@Hys-Lee Hys-Lee commented Aug 29, 2025

I added the sudo command because a permission error occurred during the CD process.

Also, I removed the gesture bar from the login screen.

Summary by CodeRabbit

  • Style

    • Removed the gesture bar from the Login screen for a cleaner, less cluttered interface.
  • Chores

    • Improved production deployment workflow for container build, push, and rollout to enhance reliability and consistency.

Hys-Lee added 30 commits May 21, 2025 12:44
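Connected to the forked repo to test that it works
Also set up the Storybook format
Restructured and mapped to match the tailwind prefix
The build did not work with the previous package version.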
Hys-Lee added 23 commits August 22, 2025 15:41
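Switched to using props directly, because styles applied via pseudo-classes were sometimes ignored
Show only when there are more than 5
Fixed to pick up the same goalId
Also compute and add dueDate
In guest mode, use a different query key to trigger a refetch
Check for guest-mode records and skip onboarding if any exist
Removed the duplicate closeMSW function
I'll leave Docker Hub on my personal account
Added sudo to the docker commands because of a permission error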
@Hys-Lee Hys-Lee self-assigned this Aug 29, 2025

coderabbitai bot commented Aug 29, 2025

Walkthrough

Updates the production GitHub Actions deploy workflow to prefix Docker commands with sudo across build, push, pull, ps, stop, rm, and run. In the app’s LoginScreen component, the gesture bar markup is commented out, removing it from render without altering logic.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| CI/CD Deploy Workflow: .github/workflows/production-deploy.yml | Added sudo to docker build/push in CI and to pull/ps/stop/rm/run on EC2; removed an extra blank line post-run. |
| Onboarding UI Component: app/onboarding/_components/LoginScreen.tsx | Commented out gesture bar JSX; no state, logic, or control-flow changes. |

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as Developer
  participant GH as GitHub Actions Runner
  participant DH as Docker Hub
  participant EC2 as EC2 Instance
  participant DD as Docker Daemon (EC2)

  Dev->>GH: Push to main triggers production-deploy
  GH->>GH: sudo docker build
  GH->>DH: sudo docker push (image)

  GH->>EC2: Remote deploy script
  EC2->>DD: sudo docker pull (image)
  EC2->>DD: sudo docker ps (check container)
  alt Container exists
    EC2->>DD: sudo docker stop
    EC2->>DD: sudo docker rm
  end
  EC2->>DD: sudo docker run (start container)

  note over GH,EC2: All Docker operations use sudo

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • Ec2 deploy 안정화 #60 — Adjusts the same production-deploy.yml to add --restart always to docker run; overlaps with workflow command changes.
  • Ec2 deploy with Docker #59 — Prior edits to production-deploy.yml; related to ongoing deployment workflow adjustments.

Poem

A bunny taps the pipeline drum,
Adds sudo beats—ba-dum, ba-dum!
The ship sails off to Docker’s sea,
EC2 hums contentedly.
The gesture bar hops out of view—
Sleek little change, fresh as dew.
Thump-thump, deploy; we’re through! 🐇🚀


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
app/onboarding/_components/LoginScreen.tsx (1)

53-60: Stop logging access/refresh tokens to the client console.

These logs can leak credentials via browser extensions, shared devices, or crash reports. Remove them or wrap behind a dev-only flag.

Apply (example):

-    console.log("- access_token:", accessTokenFromUrl);
-    console.log("- refresh_token:", refreshTokenFromUrl);
+    // Do not log tokens in client code

-      if (accessTokenFromUrl) {
-        setAccessToken(accessTokenFromUrl);
-        console.log("✅ Access Token 저장됨:", accessTokenFromUrl);
-      }
+      if (accessTokenFromUrl) {
+        setAccessToken(accessTokenFromUrl);
+      }

-      if (refreshTokenFromUrl) {
-        setRefreshToken(refreshTokenFromUrl);
-        console.log("✅ Refresh Token 저장됨:", refreshTokenFromUrl);
-      }
+      if (refreshTokenFromUrl) {
+        setRefreshToken(refreshTokenFromUrl);
+      }
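
Review bot: the `+` side still takes both tokens from the URL (`accessTokenFromUrl`, `refreshTokenFromUrl`), so dropping the `console.log` calls does not stop them from sitting in the address bar and browser history. After `setAccessToken` / `setRefreshToken` have run, strip the token parameters from the location (for example with `history.replaceState`) so they are not retained or sent onward in a Referer header. This reads the variable names as meaning URL parameters; the parsing code is not part of this hunk.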

Also applies to: 97-107

.github/workflows/production-deploy.yml (1)

33-38: Pin the SSH action; don’t use @master.

Using a floating ref is a supply-chain risk. Pin to a stable version or, ideally, a commit SHA. Also consider script_stop: true to fail fast, and pass Docker Hub creds to the remote via envs.

Example (fill in a real version/SHA):

-        uses: appleboy/ssh-action@master
+        uses: appleboy/ssh-action@<COMMIT_SHA_OR_VERSION>
         with:
           host: ${{ secrets.EC2_HOST }}
           username: ${{ secrets.EC2_USER }}
           key: ${{ secrets.EC2_SSH_KEY }}
+          script_stop: true
+          envs: DOCKERHUB_USERNAME,DOCKERHUB_TOKEN
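
Review bot: on the `uses:` line, `<COMMIT_SHA_OR_VERSION>` treats a version tag and a commit SHA as interchangeable, but a tag can be moved just as `master` can; only a full 40-character commit SHA is immutable, so pin to that and keep the version in a trailing comment. On the added `envs:` line, `DOCKERHUB_TOKEN` is forwarded to the EC2 host, so it should be a read-only access token limited to pulling rather than one that can also push.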

At job or step level, export the envs:

env:
  DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
  DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
🧹 Nitpick comments (3)
app/onboarding/_components/LoginScreen.tsx (1)

283-286: Delete commented-out gesture bar; avoid leaving dead UI in source.

Commented markup adds noise and risks drifting. If you plan to reintroduce it, gate via a boolean prop/feature flag instead of comments.

Apply:

-      {/* Gesture bar */}
-      {/* <div className="h-6 flex justify-center items-center">
-        <div className="w-[108px] h-1 bg-label-normal rounded-full"></div>
-      </div> */}
.github/workflows/production-deploy.yml (2)

49-49: Optional: make env-file path explicit and attach deploy metadata labels.

Prevents path ambiguity and helps trace deployments.

Example:

-            sudo docker run -d --name motimo-fe-production -p 3000:3000 --restart always --env-file ./production.env ${{ secrets.DOCKERHUB_USERNAME }}/motimo-fe-production:${{ github.sha }}
+            sudo docker run -d \
+              --name motimo-fe-production \
+              -p 3000:3000 \
+              --restart always \
+              --env-file /home/${USER}/production.env \
+              --label org.opencontainers.image.revision=${{ github.sha }} \
+              --label org.opencontainers.image.source=${{ github.repository }} \
+              ${{ secrets.DOCKERHUB_USERNAME }}/motimo-fe-production:${{ github.sha }}
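
Review bot: `-p 3000:3000` is carried over unchanged and publishes the app on every interface of the EC2 host; if traffic is meant to arrive through a reverse proxy on the same host, bind it as `-p 127.0.0.1:3000:3000`. Separately, `--env-file /home/${USER}/production.env` is only as explicit as `${USER}` in the remote shell, so writing the absolute path out avoids depending on which account the SSH step logs in as.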

10-13: Add workflow concurrency to avoid overlapping prod deploys.

Prevents racing deployments on rapid pushes.

Example:

concurrency:
  group: production-deploy
  cancel-in-progress: true
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

  • MCP integration is disabled by default for public repositories
  • Jira integration is disabled by default for public repositories
  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between c56d18d and 964efaf.

📒 Files selected for processing (2)
  • .github/workflows/production-deploy.yml (2 hunks)
  • app/onboarding/_components/LoginScreen.tsx (1 hunks)
🔇 Additional comments (1)
.github/workflows/production-deploy.yml (1)

28-29: Remove sudo from Docker build/push steps
Using sudo runs Docker as root, bypassing the credentials set up by docker/login-action@v2 (line 20), which breaks pushes to private repos.
Apply this change in .github/workflows/production-deploy.yml (lines 28–29):

-          sudo docker build -t ${{ secrets.DOCKERHUB_USERNAME }}/motimo-fe-production:${{ github.sha }} .
-          sudo docker push ${{ secrets.DOCKERHUB_USERNAME }}/motimo-fe-production:${{ github.sha }}
+          docker build -t ${{ secrets.DOCKERHUB_USERNAME }}/motimo-fe-production:${{ github.sha }} .
+          docker push ${{ secrets.DOCKERHUB_USERNAME }}/motimo-fe-production:${{ github.sha }}
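
The point above about pinning `appleboy/ssh-action@master` can be checked mechanically. This is an added example, not code from the PR or from CodeRabbit: a small scan that lists `uses:` refs not pinned to a full commit SHA. The workflow excerpt is constructed, and `example-org/example-action` with its SHA is a made-up placeholder.

```sh
#!/bin/sh
# Constructed workflow excerpt. The ssh-action and login-action refs appear in
# the review above; the other two entries are made up for contrast.
WORKFLOW='
    steps:
      - uses: docker/login-action@v2
      - name: Deploy over SSH
        uses: appleboy/ssh-action@master   # floating branch
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
'

# Print every remote `uses:` target whose ref is not a full 40-hex commit SHA.
# Local actions (./path) are skipped: they are versioned with the repository.
# Assumption: unquoted `uses:` values, one per line.
unpinned_actions() {
  printf '%s\n' "$1" |
    sed -n 's/^[[:space:]-]*uses:[[:space:]]*\([^[:space:]#]*\).*/\1/p' |
    grep -v '^\./' |
    grep -Ev '@[0-9a-f]{40}$' || true
}

# Exit status for CI use: 0 when everything is SHA-pinned, 1 otherwise.
check_pinning() {
  found="$(unpinned_actions "$1")"
  [ -z "$found" ] && return 0
  printf 'not pinned to a commit SHA:\n%s\n' "$found" >&2
  return 1
}

check_pinning "$WORKFLOW" || echo "workflow has floating action refs"
```

Version tags such as `@v2` are reported along with `@master`, since both are mutable refs.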

Comment on lines +40 to 41
sudo docker pull ${{ secrets.DOCKERHUB_USERNAME }}/motimo-fe-production:${{ github.sha }}

💡 Verification agent

🧩 Analysis chain

Log in to Docker Hub on EC2 before pulling if the repo is private; add fail-fast.

Without a remote docker login, sudo docker pull will fail for private images.

Apply:

             # EC2에서 Docker Hub 이미지 pull
+            set -Eeuo pipefail
+            # Required only if the image is private
+            if [ -n "${DOCKERHUB_USERNAME:-}" ] && [ -n "${DOCKERHUB_TOKEN:-}" ]; then
+              echo "${DOCKERHUB_TOKEN}" | sudo docker login -u "${DOCKERHUB_USERNAME}" --password-stdin
+            fi
             sudo docker pull ${{ secrets.DOCKERHUB_USERNAME }}/motimo-fe-production:${{ github.sha }}

🏁 Script executed:

#!/bin/bash
set -Eeuo pipefail

echo "Searching for 'docker pull' in workflow:"
rg -n 'docker pull' -C5 .github/workflows/production-deploy.yml || echo "No docker pull found"

echo -e "\nSearching for existing 'docker login' steps:"
rg -n 'docker login' -C5 .github/workflows/production-deploy.yml || echo "No docker login found"

Length of output: 943


Add Docker login and fail-fast in production-deploy workflow

Without authenticating first, sudo docker pull will fail on private images. Prepend the deploy script with strict error handling and, when credentials are set, log in before pulling:

             # EC2에서 Docker Hub 이미지 pull
+            set -Eeuo pipefail
+            # Required only if the image is private
+            if [ -n "${DOCKERHUB_USERNAME:-}" ] && [ -n "${DOCKERHUB_TOKEN:-}" ]; then
+              echo "${DOCKERHUB_TOKEN}" | sudo docker login -u "${DOCKERHUB_USERNAME}" --password-stdin
+            fi
             sudo docker pull ${{ secrets.DOCKERHUB_USERNAME }}/motimo-fe-production:${{ github.sha }}
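
Review bot: the added `sudo docker login` line leaves the token on the instance after the deploy: without a credential helper, Docker writes it base64-encoded into root's `~/.docker/config.json`. Add `sudo docker logout` after the `docker pull`, or configure a credential store, and use a pull-only token. Also, `set -Eeuo pipefail` assumes the remote script runs under bash.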
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
sudo docker pull ${{ secrets.DOCKERHUB_USERNAME }}/motimo-fe-production:${{ github.sha }}
# EC2에서 Docker Hub 이미지 pull
set -Eeuo pipefail
# Required only if the image is private
if [ -n "${DOCKERHUB_USERNAME:-}" ] && [ -n "${DOCKERHUB_TOKEN:-}" ]; then
echo "${DOCKERHUB_TOKEN}" | sudo docker login -u "${DOCKERHUB_USERNAME}" --password-stdin
fi
sudo docker pull ${{ secrets.DOCKERHUB_USERNAME }}/motimo-fe-production:${{ github.sha }}
🤖 Prompt for AI Agents
.github/workflows/production-deploy.yml around lines 40 to 41: the workflow
calls sudo docker pull without authenticating and lacks fail-fast behavior;
modify the deploy step to enable strict error handling (e.g., run the script
with set -e or use shell: bash -e) and, when DOCKERHUB_USERNAME and
DOCKERHUB_PASSWORD (or DOCKERHUB_TOKEN) secrets are provided, perform a docker
login using those credentials before attempting docker pull so private images
can be accessed and the job fails immediately on errors.

Comment on lines +43 to 46
if [ $(sudo docker ps -q -f name=motimo-fe-production) ]; then
sudo docker stop motimo-fe-production
sudo docker rm motimo-fe-production
fi

⚠️ Potential issue

Fix container existence check; current test breaks on empty output and misses stopped containers.

  • Unquoted command substitution can make [ ] empty and error.
  • docker ps (without -a) only sees running containers.
  • Use anchored name match and rm -f to stop+remove in one go.

Apply:

-            if [ $(sudo docker ps -q -f name=motimo-fe-production) ]; then
-              sudo docker stop motimo-fe-production
-              sudo docker rm motimo-fe-production
-            fi
+            cid="$(sudo docker ps -aq -f name=^motimo-fe-production$)"
+            if [ -n "$cid" ]; then
+              sudo docker rm -f "$cid"
+            fi
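
Review bot: `sudo docker rm -f "$cid"` replaces the `docker stop` / `docker rm` pair, and `rm -f` kills a running container with SIGKILL instead of giving it the SIGTERM and grace period that `docker stop` provides, so in-flight requests are cut off. If graceful shutdown matters, keep `sudo docker stop "$cid"` before the `rm`. Quoting the filter as `-f 'name=^motimo-fe-production$'` would also keep the `^` and `$` away from the shell.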
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if [ $(sudo docker ps -q -f name=motimo-fe-production) ]; then
sudo docker stop motimo-fe-production
sudo docker rm motimo-fe-production
fi
cid="$(sudo docker ps -aq -f name=^motimo-fe-production$)"
if [ -n "$cid" ]; then
sudo docker rm -f "$cid"
fi
🤖 Prompt for AI Agents
In .github/workflows/production-deploy.yml around lines 43 to 46, the current
container-existence check is unsafe (unquoted command substitution can break on
empty output) and only checks running containers; replace it with a test that
quotes the command substitution and includes stopped containers (use docker ps
-aq with an anchored name filter), and then use docker rm -f
motimo-fe-production to force-stop and remove the container in one step; ensure
the conditional uses -n "($(...))" or equivalent quoting so the test never
receives an empty string.
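
The two container-existence tests from the comment above, run side by side. This is an added example, not code from the PR or from CodeRabbit: `ps_q` and `ps_aq` are hypothetical awk stand-ins for `docker ps -q -f name=...` and `docker ps -aq -f name=...` (name treated as a regex, so a bare name also matches longer names), fed constructed rows so the script runs without Docker.

```sh
#!/bin/sh
# Constructed rows in the shape "ID NAME STATE"; IDs and the -canary name are made up.
EMPTY=''
ONLY_STOPPED='3f2a9c1b7d10 motimo-fe-production exited'
TWO_RUNNING='3f2a9c1b7d10 motimo-fe-production running
a81e55c0f2b4 motimo-fe-production-canary running'

# Stand-in for `docker ps -q -f name=PATTERN`: running containers only.
ps_q()  { printf '%s\n' "$1" | awk -v p="$2" '$3 == "running" && $2 ~ p { print $1 }'; }
# Stand-in for `docker ps -aq -f name=PATTERN`: containers in any state.
ps_aq() { printf '%s\n' "$1" | awk -v p="$2" '$2 ~ p { print $1 }'; }

# Original test. Prints the status of `[`:
#   0 = old container gets removed, 1 = removal skipped, 2 = `[` rejected its arguments
original_check() {
  [ $(ps_q "$1" 'motimo-fe-production') ] 2>/dev/null && rc=0 || rc=$?
  echo "$rc"
}

# Suggested test: quoted substitution, stopped containers included, anchored name.
suggested_check() {
  cid="$(ps_aq "$1" '^motimo-fe-production$')"
  [ -n "$cid" ] && rc=0 || rc=$?
  echo "$rc"
}

for s in EMPTY ONLY_STOPPED TWO_RUNNING; do
  eval "rows=\$$s"
  printf '%-13s original=%s suggested=%s\n' "$s" \
    "$(original_check "$rows")" "$(suggested_check "$rows")"
done
```

With only a stopped container present, the original test skips the cleanup, so the following `docker run --name motimo-fe-production` would hit a name conflict; with two name matches, the unquoted output splits into two words and `[` fails with a usage error, which the `if` treats as "no container".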

@Hys-Lee Hys-Lee merged commit 797a80c into prography:main Aug 29, 2025
3 checks passed