Merge develop into main #27
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: deploy-prod | |
| on: | |
| push: | |
| branches: | |
| - main | |
| workflow_dispatch: | |
| # 수동 실행 시, 태그 지정 된 것으로 배포됨. push로 자동 실행 시, 해당 push로 만들어진 sha태그로 배포됨. | |
| inputs: | |
| tag: | |
| description: 'Optional explicit prod tag (default: prod-latest)' | |
| required: false | |
| default: 'prod-latest' | |
| concurrency: | |
| group: deploy-prod | |
| cancel-in-progress: true | |
| jobs: | |
| build-deploy: | |
| runs-on: ubuntu-latest | |
| environment: prod | |
| permissions: | |
| id-token: write | |
| contents: read | |
| defaults: | |
| run: | |
| working-directory: ./ | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up JDK 21 | |
| uses: actions/setup-java@v4 | |
| with: | |
| java-version: '21' | |
| distribution: 'temurin' | |
| cache: 'gradle' | |
| - name: Grant execute permission for gradlew | |
| run: chmod +x gradlew | |
| - name: Set secret yml file | |
| run: | | |
| mkdir -p src/main/resources | |
| printf '%s' "${{ secrets.APPLICANT_SYNC_MAPPING_DATA }}" > src/main/resources/applicant-sync-mapping-data.yml | |
| test -s src/main/resources/applicant-sync-mapping-data.yml | |
| head -n 2 src/main/resources/applicant-sync-mapping-data.yml | |
| - name: Clean Build with Gradle (with Testing) | |
| env: | |
| JWT_ACCESS_KEY: ${{ secrets.JWT_ACCESS_KEY }} | |
| JWT_REFRESH_KEY: ${{ secrets.JWT_REFRESH_KEY }} | |
| GOOGLE_OAUTH_CLIENT_ID: ${{ secrets.GOOGLE_OAUTH_CLIENT_ID }} | |
| GOOGLE_OAUTH_CLIENT_SECRET: ${{ secrets.GOOGLE_OAUTH_CLIENT_SECRET }} | |
| GOOGLE_OAUTH_REDIRECT_URI: ${{ secrets.GOOGLE_OAUTH_REDIRECT_URI }} | |
| ALLOWED_REDIRECT_URI_LOCAL: ${{ vars.ALLOWED_REDIRECT_URI_LOCAL }} | |
| ALLOWED_REDIRECT_URI_DEV: ${{ vars.ALLOWED_REDIRECT_URI_DEV }} | |
| SWAGGER_OAUTH2_REDIRECT_URL: ${{ vars.SWAGGER_OAUTH2_REDIRECT_URL }} | |
| MAIL_STORAGE_S3_BUCKET: ${{ secrets.MAIL_STORAGE_S3_BUCKET }} | |
| MAIL_STORAGE_S3_REGION: ${{ secrets.MAIL_STORAGE_S3_REGION }} | |
| MAIL_STORAGE_S3_KEY_PREFIX: ${{ secrets.MAIL_STORAGE_S3_KEY_PREFIX }} | |
| run: | | |
| ./gradlew clean build --build-cache --parallel --daemon | |
| - name: Run Flyway migration | |
| env: | |
| DB_URL: ${{ secrets.DB_URL }} | |
| DB_USERNAME: ${{ secrets.DB_USERNAME }} | |
| DB_PASSWORD: ${{ secrets.DB_PASSWORD }} | |
| run: | | |
| ./gradlew flywayMigrate --no-daemon | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v2 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| with: | |
| driver-opts: image=moby/buildkit:latest | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} | |
| role-session-name: GithubActions-${{ github.run_id }} | |
| aws-region: us-east-1 | |
| - name: Login to Amazon ECR | |
| id: login-ecr-public | |
| uses: aws-actions/amazon-ecr-login@v2 | |
| with: | |
| registry-type: public | |
| - name: Build, tag, and push image to Amazon ECR | |
| env: | |
| ECR_REGISTRY: public.ecr.aws/${{ vars.ECR_PUBLIC_REGISTRY_ID }} | |
| ECR_REPOSITORY: yourssu/${{ vars.PROJECT_NAME }} | |
| run: | | |
| PROD_IMAGE_LATEST_TAG=prod-latest | |
| PROD_IMAGE_SHA_TAG=prod-${GITHUB_SHA} | |
| echo "ECR_REGISTRY=$ECR_REGISTRY" | |
| echo "ECR_REPOSITORY=$ECR_REPOSITORY" | |
| echo "FULL_IMAGE_NAME=$ECR_REGISTRY/$ECR_REPOSITORY:$PROD_IMAGE_LATEST_TAG" | |
| docker buildx create --use --name arm-builder | |
| docker buildx build \ | |
| --platform linux/arm64,linux/amd64 \ | |
| --push \ | |
| --provenance=false \ | |
| --cache-from "type=gha" \ | |
| --cache-to "type=gha,mode=max" \ | |
| -t $ECR_REGISTRY/$ECR_REPOSITORY:$PROD_IMAGE_SHA_TAG \ | |
| -t $ECR_REGISTRY/$ECR_REPOSITORY:$PROD_IMAGE_LATEST_TAG \ | |
| . | |
| - name: Deploy to AWS EC2 | |
| env: | |
| YOURSSU_PEM: ${{ secrets.YOURSSU_PEM }} | |
| HOST_URL: ${{ vars.HOST_URL }} | |
| SERVER_PORT: ${{ vars.SERVER_PORT }} | |
| CORS_ALLOWED_ORIGINS: ${{ vars.CORS_ALLOWED_ORIGINS }} | |
| DB_URL: ${{ secrets.DB_URL }} | |
| DB_USERNAME: ${{ secrets.DB_USERNAME }} | |
| DB_PASSWORD: ${{ secrets.DB_PASSWORD }} | |
| PROJECT_NAME: ${{ vars.PROJECT_NAME }} | |
| ENVIRONMENT: ${{ vars.ENVIRONMENT }} | |
| ECR_REGISTRY: public.ecr.aws/${{ vars.ECR_PUBLIC_REGISTRY_ID }} | |
| JWT_ACCESS_KEY: ${{ secrets.JWT_ACCESS_KEY }} | |
| JWT_REFRESH_KEY: ${{ secrets.JWT_REFRESH_KEY }} | |
| GOOGLE_OAUTH_CLIENT_ID: ${{ secrets.GOOGLE_OAUTH_CLIENT_ID }} | |
| GOOGLE_OAUTH_CLIENT_SECRET: ${{ secrets.GOOGLE_OAUTH_CLIENT_SECRET }} | |
| GOOGLE_OAUTH_REDIRECT_URI: ${{ secrets.GOOGLE_OAUTH_REDIRECT_URI }} | |
| ALLOWED_REDIRECT_URI_LOCAL: ${{ vars.ALLOWED_REDIRECT_URI_LOCAL }} | |
| ALLOWED_REDIRECT_URI_DEV: ${{ vars.ALLOWED_REDIRECT_URI_DEV }} | |
| SWAGGER_OAUTH2_REDIRECT_URL: ${{ vars.SWAGGER_OAUTH2_REDIRECT_URL }} | |
| MAIL_STORAGE_S3_BUCKET: ${{ secrets.MAIL_STORAGE_S3_BUCKET }} | |
| MAIL_STORAGE_S3_REGION: ${{ secrets.MAIL_STORAGE_S3_REGION }} | |
| MAIL_STORAGE_S3_KEY_PREFIX: ${{ secrets.MAIL_STORAGE_S3_KEY_PREFIX }} | |
| MAIL_SENDER_EMAIL: ${{ secrets.MAIL_SENDER_EMAIL }} | |
| MAIL_SENDER_APP_PASSWORD: ${{ secrets.MAIL_SENDER_APP_PASSWORD }} | |
| MEMBER_EXCEL_DOWNLOAD_PASSWORD: ${{ secrets.MEMBER_EXCEL_DOWNLOAD_PASSWORD }} | |
| INPUT_DEPLOY_TAG: ${{ github.event.inputs.tag }} | |
| run: | | |
| mkdir -p ~/.ssh | |
| ssh-keyscan -H $HOST_URL >> ~/.ssh/known_hosts | |
| echo "$YOURSSU_PEM" > yourssu.pem | |
| chmod 600 yourssu.pem | |
| if [ -n "$INPUT_DEPLOY_TAG" ]; then | |
| DEPLOY_TAG="$INPUT_DEPLOY_TAG" | |
| else | |
| DEPLOY_TAG="prod-${GITHUB_SHA}" | |
| fi | |
| echo "SERVER_PORT=$SERVER_PORT" >> .env.prod | |
| echo "CORS_ALLOWED_ORIGINS=$CORS_ALLOWED_ORIGINS" >> .env.prod | |
| echo "DB_URL=$DB_URL" >> .env.prod | |
| echo "DB_USERNAME=$DB_USERNAME" >> .env.prod | |
| echo "DB_PASSWORD=$DB_PASSWORD" >> .env.prod | |
| echo "PROJECT_NAME=$PROJECT_NAME" >> .env.prod | |
| echo "ENVIRONMENT=$ENVIRONMENT" >> .env.prod | |
| echo "ECR_REGISTRY=$ECR_REGISTRY" >> .env.prod | |
| echo "JWT_ACCESS_KEY=$JWT_ACCESS_KEY" >> .env.prod | |
| echo "JWT_REFRESH_KEY=$JWT_REFRESH_KEY" >> .env.prod | |
| echo "GOOGLE_OAUTH_CLIENT_ID=$GOOGLE_OAUTH_CLIENT_ID" >> .env.prod | |
| echo "GOOGLE_OAUTH_CLIENT_SECRET=$GOOGLE_OAUTH_CLIENT_SECRET" >> .env.prod | |
| echo "GOOGLE_OAUTH_REDIRECT_URI=$GOOGLE_OAUTH_REDIRECT_URI" >> .env.prod | |
| echo "ALLOWED_REDIRECT_URI_LOCAL=$ALLOWED_REDIRECT_URI_LOCAL" >> .env.prod | |
| echo "ALLOWED_REDIRECT_URI_DEV=$ALLOWED_REDIRECT_URI_DEV" >> .env.prod | |
| echo "SWAGGER_OAUTH2_REDIRECT_URL=$SWAGGER_OAUTH2_REDIRECT_URL" >> .env.prod | |
| echo "MAIL_STORAGE_S3_BUCKET=$MAIL_STORAGE_S3_BUCKET" >> .env.prod | |
| echo "MAIL_STORAGE_S3_REGION=$MAIL_STORAGE_S3_REGION" >> .env.prod | |
| echo "MAIL_STORAGE_S3_KEY_PREFIX=$MAIL_STORAGE_S3_KEY_PREFIX" >> .env.prod | |
| echo "MAIL_SENDER_EMAIL=$MAIL_SENDER_EMAIL" >> .env.prod | |
| echo "MAIL_SENDER_APP_PASSWORD=$MAIL_SENDER_APP_PASSWORD" >> .env.prod | |
| echo "MEMBER_EXCEL_DOWNLOAD_PASSWORD=$MEMBER_EXCEL_DOWNLOAD_PASSWORD" >> .env.prod | |
| echo "IMAGE_TAG=$DEPLOY_TAG" >> .env.prod | |
| ssh -i yourssu.pem ubuntu@$HOST_URL "mkdir -p ~/$PROJECT_NAME-prod-api/logs" | |
| scp -i yourssu.pem .env.prod ubuntu@$HOST_URL:~/$PROJECT_NAME-prod-api/ | |
| scp -i yourssu.pem scripts/docker-deploy.sh ubuntu@$HOST_URL:~/$PROJECT_NAME-prod-api/ | |
| ssh -i yourssu.pem ubuntu@$HOST_URL "chmod +x ~/$PROJECT_NAME-prod-api/docker-deploy.sh" | |
| ssh -i yourssu.pem ubuntu@$HOST_URL "cd ~/$PROJECT_NAME-prod-api && \ | |
| PROJECT_NAME=$PROJECT_NAME IMAGE_TAG=$DEPLOY_TAG CONTAINER_SUFFIX=prod ENV_FILE=.env.prod ./docker-deploy.sh" |