배포테스트 2차

nerdboi123 · nerdboi123 · commit 06e2fa02804e · 2025-09-07T00:38:28.000+09:00
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -3,12 +3,13 @@ name: deploy-purchase-to-ecs
 on:
   push:
     branches: [ "main" ]
+  workflow_dispatch:
 
 env:
   AWS_REGION: ap-northeast-2
-  ECR_REPOSITORY: shop-repo
-  ECS_CLUSTER: shop-cluster
-  ECS_SERVICE: purchase-api-service
+  ECR_REPOSITORY: shop-purchase-api-ecr
+  ECS_CLUSTER: shop-ecs-purchase-cluster
+  ECS_SERVICE: shop-ecs-purchase-task-service
   CONTAINER_NAME: purchase
 
 jobs:
@@ -21,32 +22,63 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - uses: aws-actions/configure-aws-credentials@v4
+      # --- 사전 진단: 시크릿/OIDC 토큰 확인 ---
+      - name: Assert AWS_ROLE_TO_ASSUME is set
+        run: |
+          test -n "${{ secrets.AWS_ROLE_TO_ASSUME }}" || { echo "Missing secret: AWS_ROLE_TO_ASSUME"; exit 1; }
+          echo "Secret is set (value hidden)"
+
+      - name: Check OIDC availability
+        run: |
+          if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL}" ]; then
+            echo "No OIDC token available. Add 'permissions: id-token: write'."; exit 1;
+          fi
+          echo "OIDC token endpoint detected"
+
+      # --- OIDC로 AWS 자격 구성 (핵심: role-to-assume 추가) ---
+      - name: Configure AWS credentials (OIDC)
+        uses: aws-actions/configure-aws-credentials@v4
         with:
-          # access key 사용 시
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
           aws-region: ${{ env.AWS_REGION }}
 
+      - name: Verify assumed identity
+        run: |
+          aws sts get-caller-identity
+          acct=$(aws sts get-caller-identity --query Account --output text)
+          [ "$acct" = "782683897698" ] || { echo "Assumed wrong account: $acct" && exit 1; }
+
+      # --- ECR 로그인 & 빌드/푸시 ---
       - id: login-ecr
         uses: aws-actions/amazon-ecr-login@v2
 
-      - name: Build & Push
+      - uses: docker/setup-buildx-action@v3
+
+      - name: Build & Push to ECR
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: linux/amd64
+          push: true
+          tags: |
+            ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ github.sha }}
+            ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:latest
+
+      # --- ECS 태스크 정의 렌더 & 배포 ---
+      - name: Set image output
+        id: image
         run: |
-          IMAGE_URI=${{ steps.login-ecr.outputs.registry }}/${ECR_REPOSITORY}:${GITHUB_SHA}
-          docker build -t ${ECR_REPOSITORY}:${GITHUB_SHA} .
-          docker tag ${ECR_REPOSITORY}:${GITHUB_SHA} ${IMAGE_URI}
-          docker push ${IMAGE_URI}
-          echo "IMAGE_URI=${IMAGE_URI}" >> $GITHUB_ENV
+          echo "image=${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ github.sha }}" >> "$GITHUB_OUTPUT"
 
-      - id: render
+      - name: Render task definition
+        id: render
         uses: aws-actions/amazon-ecs-render-task-definition@v1
         with:
           task-definition: .github/ecs/task-definition.json
           container-name: ${{ env.CONTAINER_NAME }}
-          image: ${{ env.IMAGE_URI }}
+          image: ${{ steps.image.outputs.image }}
 
-      - name: Deploy
+      - name: Deploy to ECS
         uses: aws-actions/amazon-ecs-deploy-task-definition@v2
         with:
           task-definition: ${{ steps.render.outputs.task-definition }}
