From 4111c2c6ed9f9310cff38e97e9c84200c5027713 Mon Sep 17 00:00:00 2001
From: shuirong
Date: Mon, 27 Apr 2026 18:42:04 +0900
Subject: [PATCH] =?UTF-8?q?feat(ci):=20onprem-release=20=E5=88=86=E6=94=AF?=
 =?UTF-8?q?=E6=9E=84=E5=BB=BA=E5=90=8E=E8=87=AA=E5=8A=A8=20SSH=20=E9=83=A8?=
 =?UTF-8?q?=E7=BD=B2=E5=88=B0=E6=9C=8D=E5=8A=A1=E5=99=A8?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

参考 gbase-frontend-onprem 的 CD 流程,在 docker-hub-build-push 中新增 deploy 参数与 when 块:构建&推送完成后通过 ssh-keyscan + add_ssh_keys 连接 onprem 服务器,sed 改写 docker-compose.yml 的 catalog-agent image 行并重启服务。仅 AMD64 任务在 onprem-release 分支启用,ARM64 与其他分支保持只构建。

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .circleci/config.yml | 46 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 8fde4b9..bc1eed2 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -67,6 +67,9 @@ jobs:
 type: string
 docker-tag:
 type: string
+ deploy:
+ type: boolean
+ default: false
 steps:
 - checkout
 - run:
@@ -92,11 +95,52 @@ jobs: docker push <>:<> docker push <>:$IMAGE_TAG + # 把 IMAGE_TAG 透传到后续 step(CD SSH 部署需要使用) + echo "export IMAGE_TAG=$IMAGE_TAG" >> $BASH_ENV + bash scripts/ci/notify_feishu.sh \ --event docker_hub \ --image-repo <> \ --image-tag <> \ --version-tag "$IMAGE_TAG" + - when: + # 仅当 deploy=true 且当前分支为 onprem-release 时才触发 CD,避免其他分支误部署 + condition: + and: + - << parameters.deploy >> + - equal: [ onprem-release, << pipeline.git.branch >> ] + steps: + # 将预先在 CircleCI 项目设置 → SSH Keys 上传的私钥加载到 ssh-agent + # ONPREM_DEPLOY_SSH_KEY_FINGERPRINT 是上传私钥后 CircleCI 返回的 MD5 指纹 + - add_ssh_keys: + fingerprints: + - "$ONPREM_DEPLOY_SSH_KEY_FINGERPRINT" + - run: + name: SSH 部署到服务器(更新 catalog-agent 镜像并重启) + command: | + # 把服务器公钥写入 known_hosts,避免首次连接时的交互确认 + # 服务器 SSH 端口通过 ONPREM_DEPLOY_SSH_PORT 环境变量控制(例如 17290) + mkdir -p ~/.ssh + ssh-keyscan -H -p "$ONPREM_DEPLOY_SSH_PORT" "$ONPREM_DEPLOY_SSH_HOST" >> ~/.ssh/known_hosts 2>/dev/null + + # 将本次生成的 IMAGE_TAG 透传到远端脚本 + # - 本地 shell 展开 $IMAGE_TAG 组装成远端命令前缀 + # - heredoc 使用 'REMOTE' 单引号形式,避免本地对脚本体再次展开 + # - sed 直接替换 catalog-agent 的整行 image 字段(兼容 "gptbasesparticle/..." 或 + # "docker.gbase.ai/..." 等任意仓库前缀、以及 0.0.x 等任意标签格式) + # - 通过「标签首字符是数字」排除 arm64 等非 AMD64 镜像干扰(本 CD 仅在 AMD64 job 触发) + ssh -p "$ONPREM_DEPLOY_SSH_PORT" "$ONPREM_DEPLOY_SSH_USER@$ONPREM_DEPLOY_SSH_HOST" \ + "IMAGE_TAG='$IMAGE_TAG' bash -s" \<<'REMOTE' + set -euo pipefail + cd gbase_onprem + echo "更新前 catalog-agent 镜像行:" + grep -E '^[[:space:]]*image:[[:space:]]*[^#[:space:]]*catalog-agent:[0-9]' docker-compose.yml || true + sed -i -E "s|^([[:space:]]*)image:[[:space:]]*[^#[:space:]]*catalog-agent:[0-9][^[:space:]]*|\1image: gptbasesparticle/catalog-agent:${IMAGE_TAG}|" docker-compose.yml + echo "更新后 catalog-agent 镜像行:" + grep -E "^[[:space:]]*image:[[:space:]]*gptbasesparticle/catalog-agent:${IMAGE_TAG}" docker-compose.yml + docker compose down catalog-agent + docker compose up catalog-agent -d + REMOTE workflows: backend_build_and_push: 
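Review bot: The `ssh-keyscan -H -p "$ONPREM_DEPLOY_SSH_PORT" "$ONPREM_DEPLOY_SSH_HOST" >> ~/.ssh/known_hosts 2>/dev/null` line in the new deploy step trusts whatever host key is presented on every run, so host-key verification never actually protects this connection (a redirected or impersonated host would be accepted without any error), and the `2>/dev/null` also hides a failed scan. Pin the key instead: store the server's public host-key line in a project environment variable and write it with `echo "$ONPREM_DEPLOY_SSH_HOST_KEY" >> ~/.ssh/known_hosts` (the variable name is a placeholder to be created in the CircleCI project settings), leaving ssh's default strict host-key checking to reject a mismatch. On the ssh line, if `\<<'REMOTE'` is literal rather than a rendering artifact, bash treats `\<` as a literal `<` argument and `<'REMOTE'` as an input redirect from a file named REMOTE, so the heredoc never reaches `bash -s` and the step fails; the intended form is `"IMAGE_TAG='$IMAGE_TAG' bash -s" <<'REMOTE'` without the backslash. I am also not confident that `add_ssh_keys.fingerprints` interpolates `$ONPREM_DEPLOY_SSH_KEY_FINGERPRINT` rather than taking the value literally; please confirm against CircleCI's documentation, since a literal value would mean no deploy key is loaded. The `run` step and its enclosing job definition begin before this hunk.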
@@ -184,6 +228,8 @@ workflows:
 repo: gptbasesparticle/catalog-agent
 dockerfile: Dockerfile
 docker-tag: latest
+ # 启用 CD:构建&推送完成后 SSH 到服务器更新 catalog-agent 镜像(仅 onprem-release 分支生效,见 job 内 when 条件)
+ deploy: true
 filters:
 branches:
 only: