ci: 优化GitHub Actions CI配置

1. 新增统一环境变量集中管理CI配置项 2. 为多数CI作业添加仓库执行权限校验 3. 统一替换硬编码的服务版本与端口配置 4. 调整构建交付物的执行条件与报告保留规则
2026-06-02 05:54:40 +00:00 · 2026-05-31 11:42:15 +00:00
parent a60dd3ce37
commit c694cbf288
1 changed files with 31 additions and 14 deletions
@@ -10,14 +10,29 @@ on:
 env:
  PYTHON_VERSION: '3.12'
  UBUNTU_VERSION: 'ubuntu-latest'
+  # CI执行的目标仓库（仅在此仓库执行CI流程）
+  CI_TARGET_REPO: 'rnvm9wjdtj-bot/myaps_api'
  # 镜像仓库配置（请根据实际情况修改）
  REGISTRY: docker.io
  IMAGE_NAME: myaps-api
+  # 数据库配置
+  POSTGRES_VERSION: '15'
+  REDIS_VERSION: '7'
+  TEST_DB_PASSWORD: 'test_password'
+  TEST_DB_NAME: 'myaps_test'
+  POSTGRES_PORT: '5432'
+  REDIS_PORT: '6379'
+  # Docker配置
+  DOCKER_PLATFORMS: 'linux/amd64,linux/arm64'
+  # 报告保留天数
+  SHORT_RETENTION_DAYS: '7'
+  RELEASE_RETENTION_DAYS: '30'

 jobs:
  lint-and-format:
    name: 代码检查
    runs-on: ubuntu-latest
+    if: github.repository == env.CI_TARGET_REPO
    steps:
      - name: 检出代码
        uses: actions/checkout@v4
@@ -54,15 +69,16 @@ jobs:
    name: 构建与测试
    runs-on: ubuntu-latest
    needs: lint-and-format
+    if: github.repository == env.CI_TARGET_REPO
    
    services:
      postgres:
-        image: postgres:15
+        image: postgres:${{ env.POSTGRES_VERSION }}
        env:
-          POSTGRES_PASSWORD: test_password
-          POSTGRES_DB: myaps_test
+          POSTGRES_PASSWORD: ${{ env.TEST_DB_PASSWORD }}
+          POSTGRES_DB: ${{ env.TEST_DB_NAME }}
        ports:
-          - 5432:5432
+          - ${{ env.POSTGRES_PORT }}:${{ env.POSTGRES_PORT }}
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
@@ -70,9 +86,9 @@ jobs:
          --health-retries 5
      
      redis:
-        image: redis:7
+        image: redis:${{ env.REDIS_VERSION }}
        ports:
-          - 6379:6379
+          - ${{ env.REDIS_PORT }}:${{ env.REDIS_PORT }}
        options: >-
          --health-cmd "redis-cli ping"
          --health-interval 10s
@@ -136,10 +152,10 @@ jobs:
          
          # PostgreSQL 数据库配置（服务自有数据库）
          THIS_DB_HOST=127.0.0.1
-          THIS_DB_PORT=5432
+          THIS_DB_PORT=${{ env.POSTGRES_PORT }}
          THIS_DB_USER=postgres
-          THIS_DB_PASSWORD=test_password
-          THIS_DB_NAME=myaps_test
+          THIS_DB_PASSWORD=${{ env.TEST_DB_PASSWORD }}
+          THIS_DB_NAME=${{ env.TEST_DB_NAME }}
          
          # MySQL 数据库配置（三方系统既有数据库，CI 环境无需配置）
          # MYAPS_DB_HOST=
@@ -187,12 +203,13 @@ jobs:
          path: |
            htmlcov/
            coverage.xml
-          retention-days: 7
+          retention-days: ${{ env.SHORT_RETENTION_DAYS }}

  security-scan:
    name: 安全扫描
    runs-on: ubuntu-latest
    needs: lint-and-format
+    if: github.repository == env.CI_TARGET_REPO
    steps:
      - name: 检出代码
        uses: actions/checkout@v4
@@ -225,13 +242,13 @@ jobs:
        with:
          name: security-report
          path: bandit-report.json
-          retention-days: 7
+          retention-days: ${{ env.SHORT_RETENTION_DAYS }}

  build-artifacts:
    name: 构建交付物
    runs-on: ubuntu-latest
    needs: [build-and-test, security-scan]
-    if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+    if: github.repository == env.CI_TARGET_REPO && (github.event_name == 'push' || github.event_name == 'workflow_dispatch')
    
    outputs:
      image-tag: ${{ steps.meta.outputs.version }}
@@ -265,7 +282,7 @@ jobs:
        with:
          context: .
          push: true
-          platforms: linux/amd64,linux/arm64
+          platforms: ${{ env.DOCKER_PLATFORMS }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
@@ -410,7 +427,7 @@ jobs:
          path: |
            .env.template
            DEPLOY.md
-          retention-days: 30
+          retention-days: ${{ env.RELEASE_RETENTION_DAYS }}

      - name: 输出部署信息
        run: |