
Commit ea7d9f0

authored
Merge pull request #190 from prgrms-web-devcourse-final-project/chore/33-infra
chore[env]: env파일 정리
2 parents 2a9083f + 1852d55 commit ea7d9f0


2 files changed

+14
-74
lines changed


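--- a/.github/workflows/CI-CD_Pipeline.yml
+++ b/.github/workflows/CI-CD_Pipeline.yml
@@ -80,36 +80,11 @@ jobs:
 - name: Create test .env file
 working-directory: backend
 run: |
-cat > .env << 'EOF'
-# Datasource 설정 (application-test.yml에서 참조)
-TEST_DATASOURCE_URL=jdbc:h2:mem:db_test;MODE=MySQL
-TEST_DATASOURCE_USERNAME=sa
-TEST_DATASOURCE_PASSWORD=
-TEST_DATASOURCE_DRIVER=org.h2.Driver
-
-# JPA 설정 (application-test.yml에서 참조)
-TEST_JPA_HIBERNATE_DDL_AUTO=create-drop
-
-email_address=${{ secrets.EMAIL_ADDRESS }}
-send_email_password=${{ secrets.EMAIL_PASSWORD }}
-send_email_address=${{ secrets.SEND_EMAIL_ADDRESS }}
-
-# Redis 설정 (application-test.yml에서 참조, GitHub Actions 서비스 사용)
-TEST_REDIS_HOST=localhost
-TEST_REDIS_PORT=6379
-TEST_REDIS_PASSWORD=
-
-# Qdrant
-TEST_QDRANT_HOST=localhost
-TEST_QDRANT_PORT=6333
-
-# CI/CD 환경에서는 Embedded Redis 끄기
-SPRING_DATA_REDIS_EMBEDDED=false
-
-# JWT 설정 (application-test.yml에서 참조)
-CUSTOM_JWT_SECRET_KEY=${{ secrets.JWT_SECRET_KEY }}
-CUSTOM_JWT_ACCESS_TOKEN_EXPIRATION_SECONDS=3600
-EOF
+set -euo pipefail
+install -d -m 700 .
+echo "${{ secrets.ENV_BASE64 }}" | base64 -d > .env
+chmod 600 .env
+test -s .env || { echo ".env is empty"; exit 1; }
 
 - name: Run unit, and domain tests
 run: ${{ matrix.gradle_cmd }} clean test
@@ -219,19 +194,6 @@ jobs:
 run: |
 echo "IMAGE_PREFIX=$(echo $GITHUB_REPOSITORY | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
 
-- name: Create prod .env file
-run: |
-cat > .env << 'EOF'
-SPRING_PROFILES_ACTIVE=prod
-PROD_DATASOURCE_URL=jdbc:mysql://mysql:3306/${{ secrets.DB_NAME }}
-PROD_DATASOURCE_USERNAME=${{ secrets.DB_USER }}
-PROD_DATASOURCE_PASSWORD=${{ secrets.DB_PASSWORD }}
-
-PROD_REDIS_HOST=redis
-PROD_REDIS_PORT=6379
-PROD_REDIS_PASSWORD=${{ secrets.REDIS_PASSWORD }}
-EOF
-
 - name: AWS SSM Send-Command
 uses: peterkimzz/aws-ssm-send-command@master
 id: ssm
@@ -243,44 +205,24 @@ jobs:
 working-directory: /
 comment: Deploy
 command: |
-set -xe
+set -euo pipefail
 echo "===== 현재 실행 중인 컨테이너 ====="
 docker ps -a || true
 
 echo "===== 기존 컨테이너 종료 & 제거 ====="
 docker stop app 2>/dev/null || true
 docker rm app 2>/dev/null || true
 
-# EC2 내부에서 prod.env 파일 생성 (기존 파일 있으면 덮어쓰기)
-mkdir -p /home/ec2-user/configs
-cat > /home/ec2-user/configs/prod.env << 'EOF'
-SPRING_PROFILES_ACTIVE=prod
-
-CUSTOM_JWT_SECRET_KEY=${{ secrets.JWT_SECRET_KEY }}
-CUSTOM_JWT_ACCESS_TOKEN_EXPIRATION_SECONDS=3600
-
-PROD_DATASOURCE_URL=jdbc:mysql://mysql:3306/${{ secrets.DB_NAME }}?createDatabaseIfNotExist=true&useSSL=false&allowPublicKeyRetrieval=true&serverTimezone=Asia/Seoul
-PROD_DATASOURCE_DRIVER=com.mysql.cj.jdbc.Driver
-PROD_DATASOURCE_USERNAME=root
-PROD_DATASOURCE_PASSWORD=${{ secrets.DB_PASSWORD }}
-PROD_JPA_HIBERNATE_DDL_AUTO=none
-
-PROD_REDIS_HOST=redis
-PROD_REDIS_PORT=6379
-PROD_REDIS_PASSWORD=${{ secrets.REDIS_PASSWORD }}
+# EC2 내부에서 prod.env 복원 (ENV_BASE64 -> 디코드)
+install -d -m 700 /home/ec2-user/configs
+cat > /home/ec2-user/configs/prod.env.b64 <<'__B64__'
+${{ secrets.ENV_BASE64 }}
+__B64__
 
-PROD_QDRANT_HOST=qdrant
-PROD_QDRANT_PORT=6334
-
-send_email_address=${{ secrets.SEND_EMAIL_ADDRESS }}
-send_email_password=${{ secrets.SEND_EMAIL_PASSWORD }}
-
-PROD_SENTRY_DSN=${{ secrets.SENTRY_DSN }}
-
-EOF
-
-# 파일 권한 최소화
+base64 -d /home/ec2-user/configs/prod.env.b64 > /home/ec2-user/configs/prod.env
 chmod 600 /home/ec2-user/configs/prod.env
+shred -u /home/ec2-user/configs/prod.env.b64 # 임시 파일 안전 삭제
+
 
 # EC2에서 GHCR 로그인
 echo "${{ secrets.GHCR_PAT }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin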
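Review bot: The `Create test .env file` step now decodes the same `secrets.ENV_BASE64` bundle that the deploy command writes to `/home/ec2-user/configs/prod.env`, so unless that secret is scoped per environment, the job that runs `${{ matrix.gradle_cmd }} clean test` now holds every production credential, where it previously held only test values plus the mail and JWT secrets. A separate test-only secret (for example `secrets.TEST_ENV_BASE64`, name illustrative) would keep the test runner's exposure as it was. GitHub masks only the registered base64 string, not the decoded values, so a later step that prints any line of `.env` would show it in clear. Passing the secret through `env:` and writing `printf '%s' "$ENV_BASE64" | base64 -d > .env` would also keep it out of the generated script text. In the SSM hunk the blob is still embedded in the `command` input, so it presumably stays readable in the SSM command history after `shred -u` removes the temp file; the command block continues outside the hunk.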

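--- a/backend/.env.default
+++ b/backend/.env.default
@@ -14,7 +14,6 @@ SEND_EMAIL_ADDRESS=NEED_TO_SET
 SEND_EMAIL_PASSWORD=NEED_TO_SET
 
 # PROD
-PROD_URL=NEED_TO_SET
 PROD_FRONTEND_URL=NEED_TO_SET
 PROD_CORS_ALLOWED_ORIGINS=NEED_TO_SET
 PROD_OAUTH2_KAKAO_REDIRECT_URI=NEED_TO_SET
@@ -34,7 +33,6 @@ PROD_QDRANT_HOST=NEED_TO_SET
 PROD_QDRANT_PORT=NEED_TO_SET
 
 # DEV
-DEV_URL=NEED_TO_SET
 DEV_FRONTEND_URL=NEED_TO_SET
 DEV_CORS_ALLOWED_ORIGINS=NEED_TO_SET
 DEV_OAUTH2_KAKAO_REDIRECT_URI=NEED_TO_SET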
