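---
name: 部署到生产环境

# `on` is read as a YAML 1.1 boolean key by generic parsers; GitHub's own
# loader handles it, so it stays unquoted (suppress yamllint `truthy` here).
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  workflow_dispatch:
    inputs:
      reason:
        description: '手动触发部署的原因'
        required: false
        default: '手动部署'

jobs:
  deploy:
    runs-on: ubuntu-latest
    # The environment must provide the KEY, PASSPHRASE, SERVER_USER,
    # SERVER_ADDRESS and SERVER_PASSWORD secrets.
    environment: SSH-KEY
    # A production deploy must not run for pull_request events: the remote
    # script pulls `main` whatever the PR branch is, and PRs from forks get no
    # secrets at all, so such runs would either deploy the wrong thing or fail.
    if: github.event_name != 'pull_request'
    steps:
      - uses: actions/checkout@v4

      - name: 安装依赖工具
        run: |
          # sshpass is no longer needed (key-based login); expect is kept to
          # feed the key passphrase to ssh-add.
          sudo apt-get update
          sudo apt-get install -y expect

      - name: 配置SSH密钥并启动ssh-agent
        # Secrets are passed through the environment instead of being
        # interpolated into the script text, so a value containing quotes,
        # `$` or newlines cannot alter the shell commands.
        env:
          KEY: ${{ secrets.KEY }}
          PASSPHRASE: ${{ secrets.PASSPHRASE }}
          SERVER_ADDRESS: ${{ secrets.SERVER_ADDRESS }}
        run: |
          mkdir -p ~/.ssh
          chmod 700 ~/.ssh

          # Create the private key with mode 0600 from the start (umask)
          # rather than chmod-ing it afterwards; ssh rejects keys with looser
          # permissions. printf guarantees the trailing newline OpenSSH
          # expects after the key material.
          (umask 077; printf '%s\n' "$KEY" > ~/.ssh/id_rsa)

          # Start ssh-agent and export its socket/PID to the later steps.
          # Each `run` step is a fresh shell, so without $GITHUB_ENV the deploy
          # step would not see the agent and a passphrase-protected key would
          # fail to load there (no TTY to prompt on).
          eval "$(ssh-agent -s)"
          echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK" >> "$GITHUB_ENV"
          echo "SSH_AGENT_PID=$SSH_AGENT_PID" >> "$GITHUB_ENV"

          # Load the key. expect reads the passphrase from its own environment
          # ($env(...)); it is never placed on a command line or in the script
          # text. The prompt match is a prefix so it does not depend on the
          # runner's home directory, a key without a passphrase simply reaches
          # eof, and ssh-add's exit status is propagated so a wrong passphrase
          # fails this step instead of surfacing as an ssh error later.
          expect -c '
            spawn ssh-add $env(HOME)/.ssh/id_rsa
            expect {
              "Enter passphrase" { send "$env(PASSPHRASE)\r"; exp_continue }
              timeout { puts "ssh-add did not finish in time"; exit 1 }
              eof
            }
            lassign [wait] pid sid os_error status
            exit $status
          '

          # Host key checking is disabled only for the deploy target, to avoid
          # the first-connection prompt on a fresh runner.
          # TODO(security): this still leaves the session open to a host-key
          # swap (MITM). Prefer pinning the server's public host key in
          # ~/.ssh/known_hosts (e.g. from a dedicated secret) and dropping this
          # override entirely.
          printf 'Host %s\n  StrictHostKeyChecking no\n' "$SERVER_ADDRESS" >> ~/.ssh/config
          chmod 600 ~/.ssh/config

      - name: 执行部署
        env:
          SERVER_USER: ${{ secrets.SERVER_USER }}
          SERVER_ADDRESS: ${{ secrets.SERVER_ADDRESS }}
          SERVER_PASSWORD: ${{ secrets.SERVER_PASSWORD }}
        run: |
          # Key-based login through the agent started in the previous step; no
          # sshpass. The sudo password is handed to the remote script as the
          # first line of its stdin rather than interpolated into the command
          # text, so it never appears in the server's process list (`ps`) or in
          # the command string sent over the session.
          # The remote script uses `set -e` deliberately without `-x`: `-x`
          # would echo every `sudo -S` pipeline, password included, back into
          # the Actions log.
          printf '%s\n' "$SERVER_PASSWORD" | ssh -p 42422 "$SERVER_USER@$SERVER_ADDRESS" '
            set -e
            IFS= read -r SUDO_PASS
            run_sudo() { printf "%s\n" "$SUDO_PASS" | sudo -S "$@"; }

            echo "=== 部署调试信息开始 ==="
            echo "测试sudo权限..."
            run_sudo whoami

            echo "停止服务..."
            run_sudo systemctl stop neobot.service

            echo "修复文件权限..."
            # We are logged in as SERVER_USER, so the current user is the
            # intended owner (user:user, as before).
            run_sudo chown -R "$(id -un):$(id -un)" /home/luoxiaolei/neobot/NeoBot
            cd /home/luoxiaolei/neobot/NeoBot

            echo "拉取最新代码(服务器本地已有GitHub密钥)..."
            git pull origin main

            echo "启动服务..."
            run_sudo systemctl start neobot.service

            echo "检查服务状态..."
            run_sudo systemctl status neobot.service --no-pager

            echo "部署完成!"
            echo "=== 部署调试信息结束 ==="
          '
        # Fail the job immediately on a deploy error so the cause is visible.
        continue-on-error: false

      - name: 检查部署状态
        if: failure()
        run: |
          echo "部署失败!请检查服务器日志和Actions执行日志。"
          exit 1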