63 changes: 63 additions & 0 deletions .github/workflows/deploy.yml
@@ -0,0 +1,63 @@
name: Deploy User to ECS

on:
push:
branches:
- main
workflow_dispatch:

env:
AWS_REGION: ap-northeast-2
AWS_ACCOUNT_ID: 727452759104
ECR_REPOSITORY: momentlit/user
ECS_CLUSTER: default
ECS_SERVICE: momentlit-user-service
IMAGE_TAG: latest

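Review bot: the trigger block (`on: push: branches: - main` plus `workflow_dispatch`) has no top-level `concurrency:` key, so a push and a manual dispatch, or two pushes in quick succession, run this workflow in parallel and both overwrite the same `IMAGE_TAG: latest`; whichever run finishes last decides which commit is live. Add, at the same level as `on:` and `env:`, a `concurrency:` block with `group: deploy-user-ecs` (any fixed name) and `cancel-in-progress: false` so runs for `main` queue instead of racing; leave cancellation off, because cancelling a run in the middle of `update-service` abandons a deployment rather than rolling it back.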
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

fd -type f -name "deploy.yml" | head -20

Repository: MomentLit/User

Length of output: 229


🏁 Script executed:

cat -n .github/workflows/deploy.yml 2>/dev/null || cat -n ./.github/workflows/deploy.yml 2>/dev/null || find . -name "deploy.yml" -type f

Repository: MomentLit/User

Length of output: 2138


Secure deployment reproducibility with immutable tags and new task definition registration

If IMAGE_TAG: latest keeps being overwritten and only --force-new-deployment is called, then among several workflow runs executing at the same time, a run that finishes later can redeploy the image of an older commit. Because the previous image is overwritten, deployment tracking and rollback are also difficult.

Push the commit SHA (e.g. ${{ github.sha }}) to ECR as an immutable tag, register a new task definition revision that references that image with register-task-definition, and then deploy it. In addition, configuring workflow concurrency so that main branch deployments run sequentially makes this even safer.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy.yml at line 15, Replace the hardcoded IMAGE_TAG:
latest with an immutable tag using the commit SHA (e.g., ${{ github.sha }}) to
ensure each deployment tracks to a specific commit. Update the ECR push step to
use this immutable tag instead of overwriting 'latest'. In the ECS deployment
step, use register-task-definition to create a new task definition revision that
explicitly references the specific image tag (not 'latest'), and deploy this new
revision instead of relying only on --force-new-deployment. Additionally, add a
concurrency configuration to the workflow to ensure main branch deployments
execute sequentially rather than in parallel, preventing race conditions where
older commits could be redeployed.
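The deploy-by-revision flow the comment above describes, as an added example (not code from the MomentLit/User workflow or from the bot): it builds an image URI from a full commit SHA, refuses mutable tags, turns a `describe-task-definition` response into the body for `register-task-definition` by stripping the read-only fields the API rejects and swapping the container image, and emits the CLI calls that deploy that exact revision. The account id, region, ECR repository, cluster and service come from deploy.yml; the task-definition family `momentlit-user`, the container name `user`, and the `DESCRIBED` response are constructed assumptions.

```python
"""Deploy one specific commit to ECS: immutable image tag + new task
definition revision, instead of overwriting ``:latest`` and forcing a redeploy.

Added example, not the MomentLit/User workflow's own code. Account id, region,
repository, cluster and service are the values in deploy.yml; the family
``momentlit-user``, container ``user`` and the DESCRIBED response below are
constructed stand-ins for ``aws ecs describe-task-definition`` output.
"""
import copy
import json
import re

# describe-task-definition echoes these back, but register-task-definition
# rejects them, so they are dropped before the definition is re-registered.
READ_ONLY_FIELDS = {
    "taskDefinitionArn", "revision", "status", "requiresAttributes",
    "compatibilities", "registeredAt", "registeredBy", "deregisteredAt",
}
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

# Constructed describe-task-definition response (shape of the real API,
# values invented except for the account id / region / repository).
DESCRIBED = {
    "taskDefinition": {
        "taskDefinitionArn": "arn:aws:ecs:ap-northeast-2:727452759104:task-definition/momentlit-user:7",
        "family": "momentlit-user",
        "revision": 7,
        "status": "ACTIVE",
        "networkMode": "awsvpc",
        "requiresCompatibilities": ["FARGATE"],
        "cpu": "256",
        "memory": "512",
        "executionRoleArn": "arn:aws:iam::727452759104:role/ecsTaskExecutionRole",
        "containerDefinitions": [{
            "name": "user",
            "image": "727452759104.dkr.ecr.ap-northeast-2.amazonaws.com/momentlit/user:latest",
            "essential": True,
            "portMappings": [{"containerPort": 8080, "protocol": "tcp"}],
        }],
        "requiresAttributes": [{"name": "ecs.capability.execution-role-ecr-pull"}],
        "compatibilities": ["EC2", "FARGATE"],
        "registeredAt": "2024-01-01T00:00:00+00:00",
        "registeredBy": "arn:aws:iam::727452759104:user/ci",
    }
}


def immutable_image_uri(account_id, region, repository, commit_sha):
    """ECR image URI for exactly one commit; rejects ``latest`` or short tags."""
    if not FULL_SHA.match(commit_sha):
        raise ValueError(f"tag must be a full commit SHA, got {commit_sha!r}")
    return f"{account_id}.dkr.ecr.{region}.amazonaws.com/{repository}:{commit_sha}"


def new_revision_payload(described, container_name, image):
    """Body for ``aws ecs register-task-definition --cli-input-json``: the
    current definition minus read-only fields, with the named container
    pointed at ``image``. The input dict is left untouched."""
    task_def = copy.deepcopy(described["taskDefinition"])
    payload = {k: v for k, v in task_def.items() if k not in READ_ONLY_FIELDS}
    targets = [c for c in payload["containerDefinitions"] if c["name"] == container_name]
    if not targets:
        raise ValueError(f"no container named {container_name!r} in task definition")
    for container in targets:
        container["image"] = image
    return payload


def deploy_commands(cluster, service, region, payload_file, task_def_arn):
    """The three CLI calls for the deploy step. The first prints the ARN of the
    new revision (feed it back in as ``task_def_arn``); the second deploys that
    revision explicitly, so no --force-new-deployment of ``latest`` is needed."""
    register = ["aws", "ecs", "register-task-definition", "--region", region,
                "--cli-input-json", f"file://{payload_file}",
                "--query", "taskDefinition.taskDefinitionArn", "--output", "text"]
    update = ["aws", "ecs", "update-service", "--region", region,
              "--cluster", cluster, "--service", service,
              "--task-definition", task_def_arn]
    wait = ["aws", "ecs", "wait", "services-stable", "--region", region,
            "--cluster", cluster, "--services", service]
    return [register, update, wait]


if __name__ == "__main__":
    sha = "0123456789abcdef0123456789abcdef01234567"  # constructed, stands in for ${{ github.sha }}
    uri = immutable_image_uri("727452759104", "ap-northeast-2", "momentlit/user", sha)
    payload = new_revision_payload(DESCRIBED, "user", uri)
    print(json.dumps(payload, indent=2))
    for cmd in deploy_commands("default", "momentlit-user-service", "ap-northeast-2",
                               "taskdef.json", "<arn printed by register-task-definition>"):
        print(" ".join(cmd))
```

In a workflow the payload would be written to `taskdef.json`, the register command's output captured into a variable, and that ARN passed to `update-service`; because every revision names a SHA-tagged image, `describe-services` shows which commit is running and rolling back is `update-service --task-definition <previous revision>`.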


jobs:
deploy:
name: Build and Deploy User
runs-on: ubuntu-latest

steps:
- name: Checkout source code
uses: actions/checkout@v4
Comment on lines +18 to +24

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

find . -name "deploy.yml" -type f | head -20

Repository: MomentLit/User

Length of output: 89


🏁 Script executed:

cat -n .github/workflows/deploy.yml

Repository: MomentLit/User

Length of output: 2138


Explicitly restrict the GITHUB_TOKEN scope and disable credential persistence in checkout.

The workflow has no permissions: block, so the default permissions apply, and actions/checkout@v4 stores the token in the git configuration of the working directory by default. Since the docker buildx build . command on line 47 then passes the entire repository, including the .git directory, as the build context, there is a risk that this credential is exposed more than necessary.

Suggested fix
 jobs:
   deploy:
     name: Build and Deploy User
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout source code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 23-24: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[warning] 18-63: overly broad permissions (excessive-permissions): default permissions used due to no permissions: block

(excessive-permissions)


[error] 24-24: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy.yml around lines 18 - 24, The workflow lacks
explicit GITHUB_TOKEN permission restrictions and the checkout step stores
credentials in the git configuration, which could expose them when the Docker
build context includes the .git directory. Add a `permissions:` block at the
deploy job level to explicitly limit token scope to minimum necessary
permissions, and configure the checkout step with `persist-credentials: false`
to prevent storing the token in git config, thereby reducing the risk of
credential exposure in the Docker build context.

Source: Linters/SAST tools


- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v5
with:
aws-region: ${{ env.AWS_REGION }}
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

- name: Login to Amazon ECR
uses: aws-actions/amazon-ecr-login@v2

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
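Review bot: the credentials step authenticates with a long-lived IAM user key pair (`aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}` / `aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}`); anyone who can read repository secrets, or any step that leaks them from a run, holds a non-expiring credential with ECR push and ECS update rights. `aws-actions/configure-aws-credentials` supports GitHub's OIDC provider: replace the two key inputs with `role-to-assume: arn:aws:iam::727452759104:role/<deploy-role>` (role name is a placeholder) and add `id-token: write` to the job's `permissions:` block, and the job receives short-lived STS credentials scoped to that role with no static secret to rotate or leak. If the keys must stay for now, narrow the IAM user's policy to push on `momentlit/user` and `ecs:UpdateService` on `momentlit-user-service` only.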
Comment on lines +23 to +37

⚠️ Potential issue | 🟠 Major

Pin GitHub Actions to full commit SHAs.

Version tags such as @v4, @v5, @v2 and @v3 are currently in use, and because these tags are mutable they create a supply-chain security risk. Since this workflow holds deployment permissions, it is recommended to pin each uses: entry to a verified full commit SHA and to add the version as a comment for readability (e.g. uses: actions/checkout@<full-sha> # v4). Managing SHA updates with an automation tool such as Renovate or Dependabot makes maintenance easier.

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 23-24: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 24-24: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 27-27: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 34-34: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 37-37: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy.yml around lines 23 - 37, Pin all GitHub Actions to
their full commit SHA values instead of version tags to mitigate supply chain
security risks in this deployment workflow. Replace the `@v4`, `@v5`, `@v2`, and
`@v3` version tags in the `uses:` statements for actions/checkout,
aws-actions/configure-aws-credentials, aws-actions/amazon-ecr-login, and
docker/setup-buildx-action with their corresponding full commit SHAs. Add the
original version tag as a comment after each SHA for readability (for example,
`uses: actions/checkout@<full-commit-sha> # v4`). Consider using Renovate or
Dependabot to automatically manage and update these SHAs in the future.
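A check for the pinning rule above, as an added example (not the project's code and not zizmor): it scans a workflow for `uses:` references whose ref is a tag or branch rather than a 40-character commit SHA, and rewrites a line into the pinned form with the old tag kept as a comment. The embedded workflow text is constructed from the steps in deploy.yml plus one already pinned step whose SHA is an obvious placeholder, to show what passes.

```python
"""Report GitHub Actions references that are not pinned to a full commit SHA.

Added example; not MomentLit/User code and not zizmor. WORKFLOW is
constructed from the steps in deploy.yml plus one pinned step with a
placeholder SHA (not a real commit) so the check has a passing case.
"""
import re

# `uses: owner/repo[/path]@ref`, with or without quotes or a leading "- ".
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*["']?([^@\s"']+)@([^\s"'#]+)""")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

WORKFLOW = """\
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout source code
        uses: actions/checkout@v4
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v5
      - name: Login to Amazon ECR
        uses: aws-actions/amazon-ecr-login@v2
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Already pinned (placeholder SHA, not a real commit)
        uses: example/pinned-action@0000000000000000000000000000000000000000 # v1
"""


def unpinned_uses(workflow_text):
    """Return (line_number, action, ref) for each action reference whose ref
    is not a 40-hex commit SHA. Local actions (./path) never carry a ref and
    docker:// images are governed by their digest, so both are skipped."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        action, ref = match.groups()
        if action.startswith("./") or action.startswith("docker://"):
            continue
        if not FULL_SHA.match(ref):
            findings.append((lineno, action, ref))
    return findings


def pinned_line(line, sha):
    """Rewrite one `uses:` line to `action@<sha> # <old ref>`, the form the
    review recommends. Anything after the old ref on the line is dropped."""
    match = USES_RE.match(line)
    if not match:
        raise ValueError(f"not a uses: line: {line!r}")
    if not FULL_SHA.match(sha):
        raise ValueError(f"not a full commit SHA: {sha!r}")
    action, ref = match.groups()
    return f"{line[:match.start(1)]}{action}@{sha} # {ref}"


if __name__ == "__main__":
    for lineno, action, ref in unpinned_uses(WORKFLOW):
        print(f"line {lineno}: {action}@{ref} is not pinned to a commit SHA")
```

The SHA to pin each action to must come from the action's own repository (`git rev-parse` of the release tag, or the value Dependabot proposes); the check only identifies which lines still need it.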


- name: Build and push Docker image
run: |
IMAGE_URI=${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}

docker buildx build \
--platform linux/amd64 \
--provenance=false \
-t $IMAGE_URI \
. \
--push

- name: Force new ECS deployment
run: |
aws ecs update-service \
--cluster $ECS_CLUSTER \
--service $ECS_SERVICE \
--force-new-deployment \
--region $AWS_REGION

- name: Wait for ECS service stable
run: |
aws ecs wait services-stable \
--cluster $ECS_CLUSTER \
--services $ECS_SERVICE \
--region $AWS_REGION
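Review bot: the deploy step has no failure handling: `aws ecs wait services-stable` polls every 15 seconds and gives up after 40 attempts (about 10 minutes) with exit code 255, which fails the job but leaves the service mid-rollout on whatever `latest` now points to, and because the build step overwrote the previous `latest` there is no older image to fall back on. Enable the ECS deployment circuit breaker on the service (`--deployment-configuration "deploymentCircuitBreaker={enable=true,rollback=true}"` on `update-service`) so a deployment whose tasks keep failing is rolled back to the last stable task definition automatically. Separately, `docker buildx build ... .` sends the whole checkout as context; add a `.dockerignore` with `.git` so repository metadata (and any token persisted there by checkout) never enters the build.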