ci(sync-uuid): SSH into the self-hosted server to run the DB scripts (replacing the direct Neon connection) #304

Merged
longsizhuo merged 3 commits into main from feat/sync-uuid-via-ssh on Apr 17, 2026

Conversation

@longsizhuo
Member

Background

After the DB moved from Neon to a self-hosted Docker PG (backend#12), the PG port is bound only to `127.0.0.1:5432` and is not exposed to the public internet. The original workflow had the GH runner connect directly to `DATABASE_URL`, which now fails immediately.

Approach

SSH into the server and run the scripts there. The server already has:

  • a full repo clone, with pnpm installed and the prisma client generated
  • local access to PG (127.0.0.1)
  • a GitHub key registered in `~/.ssh`, so it can push back

This is the smallest change compared with a Cloudflare Tunnel or rewriting the scripts to go through the backend API.

Changes

  • `.github/workflows/sync-uuid.yml` becomes a single `appleboy/ssh-action` step
  • Script flow: fetch & reset → pnpm install → prisma generate → uuid.mjs → backfill-contributors.mjs → [skip ci] commit + push
  • `set -euo pipefail` makes the whole job fail if any step fails
  • Commit only when MDX / JSON files have a diff, to avoid empty pushes
  • `command_timeout: 15m` gives the backfill enough time

Required repo secrets

Name              Value
`SERVER_HOST`     public IP of the server
`SERVER_USER`     `ubuntu`
`SERVER_SSH_KEY`  newly generated ed25519 private key; the public key has been added to the server's authorized_keys

(already configured)

Verification

First trigger path after merge:

  • Change any MDX file or use workflow dispatch → let it run → check the Actions tab logs: SSH succeeded, the scripts ran normally, and the commit landed back in the repo

Related deferred work

`scripts/generate-leaderboard.mjs` is still hooked into `prebuild` in `package.json`, so it also runs (and fails) during the Vercel build. Two ways to handle this:

  1. Move it into this workflow and run it together with backfill-contributors (recommended)
  2. Have the prebuild script degrade silently to the JSON from the last commit when it fails

Left for a follow-up PR.

After the DB moved from Neon to self-hosted it is bound only to 127.0.0.1:5432, so the GH runner
cannot connect directly. The cleanest approach is to SSH into the server and run there: the server
has a full repo clone, local access to PG, and an existing GitHub SSH key that can push back.

- Use appleboy/ssh-action@v1.2.0 with three secrets: SERVER_HOST / SERVER_USER / SERVER_SSH_KEY
- Script flow: fetch + reset --hard to the triggering commit → pnpm install + prisma
  generate → uuid.mjs → backfill-contributors.mjs → commit [skip ci] + push only when there is a diff
- set -euo pipefail makes the whole action fail if any step fails
- command_timeout 15m leaves enough headroom for the backfill

One-time preparation (done; not part of CI):
- Added the gh-actions-leaderboard public key to the server's ~/.ssh/authorized_keys
- Pointed DATABASE_URL in ~/involution-hell-project/frontend/.env at 127.0.0.1

Note: scripts/generate-leaderboard.mjs is still in the prebuild hook of package.json,
so Vercel deployments will still try to run it. That is handled separately: either move it
into this workflow or let the Vercel build degrade gracefully (skip on failure and use the
JSON from the last commit).
Copilot AI review requested due to automatic review settings April 17, 2026 23:13

vercel Bot commented Apr 17, 2026


Project Deployment Actions Updated (UTC)
involutionhell-github-io Ready Ready Preview, Comment Apr 17, 2026 11:55pm
website-preview Ready Ready Preview, Comment Apr 17, 2026 11:55pm

Contributor

Copilot AI left a comment


Pull request overview

Updates the docs backfill automation to run database-dependent scripts on the self-hosted server (via SSH) instead of having the GitHub-hosted runner directly connect to Postgres, aligning CI with the new “DB only bound to 127.0.0.1” deployment model.

Changes:

  • Replaces the multi-step GitHub runner workflow with a single appleboy/ssh-action step to run the backfill pipeline on the server.
  • Adds a remote script sequence: hard reset to the triggering branch → install deps → prisma generate → run uuid.mjs and backfill-contributors.mjs → commit/push only when outputs changed.
  • Adds stricter shell failure behavior (set -euo pipefail) and extends command timeout for the backfill run.


Comment on lines +52 to +57
cd /home/ubuntu/involution-hell-project/frontend

# Verify pnpm version matches package.json packageManager field
- name: Check pnpm version
run: node scripts/check-pnpm-version.mjs
# 1. 同步仓库到触发本次 workflow 的 commit
git fetch --prune origin
git checkout "$BRANCH"
git reset --hard "origin/$BRANCH"
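Review bot: `git reset --hard "origin/$BRANCH"` on line +57 silently discards whatever is left in the server's working tree, so a stray manual edit or a locally assigned docId disappears without a trace; fail loudly before the reset if `git status --porcelain` prints anything (the gate added later in this PR does exactly that). The rewrite also drops the old `Check pnpm version` step (`node scripts/check-pnpm-version.mjs`); run it on the server before `pnpm install` so a pnpm/packageManager mismatch still fails early. Note that `BRANCH` on line +55 is not among the `envs` (only `GITHUB_REF_NAME` is passed), so the script body must assign `BRANCH` from `GITHUB_REF_NAME` before this point, otherwise `set -u` aborts on the unset variable.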
Comment on lines +44 to +49
# 超时 15 分钟:backfill-contributors 要遍历所有 docs + 拉 GitHub API,
# 大改动一次跑 3-5 分钟,留足余量
command_timeout: 15m
# set -euo pipefail + BRANCH 透传,脚本内任何一步失败都让整个 action fail
envs: GITHUB_REF_NAME
script: |
- name: Install deps
run: pnpm install --frozen-lockfile
# 2. 依赖和 Prisma client(frontend .env 里 DATABASE_URL 已指本地 PG)
set -a && . ./.env && set +a
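Review bot: `set -a && . ./.env && set +a` exports every variable in the server's .env, DATABASE_URL with its credentials included, into the environment of every process the script spawns afterwards (pnpm lifecycle scripts, prisma, git hooks); export only what uuid.mjs and backfill-contributors.mjs actually read, and keep the script free of `set -x` so the values never land in the Actions log. The removed `pnpm install --frozen-lockfile` step should be re-created on the server with the same `--frozen-lockfile` flag, otherwise lockfile drift goes unnoticed. The comment above `envs:` promises `set -euo pipefail`, but it is not in the visible lines; it must be the first line of `script:` so a missing .env fails the job instead of continuing with an empty DATABASE_URL.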
An audit found 3 edge-case risks in the original workflow that could make uuid.mjs/backfill produce wrong data:

1. A dirty working tree gets wiped by git reset --hard → may waste a docId or erase manual edits
2. When DATABASE_URL is missing, backfill silently degrades to a snapshot of the current run → the JSON is overwritten and shows a wrong cumulative total
3. Abnormally low DB row count (the DB was accidentally wiped) → incremental accumulation restarts from 0, and old commits beyond the N-page per-file limit of the GH API are lost for good

Add three gates:
- git status --porcelain non-empty → fail loud, forcing manual intervention
- DATABASE_URL empty → fail (GITHUB_TOKEN only warns)
- doc_contributors < 200 rows → fail (~295 rows when the migration finished; a conservative lower bound)

Long comments explain which invariant in the scripts each protection corresponds to, so whoever
reads the workflow later knows immediately why each block must not be removed.
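The three gates from the commit message above, plus the commit-only-on-MDX/JSON-diff rule from the PR description, as an added shell example (not the project's workflow or scripts): each gate takes its input as an argument so it can be exercised without a server, while the row count query against `doc_contributors`, the script file names in the comment and the commit message text are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the project's workflow: the three gates from the commit message
# and the "commit only when MDX/JSON changed" rule, as functions taking their inputs
# as arguments so they run without a server. Threshold and table name are from the
# commit message; the psql query, script names and commit message are assumptions.
set -euo pipefail
MIN_CONTRIBUTOR_ROWS=200   # conservative floor; ~295 rows when the migration finished

# Gate 1: `git reset --hard` would silently wipe manual edits or an already
# assigned docId. Argument: output of `git status --porcelain`.
guard_clean_tree() {
  [ -z "$1" ] && return 0
  echo "ERROR: working tree is dirty, refusing to reset; manual intervention needed:" >&2
  printf '%s\n' "$1" >&2
  return 1
}

# Gate 2: without DATABASE_URL backfill degrades to a snapshot of this run and
# overwrites the cumulative JSON. A missing GITHUB_TOKEN only warns.
guard_env() {
  if [ -z "${DATABASE_URL:-}" ]; then
    echo "ERROR: DATABASE_URL is empty; backfill would overwrite cumulative data" >&2
    return 1
  fi
  [ -n "${GITHUB_TOKEN:-}" ] || echo "WARN: GITHUB_TOKEN unset, GitHub API will rate-limit" >&2
}

# Gate 3: a suspiciously small doc_contributors table means the DB was wiped;
# restarting accumulation from 0 loses old commits beyond the API page limit.
guard_row_count() {
  case "$1" in ''|*[!0-9]*) echo "ERROR: bad row count '$1'" >&2; return 1 ;; esac
  [ "$1" -ge "$MIN_CONTRIBUTOR_ROWS" ] && return 0
  echo "ERROR: doc_contributors has $1 rows (< $MIN_CONTRIBUTOR_ROWS), refusing to backfill" >&2
  return 1
}
# Only generated MDX/JSON count as a diff worth committing (argument: porcelain output).
changed_outputs() {
  printf '%s\n' "$1" | grep -E '\.(mdx|json)$' || true
}

# Server-side wiring (runs only when invoked with `run`, so sourcing the file is safe).
main() {
  guard_clean_tree "$(git status --porcelain)"
  guard_env
  guard_row_count "$(psql "$DATABASE_URL" -Atc 'SELECT count(*) FROM doc_contributors')"
  # ... pnpm install --frozen-lockfile, prisma generate, uuid.mjs, backfill-contributors.mjs ...
  changed=$(changed_outputs "$(git status --porcelain)"); [ -n "$changed" ] || return 0
  git add -A && git commit -m "chore: sync uuid + contributors [skip ci]" && git push
}
if [ "${1:-}" = "run" ]; then main; fi
```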
@longsizhuo longsizhuo merged commit 07ac2ac into main Apr 17, 2026
4 of 6 checks passed
@longsizhuo longsizhuo deleted the feat/sync-uuid-via-ssh branch April 17, 2026 23:37