ci: 添加 GitHub Actions 自动构建与 SSH 部署流程

longsizhuo · longsizhuo · commit e03b38c2c3a0 · 2026-03-21T02:21:05.000+08:00
- 新增 Dockerfile（GraalVM Native Image 多阶段构建）
- 新增 Caddyfile（反向代理配置，由环境变量驱动）
- 新增 .github/workflows/deploy.yml（构建推送 GHCR + SSH 部署）
- 修复 docker-compose.yml：pull_policy 改为 always，镜像默认指向 ghcr.io，移除 caddy 多余的 build 段
- 补全 .env.example 中缺失的 Postgres、镜像名等变量
diff --git a/.env.example b/.env.example
@@ -37,4 +37,16 @@ REDIS_PASSWORD=change-me
 # --- 网关与代理 (Caddy) ---
 CADDY_SITE_ADDRESS=:80
 CADDY_HTTP_PORT=80
+CADDY_HTTPS_PORT=443
 CADDY_UPSTREAM=backend:8080
+
+# --- Docker 镜像 ---
+BACKEND_IMAGE_NAME=ghcr.io/involutionhell/involutionhell-backend:latest
+
+# --- 数据库（本地 Docker postgres 服务）---
+POSTGRES_DB=involution_hell
+POSTGRES_USER=involution
+POSTGRES_PASSWORD=change_me
+SPRING_DATASOURCE_URL=jdbc:postgresql://postgres:5432/involution_hell
+SPRING_DATASOURCE_USERNAME=involution
+SPRING_DATASOURCE_PASSWORD=change_me
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -0,0 +1,80 @@
+name: 构建并部署后端
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ghcr.io/involutionhell/involutionhell-backend
+
+jobs:
+  build-and-push:
+    name: 编译 Native Image 并推送到 GHCR
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: 检出代码
+        uses: actions/checkout@v4
+
+      - name: 登录 GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: 设置 Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: 构建并推送镜像
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          platforms: linux/amd64
+          tags: |
+            ${{ env.IMAGE_NAME }}:latest
+            ${{ env.IMAGE_NAME }}:${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+  deploy:
+    name: SSH 部署到服务器
+    runs-on: ubuntu-latest
+    needs: build-and-push
+    environment: production
+
+    steps:
+      - name: 检出代码（仅获取 docker-compose.yml 和 Caddyfile）
+        uses: actions/checkout@v4
+
+      - name: 将 compose 文件同步到服务器
+        uses: appleboy/scp-action@v0.1.7
+        with:
+          host: ${{ secrets.SERVER_HOST }}
+          username: ${{ secrets.SERVER_USER }}
+          key: ${{ secrets.SERVER_SSH_KEY }}
+          source: "docker-compose.yml,Caddyfile,docker/"
+          target: "/opt/involutionhell"
+
+      - name: 远程执行部署
+        uses: appleboy/ssh-action@v1
+        with:
+          host: ${{ secrets.SERVER_HOST }}
+          username: ${{ secrets.SERVER_USER }}
+          key: ${{ secrets.SERVER_SSH_KEY }}
+          script: |
+            cd /opt/involutionhell
+
+            # 写入镜像名，确保拉取最新
+            export BACKEND_IMAGE_NAME=${{ env.IMAGE_NAME }}:${{ github.sha }}
+
+            # 登录 GHCR 后拉取镜像并重启服务
+            echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+            docker compose pull backend
+            docker compose up -d --remove-orphans
diff --git a/Caddyfile b/Caddyfile
@@ -0,0 +1,8 @@
+# Caddy 反向代理配置
+# 通过环境变量控制监听地址和上游服务地址
+{$CADDY_SITE_ADDRESS::80} {
+    # 将所有请求转发至后端 Spring Boot 服务
+    reverse_proxy {$CADDY_UPSTREAM:backend:8080} {
+        health_uri /actuator/health
+    }
+}
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,29 @@
+# 多阶段构建：第一阶段用 GraalVM 编译 Native Image
+FROM ghcr.io/graalvm/native-image-community:25-muslib AS build
+
+WORKDIR /app
+
+# 先复制 Maven Wrapper 和 pom.xml，利用 Docker 层缓存加速依赖下载
+COPY mvnw mvnw.cmd pom.xml ./
+COPY .mvn .mvn
+
+RUN chmod +x mvnw && ./mvnw dependency:go-offline -q
+
+# 复制源码并编译 Native Image
+COPY src ./src
+RUN ./mvnw -DskipTests native:compile-no-fork -q
+
+# 第二阶段：最小化运行镜像
+FROM ubuntu:24.04
+
+# 安装运行时依赖（curl 用于 healthcheck）
+RUN apt-get update && apt-get install -y --no-install-recommends curl && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /app
+COPY --from=build /app/target/backend ./backend
+
+RUN chmod +x ./backend
+
+EXPOSE 8080
+
+ENTRYPOINT ["./backend"]
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,8 +1,8 @@
 services:
   backend:
-    image: ${BACKEND_IMAGE_NAME:-backend:native}
+    image: ${BACKEND_IMAGE_NAME:-ghcr.io/involutionhell/involutionhell-backend:latest}
     platform: linux/amd64
-    pull_policy: never
+    pull_policy: always
     container_name: involution-hell-backend
     restart: always
     env_file:
@@ -86,8 +86,6 @@ services:
       - InvolutionHell-net
 
   caddy:
-    build:
-      context: .
     image: caddy:2.10-alpine
     container_name: involution-hell-caddy
     restart: unless-stopped
