|
9068
|
7307
|
6
|
5
|
339ea969ec2633756fb1a155d47723d0f61396a4
|
0
|
🧠 内存泄漏检测
|
1
|
name: Performance Tests
"on":
# 每周一凌晨 name: Performance Tests
"on":
# 每周一凌晨 2 点运行
schedule:
- cron: '0 2 * * 1'
# 允许手动触发
workflow_dispatch:
inputs:
test_type:
description: '测试类型'
required: true
default: 'benchmark'
type: choice
options:
- benchmark
- load
- stress
- all
duration:
description: '测试持续时间(秒)'
required: false
default: '60'
type: string
concurrency:
description: '并发数'
required: false
default: '10'
type: string
# PR 触发时只运行基准测试
pull_request:
branches: [main]
paths:
- 'backend/src/**'
- 'backend/prisma/**'
env:
NODE_VERSION: "18"
PNPM_VERSION: "8"
jobs:
memory-leak-detection:
name: "\U0001F9E0 内存泄漏检测"
runs-on: ubuntu-latest
if: needs.setup.outputs.test_type == 'all'
steps:
- name: "\U0001F4E5 检出代码"
uses: actions/checkout@v4
- name: "\U0001F4E6 安装 pnpm"
uses: pnpm/action-setup@v2
with:
version: ${{ env.PNPM_VERSION }}
- name: "\U0001F7E2 设置 Node.js"
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 安装依赖"
run: pnpm install --frozen-lockfile
- name: "\U0001F5C4️ 初始化数据库"
run: |
cd backend
npx prisma migrate deploy
npx prisma db seed
env:
DATABASE_URL: postgresql://test:test@localhost:5432/juhi_mem
- name: "\U0001F528 构建后端"
run: |
pnpm --filter shared build
pnpm --filter backend build
- name: "\U0001F9E0 运行内存泄漏检测"
run: "cd backend\n# 使用 --expose-gc 启动服务并检测内存\nnode --expose-gc -e \"\nconst http = require('http');\n\nasync function measureMemory() {\n if (global.gc) global.gc();\n const used = process.memoryUsage();\n return {\n heapUsed: Math.round(used.heapUsed / 1024 / 1024),\n heapTotal: Math.round(used.heapTotal / 1024 / 1024),\n rss: Math.round(used.rss / 1024 / 1024),\n };\n}\n\nasync function main() {\n console.log('\U0001F9E0 内存泄漏检测开始');\n\n const before = await measureMemory();\n console.log('初始内存:', before);\n\n // 模拟 1000 次请求\n for (let i = 0; i < 1000; i++) {\n // 模拟内存分配\n const arr = new Array(10000).fill(Math.random());\n if (i % 100 === 0) {\n if (global.gc) global.gc();\n console.log('进度:', i);\n }\n }\n\n if (global.gc) global.gc();\n await new Promise(r => setTimeout(r, 1000));\n if (global.gc) global.gc();\n\n const after = await measureMemory();\n console.log('最终内存:', after);\n\n const diff = after.heapUsed - before.heapUsed;\n console.log('内存增长:', diff, 'MB');\n\n if (diff > 50) {\n console.log('⚠️ 警告: 可能存在内存泄漏');\n process.exit(1);\n } else {\n console.log('✅ 内存使用正常');\n }\n}\n\nmain().catch(err => {\n console.error(err);\n process.exit(1);\n});\n\" | tee memory-leak-output.txt\n"
env:
NODE_ENV: test
DATABASE_URL: postgresql://test:test@localhost:5432/juhi_mem
REDIS_URL: redis://localhost:6379
- name: "\U0001F4DD 生成内存检测报告"
run: "echo \"## \U0001F9E0 内存泄漏检测报告\" >> $GITHUB_STEP_SUMMARY\necho \"\" >> $GITHUB_STEP_SUMMARY\n\nif [ -f \"backend/memory-leak-output.txt\" ]; then\n echo '```' >> $GITHUB_STEP_SUMMARY\n cat backend/memory-leak-output.txt >> $GITHUB_STEP_SUMMARY\n echo '```' >> $GITHUB_STEP_SUMMARY\nfi\n"
timeout-minutes: "30"
services:
postgres:
image: postgres:15
env:
POSTGRES_DB: juhi_mem
POSTGRES_PASSWORD: test
POSTGRES_USER: test
ports:
- 5432:5432
redis:
image: redis:7
ports:
- 6379:6379
...
|
memory-leak-detection
|
["setup"]
|
["ubuntu-latest"]
|
7840
|
2
|
1774231423
|
1774231445
|
1774231240
|
1774231445
|
|
1
|
|
0
|
Edit
Delete
|
|
12938
|
9521
|
6
|
5
|
58e5152a38868b8f3832d9573c340a3eb60051c8
|
0
|
🧠 内存泄漏检测
|
1
|
name: Performance Tests
"on":
# 每周一凌晨 name: Performance Tests
"on":
# 每周一凌晨 2 点运行
schedule:
- cron: '0 2 * * 1'
# 允许手动触发
workflow_dispatch:
inputs:
test_type:
description: '测试类型'
required: true
default: 'benchmark'
type: choice
options:
- benchmark
- load
- stress
- all
duration:
description: '测试持续时间(秒)'
required: false
default: '60'
type: string
concurrency:
description: '并发数'
required: false
default: '10'
type: string
# PR 触发时只运行基准测试
pull_request:
branches: [main]
paths:
- 'backend/src/**'
- 'backend/prisma/**'
env:
NODE_VERSION: "18"
PNPM_VERSION: "8"
jobs:
memory-leak-detection:
name: "\U0001F9E0 内存泄漏检测"
runs-on: ubuntu-latest
if: needs.setup.outputs.test_type == 'all'
steps:
- name: "\U0001F4E5 检出代码"
uses: actions/checkout@v4
- name: "\U0001F4E6 安装 pnpm"
uses: pnpm/action-setup@v2
with:
version: ${{ env.PNPM_VERSION }}
- name: "\U0001F7E2 设置 Node.js"
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 安装依赖"
run: pnpm install --frozen-lockfile
- name: "\U0001F5C4️ 初始化数据库"
run: |
cd backend
npx prisma migrate deploy
npx prisma db seed
env:
DATABASE_URL: postgresql://test:test@localhost:5432/juhi_mem
- name: "\U0001F528 构建后端"
run: |
pnpm --filter shared build
pnpm --filter backend build
- name: "\U0001F9E0 运行内存泄漏检测"
run: "cd backend\n# 使用 --expose-gc 启动服务并检测内存\nnode --expose-gc -e \"\nconst http = require('http');\n\nasync function measureMemory() {\n if (global.gc) global.gc();\n const used = process.memoryUsage();\n return {\n heapUsed: Math.round(used.heapUsed / 1024 / 1024),\n heapTotal: Math.round(used.heapTotal / 1024 / 1024),\n rss: Math.round(used.rss / 1024 / 1024),\n };\n}\n\nasync function main() {\n console.log('\U0001F9E0 内存泄漏检测开始');\n\n const before = await measureMemory();\n console.log('初始内存:', before);\n\n // 模拟 1000 次请求\n for (let i = 0; i < 1000; i++) {\n // 模拟内存分配\n const arr = new Array(10000).fill(Math.random());\n if (i % 100 === 0) {\n if (global.gc) global.gc();\n console.log('进度:', i);\n }\n }\n\n if (global.gc) global.gc();\n await new Promise(r => setTimeout(r, 1000));\n if (global.gc) global.gc();\n\n const after = await measureMemory();\n console.log('最终内存:', after);\n\n const diff = after.heapUsed - before.heapUsed;\n console.log('内存增长:', diff, 'MB');\n\n if (diff > 50) {\n console.log('⚠️ 警告: 可能存在内存泄漏');\n process.exit(1);\n } else {\n console.log('✅ 内存使用正常');\n }\n}\n\nmain().catch(err => {\n console.error(err);\n process.exit(1);\n});\n\" | tee memory-leak-output.txt\n"
env:
NODE_ENV: test
DATABASE_URL: postgresql://test:test@localhost:5432/juhi_mem
REDIS_URL: redis://localhost:6379
- name: "\U0001F4DD 生成内存检测报告"
run: "echo \"## \U0001F9E0 内存泄漏检测报告\" >> $GITHUB_STEP_SUMMARY\necho \"\" >> $GITHUB_STEP_SUMMARY\n\nif [ -f \"backend/memory-leak-output.txt\" ]; then\n echo '```' >> $GITHUB_STEP_SUMMARY\n cat backend/memory-leak-output.txt >> $GITHUB_STEP_SUMMARY\n echo '```' >> $GITHUB_STEP_SUMMARY\nfi\n"
timeout-minutes: "30"
services:
postgres:
image: postgres:15
env:
POSTGRES_DB: juhi_mem
POSTGRES_PASSWORD: test
POSTGRES_USER: test
ports:
- 5432:5432
redis:
image: redis:7
ports:
- 6379:6379
...
|
memory-leak-detection
|
["setup"]
|
["ubuntu-latest"]
|
10936
|
2
|
1774837344
|
1774837434
|
1774836018
|
1774837434
|
|
1
|
|
0
|
Edit
Delete
|
|
16461
|
11697
|
6
|
5
|
9d69e1960ec649a49c0c6f307c0fc197f47ee4c4
|
0
|
🧠 内存泄漏检测
|
1
|
name: Performance Tests
"on":
# 每周一凌晨 name: Performance Tests
"on":
# 每周一凌晨 2 点运行
schedule:
- cron: '0 2 * * 1'
# 允许手动触发
workflow_dispatch:
inputs:
test_type:
description: '测试类型'
required: true
default: 'benchmark'
type: choice
options:
- benchmark
- load
- stress
- all
duration:
description: '测试持续时间(秒)'
required: false
default: '60'
type: string
concurrency:
description: '并发数'
required: false
default: '10'
type: string
# PR 触发时只运行基准测试
pull_request:
branches: [main]
paths:
- 'backend/src/**'
- 'backend/prisma/**'
env:
NODE_VERSION: "18"
PNPM_VERSION: "8"
jobs:
memory-leak-detection:
name: "\U0001F9E0 内存泄漏检测"
runs-on: ubuntu-latest
if: needs.setup.outputs.test_type == 'all'
steps:
- name: "\U0001F4E5 检出代码"
uses: actions/checkout@v4
- name: "\U0001F4E6 安装 pnpm"
uses: pnpm/action-setup@v2
with:
version: ${{ env.PNPM_VERSION }}
- name: "\U0001F7E2 设置 Node.js"
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 安装依赖"
run: pnpm install --frozen-lockfile
- name: "\U0001F5C4️ 初始化数据库"
run: |
cd backend
npx prisma migrate deploy
npx prisma db seed
env:
DATABASE_URL: postgresql://test:test@localhost:5432/juhi_mem
- name: "\U0001F528 构建后端"
run: |
pnpm --filter shared build
pnpm --filter backend build
- name: "\U0001F9E0 运行内存泄漏检测"
run: "cd backend\n# 使用 --expose-gc 启动服务并检测内存\nnode --expose-gc -e \"\nconst http = require('http');\n\nasync function measureMemory() {\n if (global.gc) global.gc();\n const used = process.memoryUsage();\n return {\n heapUsed: Math.round(used.heapUsed / 1024 / 1024),\n heapTotal: Math.round(used.heapTotal / 1024 / 1024),\n rss: Math.round(used.rss / 1024 / 1024),\n };\n}\n\nasync function main() {\n console.log('\U0001F9E0 内存泄漏检测开始');\n\n const before = await measureMemory();\n console.log('初始内存:', before);\n\n // 模拟 1000 次请求\n for (let i = 0; i < 1000; i++) {\n // 模拟内存分配\n const arr = new Array(10000).fill(Math.random());\n if (i % 100 === 0) {\n if (global.gc) global.gc();\n console.log('进度:', i);\n }\n }\n\n if (global.gc) global.gc();\n await new Promise(r => setTimeout(r, 1000));\n if (global.gc) global.gc();\n\n const after = await measureMemory();\n console.log('最终内存:', after);\n\n const diff = after.heapUsed - before.heapUsed;\n console.log('内存增长:', diff, 'MB');\n\n if (diff > 50) {\n console.log('⚠️ 警告: 可能存在内存泄漏');\n process.exit(1);\n } else {\n console.log('✅ 内存使用正常');\n }\n}\n\nmain().catch(err => {\n console.error(err);\n process.exit(1);\n});\n\" | tee memory-leak-output.txt\n"
env:
NODE_ENV: test
DATABASE_URL: postgresql://test:test@localhost:5432/juhi_mem
REDIS_URL: redis://localhost:6379
- name: "\U0001F4DD 生成内存检测报告"
run: "echo \"## \U0001F9E0 内存泄漏检测报告\" >> $GITHUB_STEP_SUMMARY\necho \"\" >> $GITHUB_STEP_SUMMARY\n\nif [ -f \"backend/memory-leak-output.txt\" ]; then\n echo '```' >> $GITHUB_STEP_SUMMARY\n cat backend/memory-leak-output.txt >> $GITHUB_STEP_SUMMARY\n echo '```' >> $GITHUB_STEP_SUMMARY\nfi\n"
timeout-minutes: "30"
services:
postgres:
image: postgres:15
env:
POSTGRES_DB: juhi_mem
POSTGRES_PASSWORD: test
POSTGRES_USER: test
ports:
- 5432:5432
redis:
image: redis:7
ports:
- 6379:6379
...
|
memory-leak-detection
|
["setup"]
|
["ubuntu-latest"]
|
13755
|
2
|
1775441437
|
1775441602
|
1775440818
|
1775441603
|
|
1
|
|
0
|
Edit
Delete
|
|
7833
|
6702
|
6
|
5
|
e112d45af414e4862c0328abad7c4df74d3c1dbf
|
0
|
🛡️ RLS 覆盖分析
|
1
|
name: Database Security Audit
"on":
pu name: Database Security Audit
"on":
push:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
pull_request:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
schedule:
# 每天凌晨 2 点执行完整审计
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
full_audit:
description: '执行完整审计(包含 RLS 迁移建议)'
required: false
default: 'false'
type: boolean
env:
NODE_VERSION: "18"
jobs:
rls-coverage:
name: "\U0001F6E1️ RLS 覆盖分析"
runs-on: ubuntu-latest
steps:
- name: "\U0001F4E5 Checkout code"
uses: actions/checkout@v4
- name: "\U0001F7E2 Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 Setup pnpm"
uses: pnpm/action-setup@v2
with:
version: "8"
- name: "\U0001F4E5 Install dependencies"
run: pnpm install --frozen-lockfile
- id: rls-analysis
name: "\U0001F50D RLS 策略分析"
run: |
cd backend
npm run rls:analyze 2>&1 | tee rls-analysis.log
# 提取覆盖率
COVERAGE=$(grep -oP 'RLS 覆盖率: \K[\d.]+%' rls-analysis.log || echo "0%")
echo "coverage=$COVERAGE" >> $GITHUB_OUTPUT
- name: "\U0001F4CA 上传 RLS 分析报告"
uses: actions/upload-artifact@v4
with:
name: rls-coverage-report
path: backend/rls-analysis.log
- name: "\U0001F4C8 RLS 覆盖率检查"
run: |
COVERAGE="${{ steps.rls-analysis.outputs.coverage }}"
echo "当前 RLS 覆盖率: $COVERAGE"
# 提取数字部分
PERCENT=$(echo $COVERAGE | grep -oP '[\d.]+' || echo "0")
if (( $(echo "$PERCENT < 80" | bc -l) )); then
echo "::warning::RLS 覆盖率低于 80%,建议增加 RLS 策略"
fi
timeout-minutes: "10"
...
|
rls-coverage
|
null
|
["ubuntu-latest"]
|
6746
|
2
|
1773832230
|
1773832250
|
1773831748
|
1773832251
|
|
0
|
|
0
|
Edit
Delete
|
|
7895
|
6712
|
6
|
5
|
b7eb415d7a9689f1efec941bcb2dcd7d098e9c28
|
0
|
🛡️ RLS 覆盖分析
|
1
|
name: Database Security Audit
"on":
pu name: Database Security Audit
"on":
push:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
pull_request:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
schedule:
# 每天凌晨 2 点执行完整审计
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
full_audit:
description: '执行完整审计(包含 RLS 迁移建议)'
required: false
default: 'false'
type: boolean
env:
NODE_VERSION: "18"
jobs:
rls-coverage:
name: "\U0001F6E1️ RLS 覆盖分析"
runs-on: ubuntu-latest
steps:
- name: "\U0001F4E5 Checkout code"
uses: actions/checkout@v4
- name: "\U0001F7E2 Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 Setup pnpm"
uses: pnpm/action-setup@v2
with:
version: "8"
- name: "\U0001F4E5 Install dependencies"
run: pnpm install --frozen-lockfile
- id: rls-analysis
name: "\U0001F50D RLS 策略分析"
run: |
cd backend
npm run rls:analyze 2>&1 | tee rls-analysis.log
# 提取覆盖率
COVERAGE=$(grep -oP 'RLS 覆盖率: \K[\d.]+%' rls-analysis.log || echo "0%")
echo "coverage=$COVERAGE" >> $GITHUB_OUTPUT
- name: "\U0001F4CA 上传 RLS 分析报告"
uses: actions/upload-artifact@v4
with:
name: rls-coverage-report
path: backend/rls-analysis.log
- name: "\U0001F4C8 RLS 覆盖率检查"
run: |
COVERAGE="${{ steps.rls-analysis.outputs.coverage }}"
echo "当前 RLS 覆盖率: $COVERAGE"
# 提取数字部分
PERCENT=$(echo $COVERAGE | grep -oP '[\d.]+' || echo "0")
if (( $(echo "$PERCENT < 80" | bc -l) )); then
echo "::warning::RLS 覆盖率低于 80%,建议增加 RLS 策略"
fi
timeout-minutes: "10"
...
|
rls-coverage
|
null
|
["ubuntu-latest"]
|
6774
|
2
|
1773832860
|
1773832881
|
1773832743
|
1773832881
|
|
0
|
|
0
|
Edit
Delete
|
|
8150
|
6903
|
6
|
5
|
b7eb415d7a9689f1efec941bcb2dcd7d098e9c28
|
0
|
🛡️ RLS 覆盖分析
|
1
|
name: Database Security Audit
"on":
pu name: Database Security Audit
"on":
push:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
pull_request:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
schedule:
# 每天凌晨 2 点执行完整审计
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
full_audit:
description: '执行完整审计(包含 RLS 迁移建议)'
required: false
default: 'false'
type: boolean
env:
NODE_VERSION: "18"
jobs:
rls-coverage:
name: "\U0001F6E1️ RLS 覆盖分析"
runs-on: ubuntu-latest
steps:
- name: "\U0001F4E5 Checkout code"
uses: actions/checkout@v4
- name: "\U0001F7E2 Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 Setup pnpm"
uses: pnpm/action-setup@v2
with:
version: "8"
- name: "\U0001F4E5 Install dependencies"
run: pnpm install --frozen-lockfile
- id: rls-analysis
name: "\U0001F50D RLS 策略分析"
run: |
cd backend
npm run rls:analyze 2>&1 | tee rls-analysis.log
# 提取覆盖率
COVERAGE=$(grep -oP 'RLS 覆盖率: \K[\d.]+%' rls-analysis.log || echo "0%")
echo "coverage=$COVERAGE" >> $GITHUB_OUTPUT
- name: "\U0001F4CA 上传 RLS 分析报告"
uses: actions/upload-artifact@v4
with:
name: rls-coverage-report
path: backend/rls-analysis.log
- name: "\U0001F4C8 RLS 覆盖率检查"
run: |
COVERAGE="${{ steps.rls-analysis.outputs.coverage }}"
echo "当前 RLS 覆盖率: $COVERAGE"
# 提取数字部分
PERCENT=$(echo $COVERAGE | grep -oP '[\d.]+' || echo "0")
if (( $(echo "$PERCENT < 80" | bc -l) )); then
echo "::warning::RLS 覆盖率低于 80%,建议增加 RLS 策略"
fi
timeout-minutes: "10"
...
|
rls-coverage
|
null
|
["ubuntu-latest"]
|
7032
|
2
|
1773885739
|
1773885770
|
1773885613
|
1773885770
|
|
0
|
|
0
|
Edit
Delete
|
|
8451
|
7068
|
6
|
5
|
9771b23ae7aaee164f15f9c4ccbdb18eb68fc71f
|
0
|
🛡️ RLS 覆盖分析
|
1
|
name: Database Security Audit
"on":
pu name: Database Security Audit
"on":
push:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
pull_request:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
schedule:
# 每天凌晨 2 点执行完整审计
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
full_audit:
description: '执行完整审计(包含 RLS 迁移建议)'
required: false
default: 'false'
type: boolean
env:
NODE_VERSION: "18"
jobs:
rls-coverage:
name: "\U0001F6E1️ RLS 覆盖分析"
runs-on: ubuntu-latest
steps:
- name: "\U0001F4E5 Checkout code"
uses: actions/checkout@v4
- name: "\U0001F7E2 Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 Setup pnpm"
uses: pnpm/action-setup@v2
with:
version: "8"
- name: "\U0001F4E5 Install dependencies"
run: pnpm install --frozen-lockfile
- id: rls-analysis
name: "\U0001F50D RLS 策略分析"
run: |
cd backend
npm run rls:analyze 2>&1 | tee rls-analysis.log
# 提取覆盖率
COVERAGE=$(grep -oP 'RLS 覆盖率: \K[\d.]+%' rls-analysis.log || echo "0%")
echo "coverage=$COVERAGE" >> $GITHUB_OUTPUT
- name: "\U0001F4CA 上传 RLS 分析报告"
uses: actions/upload-artifact@v4
with:
name: rls-coverage-report
path: backend/rls-analysis.log
- name: "\U0001F4C8 RLS 覆盖率检查"
run: |
COVERAGE="${{ steps.rls-analysis.outputs.coverage }}"
echo "当前 RLS 覆盖率: $COVERAGE"
# 提取数字部分
PERCENT=$(echo $COVERAGE | grep -oP '[\d.]+' || echo "0")
if (( $(echo "$PERCENT < 80" | bc -l) )); then
echo "::warning::RLS 覆盖率低于 80%,建议增加 RLS 策略"
fi
timeout-minutes: "10"
...
|
rls-coverage
|
null
|
["ubuntu-latest"]
|
7265
|
2
|
1773929497
|
1773929518
|
1773929407
|
1773929519
|
|
0
|
|
0
|
Edit
Delete
|
|
8560
|
7113
|
6
|
5
|
979d9c81063fbda12f1445bf80b0c0027b0fbac2
|
0
|
🛡️ RLS 覆盖分析
|
1
|
name: Database Security Audit
"on":
pu name: Database Security Audit
"on":
push:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
pull_request:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
schedule:
# 每天凌晨 2 点执行完整审计
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
full_audit:
description: '执行完整审计(包含 RLS 迁移建议)'
required: false
default: 'false'
type: boolean
env:
NODE_VERSION: "18"
jobs:
rls-coverage:
name: "\U0001F6E1️ RLS 覆盖分析"
runs-on: ubuntu-latest
steps:
- name: "\U0001F4E5 Checkout code"
uses: actions/checkout@v4
- name: "\U0001F7E2 Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 Setup pnpm"
uses: pnpm/action-setup@v2
with:
version: "8"
- name: "\U0001F4E5 Install dependencies"
run: pnpm install --frozen-lockfile
- id: rls-analysis
name: "\U0001F50D RLS 策略分析"
run: |
cd backend
npm run rls:analyze 2>&1 | tee rls-analysis.log
# 提取覆盖率
COVERAGE=$(grep -oP 'RLS 覆盖率: \K[\d.]+%' rls-analysis.log || echo "0%")
echo "coverage=$COVERAGE" >> $GITHUB_OUTPUT
- name: "\U0001F4CA 上传 RLS 分析报告"
uses: actions/upload-artifact@v4
with:
name: rls-coverage-report
path: backend/rls-analysis.log
- name: "\U0001F4C8 RLS 覆盖率检查"
run: |
COVERAGE="${{ steps.rls-analysis.outputs.coverage }}"
echo "当前 RLS 覆盖率: $COVERAGE"
# 提取数字部分
PERCENT=$(echo $COVERAGE | grep -oP '[\d.]+' || echo "0")
if (( $(echo "$PERCENT < 80" | bc -l) )); then
echo "::warning::RLS 覆盖率低于 80%,建议增加 RLS 策略"
fi
timeout-minutes: "10"
...
|
rls-coverage
|
null
|
["ubuntu-latest"]
|
7364
|
2
|
1773939861
|
1773939880
|
1773939780
|
1773939881
|
|
0
|
|
0
|
Edit
Delete
|
|
8749
|
7231
|
6
|
5
|
0900b15d607e5c78f97fec16a73357ad4f814390
|
0
|
🛡️ RLS 覆盖分析
|
1
|
name: Database Security Audit
"on":
pu name: Database Security Audit
"on":
push:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
pull_request:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
schedule:
# 每天凌晨 2 点执行完整审计
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
full_audit:
description: '执行完整审计(包含 RLS 迁移建议)'
required: false
default: 'false'
type: boolean
env:
NODE_VERSION: "18"
jobs:
rls-coverage:
name: "\U0001F6E1️ RLS 覆盖分析"
runs-on: ubuntu-latest
steps:
- name: "\U0001F4E5 Checkout code"
uses: actions/checkout@v4
- name: "\U0001F7E2 Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 Setup pnpm"
uses: pnpm/action-setup@v2
with:
version: "8"
- name: "\U0001F4E5 Install dependencies"
run: pnpm install --frozen-lockfile
- id: rls-analysis
name: "\U0001F50D RLS 策略分析"
run: |
cd backend
npm run rls:analyze 2>&1 | tee rls-analysis.log
# 提取覆盖率
COVERAGE=$(grep -oP 'RLS 覆盖率: \K[\d.]+%' rls-analysis.log || echo "0%")
echo "coverage=$COVERAGE" >> $GITHUB_OUTPUT
- name: "\U0001F4CA 上传 RLS 分析报告"
uses: actions/upload-artifact@v4
with:
name: rls-coverage-report
path: backend/rls-analysis.log
- name: "\U0001F4C8 RLS 覆盖率检查"
run: |
COVERAGE="${{ steps.rls-analysis.outputs.coverage }}"
echo "当前 RLS 覆盖率: $COVERAGE"
# 提取数字部分
PERCENT=$(echo $COVERAGE | grep -oP '[\d.]+' || echo "0")
if (( $(echo "$PERCENT < 80" | bc -l) )); then
echo "::warning::RLS 覆盖率低于 80%,建议增加 RLS 策略"
fi
timeout-minutes: "10"
...
|
rls-coverage
|
null
|
["ubuntu-latest"]
|
7543
|
2
|
1774221067
|
1774221089
|
1774220984
|
1774221089
|
|
0
|
|
0
|
Edit
Delete
|
|
9000
|
7290
|
6
|
5
|
339ea969ec2633756fb1a155d47723d0f61396a4
|
0
|
🛡️ RLS 覆盖分析
|
1
|
name: Database Security Audit
"on":
pu name: Database Security Audit
"on":
push:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
pull_request:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
schedule:
# 每天凌晨 2 点执行完整审计
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
full_audit:
description: '执行完整审计(包含 RLS 迁移建议)'
required: false
default: 'false'
type: boolean
env:
NODE_VERSION: "18"
jobs:
rls-coverage:
name: "\U0001F6E1️ RLS 覆盖分析"
runs-on: ubuntu-latest
steps:
- name: "\U0001F4E5 Checkout code"
uses: actions/checkout@v4
- name: "\U0001F7E2 Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 Setup pnpm"
uses: pnpm/action-setup@v2
with:
version: "8"
- name: "\U0001F4E5 Install dependencies"
run: pnpm install --frozen-lockfile
- id: rls-analysis
name: "\U0001F50D RLS 策略分析"
run: |
cd backend
npm run rls:analyze 2>&1 | tee rls-analysis.log
# 提取覆盖率
COVERAGE=$(grep -oP 'RLS 覆盖率: \K[\d.]+%' rls-analysis.log || echo "0%")
echo "coverage=$COVERAGE" >> $GITHUB_OUTPUT
- name: "\U0001F4CA 上传 RLS 分析报告"
uses: actions/upload-artifact@v4
with:
name: rls-coverage-report
path: backend/rls-analysis.log
- name: "\U0001F4C8 RLS 覆盖率检查"
run: |
COVERAGE="${{ steps.rls-analysis.outputs.coverage }}"
echo "当前 RLS 覆盖率: $COVERAGE"
# 提取数字部分
PERCENT=$(echo $COVERAGE | grep -oP '[\d.]+' || echo "0")
if (( $(echo "$PERCENT < 80" | bc -l) )); then
echo "::warning::RLS 覆盖率低于 80%,建议增加 RLS 策略"
fi
timeout-minutes: "10"
...
|
rls-coverage
|
null
|
["ubuntu-latest"]
|
7761
|
2
|
1774229139
|
1774229160
|
1774229062
|
1774229161
|
|
0
|
|
0
|
Edit
Delete
|
|
9073
|
7309
|
6
|
5
|
339ea969ec2633756fb1a155d47723d0f61396a4
|
0
|
🛡️ RLS 覆盖分析
|
1
|
name: Database Security Audit
"on":
pu name: Database Security Audit
"on":
push:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
pull_request:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
schedule:
# 每天凌晨 2 点执行完整审计
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
full_audit:
description: '执行完整审计(包含 RLS 迁移建议)'
required: false
default: 'false'
type: boolean
env:
NODE_VERSION: "18"
jobs:
rls-coverage:
name: "\U0001F6E1️ RLS 覆盖分析"
runs-on: ubuntu-latest
steps:
- name: "\U0001F4E5 Checkout code"
uses: actions/checkout@v4
- name: "\U0001F7E2 Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 Setup pnpm"
uses: pnpm/action-setup@v2
with:
version: "8"
- name: "\U0001F4E5 Install dependencies"
run: pnpm install --frozen-lockfile
- id: rls-analysis
name: "\U0001F50D RLS 策略分析"
run: |
cd backend
npm run rls:analyze 2>&1 | tee rls-analysis.log
# 提取覆盖率
COVERAGE=$(grep -oP 'RLS 覆盖率: \K[\d.]+%' rls-analysis.log || echo "0%")
echo "coverage=$COVERAGE" >> $GITHUB_OUTPUT
- name: "\U0001F4CA 上传 RLS 分析报告"
uses: actions/upload-artifact@v4
with:
name: rls-coverage-report
path: backend/rls-analysis.log
- name: "\U0001F4C8 RLS 覆盖率检查"
run: |
COVERAGE="${{ steps.rls-analysis.outputs.coverage }}"
echo "当前 RLS 覆盖率: $COVERAGE"
# 提取数字部分
PERCENT=$(echo $COVERAGE | grep -oP '[\d.]+' || echo "0")
if (( $(echo "$PERCENT < 80" | bc -l) )); then
echo "::warning::RLS 覆盖率低于 80%,建议增加 RLS 策略"
fi
timeout-minutes: "10"
...
|
rls-coverage
|
null
|
["ubuntu-latest"]
|
7834
|
2
|
1774231289
|
1774231311
|
1774231240
|
1774231311
|
|
0
|
|
0
|
Edit
Delete
|
|
9203
|
7415
|
6
|
5
|
67078f9a95f53530156ad27027eafe15a3126e89
|
0
|
🛡️ RLS 覆盖分析
|
1
|
name: Database Security Audit
"on":
pu name: Database Security Audit
"on":
push:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
pull_request:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
schedule:
# 每天凌晨 2 点执行完整审计
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
full_audit:
description: '执行完整审计(包含 RLS 迁移建议)'
required: false
default: 'false'
type: boolean
env:
NODE_VERSION: "18"
jobs:
rls-coverage:
name: "\U0001F6E1️ RLS 覆盖分析"
runs-on: ubuntu-latest
steps:
- name: "\U0001F4E5 Checkout code"
uses: actions/checkout@v4
- name: "\U0001F7E2 Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 Setup pnpm"
uses: pnpm/action-setup@v2
with:
version: "8"
- name: "\U0001F4E5 Install dependencies"
run: pnpm install --frozen-lockfile
- id: rls-analysis
name: "\U0001F50D RLS 策略分析"
run: |
cd backend
npm run rls:analyze 2>&1 | tee rls-analysis.log
# 提取覆盖率
COVERAGE=$(grep -oP 'RLS 覆盖率: \K[\d.]+%' rls-analysis.log || echo "0%")
echo "coverage=$COVERAGE" >> $GITHUB_OUTPUT
- name: "\U0001F4CA 上传 RLS 分析报告"
uses: actions/upload-artifact@v4
with:
name: rls-coverage-report
path: backend/rls-analysis.log
- name: "\U0001F4C8 RLS 覆盖率检查"
run: |
COVERAGE="${{ steps.rls-analysis.outputs.coverage }}"
echo "当前 RLS 覆盖率: $COVERAGE"
# 提取数字部分
PERCENT=$(echo $COVERAGE | grep -oP '[\d.]+' || echo "0")
if (( $(echo "$PERCENT < 80" | bc -l) )); then
echo "::warning::RLS 覆盖率低于 80%,建议增加 RLS 策略"
fi
timeout-minutes: "10"
...
|
rls-coverage
|
null
|
["ubuntu-latest"]
|
7952
|
2
|
1774262643
|
1774262673
|
1774262375
|
1774262673
|
|
0
|
|
0
|
Edit
Delete
|
|
9067
|
7307
|
6
|
5
|
339ea969ec2633756fb1a155d47723d0f61396a4
|
0
|
🗄️ 数据库性能测试
|
1
|
name: Performance Tests
"on":
# 每周一凌晨 name: Performance Tests
"on":
# 每周一凌晨 2 点运行
schedule:
- cron: '0 2 * * 1'
# 允许手动触发
workflow_dispatch:
inputs:
test_type:
description: '测试类型'
required: true
default: 'benchmark'
type: choice
options:
- benchmark
- load
- stress
- all
duration:
description: '测试持续时间(秒)'
required: false
default: '60'
type: string
concurrency:
description: '并发数'
required: false
default: '10'
type: string
# PR 触发时只运行基准测试
pull_request:
branches: [main]
paths:
- 'backend/src/**'
- 'backend/prisma/**'
env:
NODE_VERSION: "18"
PNPM_VERSION: "8"
jobs:
db-performance:
name: "\U0001F5C4️ 数据库性能测试"
runs-on: ubuntu-latest
if: needs.setup.outputs.test_type == 'all'
steps:
- name: "\U0001F4E5 检出代码"
uses: actions/checkout@v4
- name: "\U0001F4E6 安装 pnpm"
uses: pnpm/action-setup@v2
with:
version: ${{ env.PNPM_VERSION }}
- name: "\U0001F7E2 设置 Node.js"
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 安装依赖"
run: pnpm install --frozen-lockfile
- name: "\U0001F5C4️ 初始化数据库"
run: |
cd backend
npx prisma migrate deploy
env:
DATABASE_URL: postgresql://test:test@localhost:5432/juhi_db_perf
- name: "\U0001F528 生成测试数据"
run: |
cd backend
# 生成大量测试数据用于性能测试
cat > generate-test-data.ts << 'EOF'
import { PrismaClient } from '@prisma/client';
const prisma = new PrismaClient();
const TENANT_ID = '00000000-0000-0000-0000-000000000001';
async function main() {
console.log('生成测试数据...');
// 创建租户
await prisma.tenants.upsert({
where: { id: TENANT_ID },
create: { id: TENANT_ID, name: 'Performance Test Tenant', code: 'PERF' },
update: {},
});
// 批量创建线索(10000 条)
const leads = [];
for (let i = 0; i < 10000; i++) {
leads.push({
id: `lead-${i.toString().padStart(5, '0')}`,
tenant_id: TENANT_ID,
biz_id: `LEAD-${Date.now()}-${i}`,
company_name: `测试公司 ${i}`,
contact_name: `联系人 ${i}`,
contact_phone: `138${i.toString().padStart(8, '0')}`,
status: ['new', 'contacted', 'qualified'][i % 3],
source: ['website', 'referral', 'advertisement'][i % 3],
created_at: new Date(),
updated_at: new Date(),
});
}
await prisma.leads.createMany({
data: leads,
skipDuplicates: true,
});
console.log('已创建 10000 条线索');
}
main()
.catch(console.error)
.finally(() => prisma.$disconnect());
EOF
npx tsx generate-test-data.ts
env:
DATABASE_URL: postgresql://test:test@localhost:5432/juhi_db_perf
- name: "\U0001F9EA 运行数据库性能测试"
run: "cd backend\ncat > db-perf-test.ts << 'EOF'\nimport { PrismaClient } from '@prisma/client';\n\nconst prisma = new PrismaClient({\n log: ['query'],\n});\nconst TENANT_ID = '00000000-0000-0000-0000-000000000001';\n\ninterface PerfResult {\n name: string;\n avgMs: number;\n minMs: number;\n maxMs: number;\n iterations: number;\n}\n\nasync function benchmark(name: string, fn: () => Promise<any>, iterations = 100): Promise<PerfResult> {\n const times: number[] = [];\n\n // 预热\n for (let i = 0; i < 5; i++) {\n await fn();\n }\n\n // 正式测试\n for (let i = 0; i < iterations; i++) {\n const start = performance.now();\n await fn();\n times.push(performance.now() - start);\n }\n\n return {\n name,\n avgMs: times.reduce((a, b) => a + b, 0) / times.length,\n minMs: Math.min(...times),\n maxMs: Math.max(...times),\n iterations,\n };\n}\n\nasync function main() {\n const results: PerfResult[] = [];\n\n // 测试 1: 简单查询\n results.push(await benchmark('简单查询 (findMany)', async () => {\n await prisma.leads.findMany({\n where: { tenant_id: TENANT_ID },\n take: 20,\n });\n }));\n\n // 测试 2: 带筛选查询\n results.push(await benchmark('带筛选查询', async () => {\n await prisma.leads.findMany({\n where: {\n tenant_id: TENANT_ID,\n status: 'new',\n },\n take: 20,\n });\n }));\n\n // 测试 3: 计数查询\n results.push(await benchmark('计数查询', async () => {\n await prisma.leads.count({\n where: { tenant_id: TENANT_ID },\n });\n }));\n\n // 测试 4: 分页查询\n results.push(await benchmark('分页查询 (第50页)', async () => {\n await prisma.leads.findMany({\n where: { tenant_id: TENANT_ID },\n skip: 1000,\n take: 20,\n });\n }));\n\n // 输出结果\n console.log('\\n\U0001F4CA 数据库性能测试结果\\n');\n console.log('| 测试项 | 平均耗时 | 最小耗时 | 最大耗时 | 迭代次数 |');\n console.log('|--------|----------|----------|----------|----------|');\n\n for (const r of results) {\n console.log(`| ${r.name} | ${r.avgMs.toFixed(2)}ms | ${r.minMs.toFixed(2)}ms | ${r.maxMs.toFixed(2)}ms | ${r.iterations} |`);\n }\n\n // 写入 JSON 结果\n const fs = await import('fs');\n fs.writeFileSync('db-perf-results.json', JSON.stringify(results, null, 2));\n}\n\nmain()\n .catch(console.error)\n .finally(() => prisma.$disconnect());\nEOF\n\nnpx tsx db-perf-test.ts | tee db-perf-output.txt\n"
env:
DATABASE_URL: postgresql://test:test@localhost:5432/juhi_db_perf
- name: "\U0001F4DD 生成数据库性能报告"
run: "echo \"## \U0001F5C4️ 数据库性能测试报告\" >> $GITHUB_STEP_SUMMARY\necho \"\" >> $GITHUB_STEP_SUMMARY\n\nif [ -f \"backend/db-perf-output.txt\" ]; then\n cat backend/db-perf-output.txt >> $GITHUB_STEP_SUMMARY\nfi\n"
- name: "\U0001F4E4 上传数据库性能结果"
uses: actions/upload-artifact@v4
with:
name: db-performance-results
path: |
backend/db-perf-results.json
backend/db-perf-output.txt
retention-days: "30"
timeout-minutes: "30"
services:
postgres:
image: postgres:15
env:
POSTGRES_DB: juhi_db_perf
POSTGRES_PASSWORD: test
POSTGRES_USER: test
ports:
- 5432:5432
options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
...
|
db-performance
|
["setup"]
|
["ubuntu-latest"]
|
7839
|
2
|
1774231400
|
1774231423
|
1774231240
|
1774231423
|
|
1
|
|
0
|
Edit
Delete
|
|
12937
|
9521
|
6
|
5
|
58e5152a38868b8f3832d9573c340a3eb60051c8
|
0
|
🗄️ 数据库性能测试
|
1
|
name: Performance Tests
"on":
# 每周一凌晨 name: Performance Tests
"on":
# 每周一凌晨 2 点运行
schedule:
- cron: '0 2 * * 1'
# 允许手动触发
workflow_dispatch:
inputs:
test_type:
description: '测试类型'
required: true
default: 'benchmark'
type: choice
options:
- benchmark
- load
- stress
- all
duration:
description: '测试持续时间(秒)'
required: false
default: '60'
type: string
concurrency:
description: '并发数'
required: false
default: '10'
type: string
# PR 触发时只运行基准测试
pull_request:
branches: [main]
paths:
- 'backend/src/**'
- 'backend/prisma/**'
env:
NODE_VERSION: "18"
PNPM_VERSION: "8"
jobs:
db-performance:
name: "\U0001F5C4️ 数据库性能测试"
runs-on: ubuntu-latest
if: needs.setup.outputs.test_type == 'all'
steps:
- name: "\U0001F4E5 检出代码"
uses: actions/checkout@v4
- name: "\U0001F4E6 安装 pnpm"
uses: pnpm/action-setup@v2
with:
version: ${{ env.PNPM_VERSION }}
- name: "\U0001F7E2 设置 Node.js"
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 安装依赖"
run: pnpm install --frozen-lockfile
- name: "\U0001F5C4️ 初始化数据库"
run: |
cd backend
npx prisma migrate deploy
env:
DATABASE_URL: postgresql://test:test@localhost:5432/juhi_db_perf
- name: "\U0001F528 生成测试数据"
run: |
cd backend
# 生成大量测试数据用于性能测试
cat > generate-test-data.ts << 'EOF'
import { PrismaClient } from '@prisma/client';
const prisma = new PrismaClient();
const TENANT_ID = '00000000-0000-0000-0000-000000000001';
async function main() {
console.log('生成测试数据...');
// 创建租户
await prisma.tenants.upsert({
where: { id: TENANT_ID },
create: { id: TENANT_ID, name: 'Performance Test Tenant', code: 'PERF' },
update: {},
});
// 批量创建线索(10000 条)
const leads = [];
for (let i = 0; i < 10000; i++) {
leads.push({
id: `lead-${i.toString().padStart(5, '0')}`,
tenant_id: TENANT_ID,
biz_id: `LEAD-${Date.now()}-${i}`,
company_name: `测试公司 ${i}`,
contact_name: `联系人 ${i}`,
contact_phone: `138${i.toString().padStart(8, '0')}`,
status: ['new', 'contacted', 'qualified'][i % 3],
source: ['website', 'referral', 'advertisement'][i % 3],
created_at: new Date(),
updated_at: new Date(),
});
}
await prisma.leads.createMany({
data: leads,
skipDuplicates: true,
});
console.log('已创建 10000 条线索');
}
main()
.catch(console.error)
.finally(() => prisma.$disconnect());
EOF
npx tsx generate-test-data.ts
env:
DATABASE_URL: postgresql://test:test@localhost:5432/juhi_db_perf
- name: "\U0001F9EA 运行数据库性能测试"
run: "cd backend\ncat > db-perf-test.ts << 'EOF'\nimport { PrismaClient } from '@prisma/client';\n\nconst prisma = new PrismaClient({\n log: ['query'],\n});\nconst TENANT_ID = '00000000-0000-0000-0000-000000000001';\n\ninterface PerfResult {\n name: string;\n avgMs: number;\n minMs: number;\n maxMs: number;\n iterations: number;\n}\n\nasync function benchmark(name: string, fn: () => Promise<any>, iterations = 100): Promise<PerfResult> {\n const times: number[] = [];\n\n // 预热\n for (let i = 0; i < 5; i++) {\n await fn();\n }\n\n // 正式测试\n for (let i = 0; i < iterations; i++) {\n const start = performance.now();\n await fn();\n times.push(performance.now() - start);\n }\n\n return {\n name,\n avgMs: times.reduce((a, b) => a + b, 0) / times.length,\n minMs: Math.min(...times),\n maxMs: Math.max(...times),\n iterations,\n };\n}\n\nasync function main() {\n const results: PerfResult[] = [];\n\n // 测试 1: 简单查询\n results.push(await benchmark('简单查询 (findMany)', async () => {\n await prisma.leads.findMany({\n where: { tenant_id: TENANT_ID },\n take: 20,\n });\n }));\n\n // 测试 2: 带筛选查询\n results.push(await benchmark('带筛选查询', async () => {\n await prisma.leads.findMany({\n where: {\n tenant_id: TENANT_ID,\n status: 'new',\n },\n take: 20,\n });\n }));\n\n // 测试 3: 计数查询\n results.push(await benchmark('计数查询', async () => {\n await prisma.leads.count({\n where: { tenant_id: TENANT_ID },\n });\n }));\n\n // 测试 4: 分页查询\n results.push(await benchmark('分页查询 (第50页)', async () => {\n await prisma.leads.findMany({\n where: { tenant_id: TENANT_ID },\n skip: 1000,\n take: 20,\n });\n }));\n\n // 输出结果\n console.log('\\n\U0001F4CA 数据库性能测试结果\\n');\n console.log('| 测试项 | 平均耗时 | 最小耗时 | 最大耗时 | 迭代次数 |');\n console.log('|--------|----------|----------|----------|----------|');\n\n for (const r of results) {\n console.log(`| ${r.name} | ${r.avgMs.toFixed(2)}ms | ${r.minMs.toFixed(2)}ms | ${r.maxMs.toFixed(2)}ms | ${r.iterations} |`);\n }\n\n // 写入 JSON 结果\n const fs = await import('fs');\n fs.writeFileSync('db-perf-results.json', JSON.stringify(results, null, 2));\n}\n\nmain()\n .catch(console.error)\n .finally(() => prisma.$disconnect());\nEOF\n\nnpx tsx db-perf-test.ts | tee db-perf-output.txt\n"
env:
DATABASE_URL: postgresql://test:test@localhost:5432/juhi_db_perf
- name: "\U0001F4DD 生成数据库性能报告"
run: "echo \"## \U0001F5C4️ 数据库性能测试报告\" >> $GITHUB_STEP_SUMMARY\necho \"\" >> $GITHUB_STEP_SUMMARY\n\nif [ -f \"backend/db-perf-output.txt\" ]; then\n cat backend/db-perf-output.txt >> $GITHUB_STEP_SUMMARY\nfi\n"
- name: "\U0001F4E4 上传数据库性能结果"
uses: actions/upload-artifact@v4
with:
name: db-performance-results
path: |
backend/db-perf-results.json
backend/db-perf-output.txt
retention-days: "30"
timeout-minutes: "30"
services:
postgres:
image: postgres:15
env:
POSTGRES_DB: juhi_db_perf
POSTGRES_PASSWORD: test
POSTGRES_USER: test
ports:
- 5432:5432
options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
...
|
db-performance
|
["setup"]
|
["ubuntu-latest"]
|
10935
|
2
|
1774836934
|
1774837343
|
1774836018
|
1774837344
|
|
1
|
|
0
|
Edit
Delete
|
|
16460
|
11697
|
6
|
5
|
9d69e1960ec649a49c0c6f307c0fc197f47ee4c4
|
0
|
🗄️ 数据库性能测试
|
1
|
name: Performance Tests
"on":
# 每周一凌晨 name: Performance Tests
"on":
# 每周一凌晨 2 点运行
schedule:
- cron: '0 2 * * 1'
# 允许手动触发
workflow_dispatch:
inputs:
test_type:
description: '测试类型'
required: true
default: 'benchmark'
type: choice
options:
- benchmark
- load
- stress
- all
duration:
description: '测试持续时间(秒)'
required: false
default: '60'
type: string
concurrency:
description: '并发数'
required: false
default: '10'
type: string
# PR 触发时只运行基准测试
pull_request:
branches: [main]
paths:
- 'backend/src/**'
- 'backend/prisma/**'
env:
NODE_VERSION: "18"
PNPM_VERSION: "8"
jobs:
db-performance:
name: "\U0001F5C4️ 数据库性能测试"
runs-on: ubuntu-latest
if: needs.setup.outputs.test_type == 'all'
steps:
- name: "\U0001F4E5 检出代码"
uses: actions/checkout@v4
- name: "\U0001F4E6 安装 pnpm"
uses: pnpm/action-setup@v2
with:
version: ${{ env.PNPM_VERSION }}
- name: "\U0001F7E2 设置 Node.js"
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 安装依赖"
run: pnpm install --frozen-lockfile
- name: "\U0001F5C4️ 初始化数据库"
run: |
cd backend
npx prisma migrate deploy
env:
DATABASE_URL: postgresql://test:test@localhost:5432/juhi_db_perf
- name: "\U0001F528 生成测试数据"
run: |
cd backend
# 生成大量测试数据用于性能测试
cat > generate-test-data.ts << 'EOF'
import { PrismaClient } from '@prisma/client';
const prisma = new PrismaClient();
const TENANT_ID = '00000000-0000-0000-0000-000000000001';
async function main() {
console.log('生成测试数据...');
// 创建租户
await prisma.tenants.upsert({
where: { id: TENANT_ID },
create: { id: TENANT_ID, name: 'Performance Test Tenant', code: 'PERF' },
update: {},
});
// 批量创建线索(10000 条)
const leads = [];
for (let i = 0; i < 10000; i++) {
leads.push({
id: `lead-${i.toString().padStart(5, '0')}`,
tenant_id: TENANT_ID,
biz_id: `LEAD-${Date.now()}-${i}`,
company_name: `测试公司 ${i}`,
contact_name: `联系人 ${i}`,
contact_phone: `138${i.toString().padStart(8, '0')}`,
status: ['new', 'contacted', 'qualified'][i % 3],
source: ['website', 'referral', 'advertisement'][i % 3],
created_at: new Date(),
updated_at: new Date(),
});
}
await prisma.leads.createMany({
data: leads,
skipDuplicates: true,
});
console.log('已创建 10000 条线索');
}
main()
.catch(console.error)
.finally(() => prisma.$disconnect());
EOF
npx tsx generate-test-data.ts
env:
DATABASE_URL: postgresql://test:test@localhost:5432/juhi_db_perf
- name: "\U0001F9EA 运行数据库性能测试"
run: "cd backend\ncat > db-perf-test.ts << 'EOF'\nimport { PrismaClient } from '@prisma/client';\n\nconst prisma = new PrismaClient({\n log: ['query'],\n});\nconst TENANT_ID = '00000000-0000-0000-0000-000000000001';\n\ninterface PerfResult {\n name: string;\n avgMs: number;\n minMs: number;\n maxMs: number;\n iterations: number;\n}\n\nasync function benchmark(name: string, fn: () => Promise<any>, iterations = 100): Promise<PerfResult> {\n const times: number[] = [];\n\n // 预热\n for (let i = 0; i < 5; i++) {\n await fn();\n }\n\n // 正式测试\n for (let i = 0; i < iterations; i++) {\n const start = performance.now();\n await fn();\n times.push(performance.now() - start);\n }\n\n return {\n name,\n avgMs: times.reduce((a, b) => a + b, 0) / times.length,\n minMs: Math.min(...times),\n maxMs: Math.max(...times),\n iterations,\n };\n}\n\nasync function main() {\n const results: PerfResult[] = [];\n\n // 测试 1: 简单查询\n results.push(await benchmark('简单查询 (findMany)', async () => {\n await prisma.leads.findMany({\n where: { tenant_id: TENANT_ID },\n take: 20,\n });\n }));\n\n // 测试 2: 带筛选查询\n results.push(await benchmark('带筛选查询', async () => {\n await prisma.leads.findMany({\n where: {\n tenant_id: TENANT_ID,\n status: 'new',\n },\n take: 20,\n });\n }));\n\n // 测试 3: 计数查询\n results.push(await benchmark('计数查询', async () => {\n await prisma.leads.count({\n where: { tenant_id: TENANT_ID },\n });\n }));\n\n // 测试 4: 分页查询\n results.push(await benchmark('分页查询 (第50页)', async () => {\n await prisma.leads.findMany({\n where: { tenant_id: TENANT_ID },\n skip: 1000,\n take: 20,\n });\n }));\n\n // 输出结果\n console.log('\\n\U0001F4CA 数据库性能测试结果\\n');\n console.log('| 测试项 | 平均耗时 | 最小耗时 | 最大耗时 | 迭代次数 |');\n console.log('|--------|----------|----------|----------|----------|');\n\n for (const r of results) {\n console.log(`| ${r.name} | ${r.avgMs.toFixed(2)}ms | ${r.minMs.toFixed(2)}ms | ${r.maxMs.toFixed(2)}ms | ${r.iterations} |`);\n }\n\n // 写入 JSON 结果\n const fs = await import('fs');\n fs.writeFileSync('db-perf-results.json', JSON.stringify(results, null, 2));\n}\n\nmain()\n .catch(console.error)\n .finally(() => prisma.$disconnect());\nEOF\n\nnpx tsx db-perf-test.ts | tee db-perf-output.txt\n"
env:
DATABASE_URL: postgresql://test:test@localhost:5432/juhi_db_perf
- name: "\U0001F4DD 生成数据库性能报告"
run: "echo \"## \U0001F5C4️ 数据库性能测试报告\" >> $GITHUB_STEP_SUMMARY\necho \"\" >> $GITHUB_STEP_SUMMARY\n\nif [ -f \"backend/db-perf-output.txt\" ]; then\n cat backend/db-perf-output.txt >> $GITHUB_STEP_SUMMARY\nfi\n"
- name: "\U0001F4E4 上传数据库性能结果"
uses: actions/upload-artifact@v4
with:
name: db-performance-results
path: |
backend/db-perf-results.json
backend/db-perf-output.txt
retention-days: "30"
timeout-minutes: "30"
services:
postgres:
image: postgres:15
env:
POSTGRES_DB: juhi_db_perf
POSTGRES_PASSWORD: test
POSTGRES_USER: test
ports:
- 5432:5432
options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
...
|
db-performance
|
["setup"]
|
["ubuntu-latest"]
|
13754
|
2
|
1775441259
|
1775441437
|
1775440818
|
1775441437
|
|
1
|
|
0
|
Edit
Delete
|
|
7836
|
6702
|
6
|
5
|
e112d45af414e4862c0328abad7c4df74d3c1dbf
|
0
|
🔬 完整安全审计
|
1
|
name: Database Security Audit
"on":
pu name: Database Security Audit
"on":
push:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
pull_request:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
schedule:
# 每天凌晨 2 点执行完整审计
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
full_audit:
description: '执行完整审计(包含 RLS 迁移建议)'
required: false
default: 'false'
type: boolean
env:
NODE_VERSION: "18"
jobs:
full-audit:
name: "\U0001F52C 完整安全审计"
runs-on: ubuntu-latest
if: github.event_name == 'schedule' || github.event.inputs.full_audit == 'true'
steps:
- name: "\U0001F4E5 Checkout code"
uses: actions/checkout@v4
- name: "\U0001F7E2 Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 Setup pnpm"
uses: pnpm/action-setup@v2
with:
version: "8"
- name: "\U0001F4E5 Install dependencies"
run: pnpm install --frozen-lockfile
- name: "\U0001F50D 生成 RLS 迁移脚本"
run: |
cd backend
npm run rls:generate 2>&1 | tee rls-migration.sql
- name: "\U0001F4CA 上传迁移脚本"
uses: actions/upload-artifact@v4
with:
name: rls-migration-scripts
path: |
backend/rls-migration.sql
backend/prisma/rls-policies/
- if: failure()
name: "\U0001F4E7 发送审计通知"
uses: actions/github-script@v7
with:
script: "// 创建 Issue 记录审计失败\ngithub.rest.issues.create({\n owner: context.repo.owner,\n repo: context.repo.repo,\n title: '\U0001F6A8 数据库安全审计失败 - ' + new Date().toISOString().split('T')[0],\n body: `\n ## 审计失败通知\n\n **执行时间**: ${new Date().toISOString()}\n **工作流运行**: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}\n\n 请立即检查并修复安全问题。\n `,\n labels: ['security', 'urgent']\n});\n"
...
|
full-audit
|
["tenant-security","n1-query-detection ["tenant-security","n1-query-detection","rls-coverage","permission-security"]...
|
["ubuntu-latest"]
|
6768
|
4
|
1773832778
|
1773832778
|
1773831748
|
1773832778
|
|
1
|
|
0
|
Edit
Delete
|
|
7898
|
6712
|
6
|
5
|
b7eb415d7a9689f1efec941bcb2dcd7d098e9c28
|
0
|
🔬 完整安全审计
|
1
|
name: Database Security Audit
"on":
pu name: Database Security Audit
"on":
push:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
pull_request:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
schedule:
# 每天凌晨 2 点执行完整审计
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
full_audit:
description: '执行完整审计(包含 RLS 迁移建议)'
required: false
default: 'false'
type: boolean
env:
NODE_VERSION: "18"
jobs:
full-audit:
name: "\U0001F52C 完整安全审计"
runs-on: ubuntu-latest
if: github.event_name == 'schedule' || github.event.inputs.full_audit == 'true'
steps:
- name: "\U0001F4E5 Checkout code"
uses: actions/checkout@v4
- name: "\U0001F7E2 Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 Setup pnpm"
uses: pnpm/action-setup@v2
with:
version: "8"
- name: "\U0001F4E5 Install dependencies"
run: pnpm install --frozen-lockfile
- name: "\U0001F50D 生成 RLS 迁移脚本"
run: |
cd backend
npm run rls:generate 2>&1 | tee rls-migration.sql
- name: "\U0001F4CA 上传迁移脚本"
uses: actions/upload-artifact@v4
with:
name: rls-migration-scripts
path: |
backend/rls-migration.sql
backend/prisma/rls-policies/
- if: failure()
name: "\U0001F4E7 发送审计通知"
uses: actions/github-script@v7
with:
script: "// 创建 Issue 记录审计失败\ngithub.rest.issues.create({\n owner: context.repo.owner,\n repo: context.repo.repo,\n title: '\U0001F6A8 数据库安全审计失败 - ' + new Date().toISOString().split('T')[0],\n body: `\n ## 审计失败通知\n\n **执行时间**: ${new Date().toISOString()}\n **工作流运行**: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}\n\n 请立即检查并修复安全问题。\n `,\n labels: ['security', 'urgent']\n});\n"
...
|
full-audit
|
["tenant-security","n1-query-detection ["tenant-security","n1-query-detection","rls-coverage","permission-security"]...
|
["ubuntu-latest"]
|
6800
|
4
|
1773833278
|
1773833278
|
1773832743
|
1773833279
|
|
1
|
|
0
|
Edit
Delete
|
|
8153
|
6903
|
6
|
5
|
b7eb415d7a9689f1efec941bcb2dcd7d098e9c28
|
0
|
🔬 完整安全审计
|
1
|
name: Database Security Audit
"on":
pu name: Database Security Audit
"on":
push:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
pull_request:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
schedule:
# 每天凌晨 2 点执行完整审计
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
full_audit:
description: '执行完整审计(包含 RLS 迁移建议)'
required: false
default: 'false'
type: boolean
env:
NODE_VERSION: "18"
jobs:
full-audit:
name: "\U0001F52C 完整安全审计"
runs-on: ubuntu-latest
if: github.event_name == 'schedule' || github.event.inputs.full_audit == 'true'
steps:
- name: "\U0001F4E5 Checkout code"
uses: actions/checkout@v4
- name: "\U0001F7E2 Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 Setup pnpm"
uses: pnpm/action-setup@v2
with:
version: "8"
- name: "\U0001F4E5 Install dependencies"
run: pnpm install --frozen-lockfile
- name: "\U0001F50D 生成 RLS 迁移脚本"
run: |
cd backend
npm run rls:generate 2>&1 | tee rls-migration.sql
- name: "\U0001F4CA 上传迁移脚本"
uses: actions/upload-artifact@v4
with:
name: rls-migration-scripts
path: |
backend/rls-migration.sql
backend/prisma/rls-policies/
- if: failure()
name: "\U0001F4E7 发送审计通知"
uses: actions/github-script@v7
with:
script: "// 创建 Issue 记录审计失败\ngithub.rest.issues.create({\n owner: context.repo.owner,\n repo: context.repo.repo,\n title: '\U0001F6A8 数据库安全审计失败 - ' + new Date().toISOString().split('T')[0],\n body: `\n ## 审计失败通知\n\n **执行时间**: ${new Date().toISOString()}\n **工作流运行**: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}\n\n 请立即检查并修复安全问题。\n `,\n labels: ['security', 'urgent']\n});\n"
...
|
full-audit
|
["tenant-security","n1-query-detection ["tenant-security","n1-query-detection","rls-coverage","permission-security"]...
|
["ubuntu-latest"]
|
7035
|
4
|
1773885833
|
1773885833
|
1773885613
|
1773885833
|
|
1
|
|
0
|
Edit
Delete
|
|
8454
|
7068
|
6
|
5
|
9771b23ae7aaee164f15f9c4ccbdb18eb68fc71f
|
0
|
🔬 完整安全审计
|
1
|
name: Database Security Audit
"on":
pu name: Database Security Audit
"on":
push:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
pull_request:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
schedule:
# 每天凌晨 2 点执行完整审计
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
full_audit:
description: '执行完整审计(包含 RLS 迁移建议)'
required: false
default: 'false'
type: boolean
env:
NODE_VERSION: "18"
jobs:
full-audit:
name: "\U0001F52C 完整安全审计"
runs-on: ubuntu-latest
if: github.event_name == 'schedule' || github.event.inputs.full_audit == 'true'
steps:
- name: "\U0001F4E5 Checkout code"
uses: actions/checkout@v4
- name: "\U0001F7E2 Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 Setup pnpm"
uses: pnpm/action-setup@v2
with:
version: "8"
- name: "\U0001F4E5 Install dependencies"
run: pnpm install --frozen-lockfile
- name: "\U0001F50D 生成 RLS 迁移脚本"
run: |
cd backend
npm run rls:generate 2>&1 | tee rls-migration.sql
- name: "\U0001F4CA 上传迁移脚本"
uses: actions/upload-artifact@v4
with:
name: rls-migration-scripts
path: |
backend/rls-migration.sql
backend/prisma/rls-policies/
- if: failure()
name: "\U0001F4E7 发送审计通知"
uses: actions/github-script@v7
with:
script: "// 创建 Issue 记录审计失败\ngithub.rest.issues.create({\n owner: context.repo.owner,\n repo: context.repo.repo,\n title: '\U0001F6A8 数据库安全审计失败 - ' + new Date().toISOString().split('T')[0],\n body: `\n ## 审计失败通知\n\n **执行时间**: ${new Date().toISOString()}\n **工作流运行**: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}\n\n 请立即检查并修复安全问题。\n `,\n labels: ['security', 'urgent']\n});\n"
...
|
full-audit
|
["tenant-security","n1-query-detection ["tenant-security","n1-query-detection","rls-coverage","permission-security"]...
|
["ubuntu-latest"]
|
7289
|
4
|
1773929909
|
1773929909
|
1773929407
|
1773929909
|
|
1
|
|
0
|
Edit
Delete
|
|
8563
|
7113
|
6
|
5
|
979d9c81063fbda12f1445bf80b0c0027b0fbac2
|
0
|
🔬 完整安全审计
|
1
|
name: Database Security Audit
"on":
pu name: Database Security Audit
"on":
push:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
pull_request:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
schedule:
# 每天凌晨 2 点执行完整审计
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
full_audit:
description: '执行完整审计(包含 RLS 迁移建议)'
required: false
default: 'false'
type: boolean
env:
NODE_VERSION: "18"
jobs:
full-audit:
name: "\U0001F52C 完整安全审计"
runs-on: ubuntu-latest
if: github.event_name == 'schedule' || github.event.inputs.full_audit == 'true'
steps:
- name: "\U0001F4E5 Checkout code"
uses: actions/checkout@v4
- name: "\U0001F7E2 Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 Setup pnpm"
uses: pnpm/action-setup@v2
with:
version: "8"
- name: "\U0001F4E5 Install dependencies"
run: pnpm install --frozen-lockfile
- name: "\U0001F50D 生成 RLS 迁移脚本"
run: |
cd backend
npm run rls:generate 2>&1 | tee rls-migration.sql
- name: "\U0001F4CA 上传迁移脚本"
uses: actions/upload-artifact@v4
with:
name: rls-migration-scripts
path: |
backend/rls-migration.sql
backend/prisma/rls-policies/
- if: failure()
name: "\U0001F4E7 发送审计通知"
uses: actions/github-script@v7
with:
script: "// 创建 Issue 记录审计失败\ngithub.rest.issues.create({\n owner: context.repo.owner,\n repo: context.repo.repo,\n title: '\U0001F6A8 数据库安全审计失败 - ' + new Date().toISOString().split('T')[0],\n body: `\n ## 审计失败通知\n\n **执行时间**: ${new Date().toISOString()}\n **工作流运行**: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}\n\n 请立即检查并修复安全问题。\n `,\n labels: ['security', 'urgent']\n});\n"
...
|
full-audit
|
["tenant-security","n1-query-detection ["tenant-security","n1-query-detection","rls-coverage","permission-security"]...
|
["ubuntu-latest"]
|
7388
|
4
|
1773940582
|
1773940582
|
1773939780
|
1773940582
|
|
1
|
|
0
|
Edit
Delete
|
|
8752
|
7231
|
6
|
5
|
0900b15d607e5c78f97fec16a73357ad4f814390
|
0
|
🔬 完整安全审计
|
1
|
name: Database Security Audit
"on":
pu name: Database Security Audit
"on":
push:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
pull_request:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
schedule:
# 每天凌晨 2 点执行完整审计
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
full_audit:
description: '执行完整审计(包含 RLS 迁移建议)'
required: false
default: 'false'
type: boolean
env:
NODE_VERSION: "18"
jobs:
full-audit:
name: "\U0001F52C 完整安全审计"
runs-on: ubuntu-latest
if: github.event_name == 'schedule' || github.event.inputs.full_audit == 'true'
steps:
- name: "\U0001F4E5 Checkout code"
uses: actions/checkout@v4
- name: "\U0001F7E2 Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 Setup pnpm"
uses: pnpm/action-setup@v2
with:
version: "8"
- name: "\U0001F4E5 Install dependencies"
run: pnpm install --frozen-lockfile
- name: "\U0001F50D 生成 RLS 迁移脚本"
run: |
cd backend
npm run rls:generate 2>&1 | tee rls-migration.sql
- name: "\U0001F4CA 上传迁移脚本"
uses: actions/upload-artifact@v4
with:
name: rls-migration-scripts
path: |
backend/rls-migration.sql
backend/prisma/rls-policies/
- if: failure()
name: "\U0001F4E7 发送审计通知"
uses: actions/github-script@v7
with:
script: "// 创建 Issue 记录审计失败\ngithub.rest.issues.create({\n owner: context.repo.owner,\n repo: context.repo.repo,\n title: '\U0001F6A8 数据库安全审计失败 - ' + new Date().toISOString().split('T')[0],\n body: `\n ## 审计失败通知\n\n **执行时间**: ${new Date().toISOString()}\n **工作流运行**: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}\n\n 请立即检查并修复安全问题。\n `,\n labels: ['security', 'urgent']\n});\n"
...
|
full-audit
|
["tenant-security","n1-query-detection ["tenant-security","n1-query-detection","rls-coverage","permission-security"]...
|
["ubuntu-latest"]
|
7568
|
4
|
1774221657
|
1774221657
|
1774220984
|
1774221657
|
|
1
|
|
0
|
Edit
Delete
|
|
9003
|
7290
|
6
|
5
|
339ea969ec2633756fb1a155d47723d0f61396a4
|
0
|
🔬 完整安全审计
|
1
|
name: Database Security Audit
"on":
pu name: Database Security Audit
"on":
push:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
pull_request:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
schedule:
# 每天凌晨 2 点执行完整审计
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
full_audit:
description: '执行完整审计(包含 RLS 迁移建议)'
required: false
default: 'false'
type: boolean
env:
NODE_VERSION: "18"
jobs:
full-audit:
name: "\U0001F52C 完整安全审计"
runs-on: ubuntu-latest
if: github.event_name == 'schedule' || github.event.inputs.full_audit == 'true'
steps:
- name: "\U0001F4E5 Checkout code"
uses: actions/checkout@v4
- name: "\U0001F7E2 Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 Setup pnpm"
uses: pnpm/action-setup@v2
with:
version: "8"
- name: "\U0001F4E5 Install dependencies"
run: pnpm install --frozen-lockfile
- name: "\U0001F50D 生成 RLS 迁移脚本"
run: |
cd backend
npm run rls:generate 2>&1 | tee rls-migration.sql
- name: "\U0001F4CA 上传迁移脚本"
uses: actions/upload-artifact@v4
with:
name: rls-migration-scripts
path: |
backend/rls-migration.sql
backend/prisma/rls-policies/
- if: failure()
name: "\U0001F4E7 发送审计通知"
uses: actions/github-script@v7
with:
script: "// 创建 Issue 记录审计失败\ngithub.rest.issues.create({\n owner: context.repo.owner,\n repo: context.repo.repo,\n title: '\U0001F6A8 数据库安全审计失败 - ' + new Date().toISOString().split('T')[0],\n body: `\n ## 审计失败通知\n\n **执行时间**: ${new Date().toISOString()}\n **工作流运行**: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}\n\n 请立即检查并修复安全问题。\n `,\n labels: ['security', 'urgent']\n});\n"
...
|
full-audit
|
["tenant-security","n1-query-detection ["tenant-security","n1-query-detection","rls-coverage","permission-security"]...
|
["ubuntu-latest"]
|
7787
|
4
|
1774229560
|
1774229561
|
1774229062
|
1774229561
|
|
1
|
|
0
|
Edit
Delete
|
|
9076
|
7309
|
6
|
5
|
339ea969ec2633756fb1a155d47723d0f61396a4
|
0
|
🔬 完整安全审计
|
1
|
name: Database Security Audit
"on":
pu name: Database Security Audit
"on":
push:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
pull_request:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
schedule:
# 每天凌晨 2 点执行完整审计
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
full_audit:
description: '执行完整审计(包含 RLS 迁移建议)'
required: false
default: 'false'
type: boolean
env:
NODE_VERSION: "18"
jobs:
full-audit:
name: "\U0001F52C 完整安全审计"
runs-on: ubuntu-latest
if: github.event_name == 'schedule' || github.event.inputs.full_audit == 'true'
steps:
- name: "\U0001F4E5 Checkout code"
uses: actions/checkout@v4
- name: "\U0001F7E2 Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 Setup pnpm"
uses: pnpm/action-setup@v2
with:
version: "8"
- name: "\U0001F4E5 Install dependencies"
run: pnpm install --frozen-lockfile
- name: "\U0001F50D 生成 RLS 迁移脚本"
run: |
cd backend
npm run rls:generate 2>&1 | tee rls-migration.sql
- name: "\U0001F4CA 上传迁移脚本"
uses: actions/upload-artifact@v4
with:
name: rls-migration-scripts
path: |
backend/rls-migration.sql
backend/prisma/rls-policies/
- if: failure()
name: "\U0001F4E7 发送审计通知"
uses: actions/github-script@v7
with:
script: "// 创建 Issue 记录审计失败\ngithub.rest.issues.create({\n owner: context.repo.owner,\n repo: context.repo.repo,\n title: '\U0001F6A8 数据库安全审计失败 - ' + new Date().toISOString().split('T')[0],\n body: `\n ## 审计失败通知\n\n **执行时间**: ${new Date().toISOString()}\n **工作流运行**: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}\n\n 请立即检查并修复安全问题。\n `,\n labels: ['security', 'urgent']\n});\n"
...
|
full-audit
|
["tenant-security","n1-query-detection ["tenant-security","n1-query-detection","rls-coverage","permission-security"]...
|
["ubuntu-latest"]
|
7842
|
4
|
1774231450
|
1774231450
|
1774231240
|
1774231450
|
|
1
|
|
0
|
Edit
Delete
|
|
9206
|
7415
|
6
|
5
|
67078f9a95f53530156ad27027eafe15a3126e89
|
0
|
🔬 完整安全审计
|
1
|
name: Database Security Audit
"on":
pu name: Database Security Audit
"on":
push:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
pull_request:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
schedule:
# 每天凌晨 2 点执行完整审计
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
full_audit:
description: '执行完整审计(包含 RLS 迁移建议)'
required: false
default: 'false'
type: boolean
env:
NODE_VERSION: "18"
jobs:
full-audit:
name: "\U0001F52C 完整安全审计"
runs-on: ubuntu-latest
if: github.event_name == 'schedule' || github.event.inputs.full_audit == 'true'
steps:
- name: "\U0001F4E5 Checkout code"
uses: actions/checkout@v4
- name: "\U0001F7E2 Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 Setup pnpm"
uses: pnpm/action-setup@v2
with:
version: "8"
- name: "\U0001F4E5 Install dependencies"
run: pnpm install --frozen-lockfile
- name: "\U0001F50D 生成 RLS 迁移脚本"
run: |
cd backend
npm run rls:generate 2>&1 | tee rls-migration.sql
- name: "\U0001F4CA 上传迁移脚本"
uses: actions/upload-artifact@v4
with:
name: rls-migration-scripts
path: |
backend/rls-migration.sql
backend/prisma/rls-policies/
- if: failure()
name: "\U0001F4E7 发送审计通知"
uses: actions/github-script@v7
with:
script: "// 创建 Issue 记录审计失败\ngithub.rest.issues.create({\n owner: context.repo.owner,\n repo: context.repo.repo,\n title: '\U0001F6A8 数据库安全审计失败 - ' + new Date().toISOString().split('T')[0],\n body: `\n ## 审计失败通知\n\n **执行时间**: ${new Date().toISOString()}\n **工作流运行**: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}\n\n 请立即检查并修复安全问题。\n `,\n labels: ['security', 'urgent']\n});\n"
...
|
full-audit
|
["tenant-security","n1-query-detection ["tenant-security","n1-query-detection","rls-coverage","permission-security"]...
|
["ubuntu-latest"]
|
7979
|
4
|
1774263608
|
1774263608
|
1774262375
|
1774263609
|
|
1
|
|
0
|
Edit
Delete
|
|
9063
|
7307
|
6
|
5
|
339ea969ec2633756fb1a155d47723d0f61396a4
|
0
|
🔧 性能测试准备
|
1
|
name: Performance Tests
"on":
# 每周一凌晨 name: Performance Tests
"on":
# 每周一凌晨 2 点运行
schedule:
- cron: '0 2 * * 1'
# 允许手动触发
workflow_dispatch:
inputs:
test_type:
description: '测试类型'
required: true
default: 'benchmark'
type: choice
options:
- benchmark
- load
- stress
- all
duration:
description: '测试持续时间(秒)'
required: false
default: '60'
type: string
concurrency:
description: '并发数'
required: false
default: '10'
type: string
# PR 触发时只运行基准测试
pull_request:
branches: [main]
paths:
- 'backend/src/**'
- 'backend/prisma/**'
env:
NODE_VERSION: "18"
PNPM_VERSION: "8"
jobs:
setup:
name: "\U0001F527 性能测试准备"
runs-on: ubuntu-latest
steps:
- id: config
name: "\U0001F4DD 配置测试参数"
run: |
if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
echo "test_type=${{ github.event.inputs.test_type }}" >> $GITHUB_OUTPUT
echo "duration=${{ github.event.inputs.duration }}" >> $GITHUB_OUTPUT
echo "concurrency=${{ github.event.inputs.concurrency }}" >> $GITHUB_OUTPUT
elif [ "${{ github.event_name }}" == "pull_request" ]; then
echo "test_type=benchmark" >> $GITHUB_OUTPUT
echo "duration=30" >> $GITHUB_OUTPUT
echo "concurrency=5" >> $GITHUB_OUTPUT
else
echo "test_type=all" >> $GITHUB_OUTPUT
echo "duration=60" >> $GITHUB_OUTPUT
echo "concurrency=10" >> $GITHUB_OUTPUT
fi
outputs:
concurrency: ${{ steps.config.outputs.concurrency }}
duration: ${{ steps.config.outputs.duration }}
test_type: ${{ steps.config.outputs.test_type }}
...
|
setup
|
null
|
["ubuntu-latest"]
|
7830
|
1
|
1774231241
|
1774231241
|
1774231240
|
1774231241
|
|
0
|
|
0
|
Edit
Delete
|
|
12933
|
9521
|
6
|
5
|
58e5152a38868b8f3832d9573c340a3eb60051c8
|
0
|
🔧 性能测试准备
|
1
|
name: Performance Tests
"on":
# 每周一凌晨 name: Performance Tests
"on":
# 每周一凌晨 2 点运行
schedule:
- cron: '0 2 * * 1'
# 允许手动触发
workflow_dispatch:
inputs:
test_type:
description: '测试类型'
required: true
default: 'benchmark'
type: choice
options:
- benchmark
- load
- stress
- all
duration:
description: '测试持续时间(秒)'
required: false
default: '60'
type: string
concurrency:
description: '并发数'
required: false
default: '10'
type: string
# PR 触发时只运行基准测试
pull_request:
branches: [main]
paths:
- 'backend/src/**'
- 'backend/prisma/**'
env:
NODE_VERSION: "18"
PNPM_VERSION: "8"
jobs:
setup:
name: "\U0001F527 性能测试准备"
runs-on: ubuntu-latest
steps:
- id: config
name: "\U0001F4DD 配置测试参数"
run: |
if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
echo "test_type=${{ github.event.inputs.test_type }}" >> $GITHUB_OUTPUT
echo "duration=${{ github.event.inputs.duration }}" >> $GITHUB_OUTPUT
echo "concurrency=${{ github.event.inputs.concurrency }}" >> $GITHUB_OUTPUT
elif [ "${{ github.event_name }}" == "pull_request" ]; then
echo "test_type=benchmark" >> $GITHUB_OUTPUT
echo "duration=30" >> $GITHUB_OUTPUT
echo "concurrency=5" >> $GITHUB_OUTPUT
else
echo "test_type=all" >> $GITHUB_OUTPUT
echo "duration=60" >> $GITHUB_OUTPUT
echo "concurrency=10" >> $GITHUB_OUTPUT
fi
outputs:
concurrency: ${{ steps.config.outputs.concurrency }}
duration: ${{ steps.config.outputs.duration }}
test_type: ${{ steps.config.outputs.test_type }}
...
|
setup
|
null
|
["ubuntu-latest"]
|
10930
|
1
|
1774836019
|
1774836019
|
1774836018
|
1774836019
|
|
0
|
|
0
|
Edit
Delete
|
|
16456
|
11697
|
6
|
5
|
9d69e1960ec649a49c0c6f307c0fc197f47ee4c4
|
0
|
🔧 性能测试准备
|
1
|
name: Performance Tests
"on":
# 每周一凌晨 name: Performance Tests
"on":
# 每周一凌晨 2 点运行
schedule:
- cron: '0 2 * * 1'
# 允许手动触发
workflow_dispatch:
inputs:
test_type:
description: '测试类型'
required: true
default: 'benchmark'
type: choice
options:
- benchmark
- load
- stress
- all
duration:
description: '测试持续时间(秒)'
required: false
default: '60'
type: string
concurrency:
description: '并发数'
required: false
default: '10'
type: string
# PR 触发时只运行基准测试
pull_request:
branches: [main]
paths:
- 'backend/src/**'
- 'backend/prisma/**'
env:
NODE_VERSION: "18"
PNPM_VERSION: "8"
jobs:
setup:
name: "\U0001F527 性能测试准备"
runs-on: ubuntu-latest
steps:
- id: config
name: "\U0001F4DD 配置测试参数"
run: |
if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
echo "test_type=${{ github.event.inputs.test_type }}" >> $GITHUB_OUTPUT
echo "duration=${{ github.event.inputs.duration }}" >> $GITHUB_OUTPUT
echo "concurrency=${{ github.event.inputs.concurrency }}" >> $GITHUB_OUTPUT
elif [ "${{ github.event_name }}" == "pull_request" ]; then
echo "test_type=benchmark" >> $GITHUB_OUTPUT
echo "duration=30" >> $GITHUB_OUTPUT
echo "concurrency=5" >> $GITHUB_OUTPUT
else
echo "test_type=all" >> $GITHUB_OUTPUT
echo "duration=60" >> $GITHUB_OUTPUT
echo "concurrency=10" >> $GITHUB_OUTPUT
fi
outputs:
concurrency: ${{ steps.config.outputs.concurrency }}
duration: ${{ steps.config.outputs.duration }}
test_type: ${{ steps.config.outputs.test_type }}
...
|
setup
|
null
|
["ubuntu-latest"]
|
13749
|
1
|
1775440818
|
1775440819
|
1775440818
|
1775440819
|
|
0
|
|
0
|
Edit
Delete
|
|
9065
|
7307
|
6
|
5
|
339ea969ec2633756fb1a155d47723d0f61396a4
|
0
|
🔥 负载测试
|
1
|
name: Performance Tests
"on":
# 每周一凌晨 name: Performance Tests
"on":
# 每周一凌晨 2 点运行
schedule:
- cron: '0 2 * * 1'
# 允许手动触发
workflow_dispatch:
inputs:
test_type:
description: '测试类型'
required: true
default: 'benchmark'
type: choice
options:
- benchmark
- load
- stress
- all
duration:
description: '测试持续时间(秒)'
required: false
default: '60'
type: string
concurrency:
description: '并发数'
required: false
default: '10'
type: string
# PR 触发时只运行基准测试
pull_request:
branches: [main]
paths:
- 'backend/src/**'
- 'backend/prisma/**'
env:
NODE_VERSION: "18"
PNPM_VERSION: "8"
jobs:
load-test:
name: "\U0001F525 负载测试"
runs-on: ubuntu-latest
if: needs.setup.outputs.test_type == 'load' || needs.setup.outputs.test_type == 'all'
steps:
- name: "\U0001F4E5 检出代码"
uses: actions/checkout@v4
- name: "\U0001F4E6 安装 pnpm"
uses: pnpm/action-setup@v2
with:
version: ${{ env.PNPM_VERSION }}
- name: "\U0001F7E2 设置 Node.js"
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 安装依赖"
run: pnpm install --frozen-lockfile
- name: "\U0001F527 安装 k6"
run: |
sudo gpg -k
sudo gpg --no-default-keyring --keyring /usr/share/keyrings/k6-archive-keyring.gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys C5AD17C747E3415A3642D57D77C6C491D6AC1D69
echo "deb [signed-by=/usr/share/keyrings/k6-archive-keyring.gpg] https://dl.k6.io/deb stable main" | sudo tee /etc/apt/sources.list.d/k6.list
sudo apt-get update
sudo apt-get install k6
- name: "\U0001F5C4️ 初始化数据库"
run: |
cd backend
npx prisma migrate deploy
npx prisma db seed
env:
DATABASE_URL: postgresql://test:test@localhost:5432/juhi_load
- name: "\U0001F528 构建后端"
run: |
pnpm --filter shared build
pnpm --filter backend build
- name: "\U0001F680 启动后端服务"
run: |
cd backend
npm run start &
sleep 10
env:
NODE_ENV: production
PORT: 3000
DATABASE_URL: postgresql://test:test@localhost:5432/juhi_load
REDIS_URL: redis://localhost:6379
JWT_SECRET: load-test-jwt-secret
REFRESH_TOKEN_SECRET: load-test-refresh-token
- name: ⏳ 等待服务就绪
run: |
timeout 60 bash -c 'until curl -s http://localhost:3000/health > /dev/null; do sleep 2; done'
- name: "\U0001F525 运行负载测试"
run: |
mkdir -p load-test-results
# 创建 k6 负载测试脚本
cat > load-test.js << 'EOF'
import http from 'k6/http';
import { check, sleep } from 'k6';
import { Rate, Trend } from 'k6/metrics';
const errorRate = new Rate('errors');
const responseTime = new Trend('response_time');
export const options = {
stages: [
{ duration: '30s', target: 10 }, // 预热
{ duration: '1m', target: 50 }, // 逐步增加
{ duration: '2m', target: 50 }, // 稳定负载
{ duration: '30s', target: 0 }, // 降低
],
thresholds: {
http_req_duration: ['p(95)<500'], // 95% 请求小于 500ms
errors: ['rate<0.1'], // 错误率小于 10%
},
};
const BASE_URL = 'http://localhost:3000';
export default function () {
// 健康检查
let healthRes = http.get(`${BASE_URL}/health`);
check(healthRes, { 'health check ok': (r) => r.status === 200 });
// 列表接口
let listRes = http.get(`${BASE_URL}/api/leads?page=1&pageSize=20`, {
headers: {
'Authorization': 'Bearer test-token',
'Content-Type': 'application/json',
},
});
errorRate.add(listRes.status !== 200 && listRes.status !== 401);
responseTime.add(listRes.timings.duration);
sleep(0.1);
}
EOF
k6 run --out json=load-test-results/results.json load-test.js
- name: "\U0001F4CA 分析负载测试结果"
run: "echo \"## \U0001F525 负载测试报告\" >> $GITHUB_STEP_SUMMARY\necho \"\" >> $GITHUB_STEP_SUMMARY\n\nif [ -f \"load-test-results/results.json\" ]; then\n echo \"### 关键指标\" >> $GITHUB_STEP_SUMMARY\n echo \"| 指标 | 值 |\" >> $GITHUB_STEP_SUMMARY\n echo \"|------|------|\" >> $GITHUB_STEP_SUMMARY\n\n # 提取关键指标\n avg_duration=$(cat load-test-results/results.json | jq -s '[.[] | select(.type==\"Point\" and .metric==\"http_req_duration\") | .data.value] | add / length' 2>/dev/null || echo \"N/A\")\n p95_duration=$(cat load-test-results/results.json | jq -s '[.[] | select(.type==\"Point\" and .metric==\"http_req_duration\") | .data.value] | sort | .[length * 0.95 | floor]' 2>/dev/null || echo \"N/A\")\n total_requests=$(cat load-test-results/results.json | jq -s '[.[] | select(.type==\"Point\" and .metric==\"http_reqs\")] | length' 2>/dev/null || echo \"N/A\")\n\n echo \"| 平均响应时间 | ${avg_duration}ms |\" >> $GITHUB_STEP_SUMMARY\n echo \"| P95 响应时间 | ${p95_duration}ms |\" >> $GITHUB_STEP_SUMMARY\n echo \"| 总请求数 | $total_requests |\" >> $GITHUB_STEP_SUMMARY\nfi\n"
- name: "\U0001F4E4 上传负载测试结果"
uses: actions/upload-artifact@v4
with:
name: load-test-results
path: load-test-results/
retention-days: "30"
timeout-minutes: "45"
services:
postgres:
image: postgres:15
env:
POSTGRES_DB: juhi_load
POSTGRES_PASSWORD: test
POSTGRES_USER: test
ports:
- 5432:5432
options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
redis:
image: redis:7
ports:
- 6379:6379
...
|
load-test
|
["setup"]
|
["ubuntu-latest"]
|
7837
|
2
|
1774231355
|
1774231377
|
1774231240
|
1774231378
|
|
1
|
|
0
|
Edit
Delete
|
|
12935
|
9521
|
6
|
5
|
58e5152a38868b8f3832d9573c340a3eb60051c8
|
0
|
🔥 负载测试
|
1
|
name: Performance Tests
"on":
# 每周一凌晨 name: Performance Tests
"on":
# 每周一凌晨 2 点运行
schedule:
- cron: '0 2 * * 1'
# 允许手动触发
workflow_dispatch:
inputs:
test_type:
description: '测试类型'
required: true
default: 'benchmark'
type: choice
options:
- benchmark
- load
- stress
- all
duration:
description: '测试持续时间(秒)'
required: false
default: '60'
type: string
concurrency:
description: '并发数'
required: false
default: '10'
type: string
# PR 触发时只运行基准测试
pull_request:
branches: [main]
paths:
- 'backend/src/**'
- 'backend/prisma/**'
env:
NODE_VERSION: "18"
PNPM_VERSION: "8"
jobs:
load-test:
name: "\U0001F525 负载测试"
runs-on: ubuntu-latest
if: needs.setup.outputs.test_type == 'load' || needs.setup.outputs.test_type == 'all'
steps:
- name: "\U0001F4E5 检出代码"
uses: actions/checkout@v4
- name: "\U0001F4E6 安装 pnpm"
uses: pnpm/action-setup@v2
with:
version: ${{ env.PNPM_VERSION }}
- name: "\U0001F7E2 设置 Node.js"
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 安装依赖"
run: pnpm install --frozen-lockfile
- name: "\U0001F527 安装 k6"
run: |
sudo gpg -k
sudo gpg --no-default-keyring --keyring /usr/share/keyrings/k6-archive-keyring.gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys C5AD17C747E3415A3642D57D77C6C491D6AC1D69
echo "deb [signed-by=/usr/share/keyrings/k6-archive-keyring.gpg] https://dl.k6.io/deb stable main" | sudo tee /etc/apt/sources.list.d/k6.list
sudo apt-get update
sudo apt-get install k6
- name: "\U0001F5C4️ 初始化数据库"
run: |
cd backend
npx prisma migrate deploy
npx prisma db seed
env:
DATABASE_URL: postgresql://test:test@localhost:5432/juhi_load
- name: "\U0001F528 构建后端"
run: |
pnpm --filter shared build
pnpm --filter backend build
- name: "\U0001F680 启动后端服务"
run: |
cd backend
npm run start &
sleep 10
env:
NODE_ENV: production
PORT: 3000
DATABASE_URL: postgresql://test:test@localhost:5432/juhi_load
REDIS_URL: redis://localhost:6379
JWT_SECRET: load-test-jwt-secret
REFRESH_TOKEN_SECRET: load-test-refresh-token
- name: ⏳ 等待服务就绪
run: |
timeout 60 bash -c 'until curl -s http://localhost:3000/health > /dev/null; do sleep 2; done'
- name: "\U0001F525 运行负载测试"
run: |
mkdir -p load-test-results
# 创建 k6 负载测试脚本
cat > load-test.js << 'EOF'
import http from 'k6/http';
import { check, sleep } from 'k6';
import { Rate, Trend } from 'k6/metrics';
const errorRate = new Rate('errors');
const responseTime = new Trend('response_time');
export const options = {
stages: [
{ duration: '30s', target: 10 }, // 预热
{ duration: '1m', target: 50 }, // 逐步增加
{ duration: '2m', target: 50 }, // 稳定负载
{ duration: '30s', target: 0 }, // 降低
],
thresholds: {
http_req_duration: ['p(95)<500'], // 95% 请求小于 500ms
errors: ['rate<0.1'], // 错误率小于 10%
},
};
const BASE_URL = 'http://localhost:3000';
export default function () {
// 健康检查
let healthRes = http.get(`${BASE_URL}/health`);
check(healthRes, { 'health check ok': (r) => r.status === 200 });
// 列表接口
let listRes = http.get(`${BASE_URL}/api/leads?page=1&pageSize=20`, {
headers: {
'Authorization': 'Bearer test-token',
'Content-Type': 'application/json',
},
});
errorRate.add(listRes.status !== 200 && listRes.status !== 401);
responseTime.add(listRes.timings.duration);
sleep(0.1);
}
EOF
k6 run --out json=load-test-results/results.json load-test.js
- name: "\U0001F4CA 分析负载测试结果"
run: "echo \"## \U0001F525 负载测试报告\" >> $GITHUB_STEP_SUMMARY\necho \"\" >> $GITHUB_STEP_SUMMARY\n\nif [ -f \"load-test-results/results.json\" ]; then\n echo \"### 关键指标\" >> $GITHUB_STEP_SUMMARY\n echo \"| 指标 | 值 |\" >> $GITHUB_STEP_SUMMARY\n echo \"|------|------|\" >> $GITHUB_STEP_SUMMARY\n\n # 提取关键指标\n avg_duration=$(cat load-test-results/results.json | jq -s '[.[] | select(.type==\"Point\" and .metric==\"http_req_duration\") | .data.value] | add / length' 2>/dev/null || echo \"N/A\")\n p95_duration=$(cat load-test-results/results.json | jq -s '[.[] | select(.type==\"Point\" and .metric==\"http_req_duration\") | .data.value] | sort | .[length * 0.95 | floor]' 2>/dev/null || echo \"N/A\")\n total_requests=$(cat load-test-results/results.json | jq -s '[.[] | select(.type==\"Point\" and .metric==\"http_reqs\")] | length' 2>/dev/null || echo \"N/A\")\n\n echo \"| 平均响应时间 | ${avg_duration}ms |\" >> $GITHUB_STEP_SUMMARY\n echo \"| P95 响应时间 | ${p95_duration}ms |\" >> $GITHUB_STEP_SUMMARY\n echo \"| 总请求数 | $total_requests |\" >> $GITHUB_STEP_SUMMARY\nfi\n"
- name: "\U0001F4E4 上传负载测试结果"
uses: actions/upload-artifact@v4
with:
name: load-test-results
path: load-test-results/
retention-days: "30"
timeout-minutes: "45"
services:
postgres:
image: postgres:15
env:
POSTGRES_DB: juhi_load
POSTGRES_PASSWORD: test
POSTGRES_USER: test
ports:
- 5432:5432
options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
redis:
image: redis:7
ports:
- 6379:6379
...
|
load-test
|
["setup"]
|
["ubuntu-latest"]
|
10933
|
2
|
1774836434
|
1774836525
|
1774836018
|
1774836525
|
|
1
|
|
0
|
Edit
Delete
|
|
16458
|
11697
|
6
|
5
|
9d69e1960ec649a49c0c6f307c0fc197f47ee4c4
|
0
|
🔥 负载测试
|
1
|
name: Performance Tests
"on":
# 每周一凌晨 name: Performance Tests
"on":
# 每周一凌晨 2 点运行
schedule:
- cron: '0 2 * * 1'
# 允许手动触发
workflow_dispatch:
inputs:
test_type:
description: '测试类型'
required: true
default: 'benchmark'
type: choice
options:
- benchmark
- load
- stress
- all
duration:
description: '测试持续时间(秒)'
required: false
default: '60'
type: string
concurrency:
description: '并发数'
required: false
default: '10'
type: string
# PR 触发时只运行基准测试
pull_request:
branches: [main]
paths:
- 'backend/src/**'
- 'backend/prisma/**'
env:
NODE_VERSION: "18"
PNPM_VERSION: "8"
jobs:
load-test:
name: "\U0001F525 负载测试"
runs-on: ubuntu-latest
if: needs.setup.outputs.test_type == 'load' || needs.setup.outputs.test_type == 'all'
steps:
- name: "\U0001F4E5 检出代码"
uses: actions/checkout@v4
- name: "\U0001F4E6 安装 pnpm"
uses: pnpm/action-setup@v2
with:
version: ${{ env.PNPM_VERSION }}
- name: "\U0001F7E2 设置 Node.js"
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 安装依赖"
run: pnpm install --frozen-lockfile
- name: "\U0001F527 安装 k6"
run: |
sudo gpg -k
sudo gpg --no-default-keyring --keyring /usr/share/keyrings/k6-archive-keyring.gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys C5AD17C747E3415A3642D57D77C6C491D6AC1D69
echo "deb [signed-by=/usr/share/keyrings/k6-archive-keyring.gpg] https://dl.k6.io/deb stable main" | sudo tee /etc/apt/sources.list.d/k6.list
sudo apt-get update
sudo apt-get install k6
- name: "\U0001F5C4️ 初始化数据库"
run: |
cd backend
npx prisma migrate deploy
npx prisma db seed
env:
DATABASE_URL: postgresql://test:test@localhost:5432/juhi_load
- name: "\U0001F528 构建后端"
run: |
pnpm --filter shared build
pnpm --filter backend build
- name: "\U0001F680 启动后端服务"
run: |
cd backend
npm run start &
sleep 10
env:
NODE_ENV: production
PORT: 3000
DATABASE_URL: postgresql://test:test@localhost:5432/juhi_load
REDIS_URL: redis://localhost:6379
JWT_SECRET: load-test-jwt-secret
REFRESH_TOKEN_SECRET: load-test-refresh-token
- name: ⏳ 等待服务就绪
run: |
timeout 60 bash -c 'until curl -s http://localhost:3000/health > /dev/null; do sleep 2; done'
- name: "\U0001F525 运行负载测试"
run: |
mkdir -p load-test-results
# 创建 k6 负载测试脚本
cat > load-test.js << 'EOF'
import http from 'k6/http';
import { check, sleep } from 'k6';
import { Rate, Trend } from 'k6/metrics';
const errorRate = new Rate('errors');
const responseTime = new Trend('response_time');
export const options = {
stages: [
{ duration: '30s', target: 10 }, // 预热
{ duration: '1m', target: 50 }, // 逐步增加
{ duration: '2m', target: 50 }, // 稳定负载
{ duration: '30s', target: 0 }, // 降低
],
thresholds: {
http_req_duration: ['p(95)<500'], // 95% 请求小于 500ms
errors: ['rate<0.1'], // 错误率小于 10%
},
};
const BASE_URL = 'http://localhost:3000';
export default function () {
// 健康检查
let healthRes = http.get(`${BASE_URL}/health`);
check(healthRes, { 'health check ok': (r) => r.status === 200 });
// 列表接口
let listRes = http.get(`${BASE_URL}/api/leads?page=1&pageSize=20`, {
headers: {
'Authorization': 'Bearer test-token',
'Content-Type': 'application/json',
},
});
errorRate.add(listRes.status !== 200 && listRes.status !== 401);
responseTime.add(listRes.timings.duration);
sleep(0.1);
}
EOF
k6 run --out json=load-test-results/results.json load-test.js
- name: "\U0001F4CA 分析负载测试结果"
run: "echo \"## \U0001F525 负载测试报告\" >> $GITHUB_STEP_SUMMARY\necho \"\" >> $GITHUB_STEP_SUMMARY\n\nif [ -f \"load-test-results/results.json\" ]; then\n echo \"### 关键指标\" >> $GITHUB_STEP_SUMMARY\n echo \"| 指标 | 值 |\" >> $GITHUB_STEP_SUMMARY\n echo \"|------|------|\" >> $GITHUB_STEP_SUMMARY\n\n # 提取关键指标\n avg_duration=$(cat load-test-results/results.json | jq -s '[.[] | select(.type==\"Point\" and .metric==\"http_req_duration\") | .data.value] | add / length' 2>/dev/null || echo \"N/A\")\n p95_duration=$(cat load-test-results/results.json | jq -s '[.[] | select(.type==\"Point\" and .metric==\"http_req_duration\") | .data.value] | sort | .[length * 0.95 | floor]' 2>/dev/null || echo \"N/A\")\n total_requests=$(cat load-test-results/results.json | jq -s '[.[] | select(.type==\"Point\" and .metric==\"http_reqs\")] | length' 2>/dev/null || echo \"N/A\")\n\n echo \"| 平均响应时间 | ${avg_duration}ms |\" >> $GITHUB_STEP_SUMMARY\n echo \"| P95 响应时间 | ${p95_duration}ms |\" >> $GITHUB_STEP_SUMMARY\n echo \"| 总请求数 | $total_requests |\" >> $GITHUB_STEP_SUMMARY\nfi\n"
- name: "\U0001F4E4 上传负载测试结果"
uses: actions/upload-artifact@v4
with:
name: load-test-results
path: load-test-results/
retention-days: "30"
timeout-minutes: "45"
services:
postgres:
image: postgres:15
env:
POSTGRES_DB: juhi_load
POSTGRES_PASSWORD: test
POSTGRES_USER: test
ports:
- 5432:5432
options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
redis:
image: redis:7
ports:
- 6379:6379
...
|
load-test
|
["setup"]
|
["ubuntu-latest"]
|
13752
|
2
|
1775440994
|
1775441168
|
1775440818
|
1775441168
|
|
1
|
|
0
|
Edit
Delete
|
|
7831
|
6702
|
6
|
5
|
e112d45af414e4862c0328abad7c4df74d3c1dbf
|
0
|
🔒 多租户安全审计
|
1
|
name: Database Security Audit
"on":
pu name: Database Security Audit
"on":
push:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
pull_request:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
schedule:
# 每天凌晨 2 点执行完整审计
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
full_audit:
description: '执行完整审计(包含 RLS 迁移建议)'
required: false
default: 'false'
type: boolean
env:
NODE_VERSION: "18"
jobs:
tenant-security:
name: "\U0001F512 多租户安全审计"
runs-on: ubuntu-latest
steps:
- name: "\U0001F4E5 Checkout code"
uses: actions/checkout@v4
- name: "\U0001F7E2 Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 Setup pnpm"
uses: pnpm/action-setup@v2
with:
version: "8"
- name: "\U0001F4E5 Install dependencies"
run: pnpm install --frozen-lockfile
- id: tenant-audit
name: "\U0001F50D 多租户隔离检查"
run: |
cd backend
npm run audit:tenant 2>&1 | tee tenant-audit.log
# 检查是否有 P0 级别问题
if grep -q "P0" tenant-audit.log; then
echo "has_p0_issues=true" >> $GITHUB_OUTPUT
else
echo "has_p0_issues=false" >> $GITHUB_OUTPUT
fi
- name: "\U0001F4CA 上传审计报告"
uses: actions/upload-artifact@v4
with:
name: tenant-security-report
path: backend/tenant-audit.log
- if: steps.tenant-audit.outputs.has_p0_issues == 'true'
name: ❌ P0 问题阻断
run: |
echo "::error::发现 P0 级别多租户安全问题,禁止合并!"
exit 1
timeout-minutes: "15"
...
|
tenant-security
|
null
|
["ubuntu-latest"]
|
6744
|
2
|
1773832182
|
1773832208
|
1773831748
|
1773832209
|
|
0
|
|
0
|
Edit
Delete
|
|
7857
|
6706
|
6
|
5
|
e112d45af414e4862c0328abad7c4df74d3c1dbf
|
0
|
🔒 多租户安全审计
|
1
|
name: Code Quality Gate
"on":
push:
name: Code Quality Gate
"on":
push:
branches: [main, develop]
pull_request:
branches: [main, develop]
workflow_dispatch:
inputs:
strict_mode:
description: '严格模式(失败即阻止合并)'
required: false
default: true
type: boolean
env:
COVERAGE_THRESHOLD_E2E: "60"
COVERAGE_THRESHOLD_INTEGRATION: "70"
COVERAGE_THRESHOLD_UNIT: "80"
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
tenant-security:
name: "\U0001F512 多租户安全审计"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: 安装 pnpm
uses: pnpm/action-setup@v4
with:
version: ${{ env.PNPM_VERSION }}
- name: 设置 Node.js
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: 安装依赖
run: pnpm install --frozen-lockfile
- name: 生成 Prisma Client
run: pnpm --filter juhi-api run db:generate
- id: tenant-audit
name: 执行多租户安全审计
run: |
cd backend
npm run audit:tenant 2>&1 | tee audit-result.txt
if grep -q "FAIL" audit-result.txt; then
echo "❌ 多租户安全审计失败"
echo "has_failures=true" >> $GITHUB_OUTPUT
exit 1
fi
echo "✅ 多租户安全审计通过"
echo "has_failures=false" >> $GITHUB_OUTPUT
- if: always()
name: 上传审计报告
uses: actions/upload-artifact@v4
with:
name: tenant-security-audit
path: backend/audit-result.txt
retention-days: "30"
timeout-minutes: "15"
...
|
tenant-security
|
null
|
["ubuntu-latest"]
|
6759
|
2
|
1773832621
|
1773832651
|
1773831750
|
1773832651
|
|
0
|
|
0
|
Edit
Delete
|
|
7893
|
6712
|
6
|
5
|
b7eb415d7a9689f1efec941bcb2dcd7d098e9c28
|
0
|
🔒 多租户安全审计
|
1
|
name: Database Security Audit
"on":
pu name: Database Security Audit
"on":
push:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
pull_request:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
schedule:
# 每天凌晨 2 点执行完整审计
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
full_audit:
description: '执行完整审计(包含 RLS 迁移建议)'
required: false
default: 'false'
type: boolean
env:
NODE_VERSION: "18"
jobs:
tenant-security:
name: "\U0001F512 多租户安全审计"
runs-on: ubuntu-latest
steps:
- name: "\U0001F4E5 Checkout code"
uses: actions/checkout@v4
- name: "\U0001F7E2 Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 Setup pnpm"
uses: pnpm/action-setup@v2
with:
version: "8"
- name: "\U0001F4E5 Install dependencies"
run: pnpm install --frozen-lockfile
- id: tenant-audit
name: "\U0001F50D 多租户隔离检查"
run: |
cd backend
npm run audit:tenant 2>&1 | tee tenant-audit.log
# 检查是否有 P0 级别问题
if grep -q "P0" tenant-audit.log; then
echo "has_p0_issues=true" >> $GITHUB_OUTPUT
else
echo "has_p0_issues=false" >> $GITHUB_OUTPUT
fi
- name: "\U0001F4CA 上传审计报告"
uses: actions/upload-artifact@v4
with:
name: tenant-security-report
path: backend/tenant-audit.log
- if: steps.tenant-audit.outputs.has_p0_issues == 'true'
name: ❌ P0 问题阻断
run: |
echo "::error::发现 P0 级别多租户安全问题,禁止合并!"
exit 1
timeout-minutes: "15"
...
|
tenant-security
|
null
|
["ubuntu-latest"]
|
6772
|
2
|
1773832815
|
1773832838
|
1773832743
|
1773832838
|
|
0
|
|
0
|
Edit
Delete
|
|
7919
|
6716
|
6
|
5
|
b7eb415d7a9689f1efec941bcb2dcd7d098e9c28
|
0
|
🔒 多租户安全审计
|
1
|
name: Code Quality Gate
"on":
push:
name: Code Quality Gate
"on":
push:
branches: [main, develop]
pull_request:
branches: [main, develop]
workflow_dispatch:
inputs:
strict_mode:
description: '严格模式(失败即阻止合并)'
required: false
default: true
type: boolean
env:
COVERAGE_THRESHOLD_E2E: "60"
COVERAGE_THRESHOLD_INTEGRATION: "70"
COVERAGE_THRESHOLD_UNIT: "80"
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
tenant-security:
name: "\U0001F512 多租户安全审计"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: 安装 pnpm
uses: pnpm/action-setup@v4
with:
version: ${{ env.PNPM_VERSION }}
- name: 设置 Node.js
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: 安装依赖
run: pnpm install --frozen-lockfile
- name: 生成 Prisma Client
run: pnpm --filter juhi-api run db:generate
- id: tenant-audit
name: 执行多租户安全审计
run: |
cd backend
npm run audit:tenant 2>&1 | tee audit-result.txt
if grep -q "FAIL" audit-result.txt; then
echo "❌ 多租户安全审计失败"
echo "has_failures=true" >> $GITHUB_OUTPUT
exit 1
fi
echo "✅ 多租户安全审计通过"
echo "has_failures=false" >> $GITHUB_OUTPUT
- if: always()
name: 上传审计报告
uses: actions/upload-artifact@v4
with:
name: tenant-security-audit
path: backend/audit-result.txt
retention-days: "30"
timeout-minutes: "15"
...
|
tenant-security
|
null
|
["ubuntu-latest"]
|
6787
|
2
|
1773833170
|
1773833185
|
1773832746
|
1773833185
|
|
0
|
|
0
|
Edit
Delete
|
|
8148
|
6903
|
6
|
5
|
b7eb415d7a9689f1efec941bcb2dcd7d098e9c28
|
0
|
🔒 多租户安全审计
|
1
|
name: Database Security Audit
"on":
pu name: Database Security Audit
"on":
push:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
pull_request:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
schedule:
# 每天凌晨 2 点执行完整审计
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
full_audit:
description: '执行完整审计(包含 RLS 迁移建议)'
required: false
default: 'false'
type: boolean
env:
NODE_VERSION: "18"
jobs:
tenant-security:
name: "\U0001F512 多租户安全审计"
runs-on: ubuntu-latest
steps:
- name: "\U0001F4E5 Checkout code"
uses: actions/checkout@v4
- name: "\U0001F7E2 Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 Setup pnpm"
uses: pnpm/action-setup@v2
with:
version: "8"
- name: "\U0001F4E5 Install dependencies"
run: pnpm install --frozen-lockfile
- id: tenant-audit
name: "\U0001F50D 多租户隔离检查"
run: |
cd backend
npm run audit:tenant 2>&1 | tee tenant-audit.log
# 检查是否有 P0 级别问题
if grep -q "P0" tenant-audit.log; then
echo "has_p0_issues=true" >> $GITHUB_OUTPUT
else
echo "has_p0_issues=false" >> $GITHUB_OUTPUT
fi
- name: "\U0001F4CA 上传审计报告"
uses: actions/upload-artifact@v4
with:
name: tenant-security-report
path: backend/tenant-audit.log
- if: steps.tenant-audit.outputs.has_p0_issues == 'true'
name: ❌ P0 问题阻断
run: |
echo "::error::发现 P0 级别多租户安全问题,禁止合并!"
exit 1
timeout-minutes: "15"
...
|
tenant-security
|
null
|
["ubuntu-latest"]
|
7030
|
2
|
1773885615
|
1773885635
|
1773885613
|
1773885635
|
|
0
|
|
0
|
Edit
Delete
|
|
8282
|
6999
|
6
|
5
|
bd59e5501292cb061719f669c7a7b7afd4f1a0b7
|
0
|
🔒 多租户安全审计
|
0
|
name: Code Quality Gate
"on":
push:
name: Code Quality Gate
"on":
push:
branches: [main, develop]
pull_request:
branches: [main, develop]
workflow_dispatch:
inputs:
strict_mode:
description: '严格模式(失败即阻止合并)'
required: false
default: true
type: boolean
env:
COVERAGE_THRESHOLD_E2E: "60"
COVERAGE_THRESHOLD_INTEGRATION: "70"
COVERAGE_THRESHOLD_UNIT: "80"
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
tenant-security:
name: "\U0001F512 多租户安全审计"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: 安装 pnpm
uses: pnpm/action-setup@v4
with:
version: ${{ env.PNPM_VERSION }}
- name: 设置 Node.js
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: 安装依赖
run: pnpm install --frozen-lockfile
- name: 生成 Prisma Client
run: pnpm --filter juhi-api run db:generate
- id: tenant-audit
name: 执行多租户安全审计
run: |
cd backend
npm run audit:tenant 2>&1 | tee audit-result.txt
if grep -q "FAIL" audit-result.txt; then
echo "❌ 多租户安全审计失败"
echo "has_failures=true" >> $GITHUB_OUTPUT
exit 1
fi
echo "✅ 多租户安全审计通过"
echo "has_failures=false" >> $GITHUB_OUTPUT
- if: always()
name: 上传审计报告
uses: actions/upload-artifact@v4
with:
name: tenant-security-audit
path: backend/audit-result.txt
retention-days: "30"
timeout-minutes: "15"
...
|
tenant-security
|
null
|
["ubuntu-latest"]
|
0
|
3
|
0
|
1773913347
|
1773912914
|
1773913347
|
|
0
|
|
0
|
Edit
Delete
|
|
8340
|
7007
|
6
|
5
|
01a8ea9191c28b210d2abb3db3cbc65db42fc801
|
0
|
🔒 多租户安全审计
|
1
|
name: Code Quality Gate
"on":
push:
name: Code Quality Gate
"on":
push:
branches: [main, develop]
pull_request:
branches: [main, develop]
workflow_dispatch:
inputs:
strict_mode:
description: '严格模式(失败即阻止合并)'
required: false
default: true
type: boolean
env:
COVERAGE_THRESHOLD_E2E: "60"
COVERAGE_THRESHOLD_INTEGRATION: "70"
COVERAGE_THRESHOLD_UNIT: "80"
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
tenant-security:
name: "\U0001F512 多租户安全审计"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: 安装 pnpm
uses: pnpm/action-setup@v4
with:
version: ${{ env.PNPM_VERSION }}
- name: 设置 Node.js
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: 安装依赖
run: pnpm install --frozen-lockfile
- name: 生成 Prisma Client
run: pnpm --filter juhi-api run db:generate
- id: tenant-audit
name: 执行多租户安全审计
run: |
cd backend
npm run audit:tenant 2>&1 | tee audit-result.txt
if grep -q "FAIL" audit-result.txt; then
echo "❌ 多租户安全审计失败"
echo "has_failures=true" >> $GITHUB_OUTPUT
exit 1
fi
echo "✅ 多租户安全审计通过"
echo "has_failures=false" >> $GITHUB_OUTPUT
- if: always()
name: 上传审计报告
uses: actions/upload-artifact@v4
with:
name: tenant-security-audit
path: backend/audit-result.txt
retention-days: "30"
timeout-minutes: "15"
...
|
tenant-security
|
null
|
["ubuntu-latest"]
|
7155
|
2
|
1773914068
|
1773914085
|
1773913348
|
1773914085
|
|
0
|
|
0
|
Edit
Delete
|
|
8449
|
7068
|
6
|
5
|
9771b23ae7aaee164f15f9c4ccbdb18eb68fc71f
|
0
|
🔒 多租户安全审计
|
1
|
name: Database Security Audit
"on":
pu name: Database Security Audit
"on":
push:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
pull_request:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
schedule:
# 每天凌晨 2 点执行完整审计
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
full_audit:
description: '执行完整审计(包含 RLS 迁移建议)'
required: false
default: 'false'
type: boolean
env:
NODE_VERSION: "18"
jobs:
tenant-security:
name: "\U0001F512 多租户安全审计"
runs-on: ubuntu-latest
steps:
- name: "\U0001F4E5 Checkout code"
uses: actions/checkout@v4
- name: "\U0001F7E2 Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 Setup pnpm"
uses: pnpm/action-setup@v2
with:
version: "8"
- name: "\U0001F4E5 Install dependencies"
run: pnpm install --frozen-lockfile
- id: tenant-audit
name: "\U0001F50D 多租户隔离检查"
run: |
cd backend
npm run audit:tenant 2>&1 | tee tenant-audit.log
# 检查是否有 P0 级别问题
if grep -q "P0" tenant-audit.log; then
echo "has_p0_issues=true" >> $GITHUB_OUTPUT
else
echo "has_p0_issues=false" >> $GITHUB_OUTPUT
fi
- name: "\U0001F4CA 上传审计报告"
uses: actions/upload-artifact@v4
with:
name: tenant-security-report
path: backend/tenant-audit.log
- if: steps.tenant-audit.outputs.has_p0_issues == 'true'
name: ❌ P0 问题阻断
run: |
echo "::error::发现 P0 级别多租户安全问题,禁止合并!"
exit 1
timeout-minutes: "15"
...
|
tenant-security
|
null
|
["ubuntu-latest"]
|
7263
|
2
|
1773929449
|
1773929475
|
1773929407
|
1773929475
|
|
0
|
|
0
|
Edit
Delete
|
|
8475
|
7072
|
6
|
5
|
9771b23ae7aaee164f15f9c4ccbdb18eb68fc71f
|
0
|
🔒 多租户安全审计
|
1
|
name: Code Quality Gate
"on":
push:
name: Code Quality Gate
"on":
push:
branches: [main, develop]
pull_request:
branches: [main, develop]
workflow_dispatch:
inputs:
strict_mode:
description: '严格模式(失败即阻止合并)'
required: false
default: true
type: boolean
env:
COVERAGE_THRESHOLD_E2E: "60"
COVERAGE_THRESHOLD_INTEGRATION: "70"
COVERAGE_THRESHOLD_UNIT: "80"
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
tenant-security:
name: "\U0001F512 多租户安全审计"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: 安装 pnpm
uses: pnpm/action-setup@v4
with:
version: ${{ env.PNPM_VERSION }}
- name: 设置 Node.js
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: 安装依赖
run: pnpm install --frozen-lockfile
- name: 生成 Prisma Client
run: pnpm --filter juhi-api run db:generate
- id: tenant-audit
name: 执行多租户安全审计
run: |
cd backend
npm run audit:tenant 2>&1 | tee audit-result.txt
if grep -q "FAIL" audit-result.txt; then
echo "❌ 多租户安全审计失败"
echo "has_failures=true" >> $GITHUB_OUTPUT
exit 1
fi
echo "✅ 多租户安全审计通过"
echo "has_failures=false" >> $GITHUB_OUTPUT
- if: always()
name: 上传审计报告
uses: actions/upload-artifact@v4
with:
name: tenant-security-audit
path: backend/audit-result.txt
retention-days: "30"
timeout-minutes: "15"
...
|
tenant-security
|
null
|
["ubuntu-latest"]
|
7278
|
2
|
1773929807
|
1773929822
|
1773929409
|
1773929822
|
|
0
|
|
0
|
Edit
Delete
|
|
8558
|
7113
|
6
|
5
|
979d9c81063fbda12f1445bf80b0c0027b0fbac2
|
0
|
🔒 多租户安全审计
|
1
|
name: Database Security Audit
"on":
pu name: Database Security Audit
"on":
push:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
pull_request:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
schedule:
# 每天凌晨 2 点执行完整审计
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
full_audit:
description: '执行完整审计(包含 RLS 迁移建议)'
required: false
default: 'false'
type: boolean
env:
NODE_VERSION: "18"
jobs:
tenant-security:
name: "\U0001F512 多租户安全审计"
runs-on: ubuntu-latest
steps:
- name: "\U0001F4E5 Checkout code"
uses: actions/checkout@v4
- name: "\U0001F7E2 Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 Setup pnpm"
uses: pnpm/action-setup@v2
with:
version: "8"
- name: "\U0001F4E5 Install dependencies"
run: pnpm install --frozen-lockfile
- id: tenant-audit
name: "\U0001F50D 多租户隔离检查"
run: |
cd backend
npm run audit:tenant 2>&1 | tee tenant-audit.log
# 检查是否有 P0 级别问题
if grep -q "P0" tenant-audit.log; then
echo "has_p0_issues=true" >> $GITHUB_OUTPUT
else
echo "has_p0_issues=false" >> $GITHUB_OUTPUT
fi
- name: "\U0001F4CA 上传审计报告"
uses: actions/upload-artifact@v4
with:
name: tenant-security-report
path: backend/tenant-audit.log
- if: steps.tenant-audit.outputs.has_p0_issues == 'true'
name: ❌ P0 问题阻断
run: |
echo "::error::发现 P0 级别多租户安全问题,禁止合并!"
exit 1
timeout-minutes: "15"
...
|
tenant-security
|
null
|
["ubuntu-latest"]
|
7362
|
2
|
1773939813
|
1773939835
|
1773939780
|
1773939835
|
|
0
|
|
0
|
Edit
Delete
|
|
8584
|
7117
|
6
|
5
|
979d9c81063fbda12f1445bf80b0c0027b0fbac2
|
0
|
🔒 多租户安全审计
|
1
|
name: Code Quality Gate
"on":
push:
name: Code Quality Gate
"on":
push:
branches: [main, develop]
pull_request:
branches: [main, develop]
workflow_dispatch:
inputs:
strict_mode:
description: '严格模式(失败即阻止合并)'
required: false
default: true
type: boolean
env:
COVERAGE_THRESHOLD_E2E: "60"
COVERAGE_THRESHOLD_INTEGRATION: "70"
COVERAGE_THRESHOLD_UNIT: "80"
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
tenant-security:
name: "\U0001F512 多租户安全审计"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: 安装 pnpm
uses: pnpm/action-setup@v4
with:
version: ${{ env.PNPM_VERSION }}
- name: 设置 Node.js
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: 安装依赖
run: pnpm install --frozen-lockfile
- name: 生成 Prisma Client
run: pnpm --filter juhi-api run db:generate
- id: tenant-audit
name: 执行多租户安全审计
run: |
cd backend
npm run audit:tenant 2>&1 | tee audit-result.txt
if grep -q "FAIL" audit-result.txt; then
echo "❌ 多租户安全审计失败"
echo "has_failures=true" >> $GITHUB_OUTPUT
exit 1
fi
echo "✅ 多租户安全审计通过"
echo "has_failures=false" >> $GITHUB_OUTPUT
- if: always()
name: 上传审计报告
uses: actions/upload-artifact@v4
with:
name: tenant-security-audit
path: backend/audit-result.txt
retention-days: "30"
timeout-minutes: "15"
...
|
tenant-security
|
null
|
["ubuntu-latest"]
|
7377
|
2
|
1773940157
|
1773940171
|
1773939782
|
1773940171
|
|
0
|
|
0
|
Edit
Delete
|
|
8747
|
7231
|
6
|
5
|
0900b15d607e5c78f97fec16a73357ad4f814390
|
0
|
🔒 多租户安全审计
|
1
|
name: Database Security Audit
"on":
pu name: Database Security Audit
"on":
push:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
pull_request:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
schedule:
# 每天凌晨 2 点执行完整审计
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
full_audit:
description: '执行完整审计(包含 RLS 迁移建议)'
required: false
default: 'false'
type: boolean
env:
NODE_VERSION: "18"
jobs:
tenant-security:
name: "\U0001F512 多租户安全审计"
runs-on: ubuntu-latest
steps:
- name: "\U0001F4E5 Checkout code"
uses: actions/checkout@v4
- name: "\U0001F7E2 Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 Setup pnpm"
uses: pnpm/action-setup@v2
with:
version: "8"
- name: "\U0001F4E5 Install dependencies"
run: pnpm install --frozen-lockfile
- id: tenant-audit
name: "\U0001F50D 多租户隔离检查"
run: |
cd backend
npm run audit:tenant 2>&1 | tee tenant-audit.log
# 检查是否有 P0 级别问题
if grep -q "P0" tenant-audit.log; then
echo "has_p0_issues=true" >> $GITHUB_OUTPUT
else
echo "has_p0_issues=false" >> $GITHUB_OUTPUT
fi
- name: "\U0001F4CA 上传审计报告"
uses: actions/upload-artifact@v4
with:
name: tenant-security-report
path: backend/tenant-audit.log
- if: steps.tenant-audit.outputs.has_p0_issues == 'true'
name: ❌ P0 问题阻断
run: |
echo "::error::发现 P0 级别多租户安全问题,禁止合并!"
exit 1
timeout-minutes: "15"
...
|
tenant-security
|
null
|
["ubuntu-latest"]
|
7541
|
2
|
1774221023
|
1774221046
|
1774220984
|
1774221046
|
|
0
|
|
0
|
Edit
Delete
|
|
8773
|
7235
|
6
|
5
|
0900b15d607e5c78f97fec16a73357ad4f814390
|
0
|
🔒 多租户安全审计
|
1
|
name: Code Quality Gate
"on":
push:
name: Code Quality Gate
"on":
push:
branches: [main, develop]
pull_request:
branches: [main, develop]
workflow_dispatch:
inputs:
strict_mode:
description: '严格模式(失败即阻止合并)'
required: false
default: true
type: boolean
env:
COVERAGE_THRESHOLD_E2E: "60"
COVERAGE_THRESHOLD_INTEGRATION: "70"
COVERAGE_THRESHOLD_UNIT: "80"
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
tenant-security:
name: "\U0001F512 多租户安全审计"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: 安装 pnpm
uses: pnpm/action-setup@v4
with:
version: ${{ env.PNPM_VERSION }}
- name: 设置 Node.js
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: 安装依赖
run: pnpm install --frozen-lockfile
- name: 生成 Prisma Client
run: pnpm --filter juhi-api run db:generate
- id: tenant-audit
name: 执行多租户安全审计
run: |
cd backend
npm run audit:tenant 2>&1 | tee audit-result.txt
if grep -q "FAIL" audit-result.txt; then
echo "❌ 多租户安全审计失败"
echo "has_failures=true" >> $GITHUB_OUTPUT
exit 1
fi
echo "✅ 多租户安全审计通过"
echo "has_failures=false" >> $GITHUB_OUTPUT
- if: always()
name: 上传审计报告
uses: actions/upload-artifact@v4
with:
name: tenant-security-audit
path: backend/audit-result.txt
retention-days: "30"
timeout-minutes: "15"
...
|
tenant-security
|
null
|
["ubuntu-latest"]
|
7556
|
2
|
1774221369
|
1774221383
|
1774220986
|
1774221384
|
|
0
|
|
0
|
Edit
Delete
|
|
8849
|
7252
|
6
|
5
|
80c2bdb2f93a19aa53d16ded06387b70c6084bf8
|
0
|
🔒 多租户安全审计
|
1
|
name: Code Quality Gate
"on":
push:
name: Code Quality Gate
"on":
push:
branches: [main, develop]
pull_request:
branches: [main, develop]
workflow_dispatch:
inputs:
strict_mode:
description: '严格模式(失败即阻止合并)'
required: false
default: true
type: boolean
env:
COVERAGE_THRESHOLD_E2E: "60"
COVERAGE_THRESHOLD_INTEGRATION: "70"
COVERAGE_THRESHOLD_UNIT: "80"
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
tenant-security:
name: "\U0001F512 多租户安全审计"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: 安装 pnpm
uses: pnpm/action-setup@v4
with:
version: ${{ env.PNPM_VERSION }}
- name: 设置 Node.js
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: 安装依赖
run: pnpm install --frozen-lockfile
- name: 生成 Prisma Client
run: pnpm --filter juhi-api run db:generate
- id: tenant-audit
name: 执行多租户安全审计
run: |
cd backend
npm run audit:tenant 2>&1 | tee audit-result.txt
if grep -q "FAIL" audit-result.txt; then
echo "❌ 多租户安全审计失败"
echo "has_failures=true" >> $GITHUB_OUTPUT
exit 1
fi
echo "✅ 多租户安全审计通过"
echo "has_failures=false" >> $GITHUB_OUTPUT
- if: always()
name: 上传审计报告
uses: actions/upload-artifact@v4
with:
name: tenant-security-audit
path: backend/audit-result.txt
retention-days: "30"
timeout-minutes: "15"
...
|
tenant-security
|
null
|
["ubuntu-latest"]
|
7624
|
2
|
1774223303
|
1774223317
|
1774223021
|
1774223318
|
|
0
|
|
0
|
Edit
Delete
|
|
8920
|
7264
|
6
|
5
|
df7b6f46170cb46db4771dd1e07991b0b13d90a0
|
0
|
🔒 多租户安全审计
|
1
|
name: Code Quality Gate
"on":
push:
name: Code Quality Gate
"on":
push:
branches: [main, develop]
pull_request:
branches: [main, develop]
workflow_dispatch:
inputs:
strict_mode:
description: '严格模式(失败即阻止合并)'
required: false
default: true
type: boolean
env:
COVERAGE_THRESHOLD_E2E: "60"
COVERAGE_THRESHOLD_INTEGRATION: "70"
COVERAGE_THRESHOLD_UNIT: "80"
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
tenant-security:
name: "\U0001F512 多租户安全审计"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: 安装 pnpm
uses: pnpm/action-setup@v4
with:
version: ${{ env.PNPM_VERSION }}
- name: 设置 Node.js
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: 安装依赖
run: pnpm install --frozen-lockfile
- name: 生成 Prisma Client
run: pnpm --filter juhi-api run db:generate
- id: tenant-audit
name: 执行多租户安全审计
run: |
cd backend
npm run audit:tenant 2>&1 | tee audit-result.txt
if grep -q "FAIL" audit-result.txt; then
echo "❌ 多租户安全审计失败"
echo "has_failures=true" >> $GITHUB_OUTPUT
exit 1
fi
echo "✅ 多租户安全审计通过"
echo "has_failures=false" >> $GITHUB_OUTPUT
- if: always()
name: 上传审计报告
uses: actions/upload-artifact@v4
with:
name: tenant-security-audit
path: backend/audit-result.txt
retention-days: "30"
timeout-minutes: "15"
...
|
tenant-security
|
null
|
["ubuntu-latest"]
|
7685
|
2
|
1774223798
|
1774223813
|
1774223518
|
1774223813
|
|
0
|
|
0
|
Edit
Delete
|
|
8998
|
7290
|
6
|
5
|
339ea969ec2633756fb1a155d47723d0f61396a4
|
0
|
🔒 多租户安全审计
|
1
|
name: Database Security Audit
"on":
pu name: Database Security Audit
"on":
push:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
pull_request:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
schedule:
# 每天凌晨 2 点执行完整审计
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
full_audit:
description: '执行完整审计(包含 RLS 迁移建议)'
required: false
default: 'false'
type: boolean
env:
NODE_VERSION: "18"
jobs:
tenant-security:
name: "\U0001F512 多租户安全审计"
runs-on: ubuntu-latest
steps:
- name: "\U0001F4E5 Checkout code"
uses: actions/checkout@v4
- name: "\U0001F7E2 Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 Setup pnpm"
uses: pnpm/action-setup@v2
with:
version: "8"
- name: "\U0001F4E5 Install dependencies"
run: pnpm install --frozen-lockfile
- id: tenant-audit
name: "\U0001F50D 多租户隔离检查"
run: |
cd backend
npm run audit:tenant 2>&1 | tee tenant-audit.log
# 检查是否有 P0 级别问题
if grep -q "P0" tenant-audit.log; then
echo "has_p0_issues=true" >> $GITHUB_OUTPUT
else
echo "has_p0_issues=false" >> $GITHUB_OUTPUT
fi
- name: "\U0001F4CA 上传审计报告"
uses: actions/upload-artifact@v4
with:
name: tenant-security-report
path: backend/tenant-audit.log
- if: steps.tenant-audit.outputs.has_p0_issues == 'true'
name: ❌ P0 问题阻断
run: |
echo "::error::发现 P0 级别多租户安全问题,禁止合并!"
exit 1
timeout-minutes: "15"
...
|
tenant-security
|
null
|
["ubuntu-latest"]
|
7759
|
2
|
1774229096
|
1774229117
|
1774229062
|
1774229118
|
|
0
|
|
0
|
Edit
Delete
|
|
9024
|
7294
|
6
|
5
|
339ea969ec2633756fb1a155d47723d0f61396a4
|
0
|
🔒 多租户安全审计
|
1
|
name: Code Quality Gate
"on":
push:
name: Code Quality Gate
"on":
push:
branches: [main, develop]
pull_request:
branches: [main, develop]
workflow_dispatch:
inputs:
strict_mode:
description: '严格模式(失败即阻止合并)'
required: false
default: true
type: boolean
env:
COVERAGE_THRESHOLD_E2E: "60"
COVERAGE_THRESHOLD_INTEGRATION: "70"
COVERAGE_THRESHOLD_UNIT: "80"
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
tenant-security:
name: "\U0001F512 多租户安全审计"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: 安装 pnpm
uses: pnpm/action-setup@v4
with:
version: ${{ env.PNPM_VERSION }}
- name: 设置 Node.js
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: 安装依赖
run: pnpm install --frozen-lockfile
- name: 生成 Prisma Client
run: pnpm --filter juhi-api run db:generate
- id: tenant-audit
name: 执行多租户安全审计
run: |
cd backend
npm run audit:tenant 2>&1 | tee audit-result.txt
if grep -q "FAIL" audit-result.txt; then
echo "❌ 多租户安全审计失败"
echo "has_failures=true" >> $GITHUB_OUTPUT
exit 1
fi
echo "✅ 多租户安全审计通过"
echo "has_failures=false" >> $GITHUB_OUTPUT
- if: always()
name: 上传审计报告
uses: actions/upload-artifact@v4
with:
name: tenant-security-audit
path: backend/audit-result.txt
retention-days: "30"
timeout-minutes: "15"
...
|
tenant-security
|
null
|
["ubuntu-latest"]
|
7774
|
2
|
1774229443
|
1774229460
|
1774229064
|
1774229461
|
|
0
|
|
0
|
Edit
Delete
|
|
9071
|
7309
|
6
|
5
|
339ea969ec2633756fb1a155d47723d0f61396a4
|
0
|
🔒 多租户安全审计
|
1
|
name: Database Security Audit
"on":
pu name: Database Security Audit
"on":
push:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
pull_request:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
schedule:
# 每天凌晨 2 点执行完整审计
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
full_audit:
description: '执行完整审计(包含 RLS 迁移建议)'
required: false
default: 'false'
type: boolean
env:
NODE_VERSION: "18"
jobs:
tenant-security:
name: "\U0001F512 多租户安全审计"
runs-on: ubuntu-latest
steps:
- name: "\U0001F4E5 Checkout code"
uses: actions/checkout@v4
- name: "\U0001F7E2 Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 Setup pnpm"
uses: pnpm/action-setup@v2
with:
version: "8"
- name: "\U0001F4E5 Install dependencies"
run: pnpm install --frozen-lockfile
- id: tenant-audit
name: "\U0001F50D 多租户隔离检查"
run: |
cd backend
npm run audit:tenant 2>&1 | tee tenant-audit.log
# 检查是否有 P0 级别问题
if grep -q "P0" tenant-audit.log; then
echo "has_p0_issues=true" >> $GITHUB_OUTPUT
else
echo "has_p0_issues=false" >> $GITHUB_OUTPUT
fi
- name: "\U0001F4CA 上传审计报告"
uses: actions/upload-artifact@v4
with:
name: tenant-security-report
path: backend/tenant-audit.log
- if: steps.tenant-audit.outputs.has_p0_issues == 'true'
name: ❌ P0 问题阻断
run: |
echo "::error::发现 P0 级别多租户安全问题,禁止合并!"
exit 1
timeout-minutes: "15"
...
|
tenant-security
|
null
|
["ubuntu-latest"]
|
7832
|
2
|
1774231245
|
1774231267
|
1774231240
|
1774231267
|
|
0
|
|
0
|
Edit
Delete
|
|
9201
|
7415
|
6
|
5
|
67078f9a95f53530156ad27027eafe15a3126e89
|
0
|
🔒 多租户安全审计
|
1
|
name: Database Security Audit
"on":
pu name: Database Security Audit
"on":
push:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
pull_request:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
schedule:
# 每天凌晨 2 点执行完整审计
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
full_audit:
description: '执行完整审计(包含 RLS 迁移建议)'
required: false
default: 'false'
type: boolean
env:
NODE_VERSION: "18"
jobs:
tenant-security:
name: "\U0001F512 多租户安全审计"
runs-on: ubuntu-latest
steps:
- name: "\U0001F4E5 Checkout code"
uses: actions/checkout@v4
- name: "\U0001F7E2 Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 Setup pnpm"
uses: pnpm/action-setup@v2
with:
version: "8"
- name: "\U0001F4E5 Install dependencies"
run: pnpm install --frozen-lockfile
- id: tenant-audit
name: "\U0001F50D 多租户隔离检查"
run: |
cd backend
npm run audit:tenant 2>&1 | tee tenant-audit.log
# 检查是否有 P0 级别问题
if grep -q "P0" tenant-audit.log; then
echo "has_p0_issues=true" >> $GITHUB_OUTPUT
else
echo "has_p0_issues=false" >> $GITHUB_OUTPUT
fi
- name: "\U0001F4CA 上传审计报告"
uses: actions/upload-artifact@v4
with:
name: tenant-security-report
path: backend/tenant-audit.log
- if: steps.tenant-audit.outputs.has_p0_issues == 'true'
name: ❌ P0 问题阻断
run: |
echo "::error::发现 P0 级别多租户安全问题,禁止合并!"
exit 1
timeout-minutes: "15"
...
|
tenant-security
|
null
|
["ubuntu-latest"]
|
7950
|
2
|
1774262461
|
1774262552
|
1774262375
|
1774262552
|
|
0
|
|
0
|
Edit
Delete
|
|
9231
|
7420
|
6
|
5
|
67078f9a95f53530156ad27027eafe15a3126e89
|
0
|
🔒 多租户安全审计
|
1
|
name: Code Quality Gate
"on":
push:
name: Code Quality Gate
"on":
push:
branches: [main, develop]
pull_request:
branches: [main, develop]
workflow_dispatch:
inputs:
strict_mode:
description: '严格模式(失败即阻止合并)'
required: false
default: true
type: boolean
env:
COVERAGE_THRESHOLD_E2E: "60"
COVERAGE_THRESHOLD_INTEGRATION: "70"
COVERAGE_THRESHOLD_UNIT: "80"
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
tenant-security:
name: "\U0001F512 多租户安全审计"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: 安装 pnpm
uses: pnpm/action-setup@v4
with:
version: ${{ env.PNPM_VERSION }}
- name: 设置 Node.js
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: 安装依赖
run: pnpm install --frozen-lockfile
- name: 生成 Prisma Client
run: pnpm --filter juhi-api run db:generate
- id: tenant-audit
name: 执行多租户安全审计
run: |
cd backend
npm run audit:tenant 2>&1 | tee audit-result.txt
if grep -q "FAIL" audit-result.txt; then
echo "❌ 多租户安全审计失败"
echo "has_failures=true" >> $GITHUB_OUTPUT
exit 1
fi
echo "✅ 多租户安全审计通过"
echo "has_failures=false" >> $GITHUB_OUTPUT
- if: always()
name: 上传审计报告
uses: actions/upload-artifact@v4
with:
name: tenant-security-audit
path: backend/audit-result.txt
retention-days: "30"
timeout-minutes: "15"
...
|
tenant-security
|
null
|
["ubuntu-latest"]
|
7966
|
2
|
1774263003
|
1774263019
|
1774262378
|
1774263019
|
|
0
|
|
0
|
Edit
Delete
|