ssh/moicen_ci \
+            -o StrictHostKeyChecking=yes \
+            -o IdentitiesOnly=yes \
+            "${SSH_USER}@${MOICEN_SSH_HOST}" \
+            'bash -s' < scripts/moicen-remote-readonly-check.sh

README.md

@@ -35,6 +35,8 @@ npx playwright test
 
 可选：在 **Settings → Secrets and variables → Actions → Variables** 配置 **`MOICEN_HEALTHCHECK_URL`**（完整 URL，返回 2xx），用于可选后端健康检查用例；未配置时该条自动 skip。
 
+Playwright 成功后，CI 会 **SSH 到 moicen**（需 Secrets：**`MOICEN_SSH_PRIVATE_KEY`**、**`MOICEN_SSH_USER`**、**`MOICEN_SSH_KNOWN_HOSTS`**），在机上执行 **`scripts/moicen-remote-readonly-check.sh`**：`TS_DATABASE_URL` 探库、`redis-cli ping`、tail **`htyproc`** 与 **OpenResty error.log**。fork 仓库发起的 PR 不会跑该步（无 Secrets）。主机名固定 **`moicen.com`**（写在 workflow）。
+
 `workflow_dispatch` 可改目标 `base_url`；**默认定时：每天 06:30 UTC**（见 `.github/workflows/playwright-music-room.yml`）。
 
 ## 与 moicen 运维文档

scripts/moicen-remote-readonly-check.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+# 在 moicen 本机执行（由 CI 通过 ssh … bash -s 注入）。只读：PG 探活、redis ping、日志 tail。
+set -euo pipefail
+
+echo "=== moicen readonly verify $(date -u +%Y-%m-%dT%H:%M:%SZ) ==="
+
+HTYPROC_ENV="${HOME}/works/huike-back/htyproc/.env"
+if [[ ! -r "$HTYPROC_ENV" ]]; then
+  echo "ERROR: cannot read ${HTYPROC_ENV}"
+  exit 1
+fi
+
+set -a
+# shellcheck disable=SC1090
+source "$HTYPROC_ENV"
+set +a
+
+if [[ -z "${TS_DATABASE_URL:-}" ]]; then
+  echo "ERROR: TS_DATABASE_URL unset after sourcing ${HTYPROC_ENV}"
+  exit 1
+fi
+
+echo "--- PostgreSQL (TS_DATABASE_URL) ---"
+psql "$TS_DATABASE_URL" -v ON_ERROR_STOP=1 -c "SELECT 1 AS connectivity_ok;"
+
+echo "--- Redis ---"
+redis-cli ping
+
+echo "--- htyproc log (tail, last 50 lines) ---"
+tail -n 50 "${HOME}/works/huike-back/htyproc/htyproc.nohup.log" 2>/dev/null || echo "(no htyproc log)"
+
+echo "--- OpenResty error.log (tail, last 30 lines) ---"
+tail -n 30 /usr/local/openresty/nginx/logs/error.log 2>/dev/null || echo "(no nginx error log)"
+
+echo "=== moicen readonly verify OK ==="