ci: Q2 Chunk 4 — Gitea Actions CI/CD + Docker 生产化

- 创建 .gitea/workflows/ci.yml 四 job 并行流水线
  (rust-check, rust-test, frontend-build, security-audit)
- Docker Compose 端口不暴露到宿主机（使用 expose）
- Redis 添加 requirepass 密码认证
- 添加容器资源限制 (1 CPU / 512MB)
- Redis URL 格式更新为带密码认证

.gitea/workflows/ci.yml

@@ -0,0 +1,69 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  rust-check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@stable
+      - uses: Swatinem/rust-cache@v2
+        with:
+          workspaces: ". -> target"
+      - run: cargo fmt --check --all
+      - run: cargo clippy -- -D warnings
+
+  rust-test:
+    runs-on: ubuntu-latest
+    services:
+      postgres:
+        image: postgres:16
+        env:
+          POSTGRES_DB: erp_test
+          POSTGRES_USER: test
+          POSTGRES_PASSWORD: test
+        ports:
+          - 5432:5432
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@stable
+      - uses: Swatinem/rust-cache@v2
+        with:
+          workspaces: ". -> target"
+      - run: cargo test --workspace
+        env:
+          ERP__DATABASE__URL: postgres://test:test@localhost:5432/erp_test
+          ERP__JWT__SECRET: ci-test-secret
+          ERP__AUTH__SUPER_ADMIN_PASSWORD: CI_Test_Pass_2026
+
+  frontend-build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+      - run: cd apps/web && corepack enable && pnpm install --frozen-lockfile
+      - run: cd apps/web && pnpm build
+
+  security-audit:
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@stable
+      - run: cargo install cargo-audit && cargo audit
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+      - run: cd apps/web && corepack enable && pnpm install --frozen-lockfile && pnpm audit

crates/erp-server/config/default.toml

@@ -8,7 +8,7 @@ max_connections = 20
 min_connections = 5
 
 [redis]
-url = "redis://localhost:6379"
+url = "redis://:erp_redis_dev@localhost:6379"
 
 [jwt]
 secret = "__MUST_SET_VIA_ENV__"

docker/docker-compose.yml

@@ -8,8 +8,8 @@ services:
       POSTGRES_USER: ${POSTGRES_USER:-erp}
       POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-erp_dev_2024}
       POSTGRES_DB: ${POSTGRES_DB:-erp}
-    ports:
-      - "${POSTGRES_PORT:-5432}:5432"
+    expose:
+      - "5432"
     volumes:
       - postgres_data:/var/lib/postgresql/data
     healthcheck:
@@ -17,19 +17,30 @@ services:
       interval: 5s
       timeout: 5s
       retries: 5
+    deploy:
+      resources:
+        limits:
+          cpus: "1.0"
+          memory: 512M
 
   redis:
     image: redis:7-alpine
     container_name: erp-redis
-    ports:
-      - "${REDIS_PORT:-6379}:6379"
+    command: redis-server --requirepass ${REDIS_PASSWORD:-erp_redis_dev}
+    expose:
+      - "6379"
     volumes:
       - redis_data:/data
     healthcheck:
-      test: ["CMD", "redis-cli", "ping"]
+      test: ["CMD", "redis-cli", "-a", "${REDIS_PASSWORD:-erp_redis_dev}", "ping"]
       interval: 5s
       timeout: 5s
       retries: 5
+    deploy:
+      resources:
+        limits:
+          cpus: "1.0"
+          memory: 512M
 
 volumes:
   postgres_data: