From b21175495dd7d529b2c521c1a80a627c64b04bb9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=85=83=E7=8E=89=E9=B9=8F?= <51024420+yuanyp8@users.noreply.github.com>
Date: Mon, 22 Jun 2026 07:20:58 +0800
Subject: [PATCH 1/3] ci: forbid runtime-only tools in installers
---
 .github/workflows/offline-run.yml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/offline-run.yml b/.github/workflows/offline-run.yml
index e122105..bbc397d 100644
--- a/.github/workflows/offline-run.yml
+++ b/.github/workflows/offline-run.yml
@@ -63,7 +63,7 @@ jobs:
 if: steps.filter.outputs.enabled == 'true'
 uses: docker/setup-buildx-action@v3
 
- - name: Install tools
+ - name: Install build tools
 if: steps.filter.outputs.enabled == 'true'
 run: |
 sudo apt-get update
@@ -80,8 +80,16 @@ jobs:
 cd "packages/${{ matrix.package }}"
 build_script="build.sh"
 if [[ -f build-fixed.sh ]]; then build_script="build-fixed.sh"; fi
+ bash -n "$build_script" install.sh
 jq empty images/image.json
+
+ echo "Checking install.sh does not require non-baseline deployment tools"
+ if grep -En '(^|[^A-Za-z0-9_])(jq|yq|python3|python|node|npm|npx)([^A-Za-z0-9_]|$)' install.sh; then
+ echo "::error::install.sh must not depend on jq/yq/python/node/npm/npx. These are allowed in CI/build only, not in deployment environments."
+ exit 1
+ fi
+
 bash "$build_script" --arch "${{ matrix.arch }}"
 
 - name: Upload artifact
From 8e3df2087526a0510f501ae34726abea354f37a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=85=83=E7=8E=89=E9=B9=8F?= <51024420+yuanyp8@users.noreply.github.com>
Date: Mon, 22 Jun 2026 07:21:16 +0800
Subject: [PATCH 2/3] docs: clarify deployment environment requirements
---
 README.md | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 14a748e..b0ca996 100644
--- a/README.md
+++ b/README.md
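Review bot: `bash -n "$build_script" install.sh` in the second hunk only syntax-checks `$build_script`; bash treats the second operand as `$1` of that script, so `install.sh`, the file the new guard is about, is never parsed. Check each file on its own: `bash -n "$build_script" && bash -n install.sh`. The grep guard also matches anywhere in the file, including comment lines and text inside string literals, so a line like `# no jq needed` would fail the build; filtering with `grep -v '^[[:space:]]*#' install.sh |` in front of the `grep -En` avoids the comment case if that is not intended. Since the `.run` is produced right after this step, exercising one of its read-only subcommands (the README names `print-images`) inside a minimal container that lacks these tools would test the property directly instead of by pattern. The `run:` block this hunk sits in starts before the hunk.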
@@ -31,9 +31,11 @@ new-api-k8s-installer-arm64.run
 
 推送 `v*` tag 时,会自动把 `.run` 与 `.sha256` 发布到 GitHub Release。
 
-## 本地构建
+## 构建侧依赖
 
-本地需要 Docker Buildx、Git、jq、tar、sha256sum:
+构建环境允许安装辅助工具。GitHub Actions 当前会安装 `jq`,用于校验 `images/image.json`。
+
+本地构建需要 Docker Buildx、Git、jq、tar、sha256sum:
 
 ```bash
 cd packages/compose
@@ -47,6 +49,19 @@ bash build.sh --arch amd64 --source-dir /path/to/new-api-main
 
 `--source-dir` 可以直接指向上游源码目录;不传时会从 `SOURCE_REPO` 克隆。
 
+## 现场部署侧依赖
+
+现场部署环境不要求 `jq`、`yq`、`python`、`node`、`npm`、`npx` 等额外工具。
+
+`.run install/status/uninstall/print-images` 只依赖基础 shell 工具和对应部署运行时:
+
+- Compose 包:`bash`、`tar`、`sed`、`date`、`docker`,以及 `docker compose` 或 `docker-compose`。
+- Kubernetes 包:`bash`、`tar`、`sed`、`date`、`docker`、`kubectl`。
+
+镜像映射不在现场解析 JSON,而是读取构建阶段生成的 `images/image-index.tsv`。
+
+CI 已增加保护:如果 `install.sh` 引入 `jq/yq/python/node/npm/npx`,构建会直接失败。
+
 ## Compose 现场安装
 
 ```bash
From 531c899c5c48553d51ba7b8fc1b4486c19fe874b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=85=83=E7=8E=89=E9=B9=8F?= <51024420+yuanyp8@users.noreply.github.com>
Date: Mon, 22 Jun 2026 07:25:24 +0800
Subject: [PATCH 3/3] ci: avoid false positives for node-port installer option
---
 .github/workflows/offline-run.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/offline-run.yml b/.github/workflows/offline-run.yml
index bbc397d..0b7f7a3 100644
--- a/.github/workflows/offline-run.yml
+++ b/.github/workflows/offline-run.yml
@@ -85,7 +85,7 @@ jobs:
 jq empty images/image.json
 
 echo "Checking install.sh does not require non-baseline deployment tools"
- if grep -En '(^|[^A-Za-z0-9_])(jq|yq|python3|python|node|npm|npx)([^A-Za-z0-9_]|$)' install.sh; then
+ if grep -En '(^|[[:space:];|&()])(jq|yq|python3|python|node|npm|npx)([[:space:];|&()]|$)' install.sh; then
 echo "::error::install.sh must not depend on jq/yq/python/node/npm/npx. These are allowed in CI/build only, not in deployment environments."
 exit 1
 fi
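Review bot: The narrowed boundary class in the new `grep -E` line no longer catches a tool name that is not preceded or followed by whitespace or a shell operator, so `/usr/bin/jq`, `"jq"`, `${JQ:-jq}` or `tool=jq` pass the guard while still pulling the tool into the installer. Keeping the negated class from the previous version and only adding `-` to it preserves the `node-port` exemption this commit is after and still catches those forms: `if grep -En '(^|[^A-Za-z0-9_-])(jq|yq|python3|python|node|npm|npx)([^A-Za-z0-9_-]|$)' install.sh; then`. Either variant still fires on comment lines and on words inside strings, so a log message mentioning `node` would also fail the build; that is worth a one-line comment above the check so the next person who hits it knows the match is textual. The `run:` block this hunk sits in starts before the hunk.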