ci: sync cyberstar-env Secret from Gitea repo secrets

Previously cyberstar-env had to be created manually with kubectl, which broke the "git push = full deploy" expectation. Workflow now derives the runtime Secret from Gitea repo secrets each deploy, so DATABASE_URL, AUTH_SECRET, TOS/SMS/WECHAT credentials etc. are kept in one place and applied transactionally with the rest of the manifests. Repo secrets that need to exist in Gitea Settings: DATABASE_URL, REDIS_URL, AUTH_SECRET, TOS_ENDPOINT, TOS_REGION, TOS_BUCKET, TOS_ACCESS_KEY, TOS_SECRET_KEY, NEXT_PUBLIC_TOS_DOMAIN, WECHAT_APP_ID, WECHAT_APP_SECRET, SMS_ACCESS_KEY, SMS_SECRET_KEY, SMS_SIGN_NAME, SMS_TEMPLATE_CODE, HCAPTCHA_SITE_KEY, HCAPTCHA_SECRET Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-13 15:25:43 +08:00 · 2026-05-13 15:25:43 +08:00 · 19e789d6ac
commit 19e789d6ac
parent 9d003a3b6f
1 changed files with 25 additions and 2 deletions
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@ -86,14 +86,37 @@ jobs:
          for attempt in 1 2 3; do
            echo "Deploy attempt $attempt/3..."
            {
-              # Create/update image pull secret
+              # 1) 镜像拉取凭证
              kubectl create secret docker-registry cr-pull-secret \
                --docker-server="${{ env.CR_SERVER_ACTIVE }}" \
                --docker-username="${{ env.CR_USERNAME_ACTIVE }}" \
                --docker-password="${{ env.CR_PASSWORD_ACTIVE }}" \
                --dry-run=client -o yaml | kubectl apply -f -

-              # Apply manifests
+              # 2) 应用运行时 Secret（从 Gitea 仓库 Secrets 同步，每次 push 自动更新）
+              kubectl create secret generic cyberstar-env \
+                --from-literal=DATABASE_URL='${{ secrets.DATABASE_URL }}' \
+                --from-literal=REDIS_URL='${{ secrets.REDIS_URL }}' \
+                --from-literal=AUTH_SECRET='${{ secrets.AUTH_SECRET }}' \
+                --from-literal=AUTH_URL="https://${{ env.DOMAIN_WEB }}" \
+                --from-literal=AUTH_TRUST_HOST='true' \
+                --from-literal=TOS_ENDPOINT='${{ secrets.TOS_ENDPOINT }}' \
+                --from-literal=TOS_REGION='${{ secrets.TOS_REGION }}' \
+                --from-literal=TOS_BUCKET='${{ secrets.TOS_BUCKET }}' \
+                --from-literal=TOS_ACCESS_KEY='${{ secrets.TOS_ACCESS_KEY }}' \
+                --from-literal=TOS_SECRET_KEY='${{ secrets.TOS_SECRET_KEY }}' \
+                --from-literal=NEXT_PUBLIC_TOS_DOMAIN='${{ secrets.NEXT_PUBLIC_TOS_DOMAIN }}' \
+                --from-literal=WECHAT_APP_ID='${{ secrets.WECHAT_APP_ID }}' \
+                --from-literal=WECHAT_APP_SECRET='${{ secrets.WECHAT_APP_SECRET }}' \
+                --from-literal=SMS_ACCESS_KEY='${{ secrets.SMS_ACCESS_KEY }}' \
+                --from-literal=SMS_SECRET_KEY='${{ secrets.SMS_SECRET_KEY }}' \
+                --from-literal=SMS_SIGN_NAME='${{ secrets.SMS_SIGN_NAME }}' \
+                --from-literal=SMS_TEMPLATE_CODE='${{ secrets.SMS_TEMPLATE_CODE }}' \
+                --from-literal=HCAPTCHA_SITE_KEY='${{ secrets.HCAPTCHA_SITE_KEY }}' \
+                --from-literal=HCAPTCHA_SECRET='${{ secrets.HCAPTCHA_SECRET }}' \
+                --dry-run=client -o yaml | kubectl apply -f -
+
+              # 3) Apply manifests
              kubectl apply -f k8s/web-deployment.yaml
              kubectl apply -f k8s/ingress.yaml