From 2c3357e33d82574eaf29c3881ffa017b3e0cfbf9 Mon Sep 17 00:00:00 2001
From: zyc <1439655764@qq.com>
Date: Wed, 13 May 2026 15:27:41 +0800
Subject: [PATCH] ci: trim cyberstar-env Secret to DATABASE_URL only

Previous commit scoped too broadly. Other env vars (TOS/SMS/WECHAT/etc.)
already have application-level fallbacks and aren't required to make the
deploy work, so they don't need to be in the workflow yet.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .gitea/workflows/deploy.yaml | 20 +-------------------
 1 file changed, 1 insertion(+), 19 deletions(-)

diff --git a/.gitea/workflows/deploy.yaml b/.gitea/workflows/deploy.yaml
index 7cc795d..de9a2df 100644
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@@ -93,27 +93,9 @@ jobs:
                 --docker-password="${{ env.CR_PASSWORD_ACTIVE }}" \
                 --dry-run=client -o yaml | kubectl apply -f -
 
-              # 2) 应用运行时 Secret（从 Gitea 仓库 Secrets 同步，每次 push 自动更新）
+              # 2) 应用运行时 Secret（数据库连接串）
               kubectl create secret generic cyberstar-env \
                 --from-literal=DATABASE_URL='${{ secrets.DATABASE_URL }}' \
-                --from-literal=REDIS_URL='${{ secrets.REDIS_URL }}' \
-                --from-literal=AUTH_SECRET='${{ secrets.AUTH_SECRET }}' \
-                --from-literal=AUTH_URL="https://${{ env.DOMAIN_WEB }}" \
-                --from-literal=AUTH_TRUST_HOST='true' \
-                --from-literal=TOS_ENDPOINT='${{ secrets.TOS_ENDPOINT }}' \
-                --from-literal=TOS_REGION='${{ secrets.TOS_REGION }}' \
-                --from-literal=TOS_BUCKET='${{ secrets.TOS_BUCKET }}' \
-                --from-literal=TOS_ACCESS_KEY='${{ secrets.TOS_ACCESS_KEY }}' \
-                --from-literal=TOS_SECRET_KEY='${{ secrets.TOS_SECRET_KEY }}' \
-                --from-literal=NEXT_PUBLIC_TOS_DOMAIN='${{ secrets.NEXT_PUBLIC_TOS_DOMAIN }}' \
-                --from-literal=WECHAT_APP_ID='${{ secrets.WECHAT_APP_ID }}' \
-                --from-literal=WECHAT_APP_SECRET='${{ secrets.WECHAT_APP_SECRET }}' \
-                --from-literal=SMS_ACCESS_KEY='${{ secrets.SMS_ACCESS_KEY }}' \
-                --from-literal=SMS_SECRET_KEY='${{ secrets.SMS_SECRET_KEY }}' \
-                --from-literal=SMS_SIGN_NAME='${{ secrets.SMS_SIGN_NAME }}' \
-                --from-literal=SMS_TEMPLATE_CODE='${{ secrets.SMS_TEMPLATE_CODE }}' \
-                --from-literal=HCAPTCHA_SITE_KEY='${{ secrets.HCAPTCHA_SITE_KEY }}' \
-                --from-literal=HCAPTCHA_SECRET='${{ secrets.HCAPTCHA_SECRET }}' \
                 --dry-run=client -o yaml | kubectl apply -f -
 
               # 3) Apply manifests