#!/usr/bin/env bash set -euo pipefail usage() { cat <<'EOF' 用法: ./scripts/jenkins-deploy-release.sh --source-dir /path/to/build/123 --deploy-dir /var/lib/jenkins/deploy/Genarrative --web-port 25001 [--clear-database] [--no-migrate-on-conflict] [--migration-dir /path/to/migrations] [--migration-export-token ] [--migration-import-token ] [--hook-with-sudo] 说明: 1. 如果部署目录已有旧版本且存在 stop.sh,则先执行旧版本 stop.sh。 2. 仅删除并替换发布产物文件或目录,保留部署目录中的运行数据目录。 3. 把指定发布目录中的白名单产物复制覆盖到部署目录。 4. 如指定 --clear-database,则以清库模式执行新版本 start.sh。 5. 默认允许新版本 start.sh 在 schema 冲突时自动导出、清库发布、导入回灌。 6. 最后执行新版本 start.sh。 参数: --source-dir 必填,待部署的发布目录,例如 build/123 --deploy-dir 必填,固定部署目录,例如 /var/lib/jenkins/deploy/Genarrative --web-port 必填,本次部署后静态网站监听端口 --clear-database 可选,启动新版本时追加 --clear-database --migrate-on-conflict 可选,普通发布遇到 schema 冲突时自动迁移,默认启用 --no-migrate-on-conflict 可选,禁用 schema 冲突自动迁移 --migration-dir 可选,自动迁移 JSON 输出目录,默认部署目录内 database-migrations/ --migration-export-token 可选,旧库已授权迁移操作员 token,仅用于 schema 冲突导出 --migration-import-token 可选,新库已授权迁移操作员 token,仅用于 schema 冲突导入 --hook-with-sudo 可选,仅对 start.sh/stop.sh 使用 sudo -n 执行 EOF } require_argument() { local value="$1" local label="$2" if [[ -z "${value}" ]]; then echo "[jenkins-deploy] 缺少参数: ${label}" >&2 exit 1 fi } validate_port() { local value="$1" local label="$2" local numeric_value if [[ ! "${value}" =~ ^[0-9]+$ ]]; then echo "[jenkins-deploy] ${label} 必须是数字端口: ${value}" >&2 exit 1 fi if ((${#value} > 5)); then echo "[jenkins-deploy] ${label} 必须在 1-65535 之间: ${value}" >&2 exit 1 fi numeric_value=$((10#${value})) if ((numeric_value < 1 || numeric_value > 65535)); then echo "[jenkins-deploy] ${label} 必须在 1-65535 之间: ${value}" >&2 exit 1 fi } validate_spacetime_database_name() { local database="$1" if [[ ! "${database}" =~ ^[a-z0-9]+(-[a-z0-9]+)*$ ]]; then echo "[jenkins-deploy] GENARRATIVE_SPACETIME_DATABASE 必须匹配 SpacetimeDB 数据库名规则 ^[a-z0-9]+(-[a-z0-9]+)*$,只能使用小写字母、数字,并用单个短横线分隔: ${database}" >&2 exit 1 fi } normalize_env_file() { local env_file="$1" local temp_file="${env_file}.tmp.$$" if [[ ! -f "${env_file}" ]]; then return fi # 兼容由 Windows 编辑器或 Jenkins 参数落盘产生的 BOM/CRLF,避免 start.sh 加载时报命令不存在。 LC_ALL=C sed $'1s/^\xef\xbb\xbf//;s/\r$//' "${env_file}" >"${temp_file}" cp "${temp_file}" "${env_file}" } read_env_value() { local key="$1" shift local env_file="" local line="" local line_number=0 local parsed_key="" local parsed_value="" local value="" local utf8_bom=$'\xef\xbb\xbf' for env_file in "$@"; do if [[ ! -f "${env_file}" ]]; then continue fi line_number=0 while IFS= read -r line || [[ -n "${line}" ]]; do line_number=$((line_number + 1)) if [[ "${line_number}" -eq 1 ]]; then line="${line#"${utf8_bom}"}" fi line="${line%$'\r'}" if [[ "${line}" =~ ^[[:space:]]*$ || "${line}" =~ ^[[:space:]]*# ]]; then continue fi if [[ ! "${line}" =~ ^[[:space:]]*(export[[:space:]]+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$ ]]; then continue fi parsed_key="${BASH_REMATCH[2]}" parsed_value="${BASH_REMATCH[3]}" if [[ "${parsed_key}" != "${key}" ]]; then continue fi value="${parsed_value}" if [[ "${#value}" -ge 2 && "${value:0:1}" == '"' && "${value: -1}" == '"' ]]; then value="${value:1:${#value}-2}" value="${value//\\\"/\"}" elif [[ "${#value}" -ge 2 && "${value:0:1}" == "'" && "${value: -1}" == "'" ]]; then value="${value:1:${#value}-2}" fi done <"${env_file}" done printf "%s" "${value}" } normalize_release_env_files() { local release_dir="$1" normalize_env_file "${release_dir}/.env" normalize_env_file "${release_dir}/.env.local" normalize_env_file "${release_dir}/web/.env" normalize_env_file "${release_dir}/web/.env.local" } write_env_override() { local env_file="$1" local key="$2" local value="$3" local temp_file="${env_file}.tmp.$$" mkdir -p "$(dirname "${env_file}")" if [[ -f "${env_file}" ]]; then # 先移除旧的同名变量,再追加 Jenkins 本次部署参数,确保 sudo 启动时也能被 start.sh 读取。 awk -v target_key="${key}" ' BEGIN { pattern = "^[[:space:]]*(export[[:space:]]+)?" target_key "=" } $0 !~ pattern { print } ' "${env_file}" >"${temp_file}" else : >"${temp_file}" fi printf "%s=%s\n" "${key}" "${value}" >>"${temp_file}" cp "${temp_file}" "${env_file}" } SOURCE_DIR="" DEPLOY_DIR="" WEB_PORT="" CLEAR_DATABASE="0" MIGRATE_ON_CONFLICT="true" MIGRATION_DIR="" HOOK_WITH_SUDO="0" MIGRATION_EXPORT_TOKEN="" MIGRATION_IMPORT_TOKEN="" PRESERVED_MIGRATION_EXPORT_TOKEN="" PRESERVED_MIGRATION_IMPORT_TOKEN="" DEPLOY_ITEMS=( ".env" ".env.local" "README.md" "api-server" "migration-bootstrap-secret.txt" "spacetime_module.wasm" "scripts" "start.sh" "stop.sh" "web" "web-server.mjs" ) PREVIOUS_MIGRATION_BOOTSTRAP_SECRET_NAME="migration-bootstrap-secret.previous.txt" while [[ $# -gt 0 ]]; do case "$1" in -h|--help) usage exit 0 ;; --source-dir) SOURCE_DIR="${2:?缺少 --source-dir 的值}" shift 2 ;; --deploy-dir) DEPLOY_DIR="${2:?缺少 --deploy-dir 的值}" shift 2 ;; --web-port) WEB_PORT="${2:?缺少 --web-port 的值}" shift 2 ;; --clear-database) CLEAR_DATABASE="1" shift ;; --migrate-on-conflict) MIGRATE_ON_CONFLICT="true" shift ;; --no-migrate-on-conflict) MIGRATE_ON_CONFLICT="false" shift ;; --migration-dir) MIGRATION_DIR="${2:?缺少 --migration-dir 的值}" shift 2 ;; --migration-export-token) MIGRATION_EXPORT_TOKEN="${2:?缺少 --migration-export-token 的值}" shift 2 ;; --migration-import-token) MIGRATION_IMPORT_TOKEN="${2:?缺少 --migration-import-token 的值}" shift 2 ;; --hook-with-sudo) HOOK_WITH_SUDO="1" shift ;; *) echo "[jenkins-deploy] 未知参数: $1" >&2 usage >&2 exit 1 ;; esac done require_argument "${SOURCE_DIR}" "--source-dir" require_argument "${DEPLOY_DIR}" "--deploy-dir" require_argument "${WEB_PORT}" "--web-port" validate_port "${WEB_PORT}" "--web-port" run_hook() { local hook_dir="$1" local hook_name="$2" shift 2 local hook_path="${hook_dir}/${hook_name}" if [[ ! -x "${hook_path}" ]]; then echo "[jenkins-deploy] hook 不存在或不可执行: ${hook_path}" >&2 exit 1 fi # 仅在启停脚本阶段使用 sudo,文件清理与移动仍保持普通权限,避免放大授权范围。 if [[ "${HOOK_WITH_SUDO}" == "1" ]]; then echo "[jenkins-deploy] 使用 sudo 执行 ${hook_name}: ${hook_path}" ( cd "${hook_dir}" sudo -n "${hook_path}" "$@" ) || { echo "[jenkins-deploy] sudo 执行 ${hook_name} 失败,请确认 jenkins 用户已配置免密 sudo 权限。" >&2 exit 1 } return fi ( cd "${hook_dir}" "./${hook_name}" "$@" ) } previous_migration_bootstrap_secret_file() { printf "%s/deploy-state/%s" "${DEPLOY_DIR}" "${PREVIOUS_MIGRATION_BOOTSTRAP_SECRET_NAME}" } save_previous_migration_bootstrap_secret() { local source_file="${DEPLOY_DIR}/migration-bootstrap-secret.txt" local state_dir="${DEPLOY_DIR}/deploy-state" local target_file target_file="$(previous_migration_bootstrap_secret_file)" mkdir -p "${state_dir}" || { echo "[jenkins-deploy] 创建部署状态目录失败: ${state_dir}" >&2 exit 1 } # 旧迁移密钥属于部署阶段要维护的状态,不再写入 run/,避免 sudo 启停生成的 root 私有 pid 目录阻断覆盖部署。 cp "${source_file}" "${target_file}" || { echo "[jenkins-deploy] 保存旧模块迁移引导密钥失败: ${target_file}" >&2 exit 1 } chmod 600 "${target_file}" 2>/dev/null || true echo "[jenkins-deploy] 已保存旧模块迁移引导密钥,用于 schema 冲突时导出旧库。" } clear_previous_migration_bootstrap_secret() { local target_file target_file="$(previous_migration_bootstrap_secret_file)" if [[ ! -e "${target_file}" ]]; then return fi rm -f "${target_file}" || { echo "[jenkins-deploy] 清理旧迁移引导密钥快照失败: ${target_file}" >&2 exit 1 } } normalize_start_previous_secret_path() { local start_file="${DEPLOY_DIR}/start.sh" local legacy_line='PREVIOUS_MIGRATION_BOOTSTRAP_SECRET_FILE="${SCRIPT_DIR}/run/migration-bootstrap-secret.previous.txt"' local state_line='PREVIOUS_MIGRATION_BOOTSTRAP_SECRET_FILE="${SCRIPT_DIR}/deploy-state/migration-bootstrap-secret.previous.txt"' local temp_file="${start_file}.tmp.$$" if [[ ! -f "${start_file}" ]]; then return fi if grep -Fq "${legacy_line}" "${start_file}"; then # 兼容已经构建出的旧发布包:部署阶段统一让 start.sh 从 Jenkins 可写的部署状态目录读取旧密钥。 awk -v legacy="${legacy_line}" -v state="${state_line}" ' $0 == legacy { print state next } { print } ' "${start_file}" >"${temp_file}" cp "${temp_file}" "${start_file}" rm -f "${temp_file}" fi } if [[ ! -d "${SOURCE_DIR}" ]]; then echo "[jenkins-deploy] 发布目录不存在: ${SOURCE_DIR}" >&2 exit 1 fi SOURCE_DIR="$(cd "${SOURCE_DIR}" && pwd)" mkdir -p "${DEPLOY_DIR}" DEPLOY_DIR="$(cd "${DEPLOY_DIR}" && pwd)" if [[ ! -f "${SOURCE_DIR}/start.sh" ]]; then echo "[jenkins-deploy] 发布目录缺少 start.sh: ${SOURCE_DIR}" >&2 exit 1 fi normalize_release_env_files "${SOURCE_DIR}" PRESERVED_MIGRATION_EXPORT_TOKEN="$(read_env_value "GENARRATIVE_SPACETIME_MIGRATION_EXPORT_TOKEN" "${DEPLOY_DIR}/.env" "${DEPLOY_DIR}/.env.local")" PRESERVED_MIGRATION_IMPORT_TOKEN="$(read_env_value "GENARRATIVE_SPACETIME_MIGRATION_IMPORT_TOKEN" "${DEPLOY_DIR}/.env" "${DEPLOY_DIR}/.env.local")" if [[ -x "${DEPLOY_DIR}/stop.sh" ]]; then echo "[jenkins-deploy] 先停止旧版本: ${DEPLOY_DIR}" run_hook "${DEPLOY_DIR}" "stop.sh" else echo "[jenkins-deploy] 部署目录无可执行 stop.sh,跳过停服" fi if [[ -f "${DEPLOY_DIR}/migration-bootstrap-secret.txt" ]]; then save_previous_migration_bootstrap_secret else clear_previous_migration_bootstrap_secret fi echo "[jenkins-deploy] 清空部署目录: ${DEPLOY_DIR}" for item in "${DEPLOY_ITEMS[@]}"; do if [[ -e "${DEPLOY_DIR}/${item}" ]]; then echo "[jenkins-deploy] 删除旧产物: ${DEPLOY_DIR}/${item}" rm -rf "${DEPLOY_DIR:?}/${item}" fi done echo "[jenkins-deploy] 复制发布内容: ${SOURCE_DIR} -> ${DEPLOY_DIR}" for item in "${DEPLOY_ITEMS[@]}"; do source_item="${SOURCE_DIR}/${item}" if [[ -e "${source_item}" ]]; then echo "[jenkins-deploy] 覆盖产物: ${item}" # web 是目录产物,必须递归复制;文件产物保持普通复制,避免误扩大复制语义。 if [[ -d "${source_item}" ]]; then cp -R "${source_item}" "${DEPLOY_DIR}/" else cp "${source_item}" "${DEPLOY_DIR}/" fi fi done normalize_start_previous_secret_path chmod +x "${DEPLOY_DIR}/start.sh" if [[ -f "${DEPLOY_DIR}/stop.sh" ]]; then chmod +x "${DEPLOY_DIR}/stop.sh" fi normalize_release_env_files "${DEPLOY_DIR}" write_env_override "${DEPLOY_DIR}/.env.local" "GENARRATIVE_WEB_PORT" "${WEB_PORT}" write_env_override "${DEPLOY_DIR}/.env.local" "GENARRATIVE_SPACETIME_MIGRATE_ON_CONFLICT" "${MIGRATE_ON_CONFLICT}" write_env_override "${DEPLOY_DIR}/.env.local" "GENARRATIVE_SPACETIME_MIGRATION_DIR" "${MIGRATION_DIR}" if [[ -n "${MIGRATION_EXPORT_TOKEN}" ]]; then write_env_override "${DEPLOY_DIR}/.env.local" "GENARRATIVE_SPACETIME_MIGRATION_EXPORT_TOKEN" "${MIGRATION_EXPORT_TOKEN}" elif [[ -n "${PRESERVED_MIGRATION_EXPORT_TOKEN}" ]] \ && [[ -z "$(read_env_value "GENARRATIVE_SPACETIME_MIGRATION_EXPORT_TOKEN" "${DEPLOY_DIR}/.env" "${DEPLOY_DIR}/.env.local")" ]]; then write_env_override "${DEPLOY_DIR}/.env.local" "GENARRATIVE_SPACETIME_MIGRATION_EXPORT_TOKEN" "${PRESERVED_MIGRATION_EXPORT_TOKEN}" fi if [[ -n "${MIGRATION_IMPORT_TOKEN}" ]]; then write_env_override "${DEPLOY_DIR}/.env.local" "GENARRATIVE_SPACETIME_MIGRATION_IMPORT_TOKEN" "${MIGRATION_IMPORT_TOKEN}" elif [[ -n "${PRESERVED_MIGRATION_IMPORT_TOKEN}" ]] \ && [[ -z "$(read_env_value "GENARRATIVE_SPACETIME_MIGRATION_IMPORT_TOKEN" "${DEPLOY_DIR}/.env" "${DEPLOY_DIR}/.env.local")" ]]; then write_env_override "${DEPLOY_DIR}/.env.local" "GENARRATIVE_SPACETIME_MIGRATION_IMPORT_TOKEN" "${PRESERVED_MIGRATION_IMPORT_TOKEN}" fi DEPLOY_DATABASE="$(read_env_value "GENARRATIVE_SPACETIME_DATABASE" "${DEPLOY_DIR}/.env" "${DEPLOY_DIR}/.env.local")" if [[ -z "${DEPLOY_DATABASE}" ]]; then echo "[jenkins-deploy] 部署包未显式写入 GENARRATIVE_SPACETIME_DATABASE;将由 start.sh 使用构建时默认值。" >&2 else validate_spacetime_database_name "${DEPLOY_DATABASE}" echo "[jenkins-deploy] SpacetimeDB 发布数据库: ${DEPLOY_DATABASE}" fi echo "[jenkins-deploy] 启动新版本: ${DEPLOY_DIR}" if [[ "${CLEAR_DATABASE}" == "1" ]]; then echo "[jenkins-deploy] 以清库模式启动新版本" run_hook "${DEPLOY_DIR}" "start.sh" --clear-database else run_hook "${DEPLOY_DIR}" "start.sh" fi echo "[jenkins-deploy] 完成"