[#129]; refactor(auth): tokenType 클레임 비교를 대소문자 무시 → 엄격 비교로 정렬 #17
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: deploy-dev | |
| on: | |
| push: | |
| branches: | |
| - develop | |
| workflow_dispatch: | |
| inputs: | |
| tag: | |
| description: 'Release tag to deploy' | |
| required: true | |
| default: 'latest' | |
| jobs: | |
| build-deploy: | |
| runs-on: ubuntu-latest | |
| environment: dev | |
| permissions: | |
| id-token: write | |
| contents: read | |
| defaults: | |
| run: | |
| working-directory: ./ | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up JDK 21 | |
| uses: actions/setup-java@v4 | |
| with: | |
| java-version: '21' | |
| distribution: 'temurin' | |
| cache: 'gradle' | |
| - name: Grant execute permission for gradlew | |
| run: chmod +x gradlew | |
| - name: Set secret yml file | |
| run: | | |
| mkdir -p src/main/resources | |
| echo "${{ secrets.APPLICANT_SYNC_MAPPING_DATA }}" > src/main/resources/applicant-sync-mapping-data.yml | |
| find src | |
| # Additional Gradle Caches for better performance | |
| - name: Cache Gradle packages | |
| uses: actions/cache@v4 | |
| with: | |
| path: | | |
| ~/.gradle/caches | |
| ~/.gradle/wrapper | |
| key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }} | |
| restore-keys: | | |
| ${{ runner.os }}-gradle- | |
| - name: Clean Build with Gradle (with Testing) | |
| env: | |
| JWT_ACCESS_KEY: ${{ secrets.JWT_ACCESS_KEY }} | |
| JWT_REFRESH_KEY: ${{ secrets.JWT_REFRESH_KEY }} | |
| GOOGLE_OAUTH_CLIENT_ID: ${{ secrets.GOOGLE_OAUTH_CLIENT_ID }} | |
| GOOGLE_OAUTH_CLIENT_SECRET: ${{ secrets.GOOGLE_OAUTH_CLIENT_SECRET }} | |
| GOOGLE_OAUTH_REDIRECT_URI: ${{ secrets.GOOGLE_OAUTH_REDIRECT_URI }} | |
| ALLOWED_REDIRECT_URI_LOCAL: ${{ vars.ALLOWED_REDIRECT_URI_LOCAL }} | |
| ALLOWED_REDIRECT_URI_DEV: ${{ vars.ALLOWED_REDIRECT_URI_DEV }} | |
| SWAGGER_OAUTH2_REDIRECT_URL: ${{ vars.SWAGGER_OAUTH2_REDIRECT_URL }} | |
| run: | | |
| echo "JWT_ACCESS_KEY=$JWT_ACCESS_KEY" | |
| echo "JWT_REFRESH_KEY=$JWT_REFRESH_KEY" | |
| echo "GOOGLE_OAUTH_CLIENT_ID=$GOOGLE_OAUTH_CLIENT_ID" | |
| echo "GOOGLE_OAUTH_CLIENT_SECRET=$GOOGLE_OAUTH_CLIENT_SECRET" | |
| echo "GOOGLE_OAUTH_REDIRECT_URI=$GOOGLE_OAUTH_REDIRECT_URI" | |
| echo "ALLOWED_REDIRECT_URI_LOCAL=$ALLOWED_REDIRECT_URI_LOCAL" | |
| echo "ALLOWED_REDIRECT_URI_DEV=$ALLOWED_REDIRECT_URI_DEV" | |
| echo "SWAGGER_OAUTH2_REDIRECT_URL=$SWAGGER_OAUTH2_REDIRECT_URL" | |
| ./gradlew clean build --build-cache --parallel --daemon | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v2 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| with: | |
| driver-opts: image=moby/buildkit:latest | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} | |
| role-session-name: GithubActions-${{ github.run_id }} | |
| aws-region: us-east-1 | |
| - name: Login to Amazon ECR | |
| id: login-ecr-public | |
| uses: aws-actions/amazon-ecr-login@v2 | |
| with: | |
| registry-type: public | |
| - name: Cache Docker layers | |
| uses: actions/cache@v4 | |
| with: | |
| path: /tmp/.buildx-cache | |
| key: ${{ runner.os }}-buildx-${{ hashFiles('Dockerfile') }}-${{ github.sha }} | |
| restore-keys: | | |
| ${{ runner.os }}-buildx-${{ hashFiles('Dockerfile') }}- | |
| ${{ runner.os }}-buildx- | |
| - name: Build, tag, and push image to Amazon ECR | |
| env: | |
| ECR_REGISTRY: public.ecr.aws/${{ vars.ECR_PUBLIC_REGISTRY_ID }} | |
| IMAGE_TAG: ${{ github.sha }} | |
| ECR_REPOSITORY: yourssu/${{ vars.PROJECT_NAME }} | |
| run: | | |
| echo "ECR_REGISTRY=$ECR_REGISTRY" | |
| echo "ECR_REPOSITORY=$ECR_REPOSITORY" | |
| echo "FULL_IMAGE_NAME=$ECR_REGISTRY/$ECR_REPOSITORY:latest" | |
| # create and use a new builder instance | |
| docker buildx create --use --name arm-builder | |
| docker buildx build \ | |
| --platform linux/arm64,linux/amd64 \ | |
| --push \ | |
| --provenance=false \ | |
| --cache-from "type=gha" \ | |
| --cache-from "type=local,src=/tmp/.buildx-cache" \ | |
| --cache-to "type=gha,mode=max" \ | |
| --cache-to "type=local,dest=/tmp/.buildx-cache-new,mode=max" \ | |
| -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG \ | |
| -t $ECR_REGISTRY/$ECR_REPOSITORY:latest \ | |
| . | |
| # 캐시 교체 | |
| rm -rf /tmp/.buildx-cache | |
| mv /tmp/.buildx-cache-new /tmp/.buildx-cache | |
| - name: Deploy to AWS EC2 | |
| env: | |
| YOURSSU_PEM: ${{ secrets.YOURSSU_PEM }} | |
| HOST_URL: ${{ vars.HOST_URL }} | |
| SERVER_PORT: ${{ vars.SERVER_PORT }} | |
| CORS_ALLOWED_ORIGINS: ${{ vars.CORS_ALLOWED_ORIGINS }} | |
| DB_URL: ${{ secrets.DB_URL }} | |
| DB_USERNAME: ${{ secrets.DB_USERNAME }} | |
| DB_PASSWORD: ${{ secrets.DB_PASSWORD }} | |
| PROJECT_NAME: ${{ vars.PROJECT_NAME }} | |
| ENVIRONMENT: ${{ vars.ENVIRONMENT }} | |
| ECR_REGISTRY: public.ecr.aws/${{ vars.ECR_PUBLIC_REGISTRY_ID }} | |
| # For this project | |
| JWT_ACCESS_KEY: ${{ secrets.JWT_ACCESS_KEY }} | |
| JWT_REFRESH_KEY: ${{ secrets.JWT_REFRESH_KEY }} | |
| GOOGLE_OAUTH_CLIENT_ID: ${{ secrets.GOOGLE_OAUTH_CLIENT_ID }} | |
| GOOGLE_OAUTH_CLIENT_SECRET: ${{ secrets.GOOGLE_OAUTH_CLIENT_SECRET }} | |
| GOOGLE_OAUTH_REDIRECT_URI: ${{ secrets.GOOGLE_OAUTH_REDIRECT_URI }} | |
| ALLOWED_REDIRECT_URI_LOCAL: ${{ vars.ALLOWED_REDIRECT_URI_LOCAL }} | |
| ALLOWED_REDIRECT_URI_DEV: ${{ vars.ALLOWED_REDIRECT_URI_DEV }} | |
| SWAGGER_OAUTH2_REDIRECT_URL: ${{ vars.SWAGGER_OAUTH2_REDIRECT_URL }} | |
| run: | | |
| mkdir -p ~/.ssh | |
| ssh-keyscan -H $HOST_URL >> ~/.ssh/known_hosts | |
| echo "$YOURSSU_PEM" > yourssu.pem | |
| chmod 600 yourssu.pem | |
| # .env 파일 생성 | |
| echo "SERVER_PORT=$SERVER_PORT" >> .env | |
| echo "CORS_ALLOWED_ORIGINS=$CORS_ALLOWED_ORIGINS" >> .env | |
| echo "DB_URL=$DB_URL" >> .env | |
| echo "DB_USERNAME=$DB_USERNAME" >> .env | |
| echo "DB_PASSWORD=$DB_PASSWORD" >> .env | |
| echo "PROJECT_NAME=$PROJECT_NAME" >> .env | |
| echo "ENVIRONMENT=$ENVIRONMENT" >> .env | |
| echo "ECR_REGISTRY=$ECR_REGISTRY" >> .env | |
| echo "JWT_ACCESS_KEY=$JWT_ACCESS_KEY" >> .env | |
| echo "JWT_REFRESH_KEY=$JWT_REFRESH_KEY" >> .env | |
| echo "GOOGLE_OAUTH_CLIENT_ID=$GOOGLE_OAUTH_CLIENT_ID" >> .env | |
| echo "GOOGLE_OAUTH_CLIENT_SECRET=$GOOGLE_OAUTH_CLIENT_SECRET" >> .env | |
| echo "GOOGLE_OAUTH_REDIRECT_URI=$GOOGLE_OAUTH_REDIRECT_URI" >> .env | |
| echo "ALLOWED_REDIRECT_URI_LOCAL=$ALLOWED_REDIRECT_URI_LOCAL" >> .env | |
| echo "ALLOWED_REDIRECT_URI_DEV=$ALLOWED_REDIRECT_URI_DEV" >> .env | |
| echo "SWAGGER_OAUTH2_REDIRECT_URL=$SWAGGER_OAUTH2_REDIRECT_URL" >> .env | |
| # create deployment directory structure | |
| ssh -i yourssu.pem ubuntu@$HOST_URL "mkdir -p ~/$PROJECT_NAME-api/logs" | |
| # deploy environment file and docker script to host machine | |
| scp -i yourssu.pem .env ubuntu@$HOST_URL:~/$PROJECT_NAME-api/ | |
| scp -i yourssu.pem scripts/docker-deploy.sh ubuntu@$HOST_URL:~/$PROJECT_NAME-api/ | |
| # Make the script executable | |
| ssh -i yourssu.pem ubuntu@$HOST_URL "chmod +x ~/$PROJECT_NAME-api/docker-deploy.sh" | |
| # Execute the script | |
| ssh -i yourssu.pem ubuntu@$HOST_URL "cd ~/$PROJECT_NAME-api && \ | |
| PROJECT_NAME=$PROJECT_NAME IMAGE_TAG=${{ github.event.inputs.tag || github.sha }} ./docker-deploy.sh" |