Add one-command Docker deployment#5
Conversation
There was a problem hiding this comment.
Code Review
This pull request introduces a new Linux deployment script (scripts/deploy.sh) to enable one-command deployment using Docker and Docker Compose, along with corresponding documentation updates in both the Chinese and English README files. The review feedback focuses on improving the robustness of the deployment script: specifically, using the ENVIRON array in awk to safely handle backslashes in user-defined API keys, refining the cleanup trap to avoid passing empty strings to rm, and stripping quotes or expanding tildes from user-inputted credential paths to enhance the interactive setup experience.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| awk -v key="$key" -v value="$value" ' | ||
| BEGIN { replaced = 0 } | ||
| index($0, key "=") == 1 { | ||
| if (!replaced) { | ||
| print key "=" value | ||
| replaced = 1 | ||
| } | ||
| next | ||
| } | ||
| { print } | ||
| END { | ||
| if (!replaced) { | ||
| print key "=" value | ||
| } | ||
| } | ||
| ' "$file" >"$temporary" |
There was a problem hiding this comment.
Passing arbitrary user-controlled values to awk via -v can lead to issues if the value contains backslashes (e.g., in user-defined API keys), as awk interprets them as escape sequences.
Using the ENVIRON array in awk is a safer and more robust way to pass variables without any backslash-escaping side effects.
| awk -v key="$key" -v value="$value" ' | |
| BEGIN { replaced = 0 } | |
| index($0, key "=") == 1 { | |
| if (!replaced) { | |
| print key "=" value | |
| replaced = 1 | |
| } | |
| next | |
| } | |
| { print } | |
| END { | |
| if (!replaced) { | |
| print key "=" value | |
| } | |
| } | |
| ' "$file" >"$temporary" | |
| KEY="$key" VALUE="$value" awk ' | |
| BEGIN { replaced = 0; key = ENVIRON["KEY"]; value = ENVIRON["VALUE"] } | |
| index($0, key "=") == 1 { | |
| if (!replaced) { | |
| print key "=" value | |
| replaced = 1 | |
| } | |
| next | |
| } | |
| { print } | |
| END { | |
| if (!replaced) { | |
| print key "=" value | |
| } | |
| } | |
| ' "$file" >"$temporary" |
|
|
||
| compose_tmp="$(mktemp "${INSTALL_DIR}/compose.yaml.XXXXXX")" | ||
| env_tmp="" | ||
| trap 'rm -f "$compose_tmp" "$env_tmp"' EXIT |
There was a problem hiding this comment.
If the script exits before env_tmp is initialized (e.g., if downloading the compose file fails), the trap will execute rm -f "$compose_tmp" "". While usually harmless, passing an empty string to rm can be avoided by using Bash parameter expansion ${var:+"$var"} to only expand non-empty variables.
| trap 'rm -f "$compose_tmp" "$env_tmp"' EXIT | |
| trap 'rm -f ${compose_tmp:+"$compose_tmp"} ${env_tmp:+"$env_tmp"}' EXIT |
| if [[ -n "$credential_source" ]]; then | ||
| [[ -f "$credential_source" ]] || fail "找不到凭证文件:$credential_source" | ||
| credential_name="$(basename "$credential_source")" | ||
| [[ "$credential_name" == *.json ]] || credential_name="${credential_name}.json" | ||
| cp "$credential_source" "$INSTALL_DIR/auths/$credential_name" | ||
| chmod 600 "$INSTALL_DIR/auths/$credential_name" | ||
| credential="$INSTALL_DIR/auths/$credential_name" | ||
| success "已导入凭证:auths/$credential_name" | ||
| fi |
There was a problem hiding this comment.
When users interactively input a file path, they often copy-paste paths wrapped in single/double quotes (especially when dragging and dropping files into the terminal) or use a tilde ~ to represent their home directory.
Stripping these quotes and expanding the tilde automatically provides a much smoother and more robust user experience.
if [[ -n "$credential_source" ]]; then
# Strip leading/trailing single/double quotes
credential_source="${credential_source#\'
}"
credential_source="${credential_source%\'
}"
credential_source="${credential_source#\"}"
credential_source="${credential_source%\"}"
# Expand tilde to HOME
if [[ "$credential_source" == "~/"* ]]; then
credential_source="${HOME}/${credential_source#~/}"
fi
[[ -f "$credential_source" ]] || fail "找不到凭证文件:$credential_source"
credential_name="$(basename "$credential_source")"
[[ "$credential_name" == *.json ]] || credential_name="${credential_name}.json"
cp "$credential_source" "$INSTALL_DIR/auths/$credential_name"
chmod 600 "$INSTALL_DIR/auths/$credential_name"
credential="$INSTALL_DIR/auths/$credential_name"
success "已导入凭证:auths/$credential_name"
fi
What changed
scripts/deploy.shfor interactive and unattended Linux deployment.envand the OAuth credential directory with restrictive permissionsWhy
The existing Docker Compose flow is reliable but still requires several manual setup steps. A single guarded entry point makes first-time deployment and later updates easier while retaining the required credential and security boundaries.
User impact
Linux users with Docker Compose v2 can deploy from one command. If no credential is provided, the script initializes the configuration but deliberately does not start an unusable service.
Validation
bash -n scripts/deploy.shgo test ./...go vet ./...go build ./cmd/grok2apigit diff --check