📝 Walkthrough
This change splits several CI pipelines into reusable GitHub Actions workflows: it adds reusable Docker build and smoke-test workflows, changes the existing build/test/push flow to call those workflows while restructuring the triggers and job dependencies, adds a deploy-to-CN-production pipeline, and updates .dockerignore.
Sequence Diagram(s)

```mermaid
sequenceDiagram
  autonumber
  participant GH as GitHub Actions (workflow)
  participant ReuseBuild as reusable-docker-build
  participant ReuseSmoke as reusable-smoke-test
  participant Registry as Container Registry (Tencent)
  participant Webhook as Deployment Webhook
  GH->>ReuseBuild: call build-image (environment, image_tags, env, secrets)
  ReuseBuild-->>GH: upload artifact `docker-image` (image.tar)
  GH->>ReuseSmoke: needs build-image -> call docker-smoke (artifact, port, path, timeout)
  ReuseSmoke-->>GH: return smoke test success/failure
  GH->>GH: push-and-notify downloads and loads image.tar
  GH->>Registry: log in and push tags (latest, sha)
  GH->>Webhook: trigger deployment notification (POST)
```
Estimated code review effort: 🎯 3 (Medium) | ⏱️ ~25 minutes
🚥 Pre-merge checks: ✅ 2 passed | ❌ 1 failed (inconclusive)
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d59306e33b
📦 Next.js Bundle Analysis for furrycons-site
This analysis was generated by the Next.js Bundle Analysis action. 🤖

| Page | Size (compressed) |
|---|---|
| global | 333.85 KB (🟡 +4 B) |
Details
The global bundle is the JavaScript bundle that loads alongside every page. It is in its own category because its impact is much higher: an increase to its size means that every page on your website loads slower, and a decrease means every page loads faster.
Any third-party scripts you have added directly to your app using the <script> tag are not accounted for in this analysis.
If you want further insight into what is behind the changes, give @next/bundle-analyzer a try!
Actionable comments posted: 3
🤖 Fix all issues with AI agents
In @.github/workflows/reusable-docker-build.yml:
- Around line 46-57: The Docker image built in the "Build Docker image" step
using docker/build-push-action@v6 isn't loaded into the local daemon
(Buildx/BuildKit default), so the subsequent `docker save` in the "Export image
tar" step fails; update the Build step (the step named "Build Docker image" that
uses docker/build-push-action@v6) to include load: true under its with: block
(alongside context, push, tags) so the built image is loaded locally and `docker
save` can find the first tag.
- Around line 54-57: In the "Export image tar" step, do not inline ${{ inputs.image_tags }} directly into the run block, to avoid command injection; pass it through the step's env field instead (for example set IMAGE_TAGS: ${{ inputs.image_tags }}), then extract the first tag in run with safe, quoted parameter expansion (for example printf "%s" "$IMAGE_TAGS" | tr ',' '\n' | head -n 1). Treat the other directly inlined inputs (such as ${{ inputs.env_vars }}) the same way: pass them via env and reference the corresponding environment variable in double quotes inside run so that shell metacharacters are not interpreted.
- Around line 38-44: The workflow step "Create Env" writes REVALIDATE_TOKEN and
SENTRY_AUTH_TOKEN into a .env file which is then included in the Docker build
context (Dockerfile uses COPY . .), leaking secrets; to fix, either add ".env"
to the repository .dockerignore so the created .env is not sent to Docker build
context, or refactor the build to use Docker BuildKit secrets (docker build
--secret id=revalidate,src=/run/secrets/revalidate etc.) and remove the "echo
... >> .env" secret writes in the "Create Env" step; update the workflow to pass
secrets via build args/secrets and/or use a transient in-memory secret mount
rather than writing REVALIDATE_TOKEN and SENTRY_AUTH_TOKEN to disk.
🧹 Nitpick comments (4)
.github/workflows/reusable-docker-build.yml (1)
24-30: Suggest adding a permissions block to follow the principle of least privilege
CodeQL static analysis reports that this workflow lacks a permissions declaration. Although a reusable workflow inherits the caller's permissions, declaring them explicitly serves as an extra line of defence. Suggest adding at least contents: read.
🛡️ Suggested fix

```diff
+permissions:
+  contents: read
+
 jobs:
   build-image:
     runs-on: ubuntu-latest
```

.github/workflows/build-cn-image.yml (2)
19-23: env_vars mixes multi-line YAML with comma separators, which can produce empty lines
env_vars uses a YAML | block scalar (which already contains newlines) while each line also ends with a comma. In the reusable workflow, tr ',' '\n' replaces the commas with additional newlines, leaving empty lines in the .env file. This does not affect functionality, but it is better to use a single separator style: either pure comma-separated (single line) or pure multi-line (drop the commas).
♻️ Suggestion: drop the trailing commas and use the pure multi-line format
If you switch to the pure multi-line format, the .env generation logic in reusable-docker-build.yml must also change: remove tr ',' '\n' and append directly:

```diff
 env_vars: |
-  NEXT_PUBLIC_ENABLE_TRACK=${{ vars.ENABLE_TRACK }},
-  NEXT_PUBLIC_REGION=${{ vars.NEXT_PUBLIC_REGION }},
-  NEXT_PUBLIC_WEBSITE_URL=${{ vars.NEXT_PUBLIC_WEBSITE_URL }},
-  FEC_API_TOKEN=${{ vars.FEC_API_TOKEN }}
+  NEXT_PUBLIC_ENABLE_TRACK=${{ vars.ENABLE_TRACK }}
+  NEXT_PUBLIC_REGION=${{ vars.NEXT_PUBLIC_REGION }}
+  NEXT_PUBLIC_WEBSITE_URL=${{ vars.NEXT_PUBLIC_WEBSITE_URL }}
+  FEC_API_TOKEN=${{ vars.FEC_API_TOKEN }}
```

60-63: Image tags are hard-coded in several places; suggest extracting them into variables
hkccr.ccs.tencentyun.com/furrycons/frontend:latest and the sha tag appear both in image_tags (lines 17-18) and in push (lines 62-63). If the registry address or image name changes, several places must be updated in sync. Consider defining env variables at the top of the workflow, or passing the tag list through the reusable workflow's outputs.
.github/workflows/reusable-smoke-test.yml (1)
35-44: Suggest adding a permissions block
As with reusable-docker-build.yml, CodeQL reports that this workflow lacks a permissions declaration. Since the smoke test needs no GitHub token permissions, suggest declaring an empty permissions block.
🛡️ Suggested fix

```diff
+permissions: {}
+
 jobs:
   docker-smoke:
     name: Docker smoke test
```
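The two run-block fixes raised in this review (passing image_tags and env_vars through the step's env instead of inlining ${{ inputs.* }}, and the empty lines that trailing commas leave in .env after tr ',' '\n') are shown together below as an added example. This is not the repository's own workflow code: the function names, the IMAGE_TAGS and INPUT_ENV_VARS variable names, and the sample values are assumptions. In the workflow, the step would declare `env: IMAGE_TAGS: ${{ inputs.image_tags }}` and `INPUT_ENV_VARS: ${{ inputs.env_vars }}`, and the run block would call these functions; GitHub then expands the expression into the process environment rather than splicing it into the shell source, so a value containing shell metacharacters is data, not code.

```shell
#!/bin/sh
# Added example, not the project's own workflow code. Inputs are assumed to
# arrive as the environment variables IMAGE_TAGS and INPUT_ENV_VARS (set via
# the step's env block), never inlined into the run script.

# Print the first non-empty tag of a comma- or newline-separated list held in
# $IMAGE_TAGS (the single tag that `docker save` needs). Quoting the variable
# means a tag containing ';', '$(' or spaces is never interpreted by the shell.
first_tag() {
  printf '%s\n' "${IMAGE_TAGS:-}" \
    | tr ',' '\n' \
    | sed '/^[[:space:]]*$/d' \
    | head -n 1
}

# Append KEY=VALUE lines from $INPUT_ENV_VARS to the file named in $1.
# Commas and newlines are both accepted as separators, and the blank lines
# that trailing commas would otherwise produce are dropped by the sed filter.
write_env_file() {
  out="$1"
  printf '%s\n' "${INPUT_ENV_VARS:-}" \
    | tr ',' '\n' \
    | sed '/^[[:space:]]*$/d' >> "$out"
}

# Constructed sample values, not the project's real configuration.
IMAGE_TAGS='registry.example.invalid/app:latest,registry.example.invalid/app:abc123'
INPUT_ENV_VARS='NEXT_PUBLIC_REGION=cn,
NEXT_PUBLIC_WEBSITE_URL=https://www.example.invalid,
FEC_API_TOKEN=constructed-placeholder'

demo_env="$(mktemp)"
write_env_file "$demo_env"
echo "first tag: $(first_tag)"
echo ".env has $(wc -l < "$demo_env" | tr -d ' ') lines (no blanks despite the trailing commas):"
cat "$demo_env"
rm -f "$demo_env"
```

The sed filter is what makes the trailing-comma style harmless, so the workflow can keep accepting either separator style while the caller is migrated to the pure multi-line format the review suggests.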
Actionable comments posted: 2
🤖 Fix all issues with AI agents
In @.github/workflows/deploy-prod-cn.yml:
- Around line 65-68: In the "Call Webhook" step the webhook variable is unquoted
and curl doesn't fail on HTTP errors; update the curl invocation that uses ${{
vars.WEBHOOK_URL }} to (1) quote the expanded variable (use "${{
vars.WEBHOOK_URL }}"), (2) add fail-on-error flags like --fail (and optionally
--show-error/--silent choices) so non-2xx responses fail the step, and (3) add a
pre-check that the variable is not empty (exit with a clear message if it is) to
avoid silent/no-op runs.
- Around line 19-23: Remove the trailing commas from the multiline env_vars
block so the INPUT_ENV_VARS parsing (the printf '%s\n' "$INPUT_ENV_VARS" | tr
',' '\n' >> .env pipeline) does not convert those commas into empty lines;
specifically edit the env_vars entries (NEXT_PUBLIC_ENABLE_TRACK,
NEXT_PUBLIC_REGION, NEXT_PUBLIC_WEBSITE_URL, FEC_API_TOKEN) to be
newline-separated with no trailing commas.
🧹 Nitpick comments (3)
.github/workflows/reusable-smoke-test.yml (1)
84-93: Polling timeout is inconsistent with the timeout_minutes input
timeout_minutes (default 15 minutes) applies to the job-level timeout, but the actual HTTP polling loop is hard-coded to at most 60 seconds (60 attempts × 1 second). If the application starts slowly (for example a Next.js cold start), 60 seconds may not be enough, and the timeout_minutes parameter gives the misleading impression that it controls the polling duration. Suggest parameterising the poll count/interval, or at least noting in the timeout_minutes description that the actual polling limit is 60 seconds.
.github/workflows/deploy-prod-cn.yml (2)
49-51: The docker load step lacks set -euo pipefail
Unlike the good practice in the smoke-test workflow, this run block does not set set -euo pipefail. If docker load fails, the shell will not exit immediately.
♻️ Suggested fix

```diff
 - name: Load image
   run: |
+    set -euo pipefail
     docker load -i image.tar
```

60-63: Duplicated hard-coded image tags
The image tags in the push step duplicate the image_tags value in build-image. Acceptable for now, but if the tags change later, both places must be updated in sync. Consider passing the tag list through the reusable workflow's outputs to reduce the maintenance burden.
```yaml
env_vars: |
  NEXT_PUBLIC_ENABLE_TRACK=${{ vars.ENABLE_TRACK }},
  NEXT_PUBLIC_REGION=${{ vars.NEXT_PUBLIC_REGION }},
  NEXT_PUBLIC_WEBSITE_URL=${{ vars.NEXT_PUBLIC_WEBSITE_URL }},
  FEC_API_TOKEN=${{ vars.FEC_API_TOKEN }}
```
🧩 Analysis chain
🏁 Script executed: fd "reusable-docker-build.yml" --type f
Repository: FurryConsChina/website
Length of output: 48
🏁 Script executed: ls -la .github/workflows/ | head -20
Repository: FurryConsChina/website
Length of output: 526
🏁 Script executed: cat -n .github/workflows/deploy-prod-cn.yml
Repository: FurryConsChina/website
Length of output: 2542
🏁 Script executed: cat -n .github/workflows/reusable-docker-build.yml
Repository: FurryConsChina/website
Length of output: 2793
The multi-line env_vars format produces empty lines in the .env file
According to the parsing logic on line 49 of reusable-docker-build.yml (printf '%s\n' "$INPUT_ENV_VARS" | tr ',' '\n' >> .env), commas are converted to newlines. Because lines 20-22 have trailing commas, this produces unnecessary empty lines in the .env file; it does not affect functionality (.env parsers usually ignore empty lines), but it is unclear.
Suggest removing the trailing commas on lines 20-22:
Suggested change

```yaml
env_vars: |
  NEXT_PUBLIC_ENABLE_TRACK=${{ vars.ENABLE_TRACK }}
  NEXT_PUBLIC_REGION=${{ vars.NEXT_PUBLIC_REGION }}
  NEXT_PUBLIC_WEBSITE_URL=${{ vars.NEXT_PUBLIC_WEBSITE_URL }}
  FEC_API_TOKEN=${{ vars.FEC_API_TOKEN }}
```

This keeps newline as the only separator and avoids the empty lines produced by the tr command.
🤖 Prompt for AI Agents
In @.github/workflows/deploy-prod-cn.yml around lines 19 - 23, Remove the
trailing commas from the multiline env_vars block so the INPUT_ENV_VARS parsing
(the printf '%s\n' "$INPUT_ENV_VARS" | tr ',' '\n' >> .env pipeline) does not
convert those commas into empty lines; specifically edit the env_vars entries
(NEXT_PUBLIC_ENABLE_TRACK, NEXT_PUBLIC_REGION, NEXT_PUBLIC_WEBSITE_URL,
FEC_API_TOKEN) to be newline-separated with no trailing commas.
```yaml
- name: Call Webhook
  run: |
    curl -X POST ${{ vars.WEBHOOK_URL }} \
      -H "Content-Type: application/json"
```
Webhook URL is unquoted, risking injection and silent failure
${{ vars.WEBHOOK_URL }} is expanded directly in the shell without quotes. If the variable is empty or contains special characters, the command errors out or behaves unexpectedly. In addition, curl lacks the -f/--fail flag, so HTTP errors (such as 4xx/5xx) do not fail the step.
🔧 Suggested fix
```diff
 - name: Call Webhook
   run: |
-    curl -X POST ${{ vars.WEBHOOK_URL }} \
-      -H "Content-Type: application/json"
+    set -euo pipefail
+    curl -fsSL -X POST "${{ vars.WEBHOOK_URL }}" \
+      -H "Content-Type: application/json"
```
🤖 Prompt for AI Agents
In @.github/workflows/deploy-prod-cn.yml around lines 65 - 68, In the "Call
Webhook" step the webhook variable is unquoted and curl doesn't fail on HTTP
errors; update the curl invocation that uses ${{ vars.WEBHOOK_URL }} to (1)
quote the expanded variable (use "${{ vars.WEBHOOK_URL }}"), (2) add
fail-on-error flags like --fail (and optionally --show-error/--silent choices)
so non-2xx responses fail the step, and (3) add a pre-check that the variable is
not empty (exit with a clear message if it is) to avoid silent/no-op runs.
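The hardened "Call Webhook" step described in this comment, as an added example rather than the project's own workflow step: it refuses to run when the URL is empty (point 3), quotes the URL (point 1), and relies on curl's --fail so a 4xx/5xx response fails the step (point 2). The example assumes WEBHOOK_URL is supplied through the step's env block (`env: WEBHOOK_URL: ${{ vars.WEBHOOK_URL }}`) rather than inlined into the run script; the function name and the variable name are assumptions.

```shell
#!/bin/sh
# Added example, not the project's own workflow step. WEBHOOK_URL is assumed
# to be set via the step's env block from the repository variable.

# Trigger the deployment webhook. Returns 1 before touching the network when
# the URL is empty, so a missing repository variable is a loud failure instead
# of a silent no-op run; curl's --fail turns a 4xx/5xx response into a
# non-zero exit, which fails the step.
call_webhook() {
  url="${WEBHOOK_URL:-}"
  if [ -z "$url" ]; then
    echo "WEBHOOK_URL is empty; refusing to run a no-op deployment trigger" >&2
    return 1
  fi
  curl --fail --silent --show-error -X POST "$url" \
    -H "Content-Type: application/json"
}

# Demonstrate the empty-variable path; this needs no network access.
WEBHOOK_URL=''
if call_webhook; then
  echo "unexpected: empty URL was accepted"
else
  echo "empty WEBHOOK_URL rejected as expected"
fi
```

With `--silent --show-error`, a successful call prints nothing, while a failed one still prints curl's error message to the job log, which is what you want from a deployment trigger step.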
📦 Next.js Bundle Analysis for furrycons-site
This analysis was generated by the Next.js Bundle Analysis action. 🤖

| Page | Size (compressed) |
|---|---|
| global | 333.85 KB (🟡 +7 B) |
Details
The global bundle is the JavaScript bundle that loads alongside every page. It is in its own category because its impact is much higher: an increase to its size means that every page on your website loads slower, and a decrease means every page loads faster.
Any third-party scripts you have added directly to your app using the <script> tag are not accounted for in this analysis.
If you want further insight into what is behind the changes, give @next/bundle-analyzer a try!
Summary by CodeRabbit
Release notes