Skip to content
Deploy PROD & COMMON Infra, Service

fix: 민감 아웃풋 값 마스킹 처리 #40

Sign in to view logs

fix: 민감 아웃풋 값 마스킹 처리

fix: 민감 아웃풋 값 마스킹 처리 #40

Workflow file for this run

.github/workflows/deploy-prod.yml at 98cb452
name: Deploy PROD & COMMON Infra, Service
on:
push:
branches: [ main ]
paths:
- 'src/**'
- 'terraform/common/**'
- 'terraform/prod/**'
- '.github/workflows/deploy-prod.yml'
workflow_dispatch:
inputs:
rollback_version:
description: '롤백할 버전을 입력하세요 (예: 1.3.0). 비워두면 일반 배포를 실행합니다.'
required: false
default: ''
permissions:
contents: write
pull-requests: write
issues: write
concurrency:
group: terraform
cancel-in-progress: false
env:
AWS_REGION: ap-northeast-2
jobs:
terraform-apply-common:
name: Terraform Apply COMMON
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: hashicorp/setup-terraform@v3
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.AWS_REGION }}
- name: Terraform Init (common)
run: terraform init
working-directory: ./terraform/common
- name: Terraform Apply COMMON
run: terraform apply -auto-approve
working-directory: ./terraform/common
terraform-apply-prod:
name: Terraform Apply prod
runs-on: ubuntu-latest
needs: terraform-apply-common
outputs:
tf_outputs_json: ${{ steps.get-outputs.outputs.data }}
steps:
- uses: actions/checkout@v4
- uses: hashicorp/setup-terraform@v3
with:
terraform_wrapper: false
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.AWS_REGION }}
- name: Terraform Init (prod)
run: terraform init
working-directory: ./terraform/prod
- name: Terraform Apply prod
run: terraform apply -auto-approve
working-directory: ./terraform/prod
- name: Get Terraform Outputs
id: get-outputs
run: |
echo "data<<EOF" >> $GITHUB_OUTPUT
terraform output -json >> $GITHUB_OUTPUT
echo "EOF" >> $GITHUB_OUTPUT
working-directory: ./terraform/prod
deploy-service:
name: Deploy to Amazon ECS
runs-on: ubuntu-latest
environment: production
needs: terraform-apply-prod
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
fetch-tags: true
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.AWS_REGION }}
- name: Parse Terraform Outputs
id: parse-tf
run: |
TF_OUTPUTS='${{ needs.terraform-apply-prod.outputs.tf_outputs_json }}'
echo "ECR_REPOSITORY=$(echo "$TF_OUTPUTS" | jq -r '.ecr_repository_name.value')" >> $GITHUB_ENV
echo "ECS_CLUSTER=$(echo "$TF_OUTPUTS" | jq -r '.ecs_cluster_name.value')" >> $GITHUB_ENV
echo "ECS_SERVICE=$(echo "$TF_OUTPUTS" | jq -r '.ecs_api_service_name.value')" >> $GITHUB_ENV
echo "CONTAINER_NAME=$(echo "$TF_OUTPUTS" | jq -r '.ecs_api_container_name.value')" >> $GITHUB_ENV
echo "RDS_ENDPOINT=$(echo "$TF_OUTPUTS" | jq -r '.rds_endpoint.value')" >> $GITHUB_ENV
- name: Update DB URL in Parameter Store
run: |
aws ssm put-parameter \
--name "/prod/RDS_ENDPOINT" \
--value "jdbc:mysql://${{ env.RDS_ENDPOINT }}:3306/eatda?useUnicode=true&characterEncoding=UTF-8" \
--type SecureString \
--overwrite
- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: '22'
- name: Install Semantic Release dependencies
run: npm install semantic-release @semantic-release/commit-analyzer @semantic-release/release-notes-generator @semantic-release/github @semantic-release/changelog @semantic-release/git conventional-changelog-conventionalcommits
- name: Semantic Release (Dry Run)
id: get_version
run: |
if [[ -n "${{ github.event.inputs.rollback_version }}" ]]; then
echo " MANUAL ROLLBACK to version: ${{ github.event.inputs.rollback_version }}"
echo "SEMANTIC_VERSION=${{ github.event.inputs.rollback_version }}" >> $GITHUB_ENV
else
echo "Running semantic-release to determine next version..."
OUTPUT=$(./node_modules/.bin/semantic-release --dry-run --no-ci || true)
echo "$OUTPUT"
VERSION=$(echo "$OUTPUT" | grep -oP 'Published release \K[0-9.a-z-]+|The next release version is \K[0-9.a-z-]+' | head -n 1)
if [ -z "$VERSION" ]; then
echo "릴리즈할 새로운 버전이 없습니다. 배포를 건너뜁니다."
echo "SEMANTIC_VERSION=" >> $GITHUB_ENV
else
echo "Determined version: $VERSION"
echo "SEMANTIC_VERSION=$VERSION" >> $GITHUB_ENV
fi
fi
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Set up JDK 21
uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: 21
java-package: jdk
architecture: 'x64'
cache: 'gradle'
- name: Get TEST_JWT_SECRET_KEY from SSM
id: get-test-secret
run: |
SECRET_VALUE=$(aws ssm get-parameter \
--name "/common/TEST_JWT_SECRET_KEY" \
--with-decryption \
--region "${{ env.AWS_REGION }}" \
--query "Parameter.Value" \
--output text)
echo "TEST_JWT_SECRET_KEY=$SECRET_VALUE" >> $GITHUB_ENV
- name: Build with Gradle
run: |
cd ${{ github.workspace }}
chmod +x gradlew
./gradlew clean build -Dspring.profiles.active=prod
env:
TEST_JWT_SECRET_KEY: ${{ env.TEST_JWT_SECRET_KEY }}
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v2
with:
mask-password: 'true'
- name: Build, tag, and push image to Amazon ECR
env:
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
run: |
docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$SEMANTIC_VERSION .
docker push $ECR_REGISTRY/$ECR_REPOSITORY:$SEMANTIC_VERSION
echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$SEMANTIC_VERSION" >> $GITHUB_ENV
- name: Get latest ECS task definition
id: get-latest-task-def
run: |
TASK_DEF_ARN=$(aws ecs describe-services --cluster "${{ env.ECS_CLUSTER }}" --services "${{ env.ECS_SERVICE }}" --region "${{ env.AWS_REGION }}" --query "services[0].taskDefinition" --output text)
aws ecs describe-task-definition --task-definition "$TASK_DEF_ARN" --region "${{ env.AWS_REGION }}" --query "taskDefinition" --output json > task-definition.json
- name: Fill in the new image ID in the Amazon ECS task definition
id: task-def
uses: aws-actions/amazon-ecs-render-task-definition@v1
with:
task-definition: task-definition.json
container-name: ${{ env.CONTAINER_NAME }}
image: ${{ env.image }}
- name: Deploy Amazon ECS task definition
uses: aws-actions/amazon-ecs-deploy-task-definition@v1
with:
task-definition: ${{ steps.task-def.outputs.task-definition }}
service: ${{ env.ECS_SERVICE }}
cluster: ${{ env.ECS_CLUSTER }}
wait-for-service-stability: true
- name: Semantic Release (Final)
if: success() && env.SEMANTIC_VERSION != '' && (github.event.inputs.rollback_version == null || github.event.inputs.rollback_version == '')
run: |
./node_modules/.bin/semantic-release --no-ci
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Prepare Notification Info
id: vars
run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
- name: Discord Notify (Success)
if: success()
uses: tsickert/[email protected]
with:
webhook-url: ${{ secrets.DISCORD_WEBHOOK }}
embed-title: "✅ 프로덕션 서버 배포 성공!"
embed-color: 65280
embed-description: |
새로운 버전이 성공적으로 배포되었습니다.
**버전**: [v${{ env.SEMANTIC_VERSION }}](${{ github.server_url }}/${{ github.repository }}/releases/tag/v${{ env.SEMANTIC_VERSION }})
**커밋**: [${{ steps.vars.outputs.sha_short }}](${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }})
**배포자**: ${{ github.actor }}
embed-url: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
- name: Discord Notify (Failure)
if: failure()
uses: tsickert/[email protected]
with:
webhook-url: ${{ secrets.DISCORD_WEBHOOK }}
embed-title: "❌ 프로덕션 서버 배포 실패!"
embed-color: 16711680
embed-description: |
배포 과정 중 오류가 발생했습니다. 아래 링크에서 로그를 확인하세요.
**시도 버전**: ${{ env.SEMANTIC_VERSION }}
**커밋**: [${{ steps.vars.outputs.sha_short }}](${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }})
**요청자**: ${{ github.actor }}
embed-url: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"