1차 프로덕션 배포 (kickytime-server)

.gitattributes

@@ -0,0 +1,3 @@
+/gradlew text eol=lf
+*.bat text eol=crlf
+*.jar binary

.github/workflows/ci.yml

@@ -0,0 +1,38 @@
+name: CI
+
+on:
+  pull_request:
+    branches: [ main, develop ]
+  push:
+    branches: [ main, develop ]
+
+
+jobs:
+  build-and-lint:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Gradle Wrapper 스크립트(gradlew 및 관련 JAR) 무결성 검증
+        uses: gradle/wrapper-validation-action@v3
+        timeout-minutes: 2
+        continue-on-error: true
+
+      - name: Set up JDK 17
+        uses: actions/setup-java@v4
+        with:
+          distribution: temurin
+          java-version: 17
+
+      - name: Gradle 실행 환경 최적화 + 캐시
+        uses: gradle/actions/setup-gradle@v4
+
+      - name: Grant execute permission for gradlew
+        run: chmod +x gradlew
+
+      - name: Build (includes spotless/checkstyle/test via `check` dependency)
+        run: ./gradlew --no-daemon build
+        env:
+          SPRING_PROFILES_ACTIVE: test

.github/workflows/ec2.yml

@@ -0,0 +1,74 @@
+name: EC2 Deploy (short)
+
+on:
+  repository_dispatch:
+    types: [deploy-ec2]
+  workflow_dispatch: {}
+
+env:
+  AWS_REGION: ap-northeast-2
+  IMAGE: ${{ github.event.client_payload.image_uri || '077672914621.dkr.ecr.ap-northeast-2.amazonaws.com/kickytime-repo:latest' }}
+  TARGET_TAG_KEY: Role
+  TARGET_TAG_VALUE: app
+  PORT: "8080"
+  HEALTH: "/actuator/health"
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ env.AWS_REGION }}
+
+      # ✅ 추가된 최소 스텝: 실행중 + 태그(Role=app) + SSM Online 교집합 → ids_list 출력
+      - name: Resolve running + tagged + SSM-online
+        id: resolve
+        shell: bash
+        run: |
+          set -euo pipefail
+          RUNNING_IDS=$(aws ec2 describe-instances \
+            --region "${AWS_REGION}" \
+            --filters "Name=tag:${TARGET_TAG_KEY},Values=${TARGET_TAG_VALUE}" "Name=instance-state-name,Values=running" \
+            --query 'Reservations[].Instances[].InstanceId' --output text | tr '\t' '\n' || true)
+          SSM_ONLINE_IDS=$(aws ssm describe-instance-information \
+            --region "${AWS_REGION}" \
+            --filters "Key=PingStatus,Values=Online" \
+            --query 'InstanceInformationList[].InstanceId' --output text | tr '\t' '\n' || true)
+          TARGET_IDS=$(comm -12 <(printf '%s\n' $RUNNING_IDS | sort) <(printf '%s\n' $SSM_ONLINE_IDS | sort) || true)
+          if [ -z "${TARGET_IDS:-}" ]; then
+            echo "No targets (running+tagged+ssm-online)."; exit 1
+          fi
+          echo "ids_list=$(printf '%s ' $TARGET_IDS)" >> "$GITHUB_OUTPUT"
+
+      - name: Run on all tagged instances via SSM (by instance-ids)
+        env:
+          IDS_LIST: ${{ steps.resolve.outputs.ids_list }}
+        run: |
+          echo "Deploying image: $IMAGE"
+
+          aws ssm send-command \
+            --region $AWS_REGION \
+            --document-name "AWS-RunShellScript" \
+            --instance-ids $IDS_LIST \
+            --cloud-watch-output-config CloudWatchOutputEnabled=true,CloudWatchLogGroupName=/aws/ssm/kickytime \
+            --parameters '{
+              "commands": [
+                "set -e",
+                "command -v docker >/dev/null 2>&1 || (dnf -y install docker && systemctl enable --now docker)",
+                "REG=$(echo \"'$IMAGE'\" | cut -d/ -f1)",
+                "aws ecr get-login-password --region '$AWS_REGION' | docker login --username AWS --password-stdin $REG",
+                "docker rm -f kickytime || true",
+                "docker pull \"'$IMAGE'\"",
+                "docker run -d --name kickytime -p '$PORT':'$PORT' \\",
+                "  -e SPRING_DATASOURCE_URL=\"'${{ secrets.DB_URL }}'\" \\",
+                "  -e SPRING_DATASOURCE_USERNAME=\"'${{ secrets.DB_USERNAME }}'\" \\",
+                "  -e SPRING_DATASOURCE_PASSWORD=\"'${{ secrets.DB_PASSWORD }}'\" \\",
+                "  \"'$IMAGE'\"",
+                "for i in $(seq 1 60); do curl -fsS http://127.0.0.1:'$PORT$HEALTH' && break || sleep 2; done"
+              ],
+              "executionTimeout": ["1800"]
+            }' \
+            --comment "Deploy $IMAGE"

.github/workflows/ecr.yml

@@ -0,0 +1,134 @@
+name: ECR - Build & Push
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+concurrency:
+  group: ecr-main
+  cancel-in-progress: false
+
+permissions:
+  contents: write   # repository_dispatch에 필요
+
+env:
+  AWS_REGION: ap-northeast-2
+  ECR_REPOSITORY: kickytime-repo
+
+jobs:
+  build_and_push:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Ensure jq is installed
+        run: |
+          sudo apt-get update -y
+          sudo apt-get install -y jq
+
+      # 멀티아치 에뮬레이션(QEMU) 세팅
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+        with:
+          platforms: all
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Configure AWS credentials (Access Keys)
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Login to Amazon ECR
+        id: ecr
+        uses: aws-actions/amazon-ecr-login@v2
+
+      - name: Set TAG from commit SHA
+        id: tag
+        run: echo "TAG=${GITHUB_SHA::12}" >> $GITHUB_OUTPUT
+
+      - name: Build & Push multi-arch image
+        id: build
+        run: |
+          set -e
+          REGISTRY="${{ steps.ecr.outputs.registry }}"
+          TAG="${{ steps.tag.outputs.TAG }}"
+          IMAGE_URI="$REGISTRY/${{ env.ECR_REPOSITORY }}:$TAG"
+          LATEST_URI="$REGISTRY/${{ env.ECR_REPOSITORY }}:latest"
+
+          docker buildx build \
+            --platform linux/amd64,linux/arm64 \
+            --push \
+            --tag "$IMAGE_URI" \
+            --tag "$LATEST_URI" \
+            .
+
+          echo "IMAGE_URI=$IMAGE_URI" >> $GITHUB_OUTPUT
+
+      - name: Verify multi-arch manifest (Fixed)
+        run: |
+          set -e
+          REGISTRY="${{ steps.ecr.outputs.registry }}"
+          TAG="${{ steps.tag.outputs.TAG }}"
+          IMAGE_URI="$REGISTRY/${{ env.ECR_REPOSITORY }}:$TAG"
+
+          ARCHES=$(docker manifest inspect "$IMAGE_URI" | jq -r '.manifests[]?.platform | "\(.os)/\(.architecture)"' | sort -u)
+          echo "Manifests:"
+          echo "$ARCHES"
+
+          # 정확한 매칭으로 수정
+          if ! echo "$ARCHES" | grep -x 'linux/amd64' > /dev/null; then
+            echo "❌ Missing linux/amd64 in manifest"
+            echo "Available platforms: $ARCHES"
+            exit 1
+          fi
+
+          if ! echo "$ARCHES" | grep -x 'linux/arm64' > /dev/null; then
+            echo "❌ Missing linux/arm64 in manifest"
+            echo "Available platforms: $ARCHES"
+            exit 1
+          fi
+
+          echo "✅ Both linux/amd64 and linux/arm64 found"
+
+      # repository_dispatch 전송 + HTTP 204 확인
+      - name: Trigger ECS/EC2 Deploy via repository_dispatch
+        if: success()
+        run: |
+          set -e
+          image_uri="${{ steps.build.outputs.IMAGE_URI }}"
+          tag="${{ steps.tag.outputs.TAG }}"
+          branch="${{ github.ref_name }}"
+          sha="${{ github.sha }}"
+
+          # ECS
+          resp=$(curl -s -o /tmp/resp.txt -w "%{http_code}" -X POST \
+            "https://api.github.com/repos/${{ github.repository }}/dispatches" \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
+            -d "{\"event_type\":\"deploy-ecs\",\"client_payload\":{\"image_uri\":\"$image_uri\",\"tag\":\"$tag\",\"branch\":\"$branch\",\"sha\":\"$sha\"}}")
+          [ "$resp" = "204" ] || (echo "ECS dispatch failed:" && cat /tmp/resp.txt && exit 1)
+
+          # EC2
+          resp2=$(curl -s -o /tmp/resp2.txt -w "%{http_code}" -X POST \
+            "https://api.github.com/repos/${{ github.repository }}/dispatches" \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
+            -d "{\"event_type\":\"deploy-ec2\",\"client_payload\":{\"image_uri\":\"$image_uri\",\"tag\":\"$tag\",\"branch\":\"$branch\",\"sha\":\"$sha\"}}")
+          [ "$resp2" = "204" ] || (echo "EC2 dispatch failed:" && cat /tmp/resp2.txt && exit 1)
+
+      - name: Summary
+        run: |
+          echo "### ✅ ECR Push & Dispatch OK (Multi-arch)" >> $GITHUB_STEP_SUMMARY
+          echo "- Repo:   \`${{ env.ECR_REPOSITORY }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "- Tag:    \`${{ steps.tag.outputs.TAG }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "- Image:  \`${{ steps.build.outputs.IMAGE_URI }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "- Arches: \`linux/amd64, linux/arm64\`" >> $GITHUB_STEP_SUMMARY
+          echo "- Sent:   \`repository_dispatch: deploy-ecs\`" >> $GITHUB_STEP_SUMMARY
+          echo "- Sent:   \`repository_dispatch: deploy-ec2\`" >> $GITHUB_STEP_SUMMARY

.github/workflows/ecs.yml

@@ -0,0 +1,118 @@
+name: ECS - Deploy (dispatch)
+
+on:
+  repository_dispatch:
+    types: [deploy-ecs]
+  workflow_dispatch:
+
+concurrency:
+  group: ecs-deploy
+  cancel-in-progress: false
+
+permissions:
+  contents: read
+
+env:
+  AWS_REGION: ap-northeast-2
+  ECR_REPOSITORY: kickytime-repo
+  ECS_CLUSTER: kickytime-cluster
+  ECS_SERVICE: kickytime-task-service
+  TASK_FAMILY: kickytime-task
+  CONTAINER_NAME: kickytime-ecr
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    env:
+      PAYLOAD_IMAGE_URI: ${{ github.event.client_payload.image_uri }}
+      PAYLOAD_TAG:       ${{ github.event.client_payload.tag }}
+      PAYLOAD_BRANCH:    ${{ github.event.client_payload.branch }}
+      PAYLOAD_SHA:       ${{ github.event.client_payload.sha }}
+
+    steps:
+      - name: Gate - only deploy for main
+        id: gate
+        run: |
+          if [ "$PAYLOAD_BRANCH" = "main" ]; then
+            echo "GO=true" >> $GITHUB_OUTPUT
+          else
+            echo "GO=false" >> $GITHUB_OUTPUT
+            echo "Non-deploy branch: $PAYLOAD_BRANCH"
+          fi
+
+      - name: Checkout (same commit as build)
+        if: steps.gate.outputs.GO == 'true'
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ env.PAYLOAD_SHA }}
+
+      - name: Configure AWS credentials
+        if: steps.gate.outputs.GO == 'true'
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id:     ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region:            ${{ env.AWS_REGION }}
+
+      - name: Login to Amazon ECR
+        if: steps.gate.outputs.GO == 'true'
+        id: ecr
+        uses: aws-actions/amazon-ecr-login@v2
+
+      - name: Describe current Task Definition
+        if: steps.gate.outputs.GO == 'true'
+        run: |
+          aws ecs describe-task-definition \
+            --task-definition "${{ env.TASK_FAMILY }}" \
+            --query 'taskDefinition' > td.json
+
+      - name: Patch image & ensure ARM64 platform
+        if: steps.gate.outputs.GO == 'true'
+        run: |
+          jq --arg NAME "${{ env.CONTAINER_NAME }}" --arg IMG "${PAYLOAD_IMAGE_URI}" '
+            .containerDefinitions |= map(if .name == $NAME then .image = $IMG else . end)
+            | .runtimePlatform = {"cpuArchitecture":"ARM64","operatingSystemFamily":"LINUX"}
+            | del(.taskDefinitionArn,.revision,.status,.requiresAttributes,.compatibilities,.registeredAt,.registeredBy)
+          ' td.json > td-new.json
+
+      - name: Register new Task Definition
+        if: steps.gate.outputs.GO == 'true'
+        id: register
+        run: |
+          NEW_TD_ARN=$(aws ecs register-task-definition \
+            --cli-input-json file://td-new.json \
+            --query 'taskDefinition.taskDefinitionArn' \
+            --output text)
+          echo "TASK_DEF_ARN=$NEW_TD_ARN" >> $GITHUB_OUTPUT
+
+      - name: Update service (rolling deployment)
+        if: steps.gate.outputs.GO == 'true'
+        run: |
+          aws ecs update-service \
+            --cluster "${{ env.ECS_CLUSTER }}" \
+            --service "${{ env.ECS_SERVICE }}" \
+            --task-definition "${{ steps.register.outputs.TASK_DEF_ARN }}" \
+            --force-new-deployment
+
+      - name: Wait for deployment (timeout 10m)
+        if: steps.gate.outputs.GO == 'true'
+        id: wait
+        continue-on-error: true
+        run: |
+          timeout 600 aws ecs wait services-stable \
+            --cluster "${{ env.ECS_CLUSTER }}" \
+            --services "${{ env.ECS_SERVICE }}" || echo "WAIT_FAILED=true" >> $GITHUB_OUTPUT
+
+      - name: Summary
+        if: steps.gate.outputs.GO == 'true'
+        run: |
+          if [ "${{ steps.wait.outputs.WAIT_FAILED }}" == "true" ]; then
+            echo "### ❌ ECS Deploy Failed" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          else
+            echo "### ✅ ECS Deploy Completed (ARM64)" >> $GITHUB_STEP_SUMMARY
+            echo "- Cluster: \`${{ env.ECS_CLUSTER }}\`"
+            echo "- Service: \`${{ env.ECS_SERVICE }}\`"
+            echo "- TD: \`${{ steps.register.outputs.TASK_DEF_ARN }}\`"
+            echo "- Image: \`${PAYLOAD_IMAGE_URI}\`"
+          fi