fix(ci): release-server 首次实跑修复 + go 工具链 sha256 pin
Deploy Server / deploy-server (push) Failing after 13m45s

- lib-forgejo/release-server: 5 处 read -r X < file 在 set -e 下遇无结尾换行的
  EOF 会返回 1 静默中止(ver_from_tag printf 无换行、curl -w http_code 无换行);
  逐处加 || true 容错(值已赋)。
- lib-forgejo: 空数组 ${FORGEJO_CURL_TLS[@]} 在 set -u 下老 bash 报 unbound;
  改 empty-safe 展开(可移植 + 本地可测)。
- deploy-server.yml: Setup Go 加 sha256 校验(供应链完整性, 防镜像篡改注入工具链)。

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_013nMthbVEmQquxBRKb9Fj8u
This commit is contained in:
wangjia
2026-07-06 18:04:51 +08:00
parent 8850c94e96
commit f1950ffb6f
3 changed files with 16 additions and 8 deletions
+4
View File
@@ -25,7 +25,11 @@ jobs:
- name: Setup Go 1.25.10(CN 镜像)
run: |
GO_VER=1.25.10
# 供应链完整性:校验 sha256(取自 Go 官方 release JSON,pin 为字面量),
# 防镜像被篡改/MITM 注入恶意工具链(它会编译要上生产的二进制)。校验失败即中止。
GO_SHA256=42d4f7a32316aa66591eca7e89867256057a4264451aca10570a715b3637ba70
curl -fsSL "https://golang.google.cn/dl/go${GO_VER}.linux-amd64.tar.gz" -o /tmp/go.tgz
echo "${GO_SHA256} /tmp/go.tgz" | sha256sum -c -
rm -rf /usr/local/go
tar -C /usr/local -xzf /tmp/go.tgz
echo "/usr/local/go/bin" >> "$GITHUB_PATH"
+9 -7
View File
@@ -43,11 +43,13 @@ forgejo_release_ensure() {
get_code_file="/tmp/forgejo_get_code.$$"
get_body_file="/tmp/forgejo_get_body.$$.json"
curl "${FORGEJO_CURL_TLS[@]}" -s -o "$get_body_file" -w '%{http_code}' \
curl ${FORGEJO_CURL_TLS[@]+"${FORGEJO_CURL_TLS[@]}"} -s -o "$get_body_file" -w '%{http_code}' \
-H "Authorization: token ${FORGEJO_TOKEN}" \
"${FORGEJO_URL}/api/v1/repos/${FORGEJO_REPO}/releases/tags/${tag}" \
> "$get_code_file"
read -r get_code < "$get_code_file"
# `|| true`: curl -w '%{http_code}' 写入的值无结尾换行,read 到无换行 EOF 返回 1
# (值已赋)→ set -e 会静默中止。容错该退出码;文件恒由上面的 curl 创建,不掩盖真错。
read -r get_code < "$get_code_file" || true
rm -f "$get_code_file"
if [ "$get_code" = "200" ]; then
@@ -81,13 +83,13 @@ json.dump(
)
' > "$create_req_file"
curl "${FORGEJO_CURL_TLS[@]}" -s -o "$create_body_file" -w '%{http_code}' \
curl ${FORGEJO_CURL_TLS[@]+"${FORGEJO_CURL_TLS[@]}"} -s -o "$create_body_file" -w '%{http_code}' \
-X POST "${FORGEJO_URL}/api/v1/repos/${FORGEJO_REPO}/releases" \
-H "Authorization: token ${FORGEJO_TOKEN}" \
-H "Content-Type: application/json" \
--data @"$create_req_file" \
> "$create_code_file"
read -r create_code < "$create_code_file"
read -r create_code < "$create_code_file" || true # 无结尾换行,见 forgejo_release_ensure 注释
rm -f "$create_code_file" "$create_req_file"
if [ "$create_code" -lt 200 ] || [ "$create_code" -ge 300 ]; then
@@ -108,7 +110,7 @@ _forgejo_read_release_id() {
id_file="/tmp/forgejo_release_id.$$"
python3 -c "import json,sys; print(json.load(open(sys.argv[1]))['id'])" \
"$json_file" > "$id_file"
read -r RELEASE_ID < "$id_file"
read -r RELEASE_ID < "$id_file" || true # python 写入可能无结尾换行,见上注释
rm -f "$id_file"
export RELEASE_ID
}
@@ -125,12 +127,12 @@ forgejo_upload_asset() {
code_file="/tmp/forgejo_upload_code.$$"
body_file="/tmp/forgejo_upload_body.$$.json"
curl "${FORGEJO_CURL_TLS[@]}" -s -o "$body_file" -w '%{http_code}' \
curl ${FORGEJO_CURL_TLS[@]+"${FORGEJO_CURL_TLS[@]}"} -s -o "$body_file" -w '%{http_code}' \
-X POST "${FORGEJO_URL}/api/v1/repos/${FORGEJO_REPO}/releases/${RELEASE_ID}/assets" \
-H "Authorization: token ${FORGEJO_TOKEN}" \
-F "attachment=@${file}" \
> "$code_file"
read -r code < "$code_file"
read -r code < "$code_file" || true # curl http_code 无结尾换行,见上注释
rm -f "$code_file"
echo "==> forgejo: uploaded ${file} (HTTP ${code})"
+3 -1
View File
@@ -20,7 +20,9 @@ TAG="${1:?usage: release-server.sh <tag>}"
ver_file="/tmp/release_server_ver.$$"
ver_from_tag server "$TAG" > "$ver_file"
VER=""
read -r VER < "$ver_file"
# `|| true`: ver_from_tag 用 printf '%s'(无结尾换行),read 到无换行的 EOF 会返回 1
# (但 VER 已正确赋值)——set -e 下会静默退出。容错 read 的这个退出码,不掩盖真错。
read -r VER < "$ver_file" || true
rm -f "$ver_file"
echo "==> release-server: tag=${TAG} ver=${VER}"