xiner/NextEdu
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

feat(P2): 实现质量保障类5项功能(无障碍/视觉回归/通知渠道/漏洞扫描/灾备)

Browse Source 
## 新增功能

### 1. 屏幕阅读器兼容性增强(a11y)
- 无障碍工具库:src/shared/lib/a11y.ts
- aria-live Hook:src/shared/hooks/use-aria-live.ts
- a11y 组件:skip-link/visually-hidden/focus-trap/aria-status
- 增强 UI:table.tsx 系统性 ARIA role,dialog.tsx aria-modal
- 审计文档:docs/accessibility/a11y-audit.md(WCAG 2.1 AA 清单)

### 2. 视觉回归测试
- 测试套件:tests/visual/(homepage + 3 个 dashboard)
- 3 视口(desktop/tablet/mobile)× 2 主题(light/dark)
- 动态元素遮罩,避免误报
- playwright.config.ts 新增 visual-chromium 项目
- 文档:docs/testing/visual-regression.md

### 3. 短信/微信推送渠道集成
- 新模块:src/modules/notifications/
- 4 个渠道:SMS(阿里云/腾讯云)、WeChat(公众号)、Email(SMTP)、In-App
- 分发器按用户偏好并行多渠道发送
- 外部 SDK 动态 import,Mock 模式开发可用
- 文档:docs/notifications/channels.md

### 4. 漏洞扫描 CI 集成
- CI security-scan job:npm audit + Snyk + Trivy FS + OWASP ZAP
- 独立工作流 security.yml:每周一深度扫描 + 容器镜像扫描
- 配置:suppressions.json + .trivyignore
- 本地脚本:security-scan.sh/ps1
- 文档:docs/security/scanning.md(SLA 分级)

### 5. 灾备方案
- 脚本:backup-verify/backup-offsite-sync/dr-drill/failover/health-check
- CI 增强:备份后校验+异地同步,每周灾备演练
- 独立工作流 dr-drill.yml:每周一凌晨 4 点自动演练
- 文档:docs/dr/dr-plan.md(RTO 4h/RPO 24h)+ dr-runbook.md(6 故障场景)

## 验证
- npx tsc --noEmit:0 错误
- npm run lint:0 错误 0 警告
This commit is contained in:
SpecialX
2026-06-17 20:18:29 +08:00
parent b86255f0ea
commit 6585e10c6f
53 changed files with 7491 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

124
.gitea/workflows/ci.yml
View File

@@ -131,27 +131,56 @@ jobs:
echo "Deploy complete!"
security-audit:
security-scan:
runs-on: ubuntu-latest
needs: build-deploy
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 20
- run: npm ci
- name: Run npm audit
run: npm audit --audit-level=moderate
# 1. npm audit(保留)
- name: npm audit
run: |
npm audit --audit-level=moderate || true
npm audit --json > audit-report.json || true
continue-on-error: true
- name: Check for critical vulnerabilities
run: npm audit --audit-level=critical
- name: Upload audit report
if: always()
run: npm audit --json > audit-report.json
# 2. Snyk 扫描(深度依赖分析)
- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/node@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --severity-threshold=high --sarif-file-output=snyk.sarif
continue-on-error: true
# 3. Trivy 文件系统扫描(扫描项目代码和依赖)
- name: Trivy FS Scan
run: |
trivy fs --format json --output trivy-fs-report.json --exit-code 0 .
trivy fs --format table --exit-code 0 .
continue-on-error: true
# 4. OWASP ZAP 基线扫描(扫描部署后的应用)
- name: OWASP ZAP Baseline Scan
uses: zaproxy/action-baseline@v0.10.0
with:
target: ${{ secrets.NEXTAUTH_URL || 'http://localhost:8015' }}
cmd_options: '-a -j'
continue-on-error: true
# 5. 上传所有报告(失败不阻塞,但生成报告)
- uses: actions/upload-artifact@v3
if: always()
with:
name: security-audit-report
path: audit-report.json
name: security-reports
path: |
audit-report.json
trivy-fs-report.json
snyk.sarif
scheduled-backup:
if: github.event_name == 'schedule'
@@ -165,8 +194,83 @@ jobs:
run: |
chmod +x scripts/backup-db.sh
./scripts/backup-db.sh
- name: Verify backup integrity
env:
DATABASE_URL: ${{ secrets.DATABASE_URL }}
BACKUP_DIR: ./backups
run: |
chmod +x scripts/backup-verify.sh
./scripts/backup-verify.sh
- name: Sync backup to offsite storage
env:
DATABASE_URL: ${{ secrets.DATABASE_URL }}
BACKUP_DIR: ./backups
BACKUP_OFFSITE_BACKEND: ${{ secrets.BACKUP_OFFSITE_BACKEND }}
BACKUP_OFFSITE_REMOTE: ${{ secrets.BACKUP_OFFSITE_REMOTE }}
BACKUP_OFFSITE_BUCKET: ${{ secrets.BACKUP_OFFSITE_BUCKET }}
BACKUP_OFFSITE_ACCESS_KEY: ${{ secrets.BACKUP_OFFSITE_ACCESS_KEY }}
BACKUP_OFFSITE_SECRET_KEY: ${{ secrets.BACKUP_OFFSITE_SECRET_KEY }}
BACKUP_OFFSITE_REGION: ${{ secrets.BACKUP_OFFSITE_REGION }}
run: |
chmod +x scripts/backup-offsite-sync.sh
./scripts/backup-offsite-sync.sh || echo "WARN: Offsite sync failed, continuing"
- uses: actions/upload-artifact@v3
with:
name: db-backup
path: backups/
retention-days: 30
backup-verify:
if: github.event_name == 'schedule'
needs: scheduled-backup
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/download-artifact@v3
with:
name: db-backup
path: backups/
- name: Verify backup integrity
env:
DATABASE_URL: ${{ secrets.DATABASE_URL }}
BACKUP_DIR: ./backups
run: |
chmod +x scripts/backup-verify.sh
./scripts/backup-verify.sh
- name: Run health check
env:
DATABASE_URL: ${{ secrets.DATABASE_URL }}
BACKUP_DIR: ./backups
HEALTH_CHECK_URL: ${{ secrets.HEALTH_CHECK_URL }}
run: |
chmod +x scripts/health-check.sh
./scripts/health-check.sh > health-report.json || true
- uses: actions/upload-artifact@v3
if: always()
with:
name: backup-verify-report
path: |
backups/
health-report.json
retention-days: 7
weekly-dr-drill:
if: github.event_name == 'schedule' && github.run_attempt % 7 == 0
needs: backup-verify
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run disaster recovery drill
env:
DATABASE_URL: ${{ secrets.DATABASE_URL }}
BACKUP_DIR: ./backups
DR_DRILL_TEST_DB: next_edu_dr_drill
run: |
chmod +x scripts/dr-drill.sh
./scripts/dr-drill.sh || echo "WARN: DR drill failed, see report"
- uses: actions/upload-artifact@v3
if: always()
with:
name: dr-drill-report
path: docs/dr/reports/
retention-days: 90

124
.gitea/workflows/dr-drill.yml Normal file
View File

@@ -0,0 +1,124 @@
name: DR Drill
on:
schedule:
- cron: "0 4 * * 1" # 每周一凌晨 4 点
workflow_dispatch: # 支持手动触发
inputs:
backup_file:
description: '指定备份文件(可选,留空使用最新备份)'
required: false
default: ''
no_cleanup:
description: '演练后不清理测试数据库'
required: false
type: boolean
default: false
jobs:
dr-drill:
runs-on: ubuntu-latest
timeout-minutes: 30
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install MySQL client
run: |
sudo apt-get update -qq
sudo apt-get install -y -qq mysql-client
- name: Prepare backup directory
run: mkdir -p backups docs/dr/reports
- name: Download latest backup artifact (if no backup file specified)
if: github.event.inputs.backup_file == ''
uses: actions/download-artifact@v3
with:
name: db-backup
path: backups/
continue-on-error: true
- name: Run database backup (if no artifact available)
if: steps.download.outcome == 'failure' || true
env:
DATABASE_URL: ${{ secrets.DATABASE_URL }}
BACKUP_DIR: ./backups
run: |
if [ -z "$(ls -A backups/db_backup_*.sql.gz 2>/dev/null)" ]; then
echo "No backup artifact found, creating fresh backup..."
chmod +x scripts/backup-db.sh
./scripts/backup-db.sh
else
echo "Using existing backup artifact"
fi
- name: Run disaster recovery drill
env:
DATABASE_URL: ${{ secrets.DATABASE_URL }}
BACKUP_DIR: ./backups
DR_DRILL_TEST_DB: next_edu_dr_drill
run: |
chmod +x scripts/dr-drill.sh
ARGS=""
if [ -n "${{ github.event.inputs.backup_file }}" ]; then
ARGS="$ARGS --backup ${{ github.event.inputs.backup_file }}"
fi
if [ "${{ github.event.inputs.no_cleanup }}" = "true" ]; then
ARGS="$ARGS --no-cleanup"
fi
./scripts/dr-drill.sh $ARGS
- name: Upload drill report
if: always()
uses: actions/upload-artifact@v3
with:
name: dr-drill-report-${{ github.run_id }}
path: docs/dr/reports/
retention-days: 90
- name: Notify operations team (on failure)
if: failure()
env:
WEBHOOK_URL: ${{ secrets.DR_NOTIFICATION_WEBHOOK }}
SMTP_HOST: ${{ secrets.SMTP_HOST }}
run: |
echo "DR Drill failed! Notifying operations team..."
# Webhook 通知(如果配置)
if [ -n "$WEBHOOK_URL" ]; then
curl -X POST "$WEBHOOK_URL" \
-H "Content-Type: application/json" \
-d "{
\"text\": \"⚠️ DR Drill Failed\",
\"attachments\": [{
\"color\": \"danger\",
\"fields\": [
{\"title\": \"Repository\", \"value\": \"${{ github.repository }}\", \"short\": true},
{\"title\": \"Run ID\", \"value\": \"${{ github.run_id }}\", \"short\": true},
{\"title\": \"Triggered By\", \"value\": \"${{ github.actor }}\", \"short\": true},
{\"title\": \"Time\", \"value\": \"$(date -u +%Y-%m-%dT%H:%M:%SZ)\", \"short\": true},
{\"title\": \"Action\", \"value\": \"Check workflow logs and report artifact\", \"short\": false}
]
}]
}" || echo "WARN: Webhook notification failed"
else
echo "INFO: DR_NOTIFICATION_WEBHOOK not set, skipping webhook notification"
fi
# 邮件通知(如果配置 SMTP)
if [ -n "$SMTP_HOST" ]; then
echo "INFO: SMTP notification would be sent (configure in production)"
fi
- name: Summary
if: always()
run: |
echo "=== DR Drill Workflow Summary ==="
echo "Run ID: ${{ github.run_id }}"
echo "Triggered by: ${{ github.actor }}"
echo "Status: ${{ job.status }}"
echo "Report: Check dr-drill-report-${{ github.run_id }} artifact"
echo ""
if [ -f docs/dr/reports/dr_drill_*.md ]; then
echo "Latest drill report:"
cat docs/dr/reports/dr_drill_*.md | head -50
fi

163
.gitea/workflows/security.yml Normal file
View File

@@ -0,0 +1,163 @@
name: Security
# 独立安全扫描工作流:深度安全扫描
# - 定时:每周一凌晨 3 点执行
# - 手动触发:workflow_dispatch(可指定扫描目标)
on:
schedule:
- cron: "0 3 * * 1" # 每周一凌晨 3 点
workflow_dispatch:
inputs:
target_url:
description: "DAST 扫描目标 URL(留空则使用 NEXTAUTH_URL secret 或 localhost:8015)"
required: false
default: ""
skip_dast:
description: "跳过 DAST 扫描"
type: boolean
required: false
default: false
jobs:
deep-security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 20
- name: Install dependencies
run: npm ci
# 1. 依赖扫描:npm audit
- name: Dependency scan (npm audit)
run: |
echo "::group::npm audit"
npm audit --audit-level=moderate || true
npm audit --json > audit-report.json || true
echo "::endgroup::"
continue-on-error: true
# 2. 深度依赖分析 + 静态分析:Snyk
- name: Snyk dependency & code scan
uses: snyk/actions/node@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --severity-threshold=medium --sarif-file-output=snyk.sarif
continue-on-error: true
# 3. 文件系统扫描:Trivy FS(代码 + 依赖)
- name: Trivy filesystem scan
run: |
echo "::group::Trivy FS scan"
trivy fs --format json --output trivy-fs-report.json --exit-code 0 .
trivy fs --format table --exit-code 0 .
echo "::endgroup::"
continue-on-error: true
# 4. 容器镜像扫描:构建 nextjs-app 镜像并扫描
- name: Build & scan container image
run: |
echo "::group::Build Next.js standalone"
SKIP_ENV_VALIDATION=1 NEXT_TELEMETRY_DISABLED=1 npm run build
mkdir -p .next/standalone/public
mkdir -p .next/standalone/.next/static
cp -r public/* .next/standalone/public/ || true
cp -r .next/static/* .next/standalone/.next/static/ || true
cp Dockerfile .next/standalone/Dockerfile
echo "::endgroup::"
echo "::group::Build Docker image"
docker build -t nextjs-app:scan .next/standalone
echo "::endgroup::"
echo "::group::Trivy image scan"
trivy image --format json --output trivy-image-report.json --exit-code 0 nextjs-app:scan
trivy image --format table --exit-code 0 nextjs-app:scan
echo "::endgroup::"
continue-on-error: true
# 5. DAST:OWASP ZAP 基线扫描
- name: OWASP ZAP Baseline Scan (DAST)
if: ${{ github.event.inputs.skip_dast != 'true' }}
uses: zaproxy/action-baseline@v0.10.0
with:
target: ${{ github.event.inputs.target_url || secrets.NEXTAUTH_URL || 'http://localhost:8015' }}
cmd_options: '-a -j'
continue-on-error: true
# 6. 生成汇总报告
- name: Generate summary report
if: always()
run: |
echo "# 安全扫描汇总报告" > security-summary.md
echo "" >> security-summary.md
echo "- 扫描时间: $(date -u '+%Y-%m-%d %H:%M:%S UTC')" >> security-summary.md
echo "- 触发方式: ${{ github.event_name }}" >> security-summary.md
echo "- 运行编号: ${{ github.run_id }}" >> security-summary.md
echo "" >> security-summary.md
echo "## 扫描结果" >> security-summary.md
echo "" >> security-summary.md
echo "| 扫描类型 | 状态 | 详情 |" >> security-summary.md
echo "|---------|------|------|" >> security-summary.md
# npm audit 汇总
if [ -f audit-report.json ]; then
AUDIT_SUMMARY=$(jq -r '.metadata.vulnerabilities | "critical:\(.critical) high:\(.high) moderate:\(.moderate) low:\(.low) info:\(.info)"' audit-report.json 2>/dev/null || echo "解析失败")
echo "| npm audit | 完成 | ${AUDIT_SUMMARY} |" >> security-summary.md
else
echo "| npm audit | 未生成报告 | - |" >> security-summary.md
fi
# Trivy FS 汇总
if [ -f trivy-fs-report.json ]; then
FS_COUNT=$(jq -r '[.Results[]?.Vulnerabilities[]?] | length' trivy-fs-report.json 2>/dev/null || echo "0")
echo "| Trivy FS | 完成 | 漏洞数: ${FS_COUNT} |" >> security-summary.md
else
echo "| Trivy FS | 未生成报告 | - |" >> security-summary.md
fi
# Trivy Image 汇总
if [ -f trivy-image-report.json ]; then
IMG_COUNT=$(jq -r '[.Results[]?.Vulnerabilities[]?] | length' trivy-image-report.json 2>/dev/null || echo "0")
echo "| Trivy Image | 完成 | 漏洞数: ${IMG_COUNT} |" >> security-summary.md
else
echo "| Trivy Image | 未生成报告 | - |" >> security-summary.md
fi
# Snyk 汇总
if [ -f snyk.sarif ]; then
SNYK_COUNT=$(jq -r '[.runs[]?.results[]?] | length' snyk.sarif 2>/dev/null || echo "0")
echo "| Snyk | 完成 | 问题数: ${SNYK_COUNT} |" >> security-summary.md
else
echo "| Snyk | 未生成报告(可能缺少 SNYK_TOKEN) | - |" >> security-summary.md
fi
echo "" >> security-summary.md
echo "## 处理建议" >> security-summary.md
echo "" >> security-summary.md
echo "- **Critical**: 24 小时内修复或缓解" >> security-summary.md
echo "- **High**: 7 天内修复" >> security-summary.md
echo "- **Medium**: 30 天内修复" >> security-summary.md
echo "- **Low**: 90 天内评估处理" >> security-summary.md
echo "" >> security-summary.md
echo "详细报告见 artifact: security-reports-full" >> security-summary.md
echo "::notice::安全扫描汇总报告已生成"
cat security-summary.md
# 7. 上传所有报告
- uses: actions/upload-artifact@v3
if: always()
with:
name: security-reports-full
path: |
audit-report.json
trivy-fs-report.json
trivy-image-report.json
snyk.sarif
security-summary.md