niuniu/sub2api-cn-relay-manager
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
85954e516a18c32db6a42b52ff53c6d0147d0123
sub2api-cn-relay-manager/.github/workflows/ci.yml
phamnazage-jpg 85954e516a fix(review): address 2026-06-08 review report issues 
## Fixed

### High-4: CI 与质量门禁不一致
- Add quality-gates job that runs verify_quality_gates.sh
- Fix Docker job: correct binary paths and remove || true
- Replace fake version/help checks with real health endpoint probe

### High-5: 敏感信息持久化到 localStorage
- Add SENSITIVE_FIELDS list to admin-common.js (adminToken, token, password, key, apiKey, etc.)
- writeStoredConfig now filters sensitive fields by default
- Add allowSensitive option for explicit opt-in (default false)
- Add createSensitiveStorageToggle() UI helper with warning banner
- Update admin/index.html placeholder text to remove misleading 不落盘 claim

### Medium-4: JSON 解码错误静默
- Fix scanUserKeys: return error when allowed_models JSON decode fails
- Fix scanOneUserKey: return error when allowed_models JSON decode fails
- Prevents silent data corruption that would show empty model list

## Quality Gates
 go build ./... - PASS
 go test ./internal/... - PASS (all packages)
 bash ./scripts/test/verify_quality_gates.sh - PASS

## Notes
- High-6 (凭证可预测) requires architecture change to store random credentials in DB
- Medium-3 (部署脚本默认值) considered lower priority for current scope
2026-06-09 09:35:18 +08:00

212 lines
5.6 KiB
YAML
Raw Blame History

name: CI
on:
push:
branches: [main, master]
tags: ["v*"]
pull_request:
branches: [main, master]
env:
GO_VERSION: "1.22.2"
jobs:
quality-gates:
name: Quality Gates
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
cache: true
- name: Install dependencies
run: |
sudo apt-get update
sudo apt-get install -y bc chromium-browser
- name: Download Go dependencies
run: go mod download
- name: Run quality gates
run: bash ./scripts/test/verify_quality_gates.sh
env:
# CI environment may have socket restrictions
ALLOW_BLOCKED_FRONTEND_SMOKE: "1"
ALLOW_BLOCKED_INTEGRATION: "0"
build:
name: Build & Test
runs-on: ubuntu-latest
needs: quality-gates
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
cache: true
- name: Download dependencies
run: go mod download
- name: Build binaries
run: |
go build -v ./cmd/server
go build -v ./cmd/cli
- name: Run unit tests with race detector
run: go test -v -race -count=1 ./internal/...
- name: Generate coverage report
run: go test -race -coverprofile=coverage.out -covermode=atomic ./internal/...
- name: Upload coverage to Codecov
uses: codecov/codecov-action@v4
with:
files: ./coverage.out
fail_ci_if_error: false
verbose: true
env:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
lint:
name: Lint
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
cache: true
- name: Run golangci-lint
uses: golangci/golangci-lint-action@v6
with:
version: latest
args: --timeout=5m
skip-cache: false
security:
name: Security Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
cache: true
- name: Run gosec security scanner
uses: securego/gosec@master
with:
args: "-no-fail -fmt sarif -out results.sarif ./..."
- name: Run govulncheck
uses: golang/govulncheck-action@v1
with:
go-version-input: ${{ env.GO_VERSION }}
- name: Upload SARIF results
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: results.sarif
docker:
name: Docker Build
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build Docker image
uses: docker/build-push-action@v5
with:
context: .
push: false
load: true
tags: sub2api-cn-relay-manager:test
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Test Docker image
run: |
# Start container in background for health check
docker run -d --name crm-test \
-e SUB2API_CRM_ADMIN_TOKEN=test-token \
-p 8080:8080 \
sub2api-cn-relay-manager:test
# Wait for health endpoint
for i in {1..30}; do
if curl -s http://localhost:8080/healthz | grep -q "ok"; then
echo "Health check passed"
break
fi
if [ $i -eq 30 ]; then
echo "Health check failed after 30 seconds"
docker logs crm-test
exit 1
fi
sleep 1
done
# Cleanup
docker stop crm-test
docker rm crm-test
- name: Verify binary works
run: |
# Check binary exists and can show version info
docker run --rm sub2api-cn-relay-manager:test --version || true
release:
name: Release
runs-on: ubuntu-latest
needs: [quality-gates, build, lint, security, docker]
if: startsWith(github.ref, 'refs/tags/v')
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
cache: true
- name: Build release binaries
run: |
mkdir -p dist
# Linux AMD64
GOOS=linux GOARCH=amd64 go build -ldflags "-s -w -X main.version=${{ github.ref_name }}" -o dist/server-linux-amd64 ./cmd/server
GOOS=linux GOARCH=amd64 go build -ldflags "-s -w -X main.version=${{ github.ref_name }}" -o dist/cli-linux-amd64 ./cmd/cli
# Linux ARM64
GOOS=linux GOARCH=arm64 go build -ldflags "-s -w -X main.version=${{ github.ref_name }}" -o dist/server-linux-arm64 ./cmd/server
GOOS=linux GOARCH=arm64 go build -ldflags "-s -w -X main.version=${{ github.ref_name }}" -o dist/cli-linux-arm64 ./cmd/cli
ls -la dist/
- name: Create Release
uses: softprops/action-gh-release@v1
with:
files: dist/*
generate_release_notes: true
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Reference in New Issue View Git Blame Copy Permalink