Merge branch 'ling-drag0n:main' into main

Author: Ai686Leo

.dockerignore

@@ -4,7 +4,9 @@
 
 # 本地构建产物 / 依赖缓存
 **/node_modules
-**/dist
+/dist
+/frontend/dist
+/backend/dist
 **/.vite
 **/.cache
 
@@ -15,6 +17,7 @@ logs
 *.log
 
 # 本地工具与临时文件
+.codex
 .DS_Store
 Thumbs.db
 *.swp

.github/workflows/deploy-backend-cloudflare.yml

@@ -134,95 +134,42 @@ jobs:
         run: |
           npx wrangler d1 execute cloudpaste-db --file=./schema.sql || echo "表可能已存在，继续部署"
 
-      - name: Set ENCRYPTION_SECRET environment variable
+      - name: Resolve ENCRYPTION_SECRET for deploy
         env:
           CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
           CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
         run: |
-          echo "检查ENCRYPTION_SECRET配置情况..."
+          echo "检查 ENCRYPTION_SECRET 配置..."
 
-          # 1. 检查wrangler.toml中是否有硬编码的ENCRYPTION_SECRET
-          if grep -q "ENCRYPTION_SECRET =" wrangler.toml; then
-            echo "⚠️ 检测到wrangler.toml中存在硬编码的ENCRYPTION_SECRET"
-            echo "为确保GitHub Actions的密钥设置生效，将从wrangler.toml中移除硬编码密钥"
-
-            # 临时备份wrangler.toml
-            cp wrangler.toml wrangler.toml.bak
-
-            # 移除硬编码的ENCRYPTION_SECRET行
-            sed -i '/ENCRYPTION_SECRET =/d' wrangler.toml
-
-            echo "✅ 已从wrangler.toml中移除硬编码的ENCRYPTION_SECRET"
-          else
-            echo "✅ wrangler.toml中未检测到硬编码的ENCRYPTION_SECRET"
-          fi
-
-          # 2. 检查GitHub中是否已配置ENCRYPTION_SECRET
-          if [[ -n "${{ secrets.ENCRYPTION_SECRET }}" ]]; then
-            echo "✅ GitHub中已配置ENCRYPTION_SECRET"
-            GITHUB_HAS_SECRET=true
-          else
-            echo "⚠️ GitHub中未配置ENCRYPTION_SECRET"
-            GITHUB_HAS_SECRET=false
-          fi
-
-          # 3. 检查Worker中是否已存在ENCRYPTION_SECRET (作为secret变量)
+          # 1) 如果 Worker 里已存在 ENCRYPTION_SECRET（作为 Secret），则保持不变（跳过）
           set +e
           SECRET_LIST_OUTPUT=$(npx wrangler secret list 2>&1)
           set -e
-
           if echo "$SECRET_LIST_OUTPUT" | grep -q "ENCRYPTION_SECRET"; then
-            echo "✅ Worker中已存在ENCRYPTION_SECRET(作为secret变量)"
-            WORKER_HAS_SECRET=true
-          else
-            echo "⚠️ Worker中未检测到ENCRYPTION_SECRET(作为secret变量)"
-            WORKER_HAS_SECRET=false
+            echo "✅ Worker 已存在 ENCRYPTION_SECRET（Secret），保持不变"
+            exit 0
           fi
 
-          # 如果Worker中已有密钥，则跳过创建
-          if [[ "$WORKER_HAS_SECRET" == "true" ]]; then
-            echo "✅ Worker中已存在ENCRYPTION_SECRET(作为secret变量)，跳过创建步骤"
-          else
-            # 确定要使用的密钥值
-            if [[ "$GITHUB_HAS_SECRET" == "true" ]]; then
-              echo "使用GitHub中配置的ENCRYPTION_SECRET值"
-              ENCRYPTION_VALUE="${{ secrets.ENCRYPTION_SECRET }}"
-            else
-              echo "生成随机ENCRYPTION_SECRET值"
-              ENCRYPTION_VALUE=$(openssl rand -base64 32)
-            fi
+          # 2) 如果 GitHub Secrets 里配置了 ENCRYPTION_SECRET，则使用
+          if [[ -n "${{ secrets.ENCRYPTION_SECRET }}" ]]; then
+            echo "✅ 使用 GitHub Secrets 中的 ENCRYPTION_SECRET"
+            ENCRYPTION_VALUE="${{ secrets.ENCRYPTION_SECRET }}"
+            ENCRYPTION_ESCAPED=$(printf '%s' "$ENCRYPTION_VALUE" | sed -e 's/[\\/&]/\\&/g')
 
-            # 设置密钥到Worker
-            set +e
-            echo "正在设置ENCRYPTION_SECRET..."
-            SECRET_PUT_OUTPUT=$(echo "$ENCRYPTION_VALUE" | npx wrangler secret put ENCRYPTION_SECRET 2>&1)
-            SECRET_RESULT=$?
-            set -e
-
-            echo "Secret put 输出:"
-            echo "$SECRET_PUT_OUTPUT" | grep -v "Please update to the latest version"
-
-            if [ $SECRET_RESULT -ne 0 ]; then
-              # 如果错误是由于密钥已存在导致的，视为成功
-              if echo "$SECRET_PUT_OUTPUT" | grep -q -E "(already in use|already exists|conflict)"; then
-                echo "⚠️ 密钥已存在于Worker中但未被列表命令检测到，继续执行"
-              else
-                # 最后再检查一次是否因为密钥已存在但未被正确检测
-                set +e
-                FINAL_CHECK=$(npx wrangler secret list 2>&1)
-                set -e
-
-                if echo "$FINAL_CHECK" | grep -q "ENCRYPTION_SECRET"; then
-                  echo "虽然设置密钥失败，但密钥似乎已存在于Worker中，继续执行"
-                else
-                  echo "❌ 设置密钥失败，且密钥确实不存在，退出部署"
-                  echo "详细错误信息: $SECRET_PUT_OUTPUT"
-                  exit 1
-                fi
-              fi
+            if grep -q "^ENCRYPTION_SECRET =" wrangler.toml; then
+              sed -i -E "s/^ENCRYPTION_SECRET = \".*\"$/ENCRYPTION_SECRET = \"${ENCRYPTION_ESCAPED}\"/" wrangler.toml
             else
-              echo "✅ ENCRYPTION_SECRET 已成功创建(作为secret变量)"
+              sed -i -E "/^\\[vars\\]$/a\\ENCRYPTION_SECRET = \"${ENCRYPTION_ESCAPED}\"" wrangler.toml
             fi
+            exit 0
+          fi
+
+          # 3) GitHub 没配：用 wrangler.toml 
+          if grep -q "^ENCRYPTION_SECRET =" wrangler.toml; then
+            echo "✅ 使用 wrangler.toml 中的 ENCRYPTION_SECRET"
+          else
+            echo "❌ 缺少 ENCRYPTION_SECRET：GitHub Secrets 未配置，wrangler.toml 也没写"
+            exit 1
           fi
 
       - name: Deploy to Cloudflare Workers

.github/workflows/deploy-spa-cloudflare.yml

@@ -185,89 +185,44 @@ jobs:
           echo "初始化数据库表结构..."
           npx wrangler d1 execute cloudpaste-db --file=./schema.sql || echo "⚠️ 表可能已存在，继续部署"
 
-      # ==================== 步骤 4：设置环境变量 ====================
-      - name: Set ENCRYPTION_SECRET environment variable
+      # ==================== 步骤 4：环境变量（优先级：Worker现有 -> GitHub -> wrangler配置） ====================
+      - name: Resolve ENCRYPTION_SECRET for deploy
         working-directory: ./backend
         env:
           CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
           CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
         run: |
           echo "🔐 检查 ENCRYPTION_SECRET 配置..."
 
-          # 检查 wrangler.spa.toml 中是否有硬编码的 ENCRYPTION_SECRET
-          if grep -q "ENCRYPTION_SECRET =" wrangler.spa.toml; then
-            echo "⚠️ 检测到 wrangler.spa.toml 中存在硬编码的 ENCRYPTION_SECRET"
-            echo "为确保 GitHub Actions 的密钥设置生效，将从配置中移除"
-            cp wrangler.spa.toml wrangler.spa.toml.bak
-            sed -i '/ENCRYPTION_SECRET =/d' wrangler.spa.toml
-            echo "✅ 已移除硬编码的 ENCRYPTION_SECRET"
-          fi
-
-          # 检查 GitHub 中是否已配置 ENCRYPTION_SECRET
-          if [[ -n "${{ secrets.ENCRYPTION_SECRET }}" ]]; then
-            echo "✅ GitHub 中已配置 ENCRYPTION_SECRET"
-            GITHUB_HAS_SECRET=true
-          else
-            echo "⚠️ GitHub 中未配置 ENCRYPTION_SECRET"
-            GITHUB_HAS_SECRET=false
-          fi
-
-          # 使用 --name 参数指定 Worker 名称
-          # 检查 cloudpaste-spa Worker 中是否已存在 ENCRYPTION_SECRET
+          # 1) 如果 Worker 里已存在 ENCRYPTION_SECRET（作为 Secret），则保持不变（跳过）
           set +e
           SECRET_LIST_OUTPUT=$(npx wrangler secret list --name cloudpaste-spa 2>&1)
           set -e
-
           if echo "$SECRET_LIST_OUTPUT" | grep -q "ENCRYPTION_SECRET"; then
-            echo "✅ cloudpaste-spa Worker 中已存在 ENCRYPTION_SECRET"
-            WORKER_HAS_SECRET=true
-          else
-            echo "⚠️ cloudpaste-spa Worker 中未检测到 ENCRYPTION_SECRET"
-            WORKER_HAS_SECRET=false
+            echo "✅ Worker 已存在 ENCRYPTION_SECRET（Secret），保持不变"
+            exit 0
           fi
 
-          # 如果 Worker 中已有密钥，跳过创建
-          if [[ "$WORKER_HAS_SECRET" == "true" ]]; then
-            echo "✅ Worker 中已存在 ENCRYPTION_SECRET，跳过创建"
-          else
-            # 确定密钥值
-            if [[ "$GITHUB_HAS_SECRET" == "true" ]]; then
-              echo "使用 GitHub 中配置的 ENCRYPTION_SECRET 值"
-              ENCRYPTION_VALUE="${{ secrets.ENCRYPTION_SECRET }}"
-            else
-              echo "生成随机 ENCRYPTION_SECRET 值"
-              ENCRYPTION_VALUE=$(openssl rand -base64 32)
-            fi
+          # 2) 如果 GitHub Secrets 里配置了 ENCRYPTION_SECRET，则使用
+          if [[ -n "${{ secrets.ENCRYPTION_SECRET }}" ]]; then
+            echo "✅ 使用 GitHub Secrets 中的 ENCRYPTION_SECRET"
+            ENCRYPTION_VALUE="${{ secrets.ENCRYPTION_SECRET }}"
+            ENCRYPTION_ESCAPED=$(printf '%s' "$ENCRYPTION_VALUE" | sed -e 's/[\\/&]/\\&/g')
 
-            # 设置密钥到 cloudpaste-spa Worker
-            set +e
-            echo "正在为 cloudpaste-spa Worker 设置 ENCRYPTION_SECRET..."
-            SECRET_PUT_OUTPUT=$(echo "$ENCRYPTION_VALUE" | npx wrangler secret put ENCRYPTION_SECRET --name cloudpaste-spa 2>&1)
-            SECRET_RESULT=$?
-            set -e
-
-            echo "Secret put 输出:"
-            echo "$SECRET_PUT_OUTPUT" | grep -v "Please update to the latest version"
-
-            if [ $SECRET_RESULT -ne 0 ]; then
-              if echo "$SECRET_PUT_OUTPUT" | grep -q -E "(already in use|already exists|conflict)"; then
-                echo "⚠️ 密钥已存在但未被列表命令检测到，继续执行"
-              else
-                set +e
-                FINAL_CHECK=$(npx wrangler secret list --name cloudpaste-spa 2>&1)
-                set -e
-
-                if echo "$FINAL_CHECK" | grep -q "ENCRYPTION_SECRET"; then
-                  echo "虽然设置密钥失败，但密钥似乎已存在，继续执行"
-                else
-                  echo "❌ 设置密钥失败，且密钥确实不存在"
-                  echo "详细错误信息: $SECRET_PUT_OUTPUT"
-                  exit 1
-                fi
-              fi
+            if grep -q "^ENCRYPTION_SECRET =" wrangler.spa.toml; then
+              sed -i -E "s/^ENCRYPTION_SECRET = \".*\"$/ENCRYPTION_SECRET = \"${ENCRYPTION_ESCAPED}\"/" wrangler.spa.toml
             else
-              echo "✅ ENCRYPTION_SECRET 已成功创建"
+              sed -i -E "/^\\[vars\\]$/a\\ENCRYPTION_SECRET = \"${ENCRYPTION_ESCAPED}\"" wrangler.spa.toml
             fi
+            exit 0
+          fi
+
+          # 3) GitHub 没配：用 wrangler.spa.toml 
+          if grep -q "^ENCRYPTION_SECRET =" wrangler.spa.toml; then
+            echo "✅ 使用 wrangler.spa.toml 中的 ENCRYPTION_SECRET"
+          else
+            echo "❌ 缺少 ENCRYPTION_SECRET：GitHub Secrets 未配置，wrangler.spa.toml 也没写"
+            exit 1
           fi
 
       # ==================== 步骤 5：部署 SPA Worker ====================
@@ -324,7 +279,6 @@ jobs:
           echo "3. 验证 GitHub Secrets："
           echo "   - CLOUDFLARE_API_TOKEN: Workers 和 D1 编辑权限"
           echo "   - CLOUDFLARE_ACCOUNT_ID: Cloudflare 账户 ID"
-          echo "   - ENCRYPTION_SECRET: （可选）加密密钥"
           echo ""
           echo "4. 查看上方详细错误信息以定位问题"
           echo "===================================================="

.github/workflows/docker-build-all.yml

@@ -73,6 +73,8 @@ jobs:
     steps:
       - name: 检出代码
         uses: actions/checkout@v4
+        with:
+          lfs: true
 
       - name: 设置QEMU
         uses: docker/setup-qemu-action@v3
@@ -86,6 +88,27 @@ jobs:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
+      # 先做一次 amd64 本地 build + 自检
+      - name: 构建前端镜像（amd64）用于静态资源自检
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./docker/frontend/Dockerfile
+          load: true
+          tags: cloudpaste-frontend:ci-check
+          platforms: linux/amd64
+          cache-from: type=gha
+
+      - name: 校验镜像内静态资源（vditor / libarchive.js）
+        run: |
+          set -e
+          VDITOR_VERSION=$(node -e "const fs=require('fs'); const t=fs.readFileSync('frontend/src/utils/vditorLoader.js','utf8'); const m=t.match(/export\\s+const\\s+VDITOR_VERSION\\s*=\\s*\\\"([^\\\"]+)\\\"/); if(!m){console.error('VDITOR_VERSION not found'); process.exit(1);} process.stdout.write(m[1]);")
+          echo "VDITOR_VERSION=${VDITOR_VERSION}"
+          docker run --rm cloudpaste-frontend:ci-check sh -c "test -f /usr/share/nginx/html/assets/vditor/${VDITOR_VERSION}/dist/index.min.js"
+          docker run --rm cloudpaste-frontend:ci-check sh -c "test -f /usr/share/nginx/html/assets/vditor/${VDITOR_VERSION}/dist/index.css"
+          docker run --rm cloudpaste-frontend:ci-check sh -c 'test -f /usr/share/nginx/html/libarchive.js/dist/worker-bundle.js'
+          echo "✅ 静态资源校验通过：vditor + libarchive.js"
+
       - name: 构建并推送前端镜像
         uses: docker/build-push-action@v6
         with:

.github/workflows/docker-build-frontend.yml

@@ -38,6 +38,8 @@ jobs:
     steps:
       - name: 检出代码
         uses: actions/checkout@v4
+        with:
+          lfs: true
 
       - name: 设置QEMU
         uses: docker/setup-qemu-action@v3
@@ -51,6 +53,27 @@ jobs:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
+      # 先做一次 amd64 本地 build + 自检，避免 push 后/assets 404
+      - name: 构建前端镜像（amd64）用于静态资源自检
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./docker/frontend/Dockerfile
+          load: true
+          tags: cloudpaste-frontend:ci-check
+          platforms: linux/amd64
+          cache-from: type=gha
+
+      - name: 校验镜像内静态资源（vditor / libarchive.js）
+        run: |
+          set -e
+          VDITOR_VERSION=$(node -e "const fs=require('fs'); const t=fs.readFileSync('frontend/src/utils/vditorLoader.js','utf8'); const m=t.match(/export\\s+const\\s+VDITOR_VERSION\\s*=\\s*\\\"([^\\\"]+)\\\"/); if(!m){console.error('VDITOR_VERSION not found'); process.exit(1);} process.stdout.write(m[1]);")
+          echo "VDITOR_VERSION=${VDITOR_VERSION}"
+          docker run --rm cloudpaste-frontend:ci-check sh -c "test -f /usr/share/nginx/html/assets/vditor/${VDITOR_VERSION}/dist/index.min.js"
+          docker run --rm cloudpaste-frontend:ci-check sh -c "test -f /usr/share/nginx/html/assets/vditor/${VDITOR_VERSION}/dist/index.css"
+          docker run --rm cloudpaste-frontend:ci-check sh -c 'test -f /usr/share/nginx/html/libarchive.js/dist/worker-bundle.js'
+          echo "✅ 静态资源校验通过：vditor + libarchive.js"
+
       - name: 构建并推送前端镜像
         uses: docker/build-push-action@v6
         with: