Merge pull request #734 from kekingcn/codex/ci-auto-deploy

[codex] add master auto deploy workflow

.github/scripts/deploy_windows_winrm.py

@@ -0,0 +1,109 @@
+#!/usr/bin/env python3
+import base64
+import os
+import pathlib
+import sys
+import uuid
+
+import winrm
+
+
+def require_env(name: str) -> str:
+    value = os.getenv(name, "").strip()
+    if not value:
+        raise SystemExit(f"Missing required environment variable: {name}")
+    return value
+
+
+def optional_env(name: str, default: str) -> str:
+    value = os.getenv(name, "").strip()
+    return value if value else default
+
+
+def ps_quote(value: str) -> str:
+    return value.replace("'", "''")
+
+
+def main() -> int:
+    host = require_env("KK_DEPLOY_HOST")
+    port = optional_env("KK_DEPLOY_PORT", "5985")
+    username = require_env("KK_DEPLOY_USERNAME")
+    password = require_env("KK_DEPLOY_PASSWORD")
+    deploy_root = optional_env("KK_DEPLOY_ROOT", r"C:\kkFileView-5.0")
+    health_url = optional_env("KK_DEPLOY_HEALTH_URL", "http://127.0.0.1:8012/")
+    artifact_name = optional_env("KK_DEPLOY_ARTIFACT_NAME", "kkfileview-server-jar")
+    repository = require_env("GITHUB_REPOSITORY_NAME")
+    run_id = require_env("GITHUB_RUN_ID_VALUE")
+    artifact_token = require_env("KK_DEPLOY_ARTIFACT_TOKEN")
+    dry_run = optional_env("KK_DEPLOY_DRY_RUN", "false").lower()
+
+    script_path = pathlib.Path(__file__).with_name("remote_windows_deploy.ps1")
+    script_body = script_path.read_text(encoding="utf-8")
+    payload = script_body.encode("utf-8-sig")
+    payload_b64 = base64.b64encode(payload).decode("ascii")
+
+    endpoint = f"http://{host}:{port}/wsman"
+    session = winrm.Session(endpoint, auth=(username, password), transport="ntlm")
+
+    suffix = uuid.uuid4().hex
+    remote_b64_path = fr"C:\Windows\Temp\kkfileview_deploy_{suffix}.b64"
+    remote_ps1_path = fr"C:\Windows\Temp\kkfileview_deploy_{suffix}.ps1"
+
+    prep = session.run_ps(
+        f"""
+$ErrorActionPreference = 'Stop'
+if (Test-Path '{ps_quote(remote_b64_path)}') {{ Remove-Item '{ps_quote(remote_b64_path)}' -Force }}
+if (Test-Path '{ps_quote(remote_ps1_path)}') {{ Remove-Item '{ps_quote(remote_ps1_path)}' -Force }}
+New-Item -ItemType File -Path '{ps_quote(remote_b64_path)}' -Force | Out-Null
+"""
+    )
+    if prep.status_code != 0:
+        sys.stderr.write(prep.std_err.decode("utf-8", errors="ignore"))
+        return prep.status_code
+
+    chunk_size = 1200
+    for start in range(0, len(payload_b64), chunk_size):
+        chunk = payload_b64[start : start + chunk_size]
+        append = session.run_ps(
+            f"Add-Content -LiteralPath '{ps_quote(remote_b64_path)}' -Value '{chunk}'"
+        )
+        if append.status_code != 0:
+            sys.stderr.write(append.std_err.decode("utf-8", errors="ignore"))
+            return append.status_code
+
+    result = session.run_ps(
+        f"""
+$ErrorActionPreference = 'Stop'
+$raw = Get-Content -LiteralPath '{ps_quote(remote_b64_path)}' -Raw
+[System.IO.File]::WriteAllBytes('{ps_quote(remote_ps1_path)}', [Convert]::FromBase64String($raw))
+try {{
+  powershell -NoProfile -ExecutionPolicy Bypass -File '{ps_quote(remote_ps1_path)}' `
+    -Repository '{ps_quote(repository)}' `
+    -RunId '{ps_quote(run_id)}' `
+    -ArtifactName '{ps_quote(artifact_name)}' `
+    -GitHubToken '{ps_quote(artifact_token)}' `
+    -DeployRoot '{ps_quote(deploy_root)}' `
+    -HealthUrl '{ps_quote(health_url)}' `
+    -DryRun '{ps_quote(dry_run)}'
+  $code = $LASTEXITCODE
+}} finally {{
+  Remove-Item '{ps_quote(remote_b64_path)}' -Force -ErrorAction SilentlyContinue
+  Remove-Item '{ps_quote(remote_ps1_path)}' -Force -ErrorAction SilentlyContinue
+}}
+exit $code
+"""
+    )
+
+    stdout = result.std_out.decode("utf-8", errors="ignore").strip()
+    stderr = result.std_err.decode("utf-8", errors="ignore").strip()
+
+    if stdout:
+        print(stdout)
+    if stderr:
+        print(stderr, file=sys.stderr)
+
+    return result.status_code
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())

.github/scripts/remote_windows_deploy.ps1

@@ -0,0 +1,183 @@
+param(
+    [Parameter(Mandatory = $true)][string]$Repository,
+    [Parameter(Mandatory = $true)][string]$RunId,
+    [Parameter(Mandatory = $true)][string]$ArtifactName,
+    [Parameter(Mandatory = $true)][string]$GitHubToken,
+    [Parameter(Mandatory = $true)][string]$DeployRoot,
+    [Parameter(Mandatory = $true)][string]$HealthUrl,
+    [string]$DryRun = 'false'
+)
+
+$ErrorActionPreference = 'Stop'
+
+function Write-Step {
+    param([string]$Message)
+    Write-Host "==> $Message"
+}
+
+$BinDir = Join-Path $DeployRoot 'bin'
+$StartupScript = Join-Path $BinDir 'startup.bat'
+$ReleaseDir = Join-Path $DeployRoot 'releases'
+$DeployTmp = Join-Path $DeployRoot 'deploy-tmp'
+$ArtifactZip = Join-Path $DeployTmp 'artifact.zip'
+$ExtractDir = Join-Path $DeployTmp 'artifact'
+
+if (-not (Test-Path $DeployRoot)) {
+    throw "Deploy root not found: $DeployRoot"
+}
+
+if (-not (Test-Path $BinDir)) {
+    throw "Bin directory not found: $BinDir"
+}
+
+if (-not (Test-Path $StartupScript)) {
+    throw "Startup script not found: $StartupScript"
+}
+
+$CurrentJar = Get-ChildItem $BinDir -Filter 'kkFileView-*.jar' | Sort-Object LastWriteTime -Descending | Select-Object -First 1
+if (-not $CurrentJar) {
+    throw "No kkFileView jar found in $BinDir"
+}
+
+$JarName = $CurrentJar.Name
+$JarPath = $CurrentJar.FullName
+
+Write-Step "Deploy root: $DeployRoot"
+Write-Step "Current jar: $JarPath"
+Write-Step "Startup script: $StartupScript"
+Write-Step "Health url: $HealthUrl"
+
+if ($DryRun -eq 'true') {
+    Write-Step "Dry run enabled, remote validation finished"
+    return
+}
+
+New-Item -ItemType Directory -Force -Path $ReleaseDir | Out-Null
+New-Item -ItemType Directory -Force -Path $DeployTmp | Out-Null
+
+if (Test-Path $ArtifactZip) {
+    Remove-Item $ArtifactZip -Force
+}
+
+if (Test-Path $ExtractDir) {
+    Remove-Item $ExtractDir -Recurse -Force
+}
+
+$Headers = @{
+    Authorization = "Bearer $GitHubToken"
+    Accept = "application/vnd.github+json"
+    "X-GitHub-Api-Version" = "2022-11-28"
+    "User-Agent" = "kkFileView-auto-deploy"
+}
+
+$ArtifactsApi = "https://api.github.com/repos/$Repository/actions/runs/$RunId/artifacts"
+Write-Step "Resolving workflow artifact: $ArtifactName"
+$ArtifactsResponse = Invoke-RestMethod -Headers $Headers -Uri $ArtifactsApi -Method Get
+$Artifact = $ArtifactsResponse.artifacts | Where-Object { $_.name -eq $ArtifactName } | Select-Object -First 1
+
+if (-not $Artifact) {
+    throw "Artifact '$ArtifactName' not found for workflow run $RunId"
+}
+
+Write-Step "Downloading artifact from GitHub Actions"
+Invoke-WebRequest -Headers $Headers -Uri $Artifact.archive_download_url -OutFile $ArtifactZip
+Expand-Archive -LiteralPath $ArtifactZip -DestinationPath $ExtractDir -Force
+
+$DownloadedJars = Get-ChildItem $ExtractDir -Filter 'kkFileView-*.jar' -Recurse
+if (-not $DownloadedJars) {
+    throw "No kkFileView jar found inside artifact '$ArtifactName'"
+}
+
+if ($DownloadedJars.Count -ne 1) {
+    throw "Expected exactly one kkFileView jar inside artifact '$ArtifactName', found $($DownloadedJars.Count)"
+}
+
+$DownloadedJar = $DownloadedJars[0]
+
+$Timestamp = Get-Date -Format 'yyyyMMddHHmmss'
+$BackupJar = Join-Path $ReleaseDir ("{0}.{1}.bak" -f $JarName, $Timestamp)
+
+function Stop-KkFileView {
+    $JarPattern = [regex]::Escape($JarName)
+    $Processes = Get-CimInstance Win32_Process | Where-Object {
+        $_.Name -match '^java(\.exe)?$' -and $_.CommandLine -and $_.CommandLine -match $JarPattern
+    }
+
+    foreach ($Process in $Processes) {
+        Write-Step "Stopping java process $($Process.ProcessId)"
+        Stop-Process -Id $Process.ProcessId -Force -ErrorAction SilentlyContinue
+    }
+}
+
+function Wait-KkFileViewStopped {
+    param([int]$TimeoutSeconds = 30)
+
+    $JarPattern = [regex]::Escape($JarName)
+    for ($i = 0; $i -lt $TimeoutSeconds; $i++) {
+        $Processes = Get-CimInstance Win32_Process | Where-Object {
+            $_.Name -match '^java(\.exe)?$' -and $_.CommandLine -and $_.CommandLine -match $JarPattern
+        }
+
+        if (-not $Processes) {
+            return $true
+        }
+
+        Start-Sleep -Seconds 1
+    }
+
+    return $false
+}
+
+function Start-KkFileView {
+    Write-Step "Starting kkFileView"
+    Start-Process -FilePath 'cmd.exe' -ArgumentList '/c', "`"$StartupScript`"" -WorkingDirectory $BinDir -WindowStyle Hidden
+}
+
+function Wait-Health {
+    param([string]$Url)
+
+    for ($i = 0; $i -lt 24; $i++) {
+        Start-Sleep -Seconds 5
+        try {
+            $Response = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 5
+            if ($Response.StatusCode -eq 200) {
+                return $true
+            }
+        } catch {
+            Start-Sleep -Milliseconds 200
+        }
+    }
+
+    return $false
+}
+
+Write-Step "Backing up current jar to $BackupJar"
+Copy-Item $JarPath $BackupJar -Force
+
+Stop-KkFileView
+if (-not (Wait-KkFileViewStopped)) {
+    throw "Timed out waiting for the previous kkFileView process to exit"
+}
+
+Write-Step "Replacing jar with artifact output"
+Copy-Item $DownloadedJar.FullName $JarPath -Force
+
+Start-KkFileView
+
+if (-not (Wait-Health -Url $HealthUrl)) {
+    Write-Step "Health check failed, rolling back"
+    Stop-KkFileView
+    if (-not (Wait-KkFileViewStopped)) {
+        throw "Timed out waiting for the failed kkFileView process to exit during rollback"
+    }
+    Copy-Item $BackupJar $JarPath -Force
+    Start-KkFileView
+
+    if (-not (Wait-Health -Url $HealthUrl)) {
+        throw "Deployment failed and rollback health check also failed"
+    }
+
+    throw "Deployment failed, rollback completed successfully"
+}
+
+Write-Step "Deployment completed successfully"

.github/workflows/master-auto-deploy.yml

@@ -0,0 +1,76 @@
+name: Master Auto Deploy
+
+on:
+  push:
+    branches: [ master ]
+  workflow_dispatch:
+
+concurrency:
+  group: master-auto-deploy-production
+  cancel-in-progress: false
+
+permissions:
+  contents: read
+  actions: read
+
+jobs:
+  build:
+    runs-on: ubuntu-22.04
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up JDK 21
+        uses: actions/setup-java@v4
+        with:
+          java-version: '21'
+          distribution: temurin
+          cache: maven
+
+      - name: Build with Maven
+        run: mvn -B package -Dmaven.test.skip=true --file pom.xml
+
+      - name: Upload server jar artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: kkfileview-server-jar
+          path: server/target/kkFileView-*.jar
+          retention-days: 7
+
+  deploy-windows:
+    needs: build
+    runs-on: ubuntu-22.04
+    env:
+      GITHUB_REPOSITORY_NAME: ${{ github.repository }}
+      GITHUB_RUN_ID_VALUE: ${{ github.run_id }}
+      KK_DEPLOY_ARTIFACT_TOKEN: ${{ secrets.KK_DEPLOY_ARTIFACT_TOKEN }}
+      KK_DEPLOY_HOST: ${{ secrets.KK_DEPLOY_HOST }}
+      KK_DEPLOY_PORT: ${{ secrets.KK_DEPLOY_PORT }}
+      KK_DEPLOY_USERNAME: ${{ secrets.KK_DEPLOY_USERNAME }}
+      KK_DEPLOY_PASSWORD: ${{ secrets.KK_DEPLOY_PASSWORD }}
+      KK_DEPLOY_ROOT: ${{ secrets.KK_DEPLOY_ROOT }}
+      KK_DEPLOY_HEALTH_URL: ${{ secrets.KK_DEPLOY_HEALTH_URL }}
+      KK_DEPLOY_ARTIFACT_NAME: kkfileview-server-jar
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Install WinRM dependencies
+        run: pip install pywinrm
+
+      - name: Validate deploy secrets
+        run: |
+          test -n "$KK_DEPLOY_ARTIFACT_TOKEN" || (echo "Missing secret: KK_DEPLOY_ARTIFACT_TOKEN" && exit 1)
+          test -n "$KK_DEPLOY_HOST" || (echo "Missing secret: KK_DEPLOY_HOST" && exit 1)
+          test -n "$KK_DEPLOY_USERNAME" || (echo "Missing secret: KK_DEPLOY_USERNAME" && exit 1)
+          test -n "$KK_DEPLOY_PASSWORD" || (echo "Missing secret: KK_DEPLOY_PASSWORD" && exit 1)
+
+      - name: Deploy to Windows server
+        run: python .github/scripts/deploy_windows_winrm.py

doc/ci-auto-deploy.md

@@ -0,0 +1,41 @@
+# kkFileView master 自动部署
+
+当前线上 Windows 服务器的实际部署信息如下：
+
+- 部署根目录：`C:\kkFileView-5.0`
+- 运行 jar：`C:\kkFileView-5.0\bin\kkFileView-5.0.jar`
+- 启动脚本：`C:\kkFileView-5.0\bin\startup.bat`
+- 运行配置：`C:\kkFileView-5.0\config\test.properties`
+- 健康检查地址：`http://127.0.0.1:8012/`
+
+服务器当前没有安装 `git` 和 `mvn`，因此自动部署链路采用：
+
+1. GitHub Actions 在 `master` 合并后构建 `kkFileView-*.jar`
+2. 通过 WinRM 连接 Windows 服务器
+3. 由服务器从当前 workflow run 下载 jar artifact
+4. 备份线上 jar，替换为新版本
+5. 使用现有 `startup.bat` 重启，并做健康检查
+6. 如果健康检查失败，则自动回滚旧 jar 并重新拉起
+
+## 需要配置的 GitHub Secrets
+
+- `KK_DEPLOY_HOST`
+- `KK_DEPLOY_ARTIFACT_TOKEN`
+- `KK_DEPLOY_USERNAME`
+- `KK_DEPLOY_PASSWORD`
+
+下面这些可以不配，未配置时会使用默认值：
+
+- `KK_DEPLOY_PORT=5985`
+- `KK_DEPLOY_ROOT=C:\kkFileView-5.0`
+- `KK_DEPLOY_HEALTH_URL=http://127.0.0.1:8012/`
+
+其中 `KK_DEPLOY_ARTIFACT_TOKEN` 建议使用单独的细粒度 token，只授予当前仓库所需的最小读取权限，不要复用默认 `GITHUB_TOKEN` 到生产服务器。
+
+## Workflow
+
+新增 workflow：`.github/workflows/master-auto-deploy.yml`
+
+- 触发条件：`push` 到 `master`，或手动 `workflow_dispatch`
+- 构建产物：`kkfileview-server-jar`
+- 部署方式：WinRM + GitHub Actions artifact 下载