Merge remote-tracking branch 'remote/main'

Geniusay · Geniusay · commit fce5086c6fb9 · 2026-03-12T17:36:13.000+08:00
diff --git a/.github/workflows/deploy-static-sites.yml b/.github/workflows/deploy-static-sites.yml
@@ -0,0 +1,238 @@
+name: Deploy Static Sites
+
+on:
+  workflow_call:
+    inputs:
+      products_dir:
+        description: Root directory that contains product folders.
+        type: string
+        required: false
+        default: products
+      deploy_path:
+        description: Remote deploy base path.
+        type: string
+        required: false
+        default: /var/www/static-sites
+      force_deploy:
+        description: Deploy all product folders, ignoring git diff.
+        type: boolean
+        required: false
+        default: false
+      max_parallel:
+        description: Max parallel rsync jobs.
+        type: number
+        required: false
+        default: 3
+      reload_nginx:
+        description: Reload nginx after deploy.
+        type: boolean
+        required: false
+        default: true
+      nginx_container:
+        description: Docker container name that runs nginx.
+        type: string
+        required: false
+        default: static-sites
+    secrets:
+      SERVER_HOST:
+        required: true
+      SERVER_USER:
+        required: true
+      SERVER_PASS:
+        required: true
+
+permissions:
+  contents: read
+
+jobs:
+  detect-changes:
+    runs-on: ubuntu-latest
+    outputs:
+      changed_products: ${{ steps.changes.outputs.products }}
+      has_changes: ${{ steps.changes.outputs.has_changes }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Detect changed products
+        id: changes
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          PRODUCTS_DIR="${{ inputs.products_dir }}"
+          PRODUCTS_DIR="${PRODUCTS_DIR%/}"
+
+          if ! [[ "$PRODUCTS_DIR" =~ ^[a-zA-Z0-9._/-]+$ ]]; then
+            echo "Invalid products_dir: $PRODUCTS_DIR"
+            exit 1
+          fi
+          if [[ "$PRODUCTS_DIR" == -* ]]; then
+            echo "products_dir must not start with '-'"
+            exit 1
+          fi
+
+          if [ ! -d "$PRODUCTS_DIR" ]; then
+            echo "Products dir not found: $PRODUCTS_DIR"
+            echo 'products=[]' >> "$GITHUB_OUTPUT"
+            echo 'has_changes=false' >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          if [ "${{ inputs.force_deploy }}" = "true" ]; then
+            PRODUCTS=$(find "$PRODUCTS_DIR" -mindepth 1 -maxdepth 1 -type d -exec basename {} \; | jq -R -s -c 'split("\n")[:-1]')
+          else
+            EVENT_NAME="${{ github.event_name }}"
+            BEFORE_SHA="${{ github.event.before }}"
+            AFTER_SHA="${{ github.sha }}"
+
+            if [ "$EVENT_NAME" = "push" ] && [ -n "$BEFORE_SHA" ] && [ "$BEFORE_SHA" != "0000000000000000000000000000000000000000" ]; then
+              CHANGED_FILES=$(git diff --name-only "$BEFORE_SHA" "$AFTER_SHA" -- "$PRODUCTS_DIR/" || true)
+            elif git rev-parse --verify HEAD~1 >/dev/null 2>&1; then
+              CHANGED_FILES=$(git diff --name-only HEAD~1 HEAD -- "$PRODUCTS_DIR/" || true)
+            else
+              CHANGED_FILES=""
+            fi
+
+            if [ -z "${CHANGED_FILES:-}" ]; then
+              PRODUCTS='[]'
+            else
+              PRODUCTS=$(echo "$CHANGED_FILES" | awk -v dir="$PRODUCTS_DIR" '
+                index($0, dir"/")==1 {
+                  rest = substr($0, length(dir)+2)
+                  split(rest, parts, "/")
+                  if (parts[1] != "") print parts[1]
+                }' | sort -u | jq -R -s -c 'split("\n")[:-1]')
+            fi
+          fi
+
+          PRODUCTS=$(echo "$PRODUCTS" | jq -r '.[]' | while IFS= read -r product; do
+            [ -z "$product" ] && continue
+            if [[ "$product" =~ ^[a-zA-Z0-9._][a-zA-Z0-9._-]*$ ]] && [ -d "$PRODUCTS_DIR/$product" ]; then
+              echo "$product"
+            fi
+          done | jq -R -s -c 'split("\n")[:-1]')
+
+          echo "products=$PRODUCTS" >> "$GITHUB_OUTPUT"
+
+          PRODUCT_COUNT=$(echo "$PRODUCTS" | jq 'length')
+          if [ "$PRODUCT_COUNT" -eq 0 ]; then
+            echo "has_changes=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "has_changes=true" >> "$GITHUB_OUTPUT"
+          fi
+
+          echo "Changed products: $PRODUCTS"
+
+  deploy:
+    needs: detect-changes
+    if: needs.detect-changes.outputs.has_changes == 'true'
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        product: ${{ fromJson(needs.detect-changes.outputs.changed_products) }}
+      max-parallel: ${{ inputs.max_parallel }}
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Validate inputs
+        shell: bash
+        env:
+          PRODUCTS_DIR: ${{ inputs.products_dir }}
+          DEPLOY_PATH: ${{ inputs.deploy_path }}
+          PRODUCT: ${{ matrix.product }}
+        run: |
+          set -euo pipefail
+
+          PRODUCTS_DIR="${PRODUCTS_DIR%/}"
+          DEPLOY_PATH="${DEPLOY_PATH%/}"
+
+          fail() { echo "$1" >&2; exit 1; }
+
+          [[ -n "$PRODUCTS_DIR" ]] || fail "products_dir is empty"
+          [[ "$PRODUCTS_DIR" =~ ^[a-zA-Z0-9._/-]+$ ]] || fail "Invalid products_dir: $PRODUCTS_DIR"
+          [[ "$PRODUCTS_DIR" != -* ]] || fail "products_dir must not start with '-'"
+          [[ -n "$DEPLOY_PATH" ]] || fail "deploy_path is empty"
+          [[ "$DEPLOY_PATH" =~ ^[a-zA-Z0-9._/-]+$ ]] || fail "Invalid deploy_path: $DEPLOY_PATH"
+          [[ "$DEPLOY_PATH" != -* ]] || fail "deploy_path must not start with '-'"
+          [[ -n "$PRODUCT" ]] || fail "product is empty"
+          [[ "$PRODUCT" =~ ^[a-zA-Z0-9._][a-zA-Z0-9._-]*$ ]] || fail "Invalid product: $PRODUCT"
+
+          echo "PRODUCTS_DIR=$PRODUCTS_DIR" >> "$GITHUB_ENV"
+          echo "DEPLOY_PATH=$DEPLOY_PATH" >> "$GITHUB_ENV"
+          echo "PRODUCT=$PRODUCT" >> "$GITHUB_ENV"
+
+          if [ ! -d "$PRODUCTS_DIR/$PRODUCT" ]; then
+            echo "Source directory not found: $PRODUCTS_DIR/$PRODUCT (skipping)"
+            echo "SKIP_DEPLOY=true" >> "$GITHUB_ENV"
+            exit 0
+          fi
+
+      - name: Install sshpass
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y sshpass
+
+      - name: Add server to known hosts
+        run: |
+          mkdir -p ~/.ssh
+          ssh-keyscan -H "${{ secrets.SERVER_HOST }}" >> ~/.ssh/known_hosts
+
+      - name: Deploy ${{ matrix.product }}
+        env:
+          SSHPASS: ${{ secrets.SERVER_PASS }}
+        run: |
+          set -euo pipefail
+
+          if [ "${SKIP_DEPLOY:-false}" = "true" ]; then
+            echo "Skipping deploy for $PRODUCT"
+            exit 0
+          fi
+
+          echo "Deploying product: $PRODUCT"
+          sshpass -e rsync -avz --delete \
+            --exclude='.git*' \
+            -e "ssh" \
+            -- \
+            "$PRODUCTS_DIR/$PRODUCT/" \
+            "${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }}:$DEPLOY_PATH/$PRODUCT/"
+
+  reload-nginx:
+    needs: deploy
+    if: ${{ inputs.reload_nginx }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install sshpass
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y sshpass
+
+      - name: Add server to known hosts
+        run: |
+          mkdir -p ~/.ssh
+          ssh-keyscan -H "${{ secrets.SERVER_HOST }}" >> ~/.ssh/known_hosts
+
+      - name: Validate inputs
+        shell: bash
+        env:
+          NGINX_CONTAINER: ${{ inputs.nginx_container }}
+        run: |
+          set -euo pipefail
+
+          fail() { echo "$1" >&2; exit 1; }
+
+          [[ -n "$NGINX_CONTAINER" ]] || fail "nginx_container is empty"
+          [[ "$NGINX_CONTAINER" =~ ^[a-zA-Z0-9][a-zA-Z0-9_.-]*$ ]] || fail "Invalid nginx_container: $NGINX_CONTAINER"
+          echo "NGINX_CONTAINER=$NGINX_CONTAINER" >> "$GITHUB_ENV"
+
+      - name: Reload Nginx
+        env:
+          SSHPASS: ${{ secrets.SERVER_PASS }}
+        run: |
+          set -euo pipefail
+
+          sshpass -e ssh \
+            "${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }}" \
+            "docker exec $NGINX_CONTAINER nginx -s reload || true"
diff --git a/README.md b/README.md
@@ -8,6 +8,12 @@
 |---|---|---|
 | **Discord Notification** | 发送中文格式的代码提交统计通知到 Discord | [查看文档](docs/discord-notify.md) |
 
+## 🔁 可用 Reusable Workflows 列表
+
+| Workflow 名称 | 描述 | 文档 |
+|---|---|---|
+| **Deploy Static Sites** | 将 `products/*` 静态站点增量部署到服务器并可选 reload nginx | [查看文档](docs/deploy-static-sites.md) |
+
 ## 🚀 如何在其他项目中使用
 
 ### 🤖 1. Agent 辅助集成 (推荐)
@@ -48,7 +54,7 @@ steps:
       fetch-depth: 2  # 统计变更需要历史记录
 
   - name: 发送 Discord 通知
-    uses: Time-Machine-Lab/TML-Github-Actions/actions/discord-github-notify@main
+    uses: Time-Machine-Lab/TML-Github_Actions/actions/discord-github-notify@main
     with:
       webhook_url: ${{ secrets.DISCORD_WEBHOOK_URL }}
 ```
@@ -61,10 +67,14 @@ steps:
 
 ```yaml
 jobs:
-  build:
-    uses: Time-Machine-Lab/TML-Github-Actions/.github/workflows/maven-build.yml@main
+  deploy:
+    uses: Time-Machine-Lab/TML-Github_Actions/.github/workflows/deploy-static-sites.yml@main
     with:
-      java-version: '17'
+      force_deploy: false
+    secrets:
+      SERVER_HOST: ${{ secrets.SERVER_HOST }}
+      SERVER_USER: ${{ secrets.SERVER_USER }}
+      SERVER_PASS: ${{ secrets.SERVER_PASS }}
 ```
 
 ## 目录结构
diff --git a/SKILLS.md b/SKILLS.md
@@ -1,6 +1,6 @@
 ---
 name: github workflow actions
-description: This skill provides guidelines for developing GitHub Actions and Reusable Workflows in the TML-Github-Actions repository. Use it when creating new actions, debugging workflows, or writing documentation to ensure compliance with project standards.
+description: This skill provides guidelines for developing GitHub Actions and Reusable Workflows in the TML-Github_Actions repository. Use it when creating new actions, debugging workflows, or writing documentation to ensure compliance with project standards.
 metadata:
   author: tml
 ---
diff --git a/docs/deploy-static-sites.md b/docs/deploy-static-sites.md
@@ -0,0 +1,69 @@
+# Deploy Static Sites Reusable Workflow
+
+该 Reusable Workflow 用于将 `products/<product>/` 下的静态站点内容通过 `rsync` 部署到远程服务器，并在部署完成后可选地执行 `nginx -s reload`。
+
+## 必要 Secrets
+
+在**调用该 Workflow 的仓库**中配置以下 Secrets（Settings -> Secrets and variables -> Actions）：
+
+| 名称 | 描述 |
+|---|---|
+| `SERVER_HOST` | 服务器地址（IP/域名） |
+| `SERVER_USER` | SSH 用户名 |
+| `SERVER_PASS` | SSH 密码（用于 `sshpass`） |
+
+## Inputs
+
+| 参数 | 类型 | 默认值 | 描述 |
+|---|---|---|---|
+| `products_dir` | string | `products` | 产品根目录（目录下每个子目录视为一个 product） |
+| `deploy_path` | string | `/var/www/static-sites` | 远程部署根路径 |
+| `force_deploy` | boolean | `false` | 为 `true` 时部署 `products_dir` 下所有产品 |
+| `max_parallel` | number | `3` | 并行部署数量 |
+| `reload_nginx` | boolean | `true` | 是否在部署后 reload nginx |
+| `nginx_container` | string | `static-sites` | nginx 所在 Docker 容器名 |
+
+## 使用示例（在 TML-site 中）
+
+在 `TML-site` 仓库创建/修改 `.github/workflows/deploy.yml`：
+
+```yaml
+name: Deploy Static Sites
+
+on:
+  push:
+    branches: [master]
+    paths:
+      - 'products/**'
+  workflow_dispatch:
+    inputs:
+      force_deploy:
+        description: Force deploy all products
+        type: boolean
+        required: false
+        default: false
+
+jobs:
+  deploy:
+    uses: Time-Machine-Lab/TML-Github_Actions/.github/workflows/deploy-static-sites.yml@main
+    with:
+      force_deploy: ${{ github.event_name == 'workflow_dispatch' && inputs.force_deploy }}
+    secrets:
+      SERVER_HOST: ${{ secrets.SERVER_HOST }}
+      SERVER_USER: ${{ secrets.SERVER_USER }}
+      SERVER_PASS: ${{ secrets.SERVER_PASS }}
+```
+
+## 工作原理
+
+- 默认：
+  - `push` 事件：比较本次推送范围（`github.event.before..github.sha`）在 `products_dir/` 下的变更，提取受影响的 `<product>` 并按矩阵并行部署。
+  - 其他事件：若存在上一提交则使用 `HEAD~1..HEAD` 作为兜底 diff 范围。
+- `force_deploy: true`：忽略 diff，部署 `products_dir` 下所有产品目录。
+
+## 注意事项
+
+- 该 Workflow 使用 `sshpass` 进行密码登录；如需更安全的 SSH Key 方式，我可以继续帮你改造。
+- 远程服务器需安装 `rsync`，并允许 `SERVER_USER` 写入 `deploy_path`。
+- `reload_nginx` 会在远程服务器执行：`docker exec <nginx_container> nginx -s reload || true`，请确保容器名与 nginx 命令符合实际环境。
+- 部署阶段会将服务器写入 `~/.ssh/known_hosts` 并启用 Host Key 校验；如服务器 Host Key 变更，需要更新对应配置。
diff --git a/docs/discord-notify.md b/docs/discord-notify.md
@@ -43,7 +43,7 @@ jobs:
           fetch-depth: 2  # 必须设置为 2 或 0，以便统计 Push 事件的变更
 
       - name: Send Discord Notification
-        uses: Time-Machine-Lab/TML-Github-Actions/actions/discord-github-notify@main
+        uses: Time-Machine-Lab/TML-Github_Actions/actions/discord-github-notify@main
         with:
           webhook_url: ${{ secrets.DISCORD_WEBHOOK_URL }}
 ```
