fix auth exposure and release workflows

.github/workflows/develop.yaml

@@ -1,51 +1,60 @@
-name: Deploy
+name: Publish Branch Image
 
 on:
   push:
-    branches: ["develop"]
-  pull_request:
-    branches: ["develop"]
+    branches: ["master", "dev"]
+  workflow_dispatch:
+
+permissions:
+  contents: read
 
 jobs:
-  build-and-deploy:
+  build-and-push:
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
 
       - name: Log in to Docker Hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
 
-      - name: Get short Git commit ID
-        id: vars
-        run: echo "COMMIT_ID=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
-
-
-      - name: Build Docker image
-        run: docker build --build-arg VERSION=${{ env.COMMIT_ID }} -t ${{ secrets.DOCKER_USERNAME }}/ppanel-server-dev:${{ env.COMMIT_ID }} .
-
-      - name: Push Docker image
-        run: docker push ${{ secrets.DOCKER_USERNAME }}/ppanel-server-dev:${{ env.COMMIT_ID }}
-
-#      - name: Deploy to server
-#        uses: appleboy/ssh-action@v0.1.6
-#        with:
-#          host: ${{ secrets.SSH_HOST }}
-#          username: ${{ secrets.SSH_USER }}
-#          key: ${{ secrets.SSH_PRIVATE_KEY }}
-#          script: |
-#            if [ $(docker ps -a -q -f name=ppanel-server-dev) ]; then
-#              echo "Stopping and removing existing ppanel-server container..."
-#              docker stop ppanel-server-dev
-#              docker rm ppanel-server-dev
-#            else
-#              echo "No existing ppanel-server-dev container running."
-#            fi
-#
-#            docker login -u ${{ secrets.DOCKER_USERNAME }} -p ${{ secrets.DOCKER_PASSWORD }}
-#            docker run -d --restart=always --log-driver=journald --name ppanel-server-dev -p 8080:8080 -v /www/wwwroot/api/etc:/app/etc -v /www/wwwroot/api/logs:/app/logs --restart=always -d ${{ secrets.DOCKER_USERNAME }}/ppanel-server-dev:${{ env.COMMIT_ID }}
-#
+      - name: Extract image tags
+        id: tags
+        run: |
+          SHORT_SHA="${GITHUB_SHA::7}"
+          if [ "${GITHUB_REF_NAME}" = "master" ]; then
+            {
+              echo "tags<<EOF"
+              echo "${{ secrets.DOCKER_USERNAME }}/ppanel-server:latest"
+              echo "${{ secrets.DOCKER_USERNAME }}/ppanel-server:sha-${SHORT_SHA}"
+              echo "EOF"
+            } >> "$GITHUB_OUTPUT"
+          else
+            {
+              echo "tags<<EOF"
+              echo "${{ secrets.DOCKER_USERNAME }}/ppanel-server:dev"
+              echo "${{ secrets.DOCKER_USERNAME }}/ppanel-server:sha-${SHORT_SHA}"
+              echo "EOF"
+            } >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          build-args: |
+            VERSION=${{ github.sha }}
+          tags: ${{ steps.tags.outputs.tags }}

.github/workflows/release.yml

@@ -4,15 +4,19 @@ on:
     tags:
       - 'v*'
 
+permissions:
+  contents: write
+  packages: write
+
 jobs:
-  build-docker:
+  build-image:
     runs-on: ubuntu-latest
     env:
       IMAGE_NAME: ppanel-server
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -22,11 +26,12 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Log in to Docker Hub
+      - name: Log in to GHCR
         uses: docker/login-action@v3
         with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Extract version from git tag
         id: version
@@ -40,7 +45,7 @@ jobs:
         run: echo BUILD_TIME=$(date --iso-8601=seconds) >> ${GITHUB_ENV}
 
 
-      - name: Build and push Docker image for main release
+      - name: Build and push image for main release
         if: "!contains(github.ref_name, 'beta')"
         uses: docker/build-push-action@v6
         with:
@@ -51,10 +56,10 @@ jobs:
           build-args: |
             VERSION=${{ env.VERSION }}
           tags: |
-            ${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:latest
-            ${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}-${{ env.GIT_SHA }}
+            ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:latest
+            ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}-${{ env.GIT_SHA }}
 
-      - name: Build and push Docker image for beta release
+      - name: Build and push image for beta release
         if: contains(github.ref_name, 'beta')
         uses: docker/build-push-action@v6
         with:
@@ -65,15 +70,14 @@ jobs:
           build-args: |
             VERSION=${{ env.VERSION }}
           tags: |
-            ${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:beta
-            ${{ secrets.DOCKER_USERNAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}-${{ env.GIT_SHA }}
+            ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:beta
+            ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}-${{ env.GIT_SHA }}
 
   release-notes:
     runs-on: ubuntu-latest
-    needs: build-docker
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -88,7 +92,7 @@ jobs:
 
       - name: Run GoReleaser
         env:
-          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           goreleaser check
           goreleaser release --clean
@@ -109,15 +113,15 @@ jobs:
 
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v5
       - name: Extract version from git tag
         id: version
         run: echo "VERSION=$(git describe --tags --abbrev=0 | sed 's/^v//')" >> $GITHUB_ENV
 
       - name: Set BUILD_TIME env
         run: echo BUILD_TIME=$(date --iso-8601=seconds) >> ${GITHUB_ENV}
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: wangyoucao577/go-release-action@v1
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
@@ -129,3 +133,36 @@ jobs:
           binary_name: "ppanel-server"
           extra_files: LICENSE etc
           ldflags: -X "github.com/perfect-panel/server/pkg/constant.Version=${{env.VERSION}}" -X "github.com/perfect-panel/server/pkg/constant.BuildTime=${{env.BUILD_TIME}}"
+
+  trigger-ppanel-image:
+    name: Trigger ppanel image build
+    runs-on: ubuntu-latest
+    needs: releases-matrix
+    steps:
+      - name: Dispatch packaging build
+        env:
+          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+          TAG: ${{ github.ref_name }}
+          SERVER_REPO: ${{ github.repository }}
+          TARGET_OWNER: ${{ github.repository_owner }}
+        run: |
+          PPANEL_REPO="${TARGET_OWNER}/ppanel"
+
+          if [ -z "${GH_TOKEN}" ]; then
+            echo "GH_TOKEN secret is required to dispatch ${PPANEL_REPO}" >&2
+            exit 1
+          fi
+
+          curl -sSfL -X POST \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${GH_TOKEN}" \
+            "https://api.github.com/repos/${PPANEL_REPO}/dispatches" \
+            -d @- <<EOF
+          {
+            "event_type": "trigger-build",
+            "client_payload": {
+              "tag": "${TAG}",
+              "server_repo": "${SERVER_REPO}"
+            }
+          }
+          EOF

.github/workflows/swagger.yaml

@@ -5,15 +5,15 @@ on:
   #   types: [published]
   push:
     branches:
-      - develop
+      - dev
 
 jobs:
   build:
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v5
 
       - name: Install goctl
         run: |
@@ -47,7 +47,7 @@ jobs:
           test -f ./swagger/admin.json
 
       - name: Checkout target repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           repository: perfect-panel/ppanel-docs
           token: ${{ secrets.GH_TOKEN }}
@@ -78,4 +78,3 @@ jobs:
           echo "No changes detected."
           exit 0
           fi
-

AGENT.md

@@ -0,0 +1,6 @@
+# AGENT Entry
+
+Common branch and worktree instructions are maintained in [BRANCH_STRATEGY.md](./BRANCH_STRATEGY.md).
+
+Agent-specific note:
+- Follow `BRANCH_STRATEGY.md` as the source of truth for branching, promotion, and deployment rules in this repository.

BRANCH_STRATEGY.md

@@ -0,0 +1,26 @@
+# Branch Strategy
+
+This repository uses a simplified Git Flow model.
+
+## Long-lived branches
+- `master` is the production branch.
+- `dev` is the integration branch for daily development.
+
+## Working branches
+- Create feature work on `feat/*` from `dev`.
+- Create bug-fix work on `fix/*` from `dev`.
+- Merge `feat/*` and `fix/*` back into `dev` first.
+- Promote changes from `dev` to `master` through a pull request.
+
+## Protection and deployment rules
+- Never push directly to `master`.
+- `master` must only be updated by a `dev -> master` pull request.
+- The k3s prod environment deploys the latest `master`.
+- The k3s dev environment deploys the latest `dev`.
+
+## Worktree workflow
+```bash
+git fetch origin
+git worktree add ../ppanel-server-dev dev
+git worktree add -b feat/your-change ../ppanel-server-feat dev
+```

CLAUDE.md

@@ -0,0 +1,6 @@
+# CLAUDE Entry
+
+Common branch and worktree instructions are maintained in [BRANCH_STRATEGY.md](./BRANCH_STRATEGY.md).
+
+Claude-specific note:
+- Follow `BRANCH_STRATEGY.md` as the shared source of truth before making branch, PR, or deployment decisions in this repository.

CONTRIBUTING.md

@@ -27,9 +27,10 @@ To ensure the quality of the codebase and maintainability of the project, please
 - **Correct Branch**:
     - Develop new features based on `feature/*` branches.
     - Fix bugs based on `fix/*` branches.
-    - Ensure the target branch of the PR aligns with the project's branching strategy.
+    - Start `feature/*` and `fix/*` from `dev`.
+    - Merge daily development back into `dev` first, then promote `dev` to `master` via PR.
 
-- **Sync with Base Branch**: Before submitting the PR, ensure your branch is up-to-date with the target branch (e.g., `main` or `develop`).
+- **Sync with Base Branch**: Before submitting the PR, ensure your branch is up-to-date with the target branch (usually `dev`; only release promotions target `master`).
 
 ## 4. Review Process
 

CONTRIBUTING_ZH.md

@@ -27,9 +27,10 @@
 - **正确的分支**：
     - 新功能应基于 `feature/*` 分支进行开发。
     - Bug 修复应基于 `fix/*` 分支。
-    - 确保 PR 的目标分支与项目的分支策略一致。
+    - `feature/*` 与 `fix/*` 都应从 `dev` 拉出。
+    - 日常开发先合并回 `dev`，再通过 PR 将 `dev` 提升到 `master`。
 
-- **同步主干代码**：在提交 PR 之前，请确保分支已经与目标分支（develop）同步。
+- **同步主干代码**：在提交 PR 之前，请确保分支已经与目标分支同步。日常开发通常同步 `dev`，发布提升时再面向 `master`。
 
 ## 4. 审查流程
 
@@ -41,4 +42,3 @@
 
 
 
-