|
7897
|
6712
|
6
|
5
|
b7eb415d7a9689f1efec941bcb2dcd7d098e9c28
|
0
|
📋 安全报告汇总
|
1
|
name: Database Security Audit
"on":
pu name: Database Security Audit
"on":
push:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
pull_request:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
schedule:
# 每天凌晨 2 点执行完整审计
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
full_audit:
description: '执行完整审计(包含 RLS 迁移建议)'
required: false
default: 'false'
type: boolean
env:
NODE_VERSION: "18"
jobs:
security-report:
name: "\U0001F4CB 安全报告汇总"
runs-on: ubuntu-latest
if: always()
steps:
- name: "\U0001F4E5 下载所有报告"
uses: actions/download-artifact@v4
with:
path: reports
- name: "\U0001F4DD 生成综合报告"
run: "cat << 'EOF' > security-summary.md\n# \U0001F512 数据库安全审计报告\n\n**执行时间**: $(date '+%Y-%m-%d %H:%M:%S')\n**触发方式**: ${{ github.event_name }}\n**分支**: ${{ github.ref_name }}\n\n## 审计结果汇总\n\n| 检查项 | 状态 |\n|--------|------|\n| 多租户安全 | ${{ needs.tenant-security.result == 'success' && '✅ 通过' || '❌ 失败' }} |\n| N+1 查询 | ${{ needs.n1-query-detection.result == 'success' && '✅ 通过' || '⚠️ 警告' }} |\n| RLS 覆盖 | ${{ needs.rls-coverage.result == 'success' && '✅ 通过' || '⚠️ 警告' }} |\n| 权限配置 | ${{ needs.permission-security.result == 'success' && '✅ 通过' || '⚠️ 警告' }} |\n\n## 详细报告\n\n请下载 Artifacts 查看各项检查的详细报告。\n\n## 修复指南\n\n- [多租户安全修复指南](docs/MULTI-TENANT-SECURITY.md)\n- [N+1 查询优化指南](docs/N+1-QUERY-OPTIMIZATION.md)\n- [RLS 策略配置指南](docs/RLS-POLICY-GUIDE.md)\nEOF\n"
- name: "\U0001F4CA 上传综合报告"
uses: actions/upload-artifact@v4
with:
name: security-summary
path: security-summary.md
- if: github.event_name == 'pull_request'
name: "\U0001F4AC PR 评论"
uses: actions/github-script@v7
with:
script: |
const fs = require('fs');
const summary = fs.readFileSync('security-summary.md', 'utf8');
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: summary
});
...
|
security-report
|
["tenant-security","n1-query-detection ["tenant-security","n1-query-detection","rls-coverage","permission-security"]...
|
["ubuntu-latest"]
|
6799
|
2
|
1773833274
|
1773833278
|
1773832743
|
1773833278
|
|
1
|
|
0
|
Edit
Delete
|
|
7896
|
6712
|
6
|
5
|
b7eb415d7a9689f1efec941bcb2dcd7d098e9c28
|
0
|
🔐 权限安全审计
|
1
|
name: Database Security Audit
"on":
pu name: Database Security Audit
"on":
push:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
pull_request:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
schedule:
# 每天凌晨 2 点执行完整审计
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
full_audit:
description: '执行完整审计(包含 RLS 迁移建议)'
required: false
default: 'false'
type: boolean
env:
NODE_VERSION: "18"
jobs:
permission-security:
name: "\U0001F510 权限安全审计"
runs-on: ubuntu-latest
steps:
- name: "\U0001F4E5 Checkout code"
uses: actions/checkout@v4
- name: "\U0001F7E2 Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 Setup pnpm"
uses: pnpm/action-setup@v2
with:
version: "8"
- name: "\U0001F4E5 Install dependencies"
run: pnpm install --frozen-lockfile
- id: permission-audit
name: "\U0001F50D 权限配置审计"
run: |
cd backend
npm run audit:permission --json 2>&1 | tee permission-audit.json
continue-on-error: true
- name: "\U0001F4CA 上传权限审计报告"
uses: actions/upload-artifact@v4
with:
name: permission-audit-report
path: backend/permission-audit.json
timeout-minutes: "10"
...
|
permission-security
|
null
|
["ubuntu-latest"]
|
6775
|
2
|
1773832881
|
1773832901
|
1773832743
|
1773832902
|
|
0
|
|
0
|
Edit
Delete
|
|
7895
|
6712
|
6
|
5
|
b7eb415d7a9689f1efec941bcb2dcd7d098e9c28
|
0
|
🛡️ RLS 覆盖分析
|
1
|
name: Database Security Audit
"on":
pu name: Database Security Audit
"on":
push:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
pull_request:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
schedule:
# 每天凌晨 2 点执行完整审计
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
full_audit:
description: '执行完整审计(包含 RLS 迁移建议)'
required: false
default: 'false'
type: boolean
env:
NODE_VERSION: "18"
jobs:
rls-coverage:
name: "\U0001F6E1️ RLS 覆盖分析"
runs-on: ubuntu-latest
steps:
- name: "\U0001F4E5 Checkout code"
uses: actions/checkout@v4
- name: "\U0001F7E2 Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 Setup pnpm"
uses: pnpm/action-setup@v2
with:
version: "8"
- name: "\U0001F4E5 Install dependencies"
run: pnpm install --frozen-lockfile
- id: rls-analysis
name: "\U0001F50D RLS 策略分析"
run: |
cd backend
npm run rls:analyze 2>&1 | tee rls-analysis.log
# 提取覆盖率
COVERAGE=$(grep -oP 'RLS 覆盖率: \K[\d.]+%' rls-analysis.log || echo "0%")
echo "coverage=$COVERAGE" >> $GITHUB_OUTPUT
- name: "\U0001F4CA 上传 RLS 分析报告"
uses: actions/upload-artifact@v4
with:
name: rls-coverage-report
path: backend/rls-analysis.log
- name: "\U0001F4C8 RLS 覆盖率检查"
run: |
COVERAGE="${{ steps.rls-analysis.outputs.coverage }}"
echo "当前 RLS 覆盖率: $COVERAGE"
# 提取数字部分
PERCENT=$(echo $COVERAGE | grep -oP '[\d.]+' || echo "0")
if (( $(echo "$PERCENT < 80" | bc -l) )); then
echo "::warning::RLS 覆盖率低于 80%,建议增加 RLS 策略"
fi
timeout-minutes: "10"
...
|
rls-coverage
|
null
|
["ubuntu-latest"]
|
6774
|
2
|
1773832860
|
1773832881
|
1773832743
|
1773832881
|
|
0
|
|
0
|
Edit
Delete
|
|
7894
|
6712
|
6
|
5
|
b7eb415d7a9689f1efec941bcb2dcd7d098e9c28
|
0
|
⚡ N+1 查询检测
|
1
|
name: Database Security Audit
"on":
pu name: Database Security Audit
"on":
push:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
pull_request:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
schedule:
# 每天凌晨 2 点执行完整审计
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
full_audit:
description: '执行完整审计(包含 RLS 迁移建议)'
required: false
default: 'false'
type: boolean
env:
NODE_VERSION: "18"
jobs:
n1-query-detection:
name: ⚡ N+1 查询检测
runs-on: ubuntu-latest
steps:
- name: "\U0001F4E5 Checkout code"
uses: actions/checkout@v4
- name: "\U0001F7E2 Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 Setup pnpm"
uses: pnpm/action-setup@v2
with:
version: "8"
- name: "\U0001F4E5 Install dependencies"
run: pnpm install --frozen-lockfile
- id: n1-audit
name: "\U0001F50D N+1 查询检测"
run: |
cd backend
npm run audit:n1 --fix 2>&1 | tee n1-audit.log
# 提取 HIGH 问题数量
HIGH_COUNT=$(grep -c "HIGH" n1-audit.log || echo "0")
echo "high_count=$HIGH_COUNT" >> $GITHUB_OUTPUT
- name: "\U0001F4CA 上传 N+1 报告"
uses: actions/upload-artifact@v4
with:
name: n1-query-report
path: backend/n1-audit.log
- if: steps.n1-audit.outputs.high_count > 0
name: ⚠️ N+1 问题警告
run: |
echo "::warning::发现 ${{ steps.n1-audit.outputs.high_count }} 个 HIGH 级别 N+1 查询问题"
timeout-minutes: "10"
...
|
n1-query-detection
|
null
|
["ubuntu-latest"]
|
6773
|
2
|
1773832838
|
1773832859
|
1773832743
|
1773832860
|
|
0
|
|
0
|
Edit
Delete
|
|
7893
|
6712
|
6
|
5
|
b7eb415d7a9689f1efec941bcb2dcd7d098e9c28
|
0
|
🔒 多租户安全审计
|
1
|
name: Database Security Audit
"on":
pu name: Database Security Audit
"on":
push:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
pull_request:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
schedule:
# 每天凌晨 2 点执行完整审计
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
full_audit:
description: '执行完整审计(包含 RLS 迁移建议)'
required: false
default: 'false'
type: boolean
env:
NODE_VERSION: "18"
jobs:
tenant-security:
name: "\U0001F512 多租户安全审计"
runs-on: ubuntu-latest
steps:
- name: "\U0001F4E5 Checkout code"
uses: actions/checkout@v4
- name: "\U0001F7E2 Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 Setup pnpm"
uses: pnpm/action-setup@v2
with:
version: "8"
- name: "\U0001F4E5 Install dependencies"
run: pnpm install --frozen-lockfile
- id: tenant-audit
name: "\U0001F50D 多租户隔离检查"
run: |
cd backend
npm run audit:tenant 2>&1 | tee tenant-audit.log
# 检查是否有 P0 级别问题
if grep -q "P0" tenant-audit.log; then
echo "has_p0_issues=true" >> $GITHUB_OUTPUT
else
echo "has_p0_issues=false" >> $GITHUB_OUTPUT
fi
- name: "\U0001F4CA 上传审计报告"
uses: actions/upload-artifact@v4
with:
name: tenant-security-report
path: backend/tenant-audit.log
- if: steps.tenant-audit.outputs.has_p0_issues == 'true'
name: ❌ P0 问题阻断
run: |
echo "::error::发现 P0 级别多租户安全问题,禁止合并!"
exit 1
timeout-minutes: "15"
...
|
tenant-security
|
null
|
["ubuntu-latest"]
|
6772
|
2
|
1773832815
|
1773832838
|
1773832743
|
1773832838
|
|
0
|
|
0
|
Edit
Delete
|
|
7877
|
6711
|
6
|
5
|
b7eb415d7a9689f1efec941bcb2dcd7d098e9c28
|
0
|
安装依赖
|
1
|
name: CI
"on":
push:
branches: name: CI
"on":
push:
branches: [main, develop, 'feature/**', 'claude/**']
pull_request:
branches: [main, develop]
env:
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
setup:
name: 安装依赖
runs-on: ubuntu-latest
steps:
- name: 检出代码
uses: actions/checkout@v4
- name: 安装 pnpm
uses: pnpm/action-setup@v4
with:
version: ${{ env.PNPM_VERSION }}
- name: 设置 Node.js
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: 安装依赖
run: pnpm install --frozen-lockfile
- name: 构建共享包
run: pnpm --filter @juhi/shared run build
- name: 缓存 node_modules
uses: actions/cache/save@v4
with:
key: deps-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }}
path: |
node_modules
backend/node_modules
frontend/node_modules
mobile/node_modules
shared/node_modules
shared/dist
e2e/node_modules
...
|
setup
|
null
|
["ubuntu-latest"]
|
6771
|
2
|
1773832795
|
1773832814
|
1773832742
|
1773832814
|
|
0
|
|
0
|
Edit
Delete
|
|
7859
|
6706
|
6
|
5
|
e112d45af414e4862c0328abad7c4df74d3c1dbf
|
0
|
🔄 状态机测试
|
1
|
name: Code Quality Gate
"on":
push:
name: Code Quality Gate
"on":
push:
branches: [main, develop]
pull_request:
branches: [main, develop]
workflow_dispatch:
inputs:
strict_mode:
description: '严格模式(失败即阻止合并)'
required: false
default: true
type: boolean
env:
COVERAGE_THRESHOLD_E2E: "60"
COVERAGE_THRESHOLD_INTEGRATION: "70"
COVERAGE_THRESHOLD_UNIT: "80"
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
state-machine-tests:
name: "\U0001F504 状态机测试"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: 安装 pnpm
uses: pnpm/action-setup@v4
with:
version: ${{ env.PNPM_VERSION }}
- name: 设置 Node.js
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: 安装依赖
run: pnpm install --frozen-lockfile
- name: 生成 Prisma Client
run: pnpm --filter juhi-api run db:generate
- name: 运行状态机测试
run: |
cd backend
npx vitest run src/shared/state-machines --reporter=verbose --passWithNoTests
echo "✅ 状态机测试通过"
timeout-minutes: "15"
...
|
state-machine-tests
|
null
|
["ubuntu-latest"]
|
6761
|
2
|
1773832682
|
1773832712
|
1773831750
|
1773832712
|
|
0
|
|
0
|
Edit
Delete
|
|
7858
|
6706
|
6
|
5
|
e112d45af414e4862c0328abad7c4df74d3c1dbf
|
0
|
📊 单元测试覆盖率门禁
|
1
|
name: Code Quality Gate
"on":
push:
name: Code Quality Gate
"on":
push:
branches: [main, develop]
pull_request:
branches: [main, develop]
workflow_dispatch:
inputs:
strict_mode:
description: '严格模式(失败即阻止合并)'
required: false
default: true
type: boolean
env:
COVERAGE_THRESHOLD_E2E: "60"
COVERAGE_THRESHOLD_INTEGRATION: "70"
COVERAGE_THRESHOLD_UNIT: "80"
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
unit-test-coverage:
name: "\U0001F4CA 单元测试覆盖率门禁"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: 安装 pnpm
uses: pnpm/action-setup@v4
with:
version: ${{ env.PNPM_VERSION }}
- name: 设置 Node.js
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: 安装依赖
run: pnpm install --frozen-lockfile
- name: 生成 Prisma Client
run: pnpm --filter juhi-api run db:generate
- name: 运行单元测试并生成覆盖率
run: |
cd backend
npm run test:coverage
env:
NODE_ENV: test
JWT_SECRET: test-jwt-secret
JWT_REFRESH_SECRET: test-jwt-refresh-secret
- id: coverage-check
name: 检查覆盖率阈值
run: "cd backend\nif [ -f \"coverage/coverage-summary.json\" ]; then\n LINES_PCT=$(cat coverage/coverage-summary.json | jq '.total.lines.pct')\n STATEMENTS_PCT=$(cat coverage/coverage-summary.json | jq '.total.statements.pct')\n BRANCHES_PCT=$(cat coverage/coverage-summary.json | jq '.total.branches.pct')\n FUNCTIONS_PCT=$(cat coverage/coverage-summary.json | jq '.total.functions.pct')\n\n echo \"\U0001F4CA 覆盖率报告:\"\n echo \" - 行覆盖率: $LINES_PCT%\"\n echo \" - 语句覆盖率: $STATEMENTS_PCT%\"\n echo \" - 分支覆盖率: $BRANCHES_PCT%\"\n echo \" - 函数覆盖率: $FUNCTIONS_PCT%\"\n\n echo \"lines_pct=$LINES_PCT\" >> $GITHUB_OUTPUT\n echo \"statements_pct=$STATEMENTS_PCT\" >> $GITHUB_OUTPUT\n echo \"branches_pct=$BRANCHES_PCT\" >> $GITHUB_OUTPUT\n echo \"functions_pct=$FUNCTIONS_PCT\" >> $GITHUB_OUTPUT\n\n # 检查是否达到阈值(使用行覆盖率作为主要指标)\n if (( $(echo \"$LINES_PCT < ${{ env.COVERAGE_THRESHOLD_UNIT }}\" | bc -l) )); then\n echo \"❌ 行覆盖率 $LINES_PCT% 低于阈值 ${{ env.COVERAGE_THRESHOLD_UNIT }}%\"\n echo \"coverage_pass=false\" >> $GITHUB_OUTPUT\n exit 1\n fi\n\n echo \"✅ 覆盖率检查通过\"\n echo \"coverage_pass=true\" >> $GITHUB_OUTPUT\nelse\n echo \"⚠️ 未找到覆盖率报告\"\n echo \"coverage_pass=false\" >> $GITHUB_OUTPUT\n exit 1\nfi\n"
- if: always()
name: 生成覆盖率徽章
run: |
COVERAGE="${{ steps.coverage-check.outputs.lines_pct }}"
if [ -z "$COVERAGE" ]; then
COVERAGE="0"
fi
# 确定颜色
if (( $(echo "$COVERAGE >= 80" | bc -l) )); then
COLOR="brightgreen"
elif (( $(echo "$COVERAGE >= 60" | bc -l) )); then
COLOR="yellow"
else
COLOR="red"
fi
echo "Coverage: $COVERAGE% ($COLOR)"
- if: always()
name: 上传覆盖率报告
uses: actions/upload-artifact@v4
with:
name: unit-test-coverage
path: |
backend/coverage/
backend/test-results/
retention-days: "14"
- if: github.event_name == 'pull_request'
name: 评论 PR 覆盖率
uses: actions/github-script@v7
with:
script: "const coverage = '${{ steps.coverage-check.outputs.lines_pct }}';\nconst threshold = '${{ env.COVERAGE_THRESHOLD_UNIT }}';\nconst passed = '${{ steps.coverage-check.outputs.coverage_pass }}' === 'true';\n\nconst emoji = passed ? '✅' : '❌';\nconst status = passed ? '通过' : '未通过';\n\nconst body = [\n `## ${emoji} 单元测试覆盖率报告`,\n '',\n '| 指标 | 当前值 | 阈值 | 状态 |',\n '|------|--------|------|------|',\n `| 行覆盖率 | ${coverage}% | ${threshold}% | ${status} |`,\n `| 语句覆盖率 | ${{ steps.coverage-check.outputs.statements_pct }}% | - | - |`,\n `| 分支覆盖率 | ${{ steps.coverage-check.outputs.branches_pct }}% | - | - |`,\n `| 函数覆盖率 | ${{ steps.coverage-check.outputs.functions_pct }}% | - | - |`,\n '',\n passed ? '\U0001F389 恭喜!测试覆盖率达标。' : '⚠️ 请增加测试用例以提高覆盖率。'\n].join('\\n');\n\ngithub.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: context.repo.owner,\n repo: context.repo.repo,\n body: body\n});\n"
timeout-minutes: "30"
...
|
unit-test-coverage
|
null
|
["ubuntu-latest"]
|
6760
|
2
|
1773832652
|
1773832682
|
1773831750
|
1773832682
|
|
0
|
|
0
|
Edit
Delete
|
|
7857
|
6706
|
6
|
5
|
e112d45af414e4862c0328abad7c4df74d3c1dbf
|
0
|
🔒 多租户安全审计
|
1
|
name: Code Quality Gate
"on":
push:
name: Code Quality Gate
"on":
push:
branches: [main, develop]
pull_request:
branches: [main, develop]
workflow_dispatch:
inputs:
strict_mode:
description: '严格模式(失败即阻止合并)'
required: false
default: true
type: boolean
env:
COVERAGE_THRESHOLD_E2E: "60"
COVERAGE_THRESHOLD_INTEGRATION: "70"
COVERAGE_THRESHOLD_UNIT: "80"
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
tenant-security:
name: "\U0001F512 多租户安全审计"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: 安装 pnpm
uses: pnpm/action-setup@v4
with:
version: ${{ env.PNPM_VERSION }}
- name: 设置 Node.js
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: 安装依赖
run: pnpm install --frozen-lockfile
- name: 生成 Prisma Client
run: pnpm --filter juhi-api run db:generate
- id: tenant-audit
name: 执行多租户安全审计
run: |
cd backend
npm run audit:tenant 2>&1 | tee audit-result.txt
if grep -q "FAIL" audit-result.txt; then
echo "❌ 多租户安全审计失败"
echo "has_failures=true" >> $GITHUB_OUTPUT
exit 1
fi
echo "✅ 多租户安全审计通过"
echo "has_failures=false" >> $GITHUB_OUTPUT
- if: always()
name: 上传审计报告
uses: actions/upload-artifact@v4
with:
name: tenant-security-audit
path: backend/audit-result.txt
retention-days: "30"
timeout-minutes: "15"
...
|
tenant-security
|
null
|
["ubuntu-latest"]
|
6759
|
2
|
1773832621
|
1773832651
|
1773831750
|
1773832651
|
|
0
|
|
0
|
Edit
Delete
|
|
7856
|
6706
|
6
|
5
|
e112d45af414e4862c0328abad7c4df74d3c1dbf
|
0
|
静态代码分析
|
1
|
name: Code Quality Gate
"on":
push:
name: Code Quality Gate
"on":
push:
branches: [main, develop]
pull_request:
branches: [main, develop]
workflow_dispatch:
inputs:
strict_mode:
description: '严格模式(失败即阻止合并)'
required: false
default: true
type: boolean
env:
COVERAGE_THRESHOLD_E2E: "60"
COVERAGE_THRESHOLD_INTEGRATION: "70"
COVERAGE_THRESHOLD_UNIT: "80"
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
static-analysis:
name: 静态代码分析
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: 安装 pnpm
uses: pnpm/action-setup@v4
with:
version: ${{ env.PNPM_VERSION }}
- name: 设置 Node.js
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: 安装依赖
run: pnpm install --frozen-lockfile
- name: Prisma Schema 验证
run: |
cd backend
npx prisma validate
echo "✅ Prisma Schema 验证通过"
- name: 生成 Prisma Client
run: pnpm --filter juhi-api run db:generate
- name: 后端 TypeScript 类型检查
run: |
cd backend
npx tsc --noEmit
echo "✅ 后端类型检查通过"
- name: 前端 TypeScript 类型检查
run: |
cd frontend
npm run check:array-guard
npm run type-check
echo "✅ 前端类型检查通过"
- name: ESLint 检查
run: |
cd backend
npm run lint || echo "⚠️ Lint 警告(非阻塞)"
continue-on-error: true
timeout-minutes: "20"
...
|
static-analysis
|
null
|
["ubuntu-latest"]
|
6758
|
2
|
1773832591
|
1773832621
|
1773831750
|
1773832621
|
|
0
|
|
0
|
Edit
Delete
|
|
7851
|
6705
|
6
|
5
|
e112d45af414e4862c0328abad7c4df74d3c1dbf
|
0
|
检测代码变更
|
1
|
name: Integration Tests
"on":
push:
name: Integration Tests
"on":
push:
branches: [main, develop, 'feature/**', 'claude/**']
pull_request:
branches: [main, develop]
workflow_dispatch:
inputs:
run_all_tests:
description: '运行所有集成测试(包括慢速测试)'
required: false
default: 'false'
type: boolean
env:
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
detect-changes:
name: 检测代码变更
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- id: filter
uses: dorny/paths-filter@v3
with:
filters: |
backend:
- 'backend/**'
- 'shared/**'
tests:
- 'backend/tests/**'
- 'backend/vitest*.config.ts'
outputs:
backend: ${{ steps.filter.outputs.backend }}
tests: ${{ steps.filter.outputs.tests }}
...
|
detect-changes
|
null
|
["ubuntu-latest"]
|
6757
|
2
|
1773832556
|
1773832588
|
1773831750
|
1773832589
|
|
0
|
|
0
|
Edit
Delete
|
|
7850
|
6704
|
6
|
5
|
e112d45af414e4862c0328abad7c4df74d3c1dbf
|
0
|
test-summary
|
1
|
name: E2E Tests
"on":
# PR validation name: E2E Tests
"on":
# PR validation - 运行关键测试
pull_request:
branches: [main, develop]
paths:
- 'frontend/**'
- 'backend/**'
- 'e2e/**'
- 'package.json'
- 'pnpm-lock.yaml'
# Push to main - 运行完整测试套件
push:
branches: [main]
# 每日定时全量测试 (UTC 时间 00:00 = 北京时间 08:00)
schedule:
- cron: '0 0 * * *'
# 手动触发
workflow_dispatch:
inputs:
test_suite:
description: 'Test suite to run'
required: true
default: 'all'
type: choice
options:
- all
- critical
- business-flows
- visual-regression
- performance
env:
NODE_VERSION: "18"
PNPM_VERSION: "8"
jobs:
test-summary:
name: test-summary
runs-on: ubuntu-latest
if: always()
steps:
- name: Download all test artifacts
uses: actions/download-artifact@v4
- name: Generate summary report
run: "echo \"## \U0001F9EA E2E 测试汇总\" >> $GITHUB_STEP_SUMMARY\necho \"\" >> $GITHUB_STEP_SUMMARY\n\nif [ -d \"playwright-report-pr\" ]; then\n echo \"### PR 快速验证\" >> $GITHUB_STEP_SUMMARY\n echo \"✅ 关键测试通过\" >> $GITHUB_STEP_SUMMARY\nfi\n\nif [ -d \"business-flows-report\" ]; then\n echo \"### 业务流程测试\" >> $GITHUB_STEP_SUMMARY\n echo \"✅ 业务流程测试完成\" >> $GITHUB_STEP_SUMMARY\nfi\n\nif [ -d \"performance-report\" ]; then\n echo \"### 性能基准测试\" >> $GITHUB_STEP_SUMMARY\n echo \"\U0001F4CA 性能测试报告已生成\" >> $GITHUB_STEP_SUMMARY\nfi\n\nif [ -d \"visual-regression-report\" ]; then\n echo \"### 视觉回归测试\" >> $GITHUB_STEP_SUMMARY\n echo \"\U0001F3A8 视觉对比完成\" >> $GITHUB_STEP_SUMMARY\nfi\n"
...
|
test-summary
|
["pr-validation","full-test-suite" ["pr-validation","full-test-suite","business-flows","performance-benchmarks","visual-regression"]...
|
["ubuntu-latest"]
|
6807
|
2
|
1773833309
|
1773833311
|
1773831749
|
1773833311
|
|
1
|
|
0
|
Edit
Delete
|
|
7849
|
6704
|
6
|
5
|
e112d45af414e4862c0328abad7c4df74d3c1dbf
|
0
|
visual-regression
|
1
|
name: E2E Tests
"on":
# PR validation name: E2E Tests
"on":
# PR validation - 运行关键测试
pull_request:
branches: [main, develop]
paths:
- 'frontend/**'
- 'backend/**'
- 'e2e/**'
- 'package.json'
- 'pnpm-lock.yaml'
# Push to main - 运行完整测试套件
push:
branches: [main]
# 每日定时全量测试 (UTC 时间 00:00 = 北京时间 08:00)
schedule:
- cron: '0 0 * * *'
# 手动触发
workflow_dispatch:
inputs:
test_suite:
description: 'Test suite to run'
required: true
default: 'all'
type: choice
options:
- all
- critical
- business-flows
- visual-regression
- performance
env:
NODE_VERSION: "18"
PNPM_VERSION: "8"
jobs:
visual-regression:
name: visual-regression
runs-on: ubuntu-latest
if: github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && github.event.inputs.test_suite == 'visual-regression')
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: "0"
- name: Setup pnpm
uses: pnpm/action-setup@v2
with:
version: ${{ env.PNPM_VERSION }}
- name: Setup Node.js
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: Install dependencies
run: pnpm install --frozen-lockfile
- name: Setup test database
run: |
cd backend
npx prisma migrate deploy
npx prisma db seed
env:
DATABASE_URL: postgresql://test_user:test_password@localhost:5432/juhi_test
- name: Build and start services
run: |
cd backend && npm run build && npm run start &
cd frontend && npm run build && npm run preview &
sleep 15
env:
DATABASE_URL: postgresql://test_user:test_password@localhost:5432/juhi_test
REDIS_URL: redis://localhost:6379
NODE_ENV: test
VITE_API_URL: http://localhost:3000
- name: Install Playwright
run: npx playwright install --with-deps chromium
- name: Run visual regression tests
run: |
cd e2e
npx playwright test tests/visual-regression/ --reporter=html
env:
E2E_BASE_URL: http://localhost:5173
E2E_TEST_USER: admin@juhi.com
E2E_TEST_PASSWORD: Admin@123
- if: always()
name: Upload visual diff results
uses: actions/upload-artifact@v4
with:
name: visual-regression-report
path: |
e2e/playwright-report/
e2e/test-results/
retention-days: "30"
- if: github.event_name == 'push' && github.ref == 'refs/heads/main'
name: Update baseline screenshots
run: |
cd e2e
npx playwright test tests/visual-regression/ --update-snapshots
git config user.name "GitHub Actions"
git config user.email "actions@github.com"
git add tests/visual-regression/**/*.png
git commit -m "chore: update visual regression baselines" || echo "No changes"
git push
timeout-minutes: "30"
services:
postgres:
image: postgres:15
env:
POSTGRES_DB: juhi_test
POSTGRES_PASSWORD: test_password
POSTGRES_USER: test_user
ports:
- 5432:5432
options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
redis:
image: redis:7
ports:
- 6379:6379
options: --health-cmd "redis-cli ping" --health-interval 10s --health-timeout 5s --health-retries 5
...
|
visual-regression
|
null
|
["ubuntu-latest"]
|
6756
|
2
|
1773832377
|
1773833155
|
1773831749
|
1773833155
|
|
0
|
|
0
|
Edit
Delete
|
|
7846
|
6704
|
6
|
5
|
e112d45af414e4862c0328abad7c4df74d3c1dbf
|
0
|
full-test-suite (webkit)
|
1
|
name: E2E Tests
"on":
# PR validation name: E2E Tests
"on":
# PR validation - 运行关键测试
pull_request:
branches: [main, develop]
paths:
- 'frontend/**'
- 'backend/**'
- 'e2e/**'
- 'package.json'
- 'pnpm-lock.yaml'
# Push to main - 运行完整测试套件
push:
branches: [main]
# 每日定时全量测试 (UTC 时间 00:00 = 北京时间 08:00)
schedule:
- cron: '0 0 * * *'
# 手动触发
workflow_dispatch:
inputs:
test_suite:
description: 'Test suite to run'
required: true
default: 'all'
type: choice
options:
- all
- critical
- business-flows
- visual-regression
- performance
env:
NODE_VERSION: "18"
PNPM_VERSION: "8"
jobs:
full-test-suite:
name: full-test-suite (webkit)
runs-on: ubuntu-latest
if: github.event_name == 'push' || github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.test_suite == 'all')
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup pnpm
uses: pnpm/action-setup@v2
with:
version: ${{ env.PNPM_VERSION }}
- name: Setup Node.js
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: Install dependencies
run: pnpm install --frozen-lockfile
- name: Setup test database
run: |
cd backend
npx prisma migrate deploy
npx prisma db seed
env:
DATABASE_URL: postgresql://test_user:test_password@localhost:5432/juhi_test
- name: Build backend
run: |
cd backend
npm run build
- name: Build frontend
run: |
cd frontend
npm run build
- name: Install Playwright Browsers
run: npx playwright install --with-deps ${{ matrix.browser }}
- name: Start backend server
run: |
cd backend
npm run start &
sleep 10
env:
DATABASE_URL: postgresql://test_user:test_password@localhost:5432/juhi_test
REDIS_URL: redis://localhost:6379
NODE_ENV: test
- name: Start frontend server
run: |
cd frontend
npm run preview &
sleep 5
env:
VITE_API_URL: http://localhost:3000
- name: Run all E2E tests
run: |
cd e2e
npx playwright test --project=${{ matrix.browser }} --reporter=html,json
env:
E2E_BASE_URL: http://localhost:5173
E2E_TEST_USER: admin@juhi.com
E2E_TEST_PASSWORD: Admin@123
- if: always()
name: Upload test results
uses: actions/upload-artifact@v4
with:
name: playwright-report-${{ matrix.browser }}
path: e2e/playwright-report/
retention-days: "30"
- if: always()
name: Upload test artifacts
uses: actions/upload-artifact@v4
with:
name: test-results-${{ matrix.browser }}
path: e2e/test-results/
retention-days: "30"
timeout-minutes: "60"
services:
postgres:
image: postgres:15
env:
POSTGRES_DB: juhi_test
POSTGRES_PASSWORD: test_password
POSTGRES_USER: test_user
ports:
- 5432:5432
options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
redis:
image: redis:7
ports:
- 6379:6379
options: --health-cmd "redis-cli ping" --health-interval 10s --health-timeout 5s --health-retries 5
strategy:
fail-fast: "false"
matrix:
browser:
- webkit
...
|
full-test-suite
|
null
|
["ubuntu-latest"]
|
6753
|
2
|
1773832349
|
1773832373
|
1773831749
|
1773832373
|
|
0
|
|
0
|
Edit
Delete
|
|
7845
|
6704
|
6
|
5
|
e112d45af414e4862c0328abad7c4df74d3c1dbf
|
0
|
full-test-suite (firefox)
|
1
|
name: E2E Tests
"on":
# PR validation name: E2E Tests
"on":
# PR validation - 运行关键测试
pull_request:
branches: [main, develop]
paths:
- 'frontend/**'
- 'backend/**'
- 'e2e/**'
- 'package.json'
- 'pnpm-lock.yaml'
# Push to main - 运行完整测试套件
push:
branches: [main]
# 每日定时全量测试 (UTC 时间 00:00 = 北京时间 08:00)
schedule:
- cron: '0 0 * * *'
# 手动触发
workflow_dispatch:
inputs:
test_suite:
description: 'Test suite to run'
required: true
default: 'all'
type: choice
options:
- all
- critical
- business-flows
- visual-regression
- performance
env:
NODE_VERSION: "18"
PNPM_VERSION: "8"
jobs:
full-test-suite:
name: full-test-suite (firefox)
runs-on: ubuntu-latest
if: github.event_name == 'push' || github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.test_suite == 'all')
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup pnpm
uses: pnpm/action-setup@v2
with:
version: ${{ env.PNPM_VERSION }}
- name: Setup Node.js
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: Install dependencies
run: pnpm install --frozen-lockfile
- name: Setup test database
run: |
cd backend
npx prisma migrate deploy
npx prisma db seed
env:
DATABASE_URL: postgresql://test_user:test_password@localhost:5432/juhi_test
- name: Build backend
run: |
cd backend
npm run build
- name: Build frontend
run: |
cd frontend
npm run build
- name: Install Playwright Browsers
run: npx playwright install --with-deps ${{ matrix.browser }}
- name: Start backend server
run: |
cd backend
npm run start &
sleep 10
env:
DATABASE_URL: postgresql://test_user:test_password@localhost:5432/juhi_test
REDIS_URL: redis://localhost:6379
NODE_ENV: test
- name: Start frontend server
run: |
cd frontend
npm run preview &
sleep 5
env:
VITE_API_URL: http://localhost:3000
- name: Run all E2E tests
run: |
cd e2e
npx playwright test --project=${{ matrix.browser }} --reporter=html,json
env:
E2E_BASE_URL: http://localhost:5173
E2E_TEST_USER: admin@juhi.com
E2E_TEST_PASSWORD: Admin@123
- if: always()
name: Upload test results
uses: actions/upload-artifact@v4
with:
name: playwright-report-${{ matrix.browser }}
path: e2e/playwright-report/
retention-days: "30"
- if: always()
name: Upload test artifacts
uses: actions/upload-artifact@v4
with:
name: test-results-${{ matrix.browser }}
path: e2e/test-results/
retention-days: "30"
timeout-minutes: "60"
services:
postgres:
image: postgres:15
env:
POSTGRES_DB: juhi_test
POSTGRES_PASSWORD: test_password
POSTGRES_USER: test_user
ports:
- 5432:5432
options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
redis:
image: redis:7
ports:
- 6379:6379
options: --health-cmd "redis-cli ping" --health-interval 10s --health-timeout 5s --health-retries 5
strategy:
fail-fast: "false"
matrix:
browser:
- firefox
...
|
full-test-suite
|
null
|
["ubuntu-latest"]
|
6752
|
2
|
1773832324
|
1773832348
|
1773831749
|
1773832348
|
|
0
|
|
0
|
Edit
Delete
|
|
7844
|
6704
|
6
|
5
|
e112d45af414e4862c0328abad7c4df74d3c1dbf
|
0
|
full-test-suite (chromium)
|
1
|
name: E2E Tests
"on":
# PR validation name: E2E Tests
"on":
# PR validation - 运行关键测试
pull_request:
branches: [main, develop]
paths:
- 'frontend/**'
- 'backend/**'
- 'e2e/**'
- 'package.json'
- 'pnpm-lock.yaml'
# Push to main - 运行完整测试套件
push:
branches: [main]
# 每日定时全量测试 (UTC 时间 00:00 = 北京时间 08:00)
schedule:
- cron: '0 0 * * *'
# 手动触发
workflow_dispatch:
inputs:
test_suite:
description: 'Test suite to run'
required: true
default: 'all'
type: choice
options:
- all
- critical
- business-flows
- visual-regression
- performance
env:
NODE_VERSION: "18"
PNPM_VERSION: "8"
jobs:
full-test-suite:
name: full-test-suite (chromium)
runs-on: ubuntu-latest
if: github.event_name == 'push' || github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.test_suite == 'all')
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup pnpm
uses: pnpm/action-setup@v2
with:
version: ${{ env.PNPM_VERSION }}
- name: Setup Node.js
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: Install dependencies
run: pnpm install --frozen-lockfile
- name: Setup test database
run: |
cd backend
npx prisma migrate deploy
npx prisma db seed
env:
DATABASE_URL: postgresql://test_user:test_password@localhost:5432/juhi_test
- name: Build backend
run: |
cd backend
npm run build
- name: Build frontend
run: |
cd frontend
npm run build
- name: Install Playwright Browsers
run: npx playwright install --with-deps ${{ matrix.browser }}
- name: Start backend server
run: |
cd backend
npm run start &
sleep 10
env:
DATABASE_URL: postgresql://test_user:test_password@localhost:5432/juhi_test
REDIS_URL: redis://localhost:6379
NODE_ENV: test
- name: Start frontend server
run: |
cd frontend
npm run preview &
sleep 5
env:
VITE_API_URL: http://localhost:3000
- name: Run all E2E tests
run: |
cd e2e
npx playwright test --project=${{ matrix.browser }} --reporter=html,json
env:
E2E_BASE_URL: http://localhost:5173
E2E_TEST_USER: admin@juhi.com
E2E_TEST_PASSWORD: Admin@123
- if: always()
name: Upload test results
uses: actions/upload-artifact@v4
with:
name: playwright-report-${{ matrix.browser }}
path: e2e/playwright-report/
retention-days: "30"
- if: always()
name: Upload test artifacts
uses: actions/upload-artifact@v4
with:
name: test-results-${{ matrix.browser }}
path: e2e/test-results/
retention-days: "30"
timeout-minutes: "60"
services:
postgres:
image: postgres:15
env:
POSTGRES_DB: juhi_test
POSTGRES_PASSWORD: test_password
POSTGRES_USER: test_user
ports:
- 5432:5432
options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
redis:
image: redis:7
ports:
- 6379:6379
options: --health-cmd "redis-cli ping" --health-interval 10s --health-timeout 5s --health-retries 5
strategy:
fail-fast: "false"
matrix:
browser:
- chromium
...
|
full-test-suite
|
null
|
["ubuntu-latest"]
|
6751
|
2
|
1773832300
|
1773832324
|
1773831749
|
1773832324
|
|
0
|
|
0
|
Edit
Delete
|
|
7837
|
6703
|
6
|
5
|
e112d45af414e4862c0328abad7c4df74d3c1dbf
|
0
|
质量门禁
|
1
|
name: Deploy
"on":
push:
branc name: Deploy
"on":
push:
branches: [main]
tags: ['v*']
workflow_dispatch:
inputs:
environment:
description: '部署环境'
required: true
default: 'staging'
type: choice
options:
- staging
- production
- rollback
skip_tests:
description: '跳过测试(紧急修复时使用)'
required: false
default: false
type: boolean
env:
IMAGE_PREFIX: ${{ github.repository_owner }}/juhi
NODE_VERSION: "20"
PNPM_VERSION: "8"
REGISTRY: ghcr.io
jobs:
quality-check:
name: 质量门禁
runs-on: ubuntu-latest
if: >-
!(github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'rollback') && !(github.event_name == 'workflow_dispatch' && github.event.inputs.skip_tests == 'true')
steps:
- name: 检出代码
uses: actions/checkout@v4
- name: 安装 pnpm
uses: pnpm/action-setup@v2
with:
version: ${{ env.PNPM_VERSION }}
- name: 设置 Node.js
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: 安装依赖
run: pnpm install --frozen-lockfile
- name: 后端类型检查
run: npx tsc --noEmit
working-directory: backend
- name: 前端类型检查
run: npx vue-tsc --noEmit
working-directory: frontend
- name: 后端测试
run: npm run test:run -- --reporter=default --reporter=junit --outputFile=test-results.xml
working-directory: backend
env:
NODE_ENV: test
- if: always()
name: 上传测试结果
uses: actions/upload-artifact@v4
with:
name: test-results
path: backend/test-results.xml
retention-days: "7"
timeout-minutes: "15"
...
|
quality-check
|
null
|
["ubuntu-latest"]
|
6748
|
2
|
1773832272
|
1773832296
|
1773831749
|
1773832296
|
|
0
|
|
0
|
Edit
Delete
|
|
7835
|
6702
|
6
|
5
|
e112d45af414e4862c0328abad7c4df74d3c1dbf
|
0
|
📋 安全报告汇总
|
1
|
name: Database Security Audit
"on":
pu name: Database Security Audit
"on":
push:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
pull_request:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
schedule:
# 每天凌晨 2 点执行完整审计
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
full_audit:
description: '执行完整审计(包含 RLS 迁移建议)'
required: false
default: 'false'
type: boolean
env:
NODE_VERSION: "18"
jobs:
security-report:
name: "\U0001F4CB 安全报告汇总"
runs-on: ubuntu-latest
if: always()
steps:
- name: "\U0001F4E5 下载所有报告"
uses: actions/download-artifact@v4
with:
path: reports
- name: "\U0001F4DD 生成综合报告"
run: "cat << 'EOF' > security-summary.md\n# \U0001F512 数据库安全审计报告\n\n**执行时间**: $(date '+%Y-%m-%d %H:%M:%S')\n**触发方式**: ${{ github.event_name }}\n**分支**: ${{ github.ref_name }}\n\n## 审计结果汇总\n\n| 检查项 | 状态 |\n|--------|------|\n| 多租户安全 | ${{ needs.tenant-security.result == 'success' && '✅ 通过' || '❌ 失败' }} |\n| N+1 查询 | ${{ needs.n1-query-detection.result == 'success' && '✅ 通过' || '⚠️ 警告' }} |\n| RLS 覆盖 | ${{ needs.rls-coverage.result == 'success' && '✅ 通过' || '⚠️ 警告' }} |\n| 权限配置 | ${{ needs.permission-security.result == 'success' && '✅ 通过' || '⚠️ 警告' }} |\n\n## 详细报告\n\n请下载 Artifacts 查看各项检查的详细报告。\n\n## 修复指南\n\n- [多租户安全修复指南](docs/MULTI-TENANT-SECURITY.md)\n- [N+1 查询优化指南](docs/N+1-QUERY-OPTIMIZATION.md)\n- [RLS 策略配置指南](docs/RLS-POLICY-GUIDE.md)\nEOF\n"
- name: "\U0001F4CA 上传综合报告"
uses: actions/upload-artifact@v4
with:
name: security-summary
path: security-summary.md
- if: github.event_name == 'pull_request'
name: "\U0001F4AC PR 评论"
uses: actions/github-script@v7
with:
script: |
const fs = require('fs');
const summary = fs.readFileSync('security-summary.md', 'utf8');
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: summary
});
...
|
security-report
|
["tenant-security","n1-query-detection ["tenant-security","n1-query-detection","rls-coverage","permission-security"]...
|
["ubuntu-latest"]
|
6767
|
2
|
1773832753
|
1773832777
|
1773831748
|
1773832777
|
|
1
|
|
0
|
Edit
Delete
|
|
7834
|
6702
|
6
|
5
|
e112d45af414e4862c0328abad7c4df74d3c1dbf
|
0
|
🔐 权限安全审计
|
1
|
name: Database Security Audit
"on":
pu name: Database Security Audit
"on":
push:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
pull_request:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
schedule:
# 每天凌晨 2 点执行完整审计
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
full_audit:
description: '执行完整审计(包含 RLS 迁移建议)'
required: false
default: 'false'
type: boolean
env:
NODE_VERSION: "18"
jobs:
permission-security:
name: "\U0001F510 权限安全审计"
runs-on: ubuntu-latest
steps:
- name: "\U0001F4E5 Checkout code"
uses: actions/checkout@v4
- name: "\U0001F7E2 Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 Setup pnpm"
uses: pnpm/action-setup@v2
with:
version: "8"
- name: "\U0001F4E5 Install dependencies"
run: pnpm install --frozen-lockfile
- id: permission-audit
name: "\U0001F50D 权限配置审计"
run: |
cd backend
npm run audit:permission --json 2>&1 | tee permission-audit.json
continue-on-error: true
- name: "\U0001F4CA 上传权限审计报告"
uses: actions/upload-artifact@v4
with:
name: permission-audit-report
path: backend/permission-audit.json
timeout-minutes: "10"
...
|
permission-security
|
null
|
["ubuntu-latest"]
|
6747
|
2
|
1773832251
|
1773832272
|
1773831748
|
1773832272
|
|
0
|
|
0
|
Edit
Delete
|
|
7833
|
6702
|
6
|
5
|
e112d45af414e4862c0328abad7c4df74d3c1dbf
|
0
|
🛡️ RLS 覆盖分析
|
1
|
name: Database Security Audit
"on":
pu name: Database Security Audit
"on":
push:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
pull_request:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
schedule:
# 每天凌晨 2 点执行完整审计
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
full_audit:
description: '执行完整审计(包含 RLS 迁移建议)'
required: false
default: 'false'
type: boolean
env:
NODE_VERSION: "18"
jobs:
rls-coverage:
name: "\U0001F6E1️ RLS 覆盖分析"
runs-on: ubuntu-latest
steps:
- name: "\U0001F4E5 Checkout code"
uses: actions/checkout@v4
- name: "\U0001F7E2 Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 Setup pnpm"
uses: pnpm/action-setup@v2
with:
version: "8"
- name: "\U0001F4E5 Install dependencies"
run: pnpm install --frozen-lockfile
- id: rls-analysis
name: "\U0001F50D RLS 策略分析"
run: |
cd backend
npm run rls:analyze 2>&1 | tee rls-analysis.log
# 提取覆盖率
COVERAGE=$(grep -oP 'RLS 覆盖率: \K[\d.]+%' rls-analysis.log || echo "0%")
echo "coverage=$COVERAGE" >> $GITHUB_OUTPUT
- name: "\U0001F4CA 上传 RLS 分析报告"
uses: actions/upload-artifact@v4
with:
name: rls-coverage-report
path: backend/rls-analysis.log
- name: "\U0001F4C8 RLS 覆盖率检查"
run: |
COVERAGE="${{ steps.rls-analysis.outputs.coverage }}"
echo "当前 RLS 覆盖率: $COVERAGE"
# 提取数字部分
PERCENT=$(echo $COVERAGE | grep -oP '[\d.]+' || echo "0")
if (( $(echo "$PERCENT < 80" | bc -l) )); then
echo "::warning::RLS 覆盖率低于 80%,建议增加 RLS 策略"
fi
timeout-minutes: "10"
...
|
rls-coverage
|
null
|
["ubuntu-latest"]
|
6746
|
2
|
1773832230
|
1773832250
|
1773831748
|
1773832251
|
|
0
|
|
0
|
Edit
Delete
|
|
7832
|
6702
|
6
|
5
|
e112d45af414e4862c0328abad7c4df74d3c1dbf
|
0
|
⚡ N+1 查询检测
|
1
|
name: Database Security Audit
"on":
pu name: Database Security Audit
"on":
push:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
pull_request:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
schedule:
# 每天凌晨 2 点执行完整审计
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
full_audit:
description: '执行完整审计(包含 RLS 迁移建议)'
required: false
default: 'false'
type: boolean
env:
NODE_VERSION: "18"
jobs:
n1-query-detection:
name: ⚡ N+1 查询检测
runs-on: ubuntu-latest
steps:
- name: "\U0001F4E5 Checkout code"
uses: actions/checkout@v4
- name: "\U0001F7E2 Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 Setup pnpm"
uses: pnpm/action-setup@v2
with:
version: "8"
- name: "\U0001F4E5 Install dependencies"
run: pnpm install --frozen-lockfile
- id: n1-audit
name: "\U0001F50D N+1 查询检测"
run: |
cd backend
npm run audit:n1 --fix 2>&1 | tee n1-audit.log
# 提取 HIGH 问题数量
HIGH_COUNT=$(grep -c "HIGH" n1-audit.log || echo "0")
echo "high_count=$HIGH_COUNT" >> $GITHUB_OUTPUT
- name: "\U0001F4CA 上传 N+1 报告"
uses: actions/upload-artifact@v4
with:
name: n1-query-report
path: backend/n1-audit.log
- if: steps.n1-audit.outputs.high_count > 0
name: ⚠️ N+1 问题警告
run: |
echo "::warning::发现 ${{ steps.n1-audit.outputs.high_count }} 个 HIGH 级别 N+1 查询问题"
timeout-minutes: "10"
...
|
n1-query-detection
|
null
|
["ubuntu-latest"]
|
6745
|
2
|
1773832209
|
1773832229
|
1773831748
|
1773832229
|
|
0
|
|
0
|
Edit
Delete
|
|
7831
|
6702
|
6
|
5
|
e112d45af414e4862c0328abad7c4df74d3c1dbf
|
0
|
🔒 多租户安全审计
|
1
|
name: Database Security Audit
"on":
pu name: Database Security Audit
"on":
push:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
pull_request:
branches: [main, develop]
paths:
- 'backend/src/**/*.ts'
- 'backend/prisma/**'
schedule:
# 每天凌晨 2 点执行完整审计
- cron: '0 2 * * *'
workflow_dispatch:
inputs:
full_audit:
description: '执行完整审计(包含 RLS 迁移建议)'
required: false
default: 'false'
type: boolean
env:
NODE_VERSION: "18"
jobs:
tenant-security:
name: "\U0001F512 多租户安全审计"
runs-on: ubuntu-latest
steps:
- name: "\U0001F4E5 Checkout code"
uses: actions/checkout@v4
- name: "\U0001F7E2 Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
- name: "\U0001F4E6 Setup pnpm"
uses: pnpm/action-setup@v2
with:
version: "8"
- name: "\U0001F4E5 Install dependencies"
run: pnpm install --frozen-lockfile
- id: tenant-audit
name: "\U0001F50D 多租户隔离检查"
run: |
cd backend
npm run audit:tenant 2>&1 | tee tenant-audit.log
# 检查是否有 P0 级别问题
if grep -q "P0" tenant-audit.log; then
echo "has_p0_issues=true" >> $GITHUB_OUTPUT
else
echo "has_p0_issues=false" >> $GITHUB_OUTPUT
fi
- name: "\U0001F4CA 上传审计报告"
uses: actions/upload-artifact@v4
with:
name: tenant-security-report
path: backend/tenant-audit.log
- if: steps.tenant-audit.outputs.has_p0_issues == 'true'
name: ❌ P0 问题阻断
run: |
echo "::error::发现 P0 级别多租户安全问题,禁止合并!"
exit 1
timeout-minutes: "15"
...
|
tenant-security
|
null
|
["ubuntu-latest"]
|
6744
|
2
|
1773832182
|
1773832208
|
1773831748
|
1773832209
|
|
0
|
|
0
|
Edit
Delete
|
|
7815
|
6701
|
6
|
5
|
e112d45af414e4862c0328abad7c4df74d3c1dbf
|
0
|
安装依赖
|
1
|
name: CI
"on":
push:
branches: name: CI
"on":
push:
branches: [main, develop, 'feature/**', 'claude/**']
pull_request:
branches: [main, develop]
env:
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
setup:
name: 安装依赖
runs-on: ubuntu-latest
steps:
- name: 检出代码
uses: actions/checkout@v4
- name: 安装 pnpm
uses: pnpm/action-setup@v4
with:
version: ${{ env.PNPM_VERSION }}
- name: 设置 Node.js
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: 安装依赖
run: pnpm install --frozen-lockfile
- name: 构建共享包
run: pnpm --filter @juhi/shared run build
- name: 缓存 node_modules
uses: actions/cache/save@v4
with:
key: deps-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }}
path: |
node_modules
backend/node_modules
frontend/node_modules
mobile/node_modules
shared/node_modules
shared/dist
e2e/node_modules
...
|
setup
|
null
|
["ubuntu-latest"]
|
6743
|
2
|
1773832157
|
1773832182
|
1773831747
|
1773832182
|
|
0
|
|
0
|
Edit
Delete
|
|
7814
|
6701
|
6
|
5
|
e112d45af414e4862c0328abad7c4df74d3c1dbf
|
0
|
检测代码变更
|
1
|
name: CI
"on":
push:
branches: name: CI
"on":
push:
branches: [main, develop, 'feature/**', 'claude/**']
pull_request:
branches: [main, develop]
env:
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
detect-changes:
name: 检测代码变更
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- id: filter
uses: dorny/paths-filter@v3
with:
filters: |
backend:
- 'backend/**'
- 'shared/**'
frontend:
- 'frontend/**'
- 'shared/**'
mobile:
- 'mobile/**'
- 'shared/**'
shared:
- 'shared/**'
workflows:
- '.github/workflows/**'
outputs:
backend: ${{ steps.filter.outputs.backend }}
frontend: ${{ steps.filter.outputs.frontend }}
mobile: ${{ steps.filter.outputs.mobile }}
shared: ${{ steps.filter.outputs.shared }}
workflows: ${{ steps.filter.outputs.workflows }}
...
|
detect-changes
|
null
|
["ubuntu-latest"]
|
6742
|
2
|
1773831748
|
1773832156
|
1773831747
|
1773832156
|
|
0
|
|
0
|
Edit
Delete
|
|
7735
|
6637
|
6
|
5
|
546fbeca78809fbcac00c1eef45705beea0bc71f
|
0
|
安装依赖
|
1
|
name: CI
"on":
push:
branches: name: CI
"on":
push:
branches: [main, develop, 'feature/**', 'claude/**']
pull_request:
branches: [main, develop]
env:
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
setup:
name: 安装依赖
runs-on: ubuntu-latest
steps:
- name: 检出代码
uses: actions/checkout@v4
- name: 安装 pnpm
uses: pnpm/action-setup@v4
with:
version: ${{ env.PNPM_VERSION }}
- name: 设置 Node.js
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: 安装依赖
run: pnpm install --frozen-lockfile
- name: 构建共享包
run: pnpm --filter @juhi/shared run build
- name: 缓存 node_modules
uses: actions/cache/save@v4
with:
key: deps-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }}
path: |
node_modules
backend/node_modules
frontend/node_modules
mobile/node_modules
shared/node_modules
shared/dist
e2e/node_modules
...
|
setup
|
null
|
["ubuntu-latest"]
|
6676
|
2
|
1773811767
|
1773811858
|
1773811675
|
1773811858
|
NULL
|
NULL
|
|
0
|
Edit
Delete
|
|
7734
|
6637
|
6
|
5
|
546fbeca78809fbcac00c1eef45705beea0bc71f
|
0
|
检测代码变更
|
1
|
name: CI
"on":
push:
branches: name: CI
"on":
push:
branches: [main, develop, 'feature/**', 'claude/**']
pull_request:
branches: [main, develop]
env:
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
detect-changes:
name: 检测代码变更
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- id: filter
uses: dorny/paths-filter@v3
with:
filters: |
backend:
- 'backend/**'
- 'shared/**'
frontend:
- 'frontend/**'
- 'shared/**'
mobile:
- 'mobile/**'
- 'shared/**'
shared:
- 'shared/**'
workflows:
- '.github/workflows/**'
outputs:
backend: ${{ steps.filter.outputs.backend }}
frontend: ${{ steps.filter.outputs.frontend }}
mobile: ${{ steps.filter.outputs.mobile }}
shared: ${{ steps.filter.outputs.shared }}
workflows: ${{ steps.filter.outputs.workflows }}
...
|
detect-changes
|
null
|
["ubuntu-latest"]
|
6675
|
2
|
1773811676
|
1773811767
|
1773811675
|
1773811767
|
NULL
|
NULL
|
|
0
|
Edit
Delete
|
|
7530
|
6448
|
6
|
5
|
607365e90475966d498a4cbc9738e9b8a8f511b1
|
0
|
安装依赖
|
1
|
name: CI
"on":
push:
branches: name: CI
"on":
push:
branches: [main, develop, 'feature/**', 'claude/**']
pull_request:
branches: [main, develop]
env:
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
setup:
name: 安装依赖
runs-on: ubuntu-latest
steps:
- name: 检出代码
uses: actions/checkout@v4
- name: 安装 pnpm
uses: pnpm/action-setup@v4
with:
version: ${{ env.PNPM_VERSION }}
- name: 设置 Node.js
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: 安装依赖
run: pnpm install --frozen-lockfile
- name: 构建共享包
run: pnpm --filter @juhi/shared run build
- name: 缓存 node_modules
uses: actions/cache/save@v4
with:
key: deps-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }}
path: |
node_modules
backend/node_modules
frontend/node_modules
mobile/node_modules
shared/node_modules
shared/dist
e2e/node_modules
...
|
setup
|
null
|
["ubuntu-latest"]
|
6484
|
2
|
1773755274
|
1773755288
|
1773755259
|
1773755288
|
NULL
|
NULL
|
|
0
|
Edit
Delete
|
|
7508
|
6442
|
6
|
5
|
68f0e1e26e6d6bd34f17a1bcb704c42d148f0ad5
|
0
|
安装依赖
|
1
|
name: CI
"on":
push:
branches: name: CI
"on":
push:
branches: [main, develop, 'feature/**', 'claude/**']
pull_request:
branches: [main, develop]
env:
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
setup:
name: 安装依赖
runs-on: ubuntu-latest
steps:
- name: 检出代码
uses: actions/checkout@v4
- name: 安装 pnpm
uses: pnpm/action-setup@v4
with:
version: ${{ env.PNPM_VERSION }}
- name: 设置 Node.js
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: 安装依赖
run: pnpm install --frozen-lockfile
- name: 构建共享包
run: pnpm --filter @juhi/shared run build
- name: 缓存 node_modules
uses: actions/cache/save@v4
with:
key: deps-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }}
path: |
node_modules
backend/node_modules
frontend/node_modules
mobile/node_modules
shared/node_modules
shared/dist
e2e/node_modules
...
|
setup
|
null
|
["ubuntu-latest"]
|
6475
|
2
|
1773753861
|
1773753876
|
1773753846
|
1773753876
|
NULL
|
NULL
|
|
0
|
Edit
Delete
|
|
7488
|
6438
|
6
|
5
|
d761bda761335047b47a9c6b4829d3bcfacbb2c9
|
0
|
安装依赖
|
1
|
name: CI
"on":
push:
branches: name: CI
"on":
push:
branches: [main, develop, 'feature/**', 'claude/**']
pull_request:
branches: [main, develop]
env:
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
setup:
name: 安装依赖
runs-on: ubuntu-latest
steps:
- name: 检出代码
uses: actions/checkout@v4
- name: 安装 pnpm
uses: pnpm/action-setup@v4
with:
version: ${{ env.PNPM_VERSION }}
- name: 设置 Node.js
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: 安装依赖
run: pnpm install --frozen-lockfile
- name: 构建共享包
run: pnpm --filter @juhi/shared run build
- name: 缓存 node_modules
uses: actions/cache/save@v4
with:
key: deps-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }}
path: |
node_modules
backend/node_modules
frontend/node_modules
mobile/node_modules
shared/node_modules
shared/dist
e2e/node_modules
...
|
setup
|
null
|
["ubuntu-latest"]
|
6469
|
2
|
1773752933
|
1773753345
|
1773752902
|
1773753345
|
NULL
|
NULL
|
|
0
|
Edit
Delete
|
|
7487
|
6438
|
6
|
5
|
d761bda761335047b47a9c6b4829d3bcfacbb2c9
|
0
|
检测代码变更
|
1
|
name: CI
"on":
push:
branches: name: CI
"on":
push:
branches: [main, develop, 'feature/**', 'claude/**']
pull_request:
branches: [main, develop]
env:
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
detect-changes:
name: 检测代码变更
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- id: filter
uses: dorny/paths-filter@v3
with:
filters: |
backend:
- 'backend/**'
- 'shared/**'
frontend:
- 'frontend/**'
- 'shared/**'
mobile:
- 'mobile/**'
- 'shared/**'
shared:
- 'shared/**'
workflows:
- '.github/workflows/**'
outputs:
backend: ${{ steps.filter.outputs.backend }}
frontend: ${{ steps.filter.outputs.frontend }}
mobile: ${{ steps.filter.outputs.mobile }}
shared: ${{ steps.filter.outputs.shared }}
workflows: ${{ steps.filter.outputs.workflows }}
...
|
detect-changes
|
null
|
["ubuntu-latest"]
|
6468
|
2
|
1773752903
|
1773752933
|
1773752902
|
1773752933
|
NULL
|
NULL
|
|
0
|
Edit
Delete
|
|
7469
|
6435
|
6
|
5
|
e2899fe4a30c3be6afb4230ccf40447f45e903dc
|
0
|
安装依赖
|
1
|
name: CI
"on":
push:
branches: name: CI
"on":
push:
branches: [main, develop, 'feature/**', 'claude/**']
pull_request:
branches: [main, develop]
env:
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
setup:
name: 安装依赖
runs-on: ubuntu-latest
steps:
- name: 检出代码
uses: actions/checkout@v4
- name: 安装 pnpm
uses: pnpm/action-setup@v4
with:
version: ${{ env.PNPM_VERSION }}
- name: 设置 Node.js
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: 安装依赖
run: pnpm install --frozen-lockfile
- name: 构建共享包
run: pnpm --filter @juhi/shared run build
- name: 缓存 node_modules
uses: actions/cache/save@v4
with:
key: deps-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }}
path: |
node_modules
backend/node_modules
frontend/node_modules
mobile/node_modules
shared/node_modules
shared/dist
e2e/node_modules
...
|
setup
|
null
|
["ubuntu-latest"]
|
6464
|
2
|
1773752780
|
1773752871
|
1773752343
|
1773752871
|
NULL
|
NULL
|
|
0
|
Edit
Delete
|
|
7468
|
6435
|
6
|
5
|
e2899fe4a30c3be6afb4230ccf40447f45e903dc
|
0
|
检测代码变更
|
1
|
name: CI
"on":
push:
branches: name: CI
"on":
push:
branches: [main, develop, 'feature/**', 'claude/**']
pull_request:
branches: [main, develop]
env:
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
detect-changes:
name: 检测代码变更
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- id: filter
uses: dorny/paths-filter@v3
with:
filters: |
backend:
- 'backend/**'
- 'shared/**'
frontend:
- 'frontend/**'
- 'shared/**'
mobile:
- 'mobile/**'
- 'shared/**'
shared:
- 'shared/**'
workflows:
- '.github/workflows/**'
outputs:
backend: ${{ steps.filter.outputs.backend }}
frontend: ${{ steps.filter.outputs.frontend }}
mobile: ${{ steps.filter.outputs.mobile }}
shared: ${{ steps.filter.outputs.shared }}
workflows: ${{ steps.filter.outputs.workflows }}
...
|
detect-changes
|
null
|
["ubuntu-latest"]
|
6463
|
2
|
1773752345
|
1773752780
|
1773752343
|
1773752780
|
NULL
|
NULL
|
|
0
|
Edit
Delete
|
|
7448
|
6430
|
6
|
5
|
8a1f5fc17b0e1692e9da7c94fc0fd769eff89926
|
0
|
安装依赖
|
1
|
name: CI
"on":
push:
branches: name: CI
"on":
push:
branches: [main, develop, 'feature/**', 'claude/**']
pull_request:
branches: [main, develop]
env:
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
setup:
name: 安装依赖
runs-on: ubuntu-latest
steps:
- name: 检出代码
uses: actions/checkout@v4
- name: 安装 pnpm
uses: pnpm/action-setup@v4
with:
version: ${{ env.PNPM_VERSION }}
- name: 设置 Node.js
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: 安装依赖
run: pnpm install --frozen-lockfile
- name: 构建共享包
run: pnpm --filter @juhi/shared run build
- name: 缓存 node_modules
uses: actions/cache/save@v4
with:
key: deps-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }}
path: |
node_modules
backend/node_modules
frontend/node_modules
mobile/node_modules
shared/node_modules
shared/dist
e2e/node_modules
...
|
setup
|
null
|
["ubuntu-latest"]
|
6456
|
2
|
1773751116
|
1773751146
|
1773751025
|
1773751146
|
NULL
|
NULL
|
|
0
|
Edit
Delete
|
|
7447
|
6430
|
6
|
5
|
8a1f5fc17b0e1692e9da7c94fc0fd769eff89926
|
0
|
检测代码变更
|
1
|
name: CI
"on":
push:
branches: name: CI
"on":
push:
branches: [main, develop, 'feature/**', 'claude/**']
pull_request:
branches: [main, develop]
env:
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
detect-changes:
name: 检测代码变更
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- id: filter
uses: dorny/paths-filter@v3
with:
filters: |
backend:
- 'backend/**'
- 'shared/**'
frontend:
- 'frontend/**'
- 'shared/**'
mobile:
- 'mobile/**'
- 'shared/**'
shared:
- 'shared/**'
workflows:
- '.github/workflows/**'
outputs:
backend: ${{ steps.filter.outputs.backend }}
frontend: ${{ steps.filter.outputs.frontend }}
mobile: ${{ steps.filter.outputs.mobile }}
shared: ${{ steps.filter.outputs.shared }}
workflows: ${{ steps.filter.outputs.workflows }}
...
|
detect-changes
|
null
|
["ubuntu-latest"]
|
6455
|
2
|
1773751025
|
1773751116
|
1773751025
|
1773751116
|
NULL
|
NULL
|
|
0
|
Edit
Delete
|
|
7425
|
6423
|
6
|
5
|
2732364ba177bf3cf8029788b582f34689d5d9a9
|
0
|
安装依赖
|
1
|
name: CI
"on":
push:
branches: name: CI
"on":
push:
branches: [main, develop, 'feature/**', 'claude/**']
pull_request:
branches: [main, develop]
env:
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
setup:
name: 安装依赖
runs-on: ubuntu-latest
steps:
- name: 检出代码
uses: actions/checkout@v4
- name: 安装 pnpm
uses: pnpm/action-setup@v4
with:
version: ${{ env.PNPM_VERSION }}
- name: 设置 Node.js
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: 安装依赖
run: pnpm install --frozen-lockfile
- name: 构建共享包
run: pnpm --filter @juhi/shared run build
- name: 缓存 node_modules
uses: actions/cache/save@v4
with:
key: deps-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }}
path: |
node_modules
backend/node_modules
frontend/node_modules
mobile/node_modules
shared/node_modules
shared/dist
e2e/node_modules
...
|
setup
|
null
|
["ubuntu-latest"]
|
6446
|
2
|
1773749352
|
1773749367
|
1773749337
|
1773749367
|
NULL
|
NULL
|
|
0
|
Edit
Delete
|
|
7423
|
6422
|
2
|
2
|
1ef6ab81eeec77f3d60f54a3af5c9a6f46332a89
|
0
|
deploy
|
1
|
name: Smart Deploy via Rsync Daemon
"on": name: Smart Deploy via Rsync Daemon
"on": [push]
jobs:
deploy:
name: deploy
runs-on: ubuntu-latest
steps:
- name: Checkout code manually
run: |
# 调试输出
echo "GITEA_HOST: $GITEA_HOST"
echo "GITHUB_REPOSITORY: ${{ github.repository }}"
echo "GITHUB_SHA: ${{ github.sha }}"
if [ -z "$GITEA_HOST" ]; then
echo "❌ GITEA_HOST secret is missing!"
exit 1
fi
# 使用 github 上下文变量
REPO="${{ github.repository }}"
SHA="${{ github.sha }}"
if [ -z "$REPO" ] || [ -z "$SHA" ]; then
echo "❌ Missing GITHUB_REPOSITORY or GITHUB_SHA"
exit 1
fi
REPO_URL="https://${GITEA_TOKEN}@${GITEA_HOST}/${REPO}.git"
echo "Cloning from: ${REPO_URL//${GITEA_TOKEN}/***REDACTED***} (SHA: $SHA)"
git init
git remote add origin "$REPO_URL"
git fetch --depth=2 origin "$SHA"
git checkout "$SHA"
env:
GITEA_HOST: ${{ secrets.GITEAS_HOST }}
GITEA_TOKEN: ${{ secrets.GITEAS_TOKEN }}
- name: Prepare rsync password file (HARDCODED for test)
run: |
echo "m9QNiLJ8LIqBozXwmsoKdNXa23xia34R" > /tmp/rsync.pass
chmod 600 /tmp/rsync.pass
echo "✅ /tmp/rsync.pass created with password 'm9QNiLJ8LIqBozXwmsoKdNXa23xia34R'"
- name: Get commit message and decide sync mode
run: "COMMIT_MSG=$(git log -1 --pretty=%B | head -n1)\necho \"Commit message: $COMMIT_MSG\"\n\nRSYNC_TARGET=\"rsync://${RSYNC_USER}@${RSYNC_HOST}/${RSYNC_MODULE}/\"\n\nif [[ \"$COMMIT_MSG\" == *\"全量同步\"* ]] || [[ \"$COMMIT_MSG\" == *\"full sync\"* ]]; then\n echo \"\U0001F50D Full sync requested...\"\n /usr/bin/rsync -avz --no-owner --no-group --delete \\\n --exclude='.git' \\\n --exclude='.gitea' \\\n --exclude='node_modules/' \\\n --password-file=/tmp/rsync.pass \\\n ./ \\\n \"$RSYNC_TARGET\"\nelse\n echo \"\U0001F504 Incremental sync...\"\n\n if git rev-parse HEAD~1 >/dev/null 2>&1; then\n git diff --name-only HEAD~1 HEAD > /tmp/changed.txt\n else\n find . -type f -not -path './.git/*' -not -path './.gitea/*' | sed 's|^\\./||' > /tmp/changed.txt\n fi\n\n if [ -s /tmp/changed.txt ]; then\n echo \"Files to sync:\"\n cat /tmp/changed.txt\n\n /usr/bin/rsync -avz --no-owner --no-group --relative \\\n --files-from=/tmp/changed.txt \\\n --password-file=/tmp/rsync.pass \\\n ./ \\\n \"$RSYNC_TARGET\"\n else\n echo \"✅ No files changed.\"\n fi\nfi\n"
env:
RSYNC_HOST: "172.17.70.241"
RSYNC_USER: "ahead_rsync_user"
RSYNC_MODULE: "ftp"
- if: always()
name: Clean up
run: rm -f /tmp/rsync.pass
...
|
deploy
|
null
|
["ubuntu-latest"]
|
6444
|
2
|
1773749178
|
1773749180
|
1773749176
|
1773749180
|
NULL
|
NULL
|
|
0
|
Edit
Delete
|
|
7420
|
6419
|
2
|
2
|
ea6cb146adc009a4840c052e3c31d888ced32f24
|
0
|
deploy
|
1
|
name: Smart Deploy via Rsync Daemon
"on": name: Smart Deploy via Rsync Daemon
"on": [push]
jobs:
deploy:
name: deploy
runs-on: ubuntu-latest
steps:
- name: Checkout code manually
run: |
# 调试输出
echo "GITEA_HOST: $GITEA_HOST"
echo "GITHUB_REPOSITORY: ${{ github.repository }}"
echo "GITHUB_SHA: ${{ github.sha }}"
if [ -z "$GITEA_HOST" ]; then
echo "❌ GITEA_HOST secret is missing!"
exit 1
fi
# 使用 github 上下文变量
REPO="${{ github.repository }}"
SHA="${{ github.sha }}"
if [ -z "$REPO" ] || [ -z "$SHA" ]; then
echo "❌ Missing GITHUB_REPOSITORY or GITHUB_SHA"
exit 1
fi
REPO_URL="https://${GITEA_TOKEN}@${GITEA_HOST}/${REPO}.git"
echo "Cloning from: ${REPO_URL//${GITEA_TOKEN}/***REDACTED***} (SHA: $SHA)"
git init
git remote add origin "$REPO_URL"
git fetch --depth=2 origin "$SHA"
git checkout "$SHA"
env:
GITEA_HOST: ${{ secrets.GITEAS_HOST }}
GITEA_TOKEN: ${{ secrets.GITEAS_TOKEN }}
- name: Prepare rsync password file (HARDCODED for test)
run: |
echo "m9QNiLJ8LIqBozXwmsoKdNXa23xia34R" > /tmp/rsync.pass
chmod 600 /tmp/rsync.pass
echo "✅ /tmp/rsync.pass created with password 'm9QNiLJ8LIqBozXwmsoKdNXa23xia34R'"
- name: Get commit message and decide sync mode
run: "COMMIT_MSG=$(git log -1 --pretty=%B | head -n1)\necho \"Commit message: $COMMIT_MSG\"\n\nRSYNC_TARGET=\"rsync://${RSYNC_USER}@${RSYNC_HOST}/${RSYNC_MODULE}/\"\n\nif [[ \"$COMMIT_MSG\" == *\"全量同步\"* ]] || [[ \"$COMMIT_MSG\" == *\"full sync\"* ]]; then\n echo \"\U0001F50D Full sync requested...\"\n /usr/bin/rsync -avz --no-owner --no-group --delete \\\n --exclude='.git' \\\n --exclude='.gitea' \\\n --exclude='node_modules/' \\\n --password-file=/tmp/rsync.pass \\\n ./ \\\n \"$RSYNC_TARGET\"\nelse\n echo \"\U0001F504 Incremental sync...\"\n\n if git rev-parse HEAD~1 >/dev/null 2>&1; then\n git diff --name-only HEAD~1 HEAD > /tmp/changed.txt\n else\n find . -type f -not -path './.git/*' -not -path './.gitea/*' | sed 's|^\\./||' > /tmp/changed.txt\n fi\n\n if [ -s /tmp/changed.txt ]; then\n echo \"Files to sync:\"\n cat /tmp/changed.txt\n\n /usr/bin/rsync -avz --no-owner --no-group --relative \\\n --files-from=/tmp/changed.txt \\\n --password-file=/tmp/rsync.pass \\\n ./ \\\n \"$RSYNC_TARGET\"\n else\n echo \"✅ No files changed.\"\n fi\nfi\n"
env:
RSYNC_HOST: "172.17.70.241"
RSYNC_USER: "ahead_rsync_user"
RSYNC_MODULE: "ftp"
- if: always()
name: Clean up
run: rm -f /tmp/rsync.pass
...
|
deploy
|
null
|
["ubuntu-latest"]
|
6441
|
2
|
1773748565
|
1773748567
|
1773748565
|
1773748568
|
NULL
|
NULL
|
|
0
|
Edit
Delete
|
|
7418
|
6417
|
2
|
2
|
b6f9b8218b26c820d37dd7cf6b2c406afbf656aa
|
0
|
deploy
|
1
|
name: Smart Deploy via Rsync Daemon
"on": name: Smart Deploy via Rsync Daemon
"on": [push]
jobs:
deploy:
name: deploy
runs-on: ubuntu-latest
steps:
- name: Checkout code manually
run: |
# 调试输出
echo "GITEA_HOST: $GITEA_HOST"
echo "GITHUB_REPOSITORY: ${{ github.repository }}"
echo "GITHUB_SHA: ${{ github.sha }}"
if [ -z "$GITEA_HOST" ]; then
echo "❌ GITEA_HOST secret is missing!"
exit 1
fi
# 使用 github 上下文变量
REPO="${{ github.repository }}"
SHA="${{ github.sha }}"
if [ -z "$REPO" ] || [ -z "$SHA" ]; then
echo "❌ Missing GITHUB_REPOSITORY or GITHUB_SHA"
exit 1
fi
REPO_URL="https://${GITEA_TOKEN}@${GITEA_HOST}/${REPO}.git"
echo "Cloning from: ${REPO_URL//${GITEA_TOKEN}/***REDACTED***} (SHA: $SHA)"
git init
git remote add origin "$REPO_URL"
git fetch --depth=2 origin "$SHA"
git checkout "$SHA"
env:
GITEA_HOST: ${{ secrets.GITEAS_HOST }}
GITEA_TOKEN: ${{ secrets.GITEAS_TOKEN }}
- name: Prepare rsync password file (HARDCODED for test)
run: |
echo "m9QNiLJ8LIqBozXwmsoKdNXa23xia34R" > /tmp/rsync.pass
chmod 600 /tmp/rsync.pass
echo "✅ /tmp/rsync.pass created with password 'm9QNiLJ8LIqBozXwmsoKdNXa23xia34R'"
- name: Get commit message and decide sync mode
run: "COMMIT_MSG=$(git log -1 --pretty=%B | head -n1)\necho \"Commit message: $COMMIT_MSG\"\n\n# 提取分支名,去掉 refs/heads/ 前缀,并将斜杠替换为连字符(避免路径歧义)\nBRANCH_NAME=\"${{ github.ref_name }}\"\nBRANCH_NAME=\"${BRANCH_NAME//\\//-}\"\necho \"Branch: $BRANCH_NAME\"\n\nRSYNC_TARGET=\"rsync://${RSYNC_USER}@${RSYNC_HOST}/${RSYNC_MODULE}/${BRANCH_NAME}/\"\necho \"Sync target: $RSYNC_TARGET\"\n\nif [[ \"$COMMIT_MSG\" == *\"全量同步\"* ]] || [[ \"$COMMIT_MSG\" == *\"full sync\"* ]]; then\n echo \"\U0001F50D Full sync requested...\"\n /usr/bin/rsync -avz --no-owner --no-group --delete \\\n --exclude='.git' \\\n --exclude='.gitea' \\\n --exclude='node_modules/' \\\n --password-file=/tmp/rsync.pass \\\n ./ \\\n \"$RSYNC_TARGET\"\nelse\n echo \"\U0001F504 Incremental sync...\"\n\n if git rev-parse HEAD~1 >/dev/null 2>&1; then\n git diff --name-only HEAD~1 HEAD > /tmp/changed.txt\n else\n find . -type f -not -path './.git/*' -not -path './.gitea/*' | sed 's|^\\./||' > /tmp/changed.txt\n fi\n\n if [ -s /tmp/changed.txt ]; then\n echo \"Files to sync:\"\n cat /tmp/changed.txt\n\n /usr/bin/rsync -avz --no-owner --no-group --relative \\\n --files-from=/tmp/changed.txt \\\n --password-file=/tmp/rsync.pass \\\n ./ \\\n \"$RSYNC_TARGET\"\n else\n echo \"✅ No files changed.\"\n fi\nfi\n"
env:
RSYNC_HOST: "172.17.70.241"
RSYNC_USER: "ahead_rsync_user"
RSYNC_MODULE: "ftp"
- if: always()
name: Clean up
run: rm -f /tmp/rsync.pass
...
|
deploy
|
null
|
["ubuntu-latest"]
|
6439
|
2
|
1773748513
|
1773748515
|
1773748512
|
1773748515
|
NULL
|
NULL
|
|
0
|
Edit
Delete
|
|
7416
|
6415
|
2
|
2
|
b678da8d00cf7b8be2141acd5482811386dc834c
|
0
|
deploy
|
1
|
name: Smart Deploy via Rsync Daemon
"on": name: Smart Deploy via Rsync Daemon
"on": [push]
jobs:
deploy:
name: deploy
runs-on: ubuntu-latest
steps:
- name: Checkout code manually
run: |
# 调试输出
echo "GITEA_HOST: $GITEA_HOST"
echo "GITHUB_REPOSITORY: ${{ github.repository }}"
echo "GITHUB_SHA: ${{ github.sha }}"
if [ -z "$GITEA_HOST" ]; then
echo "❌ GITEA_HOST secret is missing!"
exit 1
fi
# 使用 github 上下文变量
REPO="${{ github.repository }}"
SHA="${{ github.sha }}"
if [ -z "$REPO" ] || [ -z "$SHA" ]; then
echo "❌ Missing GITHUB_REPOSITORY or GITHUB_SHA"
exit 1
fi
REPO_URL="https://${GITEA_TOKEN}@${GITEA_HOST}/${REPO}.git"
echo "Cloning from: ${REPO_URL//${GITEA_TOKEN}/***REDACTED***} (SHA: $SHA)"
git init
git remote add origin "$REPO_URL"
git fetch --depth=2 origin "$SHA"
git checkout "$SHA"
env:
GITEA_HOST: ${{ secrets.GITEAS_HOST }}
GITEA_TOKEN: ${{ secrets.GITEAS_TOKEN }}
- name: Prepare rsync password file (HARDCODED for test)
run: |
echo "m9QNiLJ8LIqBozXwmsoKdNXa23xia34R" > /tmp/rsync.pass
chmod 600 /tmp/rsync.pass
echo "✅ /tmp/rsync.pass created with password 'm9QNiLJ8LIqBozXwmsoKdNXa23xia34R'"
- name: Get commit message and decide sync mode
run: "COMMIT_MSG=$(git log -1 --pretty=%B | head -n1)\necho \"Commit message: $COMMIT_MSG\"\n\nRSYNC_TARGET=\"rsync://${RSYNC_USER}@${RSYNC_HOST}/${RSYNC_MODULE}/\"\n\nif [[ \"$COMMIT_MSG\" == *\"全量同步\"* ]] || [[ \"$COMMIT_MSG\" == *\"full sync\"* ]]; then\n echo \"\U0001F50D Full sync requested...\"\n /usr/bin/rsync -avz --no-owner --no-group --delete \\\n --exclude='.git' \\\n --exclude='.gitea' \\\n --exclude='node_modules/' \\\n --password-file=/tmp/rsync.pass \\\n ./ \\\n \"$RSYNC_TARGET\"\nelse\n echo \"\U0001F504 Incremental sync...\"\n\n if git rev-parse HEAD~1 >/dev/null 2>&1; then\n git diff --name-only HEAD~1 HEAD > /tmp/changed.txt\n else\n find . -type f -not -path './.git/*' -not -path './.gitea/*' | sed 's|^\\./||' > /tmp/changed.txt\n fi\n\n if [ -s /tmp/changed.txt ]; then\n echo \"Files to sync:\"\n cat /tmp/changed.txt\n\n /usr/bin/rsync -avz --no-owner --no-group --relative \\\n --files-from=/tmp/changed.txt \\\n --password-file=/tmp/rsync.pass \\\n ./ \\\n \"$RSYNC_TARGET\"\n else\n echo \"✅ No files changed.\"\n fi\nfi\n"
env:
RSYNC_HOST: "172.17.70.241"
RSYNC_USER: "ahead_rsync_user"
RSYNC_MODULE: "ftp"
- if: always()
name: Clean up
run: rm -f /tmp/rsync.pass
...
|
deploy
|
null
|
["ubuntu-latest"]
|
6437
|
2
|
1773748066
|
1773748068
|
1773748064
|
1773748068
|
NULL
|
NULL
|
|
0
|
Edit
Delete
|
|
7412
|
6411
|
2
|
2
|
62eaedf1e6d2116287bf82d324ff642f894551b9
|
0
|
deploy
|
1
|
name: Smart Deploy via Rsync Daemon
"on": name: Smart Deploy via Rsync Daemon
"on": [push]
jobs:
deploy:
name: deploy
runs-on: ubuntu-latest
steps:
- name: Checkout code manually
run: |
# 调试输出
echo "GITEA_HOST: $GITEA_HOST"
echo "GITHUB_REPOSITORY: ${{ github.repository }}"
echo "GITHUB_SHA: ${{ github.sha }}"
if [ -z "$GITEA_HOST" ]; then
echo "❌ GITEA_HOST secret is missing!"
exit 1
fi
# 使用 github 上下文变量
REPO="${{ github.repository }}"
SHA="${{ github.sha }}"
if [ -z "$REPO" ] || [ -z "$SHA" ]; then
echo "❌ Missing GITHUB_REPOSITORY or GITHUB_SHA"
exit 1
fi
REPO_URL="https://${GITEA_TOKEN}@${GITEA_HOST}/${REPO}.git"
echo "Cloning from: ${REPO_URL//${GITEA_TOKEN}/***REDACTED***} (SHA: $SHA)"
git init
git remote add origin "$REPO_URL"
git fetch --depth=2 origin "$SHA"
git checkout "$SHA"
env:
GITEA_HOST: ${{ secrets.GITEAS_HOST }}
GITEA_TOKEN: ${{ secrets.GITEAS_TOKEN }}
- name: Prepare rsync password file (HARDCODED for test)
run: |
echo "m9QNiLJ8LIqBozXwmsoKdNXa23xia34R" > /tmp/rsync.pass
chmod 600 /tmp/rsync.pass
echo "✅ /tmp/rsync.pass created with password 'm9QNiLJ8LIqBozXwmsoKdNXa23xia34R'"
- name: Get commit message and decide sync mode
run: "COMMIT_MSG=$(git log -1 --pretty=%B | head -n1)\necho \"Commit message: $COMMIT_MSG\"\n\nRSYNC_TARGET=\"rsync://${RSYNC_USER}@${RSYNC_HOST}/${RSYNC_MODULE}/\"\n\nif [[ \"$COMMIT_MSG\" == *\"全量同步\"* ]] || [[ \"$COMMIT_MSG\" == *\"full sync\"* ]]; then\n echo \"\U0001F50D Full sync requested...\"\n /usr/bin/rsync -avz --no-owner --no-group --delete \\\n --exclude='.git' \\\n --exclude='.gitea' \\\n --exclude='node_modules/' \\\n --password-file=/tmp/rsync.pass \\\n ./ \\\n \"$RSYNC_TARGET\"\nelse\n echo \"\U0001F504 Incremental sync...\"\n\n if git rev-parse HEAD~1 >/dev/null 2>&1; then\n git diff --name-only HEAD~1 HEAD > /tmp/changed.txt\n else\n find . -type f -not -path './.git/*' -not -path './.gitea/*' | sed 's|^\\./||' > /tmp/changed.txt\n fi\n\n if [ -s /tmp/changed.txt ]; then\n echo \"Files to sync:\"\n cat /tmp/changed.txt\n\n /usr/bin/rsync -avz --no-owner --no-group --relative \\\n --files-from=/tmp/changed.txt \\\n --password-file=/tmp/rsync.pass \\\n ./ \\\n \"$RSYNC_TARGET\"\n else\n echo \"✅ No files changed.\"\n fi\nfi\n"
env:
RSYNC_HOST: "172.17.70.241"
RSYNC_USER: "ahead_rsync_user"
RSYNC_MODULE: "ftp"
- if: always()
name: Clean up
run: rm -f /tmp/rsync.pass
...
|
deploy
|
null
|
["ubuntu-latest"]
|
6433
|
2
|
1773747236
|
1773747238
|
1773747235
|
1773747238
|
NULL
|
NULL
|
|
0
|
Edit
Delete
|
|
7390
|
6404
|
6
|
5
|
cf72cf544ca2a256fc4024e735a4c2e127aa6e39
|
0
|
安装依赖
|
1
|
name: CI
"on":
push:
branches: name: CI
"on":
push:
branches: [main, develop, 'feature/**', 'claude/**']
pull_request:
branches: [main, develop]
env:
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
setup:
name: 安装依赖
runs-on: ubuntu-latest
steps:
- name: 检出代码
uses: actions/checkout@v4
- name: 安装 pnpm
uses: pnpm/action-setup@v4
with:
version: ${{ env.PNPM_VERSION }}
- name: 设置 Node.js
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: 安装依赖
run: pnpm install --frozen-lockfile
- name: 构建共享包
run: pnpm --filter @juhi/shared run build
- name: 缓存 node_modules
uses: actions/cache/save@v4
with:
key: deps-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }}
path: |
node_modules
backend/node_modules
frontend/node_modules
mobile/node_modules
shared/node_modules
shared/dist
e2e/node_modules
...
|
setup
|
null
|
["ubuntu-latest"]
|
6424
|
2
|
1773745353
|
1773745755
|
1773745261
|
1773745755
|
NULL
|
NULL
|
|
0
|
Edit
Delete
|
|
7389
|
6404
|
6
|
5
|
cf72cf544ca2a256fc4024e735a4c2e127aa6e39
|
0
|
检测代码变更
|
1
|
name: CI
"on":
push:
branches: name: CI
"on":
push:
branches: [main, develop, 'feature/**', 'claude/**']
pull_request:
branches: [main, develop]
env:
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
detect-changes:
name: 检测代码变更
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- id: filter
uses: dorny/paths-filter@v3
with:
filters: |
backend:
- 'backend/**'
- 'shared/**'
frontend:
- 'frontend/**'
- 'shared/**'
mobile:
- 'mobile/**'
- 'shared/**'
shared:
- 'shared/**'
workflows:
- '.github/workflows/**'
outputs:
backend: ${{ steps.filter.outputs.backend }}
frontend: ${{ steps.filter.outputs.frontend }}
mobile: ${{ steps.filter.outputs.mobile }}
shared: ${{ steps.filter.outputs.shared }}
workflows: ${{ steps.filter.outputs.workflows }}
...
|
detect-changes
|
null
|
["ubuntu-latest"]
|
6423
|
2
|
1773745262
|
1773745353
|
1773745261
|
1773745353
|
NULL
|
NULL
|
|
0
|
Edit
Delete
|
|
7368
|
6398
|
6
|
5
|
1bbe0e31bce6079667ac188e55066ae94e1938fb
|
0
|
安装依赖
|
1
|
name: CI
"on":
push:
branches: name: CI
"on":
push:
branches: [main, develop, 'feature/**', 'claude/**']
pull_request:
branches: [main, develop]
env:
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
setup:
name: 安装依赖
runs-on: ubuntu-latest
steps:
- name: 检出代码
uses: actions/checkout@v4
- name: 安装 pnpm
uses: pnpm/action-setup@v4
with:
version: ${{ env.PNPM_VERSION }}
- name: 设置 Node.js
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: 安装依赖
run: pnpm install --frozen-lockfile
- name: 构建共享包
run: pnpm --filter @juhi/shared run build
- name: 缓存 node_modules
uses: actions/cache/save@v4
with:
key: deps-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }}
path: |
node_modules
backend/node_modules
frontend/node_modules
mobile/node_modules
shared/node_modules
shared/dist
e2e/node_modules
...
|
setup
|
null
|
["ubuntu-latest"]
|
6415
|
2
|
1773743986
|
1773744000
|
1773743973
|
1773744000
|
NULL
|
NULL
|
|
0
|
Edit
Delete
|
|
7349
|
6395
|
6
|
5
|
02b254a9bb6dc749245c39967e0b7b09d947804f
|
0
|
安装依赖
|
1
|
name: CI
"on":
push:
branches: name: CI
"on":
push:
branches: [main, develop, 'feature/**', 'claude/**']
pull_request:
branches: [main, develop]
env:
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
setup:
name: 安装依赖
runs-on: ubuntu-latest
steps:
- name: 检出代码
uses: actions/checkout@v4
- name: 安装 pnpm
uses: pnpm/action-setup@v4
with:
version: ${{ env.PNPM_VERSION }}
- name: 设置 Node.js
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: 安装依赖
run: pnpm install --frozen-lockfile
- name: 构建共享包
run: pnpm --filter @juhi/shared run build
- name: 缓存 node_modules
uses: actions/cache/save@v4
with:
key: deps-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }}
path: |
node_modules
backend/node_modules
frontend/node_modules
mobile/node_modules
shared/node_modules
shared/dist
e2e/node_modules
...
|
setup
|
null
|
["ubuntu-latest"]
|
6409
|
2
|
1773743282
|
1773743296
|
1773743268
|
1773743296
|
NULL
|
NULL
|
|
0
|
Edit
Delete
|
|
7320
|
6382
|
6
|
5
|
ff7f47d3c90b5611690472f956e2f089c52dfd3b
|
0
|
安装依赖
|
1
|
name: CI
"on":
push:
branches: name: CI
"on":
push:
branches: [main, develop, 'feature/**', 'claude/**']
pull_request:
branches: [main, develop]
env:
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
setup:
name: 安装依赖
runs-on: ubuntu-latest
steps:
- name: 检出代码
uses: actions/checkout@v4
- name: 安装 pnpm
uses: pnpm/action-setup@v4
with:
version: ${{ env.PNPM_VERSION }}
- name: 设置 Node.js
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: 安装依赖
run: pnpm install --frozen-lockfile
- name: 构建共享包
run: pnpm --filter @juhi/shared run build
- name: 缓存 node_modules
uses: actions/cache/save@v4
with:
key: deps-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }}
path: |
node_modules
backend/node_modules
frontend/node_modules
mobile/node_modules
shared/node_modules
shared/dist
e2e/node_modules
...
|
setup
|
null
|
["ubuntu-latest"]
|
6393
|
2
|
1773739757
|
1773739772
|
1773739744
|
1773739772
|
NULL
|
NULL
|
|
0
|
Edit
Delete
|
|
7279
|
6357
|
6
|
5
|
c1da50f2974fe9552f40dde68ec34df656ddca22
|
0
|
安装依赖
|
1
|
name: CI
"on":
push:
branches: name: CI
"on":
push:
branches: [main, develop, 'feature/**', 'claude/**']
pull_request:
branches: [main, develop]
env:
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
setup:
name: 安装依赖
runs-on: ubuntu-latest
steps:
- name: 检出代码
uses: actions/checkout@v4
- name: 安装 pnpm
uses: pnpm/action-setup@v4
with:
version: ${{ env.PNPM_VERSION }}
- name: 设置 Node.js
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: 安装依赖
run: pnpm install --frozen-lockfile
- name: 构建共享包
run: pnpm --filter @juhi/shared run build
- name: 缓存 node_modules
uses: actions/cache/save@v4
with:
key: deps-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }}
path: |
node_modules
backend/node_modules
frontend/node_modules
mobile/node_modules
shared/node_modules
shared/dist
e2e/node_modules
...
|
setup
|
null
|
["ubuntu-latest"]
|
6365
|
2
|
1773732831
|
1773732849
|
1773732813
|
1773732849
|
NULL
|
NULL
|
|
0
|
Edit
Delete
|
|
6829
|
5908
|
13
|
5
|
6c80c00976d1c5ac4aaa5f76d10cf1e7b4f59448
|
0
|
Analyze (java)
|
1
|
name: CodeQL Analysis
"on":
push:
name: CodeQL Analysis
"on":
push:
branches: [develop, master, main]
pull_request:
branches: [develop, master, main]
schedule:
# 每周一凌晨3点运行
- cron: '0 3 * * 1'
jobs:
analyze:
name: Analyze (java)
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Setup Java
uses: actions/setup-java@v4
with:
cache: gradle
distribution: temurin
java-version: "17"
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
queries: +security-extended,security-and-quality
- name: Grant Execute Permission
run: chmod +x ./gradlew
- name: Build
run: ./gradlew assembleDebug --stacktrace
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: /language:${{ matrix.language }}
timeout-minutes: "30"
strategy:
fail-fast: "false"
matrix:
language:
- java
...
|
analyze
|
null
|
["ubuntu-latest"]
|
5915
|
2
|
1773601235
|
1773601637
|
1773601232
|
1773601638
|
NULL
|
NULL
|
|
0
|
Edit
Delete
|
|
5174
|
4268
|
6
|
5
|
e5a2f5ba8d6442be07c490ec77c734dbe317bfd5
|
0
|
安装依赖
|
1
|
name: CI
"on":
push:
branches: name: CI
"on":
push:
branches: [main, develop, 'feature/**', 'claude/**']
pull_request:
branches: [main, develop]
env:
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
setup:
name: 安装依赖
runs-on: ubuntu-latest
steps:
- name: 检出代码
uses: actions/checkout@v4
- name: 安装 pnpm
uses: pnpm/action-setup@v4
with:
version: ${{ env.PNPM_VERSION }}
- name: 设置 Node.js
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: 安装依赖
run: pnpm install --frozen-lockfile
- name: 构建共享包
run: pnpm --filter @juhi/shared run build
- name: 缓存 node_modules
uses: actions/cache/save@v4
with:
key: deps-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }}
path: |
node_modules
backend/node_modules
frontend/node_modules
mobile/node_modules
shared/node_modules
shared/dist
e2e/node_modules
...
|
setup
|
null
|
["ubuntu-latest"]
|
4273
|
2
|
1773109718
|
1773109729
|
1773109708
|
1773109729
|
NULL
|
NULL
|
|
0
|
Edit
Delete
|
|
5155
|
4265
|
6
|
5
|
aca27bf02ce6383914983c80b4169430b45bc90f
|
0
|
安装依赖
|
1
|
name: CI
"on":
push:
branches: name: CI
"on":
push:
branches: [main, develop, 'feature/**', 'claude/**']
pull_request:
branches: [main, develop]
env:
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
setup:
name: 安装依赖
runs-on: ubuntu-latest
steps:
- name: 检出代码
uses: actions/checkout@v4
- name: 安装 pnpm
uses: pnpm/action-setup@v4
with:
version: ${{ env.PNPM_VERSION }}
- name: 设置 Node.js
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: 安装依赖
run: pnpm install --frozen-lockfile
- name: 构建共享包
run: pnpm --filter @juhi/shared run build
- name: 缓存 node_modules
uses: actions/cache/save@v4
with:
key: deps-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }}
path: |
node_modules
backend/node_modules
frontend/node_modules
mobile/node_modules
shared/node_modules
shared/dist
e2e/node_modules
...
|
setup
|
null
|
["ubuntu-latest"]
|
4267
|
2
|
1773108989
|
1773108999
|
1773108978
|
1773108999
|
NULL
|
NULL
|
|
0
|
Edit
Delete
|
|
5137
|
4263
|
6
|
5
|
a827624730a039637887a7c3f1fb7f5c813cb3ec
|
0
|
安装依赖
|
1
|
name: CI
"on":
push:
branches: name: CI
"on":
push:
branches: [main, develop, 'feature/**', 'claude/**']
pull_request:
branches: [main, develop]
env:
NODE_VERSION: "20"
PNPM_VERSION: "8"
jobs:
setup:
name: 安装依赖
runs-on: ubuntu-latest
steps:
- name: 检出代码
uses: actions/checkout@v4
- name: 安装 pnpm
uses: pnpm/action-setup@v4
with:
version: ${{ env.PNPM_VERSION }}
- name: 设置 Node.js
uses: actions/setup-node@v4
with:
cache: pnpm
node-version: ${{ env.NODE_VERSION }}
- name: 安装依赖
run: pnpm install --frozen-lockfile
- name: 构建共享包
run: pnpm --filter @juhi/shared run build
- name: 缓存 node_modules
uses: actions/cache/save@v4
with:
key: deps-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }}
path: |
node_modules
backend/node_modules
frontend/node_modules
mobile/node_modules
shared/node_modules
shared/dist
e2e/node_modules
...
|
setup
|
null
|
["ubuntu-latest"]
|
4262
|
2
|
1773108727
|
1773108741
|
1773108717
|
1773108742
|
NULL
|
NULL
|
|
0
|
Edit
Delete
|