docs(infisical): 说明独立 OAuth App 是正常的#305
Merged
longsizhuo merged 2 commits into main, Apr 17, 2026
After the DB moved from Neon to a self-hosted instance it only binds 127.0.0.1:5432, so the GH runner cannot reach it directly. The cleanest option is to SSH into the server and run there: the server has a full repo clone, can reach PG locally, and already has a GitHub SSH key that can push back.
- Use appleboy/ssh-action@v1.2.0 with the three secrets SERVER_HOST / SERVER_USER / SERVER_SSH_KEY
- Script flow: fetch + reset --hard to the triggering commit → pnpm install + prisma generate → uuid.mjs → backfill-contributors.mjs → commit [skip ci] + push only when there is a diff
- set -euo pipefail makes the whole action fail if any step fails
- command_timeout 15m gives the backfill enough headroom
One-time preparation (already done, not part of CI):
- Add the gh-actions-leaderboard public key to ~/.ssh/authorized_keys on the server
- Point DATABASE_URL in ~/involution-hell-project/frontend/.env at 127.0.0.1
Note: scripts/generate-leaderboard.mjs is still in the prebuild hook of package.json, so Vercel deploys will still try to run it. That is handled separately: either move it into this workflow, or let the Vercel build degrade gracefully (skip on failure and use the last committed JSON).
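The step sequence described in the commit message, written out as an added example workflow. This is not the project's sync-uuid.yml; it shows the same SSH-based backfill with the hardening a reviewer would ask for: the action pinned to a commit SHA (the all-zero SHA below is a placeholder, not a real release), host-key verification through the action's `fingerprint` input, the exact triggering commit (`GITHUB_SHA`) instead of the branch tip, and a commit that only happens when the generated file changed. The repository name, the `paths` filter, the `SERVER_HOST_FINGERPRINT` secret, the `--frozen-lockfile` flag and the bot author identity are assumptions; the secret names, script names, server path and `generated/doc-contributors.json` come from the PR.

```yaml
# Added example, not the project's own workflow. Placeholders and assumptions
# are marked inline.
name: Docs Backfill (on docs changes)

on:
  push:
    branches: [main, feat/contributor]
    paths: ["docs/**"]            # assumption: trigger only on docs changes

# The runner never pushes; the server pushes with its own SSH key,
# so the workflow token only needs read access.
permissions:
  contents: read

jobs:
  backfill:
    # Assumed guard: no forks, and skip the bot's own [skip ci] commits.
    if: >-
      github.repository == 'InvolutionHell/involution-hell-project' &&
      !contains(github.event.head_commit.message, '[skip ci]')
    runs-on: ubuntu-latest
    steps:
      - name: Run backfill on server via SSH
        # Pin to a full commit SHA, not the mutable v1.2.0 tag; this step
        # receives the server's private key. The SHA below is a placeholder.
        uses: appleboy/ssh-action@0000000000000000000000000000000000000000 # v1.2.0
        with:
          host: ${{ secrets.SERVER_HOST }}
          username: ${{ secrets.SERVER_USER }}
          key: ${{ secrets.SERVER_SSH_KEY }}
          # Assumed secret: SHA256 fingerprint of the server's host key.
          # Without it the action trusts whatever answers at SERVER_HOST.
          fingerprint: ${{ secrets.SERVER_HOST_FINGERPRINT }}
          command_timeout: 15m
          envs: GITHUB_SHA,GITHUB_REF_NAME
          script: |
            set -euo pipefail
            # Fail if the ref name is missing instead of silently using main.
            BRANCH="${GITHUB_REF_NAME:?GITHUB_REF_NAME not set}"
            cd /home/ubuntu/involution-hell-project/frontend

            # 1. Sync to the exact commit that triggered this run.
            git fetch --prune origin
            git checkout "$BRANCH"
            git reset --hard "$GITHUB_SHA"

            # 2. Dependencies and Prisma client (lockfile enforced: assumption).
            pnpm install --frozen-lockfile
            pnpm exec prisma generate

            # 3./4. Backfill against the local PG (DATABASE_URL -> 127.0.0.1).
            node scripts/uuid.mjs
            node scripts/backfill-contributors.mjs

            # 5. Stage only the generated artefact, never the working tree,
            #    so server-local files such as .env cannot be committed.
            git add generated/doc-contributors.json
            if git diff --cached --quiet; then
              echo "no contributor changes"
              exit 0
            fi
            git -c user.name=gh-actions-leaderboard \
                -c user.email=gh-actions-leaderboard@users.noreply.github.com \
                commit -m "chore: backfill doc contributors [skip ci]"
            # Push only the commit just made, back to the same branch.
            git push origin "HEAD:$BRANCH"
```

`git diff --cached --quiet` exits 1 when staged changes exist, which is why it is used inside the `if` rather than as a bare command under `set -e`. The `[skip ci]` marker is honored by GitHub for push events, so the `contains` guard is a second line of defence rather than the only one.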
Prevent contributors from reading "I just authorized InvolutionHell, why is it asking again" as phishing.
- The DeveloperToolsIfOwner button title explains: on first entry GitHub will ask for authorization once more, and this is normal, because Infisical is a separate App; the authorization page shows owned by InvolutionHell and the same logo, which is how to recognize it
- The "login method" column of the CONTRIBUTING service overview table is updated to "separate App InvolutionHell Infisical"
- Step 2 of the CONTRIBUTING application flow is expanded: explains that scopes / tokens are fully isolated and how to confirm it is not phishing
Backend design choice: do not reuse the main site's OAuth App. A classic OAuth App allows only a single callback URL, and forcing reuse would mean upgrading to a GitHub App, which triggers re-authorization for all 92 users. A separate App is the cleanest option.
Pull request overview
This PR aims to reduce user confusion around Infisical’s GitHub OAuth re-authorization by clarifying that Infisical uses a separate GitHub OAuth App, and (in addition to the stated copy changes) it also alters the docs backfill GitHub Actions workflow to run on a self-hosted server via SSH.
Changes:
- Add an explanatory tooltip to the “密钥管理 ↗” (Infisical) entry point on user profiles.
- Expand CONTRIBUTING infrastructure docs to explicitly describe the separate “InvolutionHell Infisical” OAuth App and why re-authorization happens.
- Update `.github/workflows/sync-uuid.yml` to execute backfill scripts on a remote server over SSH and auto-commit from that server.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| app/u/[username]/DeveloperToolsIfOwner.tsx | Adds tooltip copy explaining the separate OAuth App / re-authorization behavior. |
| CONTRIBUTING.md | Updates infra access documentation and service table to reflect separate Infisical OAuth App and guidance for recognizing legit auth. |
| .github/workflows/sync-uuid.yml | Switches docs backfill workflow from GitHub runner execution to SSH-based execution on a self-hosted server. |
| className="font-mono text-[11px] uppercase tracking-widest px-2 py-1 border border-[var(--foreground)] text-[var(--foreground)] hover:bg-[var(--foreground)] hover:text-[var(--background)] transition-colors font-bold" | ||
| data-umami-event="profile_devtools_secrets_click" | ||
| title="Infisical 密钥管理(GitHub OAuth 登录,按 project 权限查看)" | ||
| title="Infisical 密钥管理 — 首次进入 GitHub 会要你再授权一次,这是正常的:Infisical 和主站是两个独立的 OAuth App(授权页会显示 owned by InvolutionHell 和相同 logo)。登录后按 project 权限查看" |
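Review bot: the new title text tells users to recognize the legitimate authorization page by "owned by InvolutionHell" and the same logo, but a phishing page can copy both; the signal that cannot be copied is the address bar (github.com, the /login/oauth/authorize path), so the tooltip or the CONTRIBUTING step it relies on should name that check too. A title attribute is also only visible on hover, so keep the sentence short and put the full explanation in CONTRIBUTING.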
Comment on lines 1 to +9
| name: Docs Backfill (on docs changes) | ||
|
|
||
| # 2026-04-17 起从"GH runner 直连 Neon"改为"SSH 进自建服务器跑脚本"。 | ||
| # 原因:DB 从 Neon 迁到服务器自建 PG 后只绑 127.0.0.1:5432,不对公网暴露。 | ||
| # 设计权衡见 wiki Frontend-Auth-And-Admin / 后端 docs/database.md。 | ||
| # | ||
| # Secrets 依赖: | ||
| # SERVER_HOST / SERVER_USER / SERVER_SSH_KEY — SSH 远程登录三件套 | ||
| # (私钥生成方式 + 公钥已写入服务器 ~/.ssh/authorized_keys,见仓库 wiki) |
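Review bot: the header comment says the public key is in the server's ~/.ssh/authorized_keys but not whether that entry is restricted; since SERVER_SSH_KEY gives any runner that holds it a shell as SERVER_USER, document (or apply) `from=` / `restrict` options on that entry and what the key is expected to run, and note where the private key is kept so it can be rotated. The comment points to the wiki for key generation; a one-line pointer to the rotation procedure belongs next to it.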
Comment on lines +32 to 33
| # 防止 fork、限定 main / feat/contributor、并避免机器人循环 | ||
| if: |
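Review bot: the comment promises three guards (no forks, only main / feat/contributor, no bot loop) but the `if:` expression itself is not visible in this view, so none of them can be verified here; please confirm the expression compares `github.repository` for the fork case and that the loop guard relies on the `[skip ci]` marker the server-side commit adds, since a push of the generated JSON to the same branch would otherwise retrigger this workflow.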
Comment on lines +48 to +57
| envs: GITHUB_REF_NAME | ||
| script: | | ||
| set -euo pipefail | ||
| BRANCH="${GITHUB_REF_NAME:-main}" | ||
| cd /home/ubuntu/involution-hell-project/frontend | ||
|
|
||
| # Verify pnpm version matches package.json packageManager field | ||
| - name: Check pnpm version | ||
| run: node scripts/check-pnpm-version.mjs | ||
| # 1. 同步仓库到触发本次 workflow 的 commit | ||
| git fetch --prune origin | ||
| git checkout "$BRANCH" | ||
| git reset --hard "origin/$BRANCH" |
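Review bot: `git reset --hard "origin/$BRANCH"` syncs to the current branch tip, not to the commit that triggered the run as the step comment says; two pushes in quick succession make the first run process the second commit's tree. Pass GITHUB_SHA via `envs` and use `git reset --hard "$GITHUB_SHA"` after the fetch. `BRANCH="${GITHUB_REF_NAME:-main}"` also silently falls back to main when the variable is missing; with `set -u` already in place, `${GITHUB_REF_NAME:?}` fails loudly instead. The removed `scripts/check-pnpm-version.mjs` step has no server-side replacement, so a pnpm mismatch on the server now only surfaces as an install or generate error.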
Comment on lines +67 to +68
| # 4. 回填 contributors 并写 generated/doc-contributors.json | ||
| pnpm exec tsx scripts/backfill-contributors.mjs |
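Review bot: `pnpm exec tsx scripts/backfill-contributors.mjs` runs a plain ES module through tsx; Node executes .mjs directly (`node scripts/backfill-contributors.mjs`), so tsx is only needed if the script imports TypeScript. Dropping it removes one dependency from the path that runs with database access on the server.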
Comment on lines +38 to +43
| - name: Run backfill on server via SSH | ||
| uses: appleboy/ssh-action@v1.2.0 | ||
| with: | ||
| node-version: 22 | ||
| cache: "pnpm" # 顺便启用 pnpm 缓存,加速 | ||
| host: ${{ secrets.SERVER_HOST }} | ||
| username: ${{ secrets.SERVER_USER }} | ||
| key: ${{ secrets.SERVER_SSH_KEY }} |
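Review bot: `node-version: 22` and `cache: "pnpm"` sit inside the `with:` block of appleboy/ssh-action, where they are not recognized inputs; if they are leftovers of the removed setup-node step, delete them so the run does not emit unexpected-input warnings. Two hardening points for this step: pin the action to a full commit SHA instead of the mutable `v1.2.0` tag, because this step is handed the server's private key, and set the action's `fingerprint` input to the server's host-key fingerprint so the connection fails closed on a mismatch rather than trusting whatever answers at SERVER_HOST.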
Background
We created a separate GitHub OAuth App `InvolutionHell Infisical` for Infisical (a classic OAuth App allows only a single callback URL; forcing reuse of the main site's App would require upgrading to a GitHub App, which would trigger re-authorization for all 92 users of the main site).
The resulting user concern: users who have already authorized the main site InvolutionHell click "密钥管理 ↗", land on GitHub, and see a request to authorize `InvolutionHell Infisical` once more, which is easy to misread as phishing.
Changes
No code-logic changes; only two pieces of copy are changed:
Impact on database authentication
Zero impact. GitHub's `github_id` is a platform-wide unique numeric ID, independent of which OAuth App performed the authorization. The main site's `user_accounts.github_id` and the `github_id` in Infisical's internal user table automatically line up to the same person, but the two databases are fully independent and do not contaminate each other.
Deployment dependency
A new OAuth App must be registered under the GitHub org:
Then enter the new App's client_id/secret in Infisical Settings → Auth → GitHub.