fix: 修复 docker compose 变量替换导致 DB/Redis 密码变空字符串

docker compose 的 environment 块在 shell 缺少 MYSQL_PASSWORD /
REDIS_PASSWORD 时将 SPRING_DATASOURCE_PASSWORD 替换为空字符串，
此空字符串会覆盖 env_file 注入的值，导致 Spring 连接 MySQL/Redis
时使用空密码（using password: NO）。

修复：
1. deploy.sh 在 secrets.env 中额外写入 SPRING_DATASOURCE_PASSWORD
   和 SPRING_DATA_REDIS_PASSWORD，由 env_file 直接注入容器
2. docker-compose.yml 中删除这两个 environment 条目，消除覆盖风险

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

docker-compose.yml

@@ -25,12 +25,12 @@ services:
       - ./config/tenant/bootstrap.env  # 初始租户配置
     environment:
       # 覆盖 application.yml 中硬编码的生产地址，私有化部署必须保留此块
+      # SPRING_DATASOURCE_PASSWORD / SPRING_DATA_REDIS_PASSWORD 由 secrets.env 注入，
+      # 不在此处设置，避免 compose 变量替换时因 shell 缺少变量而覆盖成空字符串
       SPRING_DATASOURCE_URL: "jdbc:mysql://${MYSQL_HOST}:${MYSQL_PORT:-3306}/${MYSQL_DATABASE:-xuqm_private}?useUnicode=true&characterEncoding=UTF-8&useSSL=false&serverTimezone=GMT%2B8&allowPublicKeyRetrieval=true"
       SPRING_DATASOURCE_USERNAME: "${MYSQL_USERNAME:-xuqm}"
-      SPRING_DATASOURCE_PASSWORD: "${MYSQL_PASSWORD}"
       SPRING_DATA_REDIS_HOST: "${REDIS_HOST}"
       SPRING_DATA_REDIS_PORT: "${REDIS_PORT:-6379}"
-      SPRING_DATA_REDIS_PASSWORD: "${REDIS_PASSWORD}"
       SPRING_DATA_REDIS_DATABASE: "${REDIS_DATABASE:-0}"
     restart: unless-stopped
 
@@ -50,10 +50,8 @@ services:
     environment:
       SPRING_DATASOURCE_URL: "jdbc:mysql://${MYSQL_HOST}:${MYSQL_PORT:-3306}/${MYSQL_DATABASE:-xuqm_private}?useUnicode=true&characterEncoding=UTF-8&useSSL=false&serverTimezone=GMT%2B8&allowPublicKeyRetrieval=true"
       SPRING_DATASOURCE_USERNAME: "${MYSQL_USERNAME:-xuqm}"
-      SPRING_DATASOURCE_PASSWORD: "${MYSQL_PASSWORD}"
       SPRING_DATA_REDIS_HOST: "${REDIS_HOST}"
       SPRING_DATA_REDIS_PORT: "${REDIS_PORT:-6379}"
-      SPRING_DATA_REDIS_PASSWORD: "${REDIS_PASSWORD}"
       SPRING_DATA_REDIS_DATABASE: "${REDIS_DATABASE:-0}"
     volumes:
       - ./data/uploads:/data/uploads   # 上传文件持久化目录
@@ -108,10 +106,8 @@ services:
     environment:
       SPRING_DATASOURCE_URL: "jdbc:mysql://${MYSQL_HOST}:${MYSQL_PORT:-3306}/${MYSQL_DATABASE:-xuqm_private}?useUnicode=true&characterEncoding=UTF-8&useSSL=false&serverTimezone=GMT%2B8&allowPublicKeyRetrieval=true"
       SPRING_DATASOURCE_USERNAME: "${MYSQL_USERNAME:-xuqm}"
-      SPRING_DATASOURCE_PASSWORD: "${MYSQL_PASSWORD}"
       SPRING_DATA_REDIS_HOST: "${REDIS_HOST}"
       SPRING_DATA_REDIS_PORT: "${REDIS_PORT:-6379}"
-      SPRING_DATA_REDIS_PASSWORD: "${REDIS_PASSWORD}"
       SPRING_DATA_REDIS_DATABASE: "${REDIS_DATABASE:-0}"
       TENANT_SERVICE_URL: "http://tenant-service:9001"
       PUSH_SERVICE_URL: "http://push-service:8083"
@@ -134,7 +130,6 @@ services:
     environment:
       SPRING_DATASOURCE_URL: "jdbc:mysql://${MYSQL_HOST}:${MYSQL_PORT:-3306}/${MYSQL_DATABASE:-xuqm_private}?useUnicode=true&characterEncoding=UTF-8&useSSL=false&serverTimezone=GMT%2B8&allowPublicKeyRetrieval=true"
       SPRING_DATASOURCE_USERNAME: "${MYSQL_USERNAME:-xuqm}"
-      SPRING_DATASOURCE_PASSWORD: "${MYSQL_PASSWORD}"
     restart: unless-stopped
 
   # ---------------------------------------------------------------------------
@@ -154,7 +149,6 @@ services:
     environment:
       SPRING_DATASOURCE_URL: "jdbc:mysql://${MYSQL_HOST}:${MYSQL_PORT:-3306}/${MYSQL_DATABASE:-xuqm_private}?useUnicode=true&characterEncoding=UTF-8&useSSL=false&serverTimezone=GMT%2B8&allowPublicKeyRetrieval=true"
       SPRING_DATASOURCE_USERNAME: "${MYSQL_USERNAME:-xuqm}"
-      SPRING_DATASOURCE_PASSWORD: "${MYSQL_PASSWORD}"
       SDK_TENANT_SERVICE_URL: "http://tenant-service:9001"
     volumes:
       - ./data/update:/data/update   # 版本包存储目录
@@ -176,5 +170,4 @@ services:
     environment:
       SPRING_DATASOURCE_URL: "jdbc:mysql://${MYSQL_HOST}:${MYSQL_PORT:-3306}/${MYSQL_DATABASE:-xuqm_private}?useUnicode=true&characterEncoding=UTF-8&useSSL=false&serverTimezone=GMT%2B8&allowPublicKeyRetrieval=true"
       SPRING_DATASOURCE_USERNAME: "${MYSQL_USERNAME:-xuqm}"
-      SPRING_DATASOURCE_PASSWORD: "${MYSQL_PASSWORD}"
     restart: unless-stopped

scripts/deploy.sh

@@ -319,6 +319,9 @@ cat > "$ROOT_DIR/config/secrets.env" <<EOF
 MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
 MYSQL_PASSWORD=${MYSQL_PASSWORD}
 REDIS_PASSWORD=${REDIS_PASSWORD}
+# Spring 直接读取的 env 名（避免 docker compose 变量替换时因 shell 缺失变量而变成空字符串）
+SPRING_DATASOURCE_PASSWORD=${MYSQL_PASSWORD}
+SPRING_DATA_REDIS_PASSWORD=${REDIS_PASSWORD}
 EOF
 chmod 600 "$ROOT_DIR/config/secrets.env"
 ok "config/secrets.env 已写入 (chmod 600)"