feat: 统一博客图片托管到阿里云 OSS + CDN

[xkcoding]

Summary

• 迁移 139 张图片从七牛云/旧阿里云域名到新 OSS
• 新域名：cdn.xkcoding.com（阿里云 CDN 加速）
• 添加图片迁移脚本：scanner/downloader/uploader/replacer
• 添加 SSL 工作流：cdn-ssl-renew.yml 自动续期 CDN 证书

Test plan

• 本地构建测试通过
• OSS 图片上传验证
• CDN HTTPS 证书部署（合并后触发工作流）

🤖 Generated with Claude Code

[Copilot]

Pull request overview

This PR migrates 139 blog images from Qiniu Cloud and legacy Aliyun domains to a unified Aliyun OSS bucket with CDN acceleration. The migration includes automation scripts for scanning, downloading, uploading, and replacing image URLs, plus a new GitHub Actions workflow for automatic CDN SSL certificate renewal.

Changes:

• Migrated 139 images to new CDN domain cdn.xkcoding.com (per title/description) with automated scripts
• Added SSL certificate automation workflow for CDN using acme.sh DNS-01 validation
• Updated all blog markdown files to use the new image URLs

Reviewed changes

Copilot reviewed 59 out of 60 changed files in this pull request and generated 14 comments.

Show a summary per file

File	Description
.github/workflows/cdn-ssl-renew.yml	New workflow for automated CDN SSL certificate management using acme.sh
scripts/migrate-images/*.ts	Complete migration toolchain: scanner, downloader, uploader, and URL replacer scripts
src/data/blog/**/*.md	Batch URL replacements from old domains to new CDN domain
openspec/changes/unify-image-hosting/*.md	Design documentation, proposal, and task tracking
.gitignore	Added exclusions for migration temp files and reports

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The secret name uses ALI_ACCESS_KEY_ID and ALI_ACCESS_KEY_SECRET (lines 32-33, 76-77), but according to the proposal.md documentation, the expected secret names are ALI_KEY and ALI_SECRET. This inconsistency could cause the workflow to fail if secrets are configured using the documented names. Either update the workflow to use ALI_KEY and ALI_SECRET, or update all documentation to specify ALI_ACCESS_KEY_ID and ALI_ACCESS_KEY_SECRET.

Suggested change

	--access-key-id ${{ secrets.ALI_ACCESS_KEY_ID }} \
	--access-key-secret ${{ secrets.ALI_ACCESS_KEY_SECRET }}
	--access-key-id ${{ secrets.ALI_KEY }} \
	--access-key-secret ${{ secrets.ALI_SECRET }}

[Copilot]

The URL replacement at line 119 uses split().join() for string replacement instead of replaceAll() or a global regex. While this works, it's less clear in intent. Since Node.js 15+ supports String.prototype.replaceAll(), consider using content = content.replaceAll(r.oldUrl, r.newUrl) for better readability and potentially better performance.

Suggested change

	content = content.split(r.oldUrl).join(r.newUrl);
	content = content.replaceAll(r.oldUrl, r.newUrl);

[Copilot]

The exported environment variables Ali_Key and Ali_Secret are set using echo in step "Configure Aliyun DNS API" (lines 39-40), but they will not be available in the subsequent "Issue/Renew Certificate" step because environment variables set with echo >> $GITHUB_ENV are only available in subsequent steps, not in the same step. The acme.sh command in the next step needs these variables. Consider using the env context directly in the run command for the "Issue/Renew Certificate" step.

[Copilot]

The error handling logic at lines 59-62 catches failures from the acme.sh --issue command and outputs an informational message. However, this will cause the workflow to appear successful even when certificate issuance actually fails (not just when it's already valid). Consider checking the actual exit code or error message to distinguish between "certificate already valid" and genuine failures.

Suggested change

	~/.acme.sh/acme.sh --issue \
	--dns dns_ali \
	-d ${{ env.DOMAIN }} \
	$FORCE_FLAG \
	--debug || {
	# 如果证书已存在且未到期，--issue 会失败，这是正常的
	echo "ℹ️ 证书可能已存在且未到期"
	}
	if ! ~/.acme.sh/acme.sh --issue \
	--dns dns_ali \
	-d ${{ env.DOMAIN }} \
	$FORCE_FLAG \
	--debug; then
	ACME_EXIT_CODE=$?
	# acme.sh 约定：退出码 2 通常表示证书已存在且未到期，无需续期
	if [ "$ACME_EXIT_CODE" -eq 2 ]; then
	echo "ℹ️ 证书已存在且未到期，无需续期"
	else
	echo "❌ 证书申请/续期失败，退出码: $ACME_EXIT_CODE"
	exit "$ACME_EXIT_CODE"
	fi
	fi

[Copilot]

The regex pattern for relative paths at line 71 uses a negative lookbehind (?<![a-zA-Z0-9]) to avoid matching paths that are part of a longer word. However, this pattern could fail to match valid relative paths that appear after certain characters like parentheses or quotes without spaces, which are common in markdown. For example, ](/resources/image.png) might not match because the closing bracket is not in the negative lookbehind character class. Consider testing this regex thoroughly or simplifying it to /\/resources\/[^\s\)\"\']+/g.

Suggested change

	relative: /(?<![a-zA-Z0-9])\/resources\/[^\s\)\"\']+/g,
	relative: /\/resources\/[^\s\)\"\']+/g,

[Copilot]

The replacer script requires explicit command-line flags (--dry-run or --execute) but if neither is provided, it only prints usage information without exiting with an error code. This could cause issues in automated scripts that expect a non-zero exit code on failure. Consider adding process.exit(1) after the usage message at line 249 to indicate that the command was not executed.

Suggested change

	console.log(" pnpm tsx scripts/migrate-images/replacer.ts --execute");
	console.log(" pnpm tsx scripts/migrate-images/replacer.ts --execute");
	process.exit(1);

[Copilot]

The new CDN domain is cdn.xkcoding.com according to the PR title and description, but in the GitHub Actions workflow, the DOMAIN environment variable is set to cdn.xkcoding.com at line 17, while the design documentation and actual markdown replacements use static.xkcoding.com. This inconsistency needs to be resolved. Either update the workflow to use static.xkcoding.com or update all markdown files and documentation to use cdn.xkcoding.com.

Suggested change

	DOMAIN: "cdn.xkcoding.com"
	DOMAIN: "static.xkcoding.com"

[Copilot]

The verification step at line 126 tests HTTPS with a specific hardcoded image URL "2017-07-12-14998277900006.jpg". This creates a dependency on that specific image existing in the OSS bucket. If that image is missing or the path changes, the verification will fail even if the SSL certificate is correctly deployed. Consider using a more generic verification approach, such as checking the SSL certificate itself or testing the domain root URL.

Suggested change

	HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" "https://${{ env.DOMAIN }}/2017-07-12-14998277900006.jpg" || echo "000")
	HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" "https://${{ env.DOMAIN }}/" || echo "000")

[Copilot]

Unused function uploadFile.

Suggested change

	* 上传单个文件到 OSS
	*/
	function uploadFile(localPath: string, ossPath: string, bucket: string): boolean {
	const ossUrl = `oss://${bucket}/${ossPath}`;
	try {
	execSync(`"${ossutilCmd}" cp "${localPath}" "${ossUrl}" --force`, {
	stdio: "pipe",
	});
	return true;
	} catch (error) {
	console.error(` ❌ 上传失败: ${ossPath}`);
	console.error(` ${error instanceof Error ? error.message : String(error)}`);
	return false;
	}
	}
	/**

[Copilot]

Unused variable ossUrl.

Suggested change

const ossUrl = `${ossBaseUrl}/${ossPath}`;