feat: GitHub Actions CI/CD #6
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,63 @@ | ||
| name: Deploy User to ECS | ||
|
|
||
| on: | ||
| push: | ||
| branches: | ||
| - main | ||
| workflow_dispatch: | ||
|
|
||
| env: | ||
| AWS_REGION: ap-northeast-2 | ||
| AWS_ACCOUNT_ID: 727452759104 | ||
| ECR_REPOSITORY: momentlit/user | ||
| ECS_CLUSTER: default | ||
| ECS_SERVICE: momentlit-user-service | ||
| IMAGE_TAG: latest | ||
|
|
||
| jobs: | ||
| deploy: | ||
| name: Build and Deploy User | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Checkout source code | ||
| uses: actions/checkout@v4 | ||
|
Comment on lines +18 to +24

Example fix for the workflow:

jobs:
  deploy:
    name: Build and Deploy User
    runs-on: ubuntu-latest
+   permissions:
+     contents: read
    steps:
      - name: Checkout source code
        uses: actions/checkout@v4
+       with:
+         persist-credentials: false

🧰 Tools
🪛 zizmor (1.25.2)
[warning] 23-24: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked)
[warning] 18-63: overly broad permissions (excessive-permissions): default permissions used due to no permissions: block (excessive-permissions)
[error] 24-24: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses)
|
|
||
| - name: Configure AWS credentials | ||
| uses: aws-actions/configure-aws-credentials@v5 | ||
| with: | ||
| aws-region: ${{ env.AWS_REGION }} | ||
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | ||
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | ||
|
|
||
| - name: Login to Amazon ECR | ||
| uses: aws-actions/amazon-ecr-login@v2 | ||
|
|
||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v3 | ||
|
Comment on lines +23 to +37

Pin the GitHub Actions to full commit SHAs. Currently

🧰 Tools
🪛 zizmor (1.25.2)
[warning] 23-24: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked)
[error] 24-24: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses)
[error] 27-27: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses)
[error] 34-34: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses)
[error] 37-37: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses)
|
|
||
| - name: Build and push Docker image | ||
| run: | | ||
| IMAGE_URI=${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG} | ||
|
|
||
| docker buildx build \ | ||
| --platform linux/amd64 \ | ||
| --provenance=false \ | ||
| -t $IMAGE_URI \ | ||
| . \ | ||
| --push | ||
|
|
||
| - name: Force new ECS deployment | ||
| run: | | ||
| aws ecs update-service \ | ||
| --cluster $ECS_CLUSTER \ | ||
| --service $ECS_SERVICE \ | ||
| --force-new-deployment \ | ||
| --region $AWS_REGION | ||
|
|
||
| - name: Wait for ECS service stable | ||
| run: | | ||
| aws ecs wait services-stable \ | ||
| --cluster $ECS_CLUSTER \ | ||
| --services $ECS_SERVICE \ | ||
| --region $AWS_REGION | ||
Secure deployment reproducibility with immutable tags and a newly registered task definition

If IMAGE_TAG: latest keeps being overwritten and only --force-new-deployment is called, then among several workflows running at the same time, the run that finishes last can redeploy an image built from an older commit. Because the previous image is overwritten, deployment tracking and rollback are also difficult. Push the commit SHA (e.g. ${{ github.sha }}) to ECR as an immutable tag, register a new task definition revision that points at that image with register-task-definition, and then deploy. Additionally, configuring workflow concurrency so that main-branch deployments run sequentially makes this even safer.
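The review comments above ask for least-privilege permissions, persist-credentials: false, SHA-pinned actions, an immutable image tag with a freshly registered task definition revision, and serialised main-branch deployments. The workflow below is an added example that combines all of them in one file; it is not the project's own deploy.yml and was not proposed by the reviewer. It also goes one step beyond the comments by replacing the static access keys with the OIDC role-to-assume flow of aws-actions/configure-aws-credentials. Every `<full-commit-sha>` is a placeholder for the audited 40-character SHA of the listed tag, `<github-deploy-role>` is a placeholder IAM role whose trust policy must accept GitHub's OIDC provider for this repository, and ECS_TASK_FAMILY and CONTAINER_NAME are assumed names that have to match the real task definition.

```yaml
name: Deploy User to ECS

on:
  push:
    branches: [main]
  workflow_dispatch:

# Serialise deployments from main so an older, slower run cannot finish after a newer one.
concurrency:
  group: deploy-user-main
  cancel-in-progress: false

# Least privilege for the whole workflow; the job adds id-token below for OIDC.
permissions:
  contents: read

env:
  AWS_REGION: ap-northeast-2
  AWS_ACCOUNT_ID: 727452759104
  ECR_REPOSITORY: momentlit/user
  ECS_CLUSTER: default
  ECS_SERVICE: momentlit-user-service
  ECS_TASK_FAMILY: momentlit-user      # assumed task definition family name
  CONTAINER_NAME: user                 # assumed container name inside the task definition
  IMAGE_TAG: ${{ github.sha }}         # immutable tag instead of "latest"

jobs:
  deploy:
    name: Build and Deploy User
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write                  # lets the job mint the OIDC token that AWS trusts
    steps:
      # Placeholder: replace <full-commit-sha> with the audited SHA of the tag in the comment.
      - name: Checkout source code
        uses: actions/checkout@<full-commit-sha> # v4
        with:
          persist-credentials: false   # do not leave the GITHUB_TOKEN in .git/config

      - name: Configure AWS credentials (OIDC, no stored access keys)
        uses: aws-actions/configure-aws-credentials@<full-commit-sha> # v5
        with:
          aws-region: ${{ env.AWS_REGION }}
          # Placeholder role; its trust policy must allow GitHub's OIDC provider for this repo.
          role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/<github-deploy-role>

      - name: Login to Amazon ECR
        uses: aws-actions/amazon-ecr-login@<full-commit-sha> # v2

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@<full-commit-sha> # v3

      - name: Build and push Docker image
        run: |
          IMAGE_URI="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}"
          # --provenance=false is kept from the original workflow; it disables the provenance attestation.
          docker buildx build --platform linux/amd64 --provenance=false -t "$IMAGE_URI" --push .
          echo "IMAGE_URI=$IMAGE_URI" >> "$GITHUB_ENV"

      - name: Register a task definition revision that pins the immutable image
        id: taskdef
        run: |
          aws ecs describe-task-definition --task-definition "$ECS_TASK_FAMILY" \
            --query taskDefinition --output json > current.json
          # describe-task-definition returns read-only fields that register-task-definition rejects,
          # so strip them and swap only the target container's image.
          jq --arg image "$IMAGE_URI" --arg name "$CONTAINER_NAME" \
            'del(.taskDefinitionArn, .revision, .status, .requiresAttributes,
                 .compatibilities, .registeredAt, .registeredBy)
             | .containerDefinitions |= map(if .name == $name then .image = $image else . end)' \
            current.json > new.json
          ARN=$(aws ecs register-task-definition --cli-input-json file://new.json \
                  --query taskDefinition.taskDefinitionArn --output text)
          echo "arn=$ARN" >> "$GITHUB_OUTPUT"

      - name: Deploy the new revision and wait for the service to stabilise
        run: |
          aws ecs update-service --cluster "$ECS_CLUSTER" --service "$ECS_SERVICE" \
            --task-definition "${{ steps.taskdef.outputs.arn }}" --region "$AWS_REGION"
          aws ecs wait services-stable --cluster "$ECS_CLUSTER" --services "$ECS_SERVICE" \
            --region "$AWS_REGION"
```

Because the service is now updated with an explicit task definition revision rather than --force-new-deployment, every deployment is traceable to one commit SHA and one revision number, and rolling back is an `update-service` to the previous revision instead of a rebuild. The `concurrency` group keeps a second push from deploying out of order, and cancel-in-progress is left false so a half-finished deployment is not aborted mid-way.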