70 changes: 70 additions & 0 deletions .github/workflows/release.yml
@@ -0,0 +1,70 @@
name: Linkiving frontend release

on:
push:
tags:
- 'v*'

permissions:
contents: write

concurrency:
group: vercel-release-${{ github.ref }}
cancel-in-progress: false

env:
VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }}
VERCEL_PROJECT_ID: ${{ secrets.VERCEL_PROJECT_ID }}

jobs:
deploy-production:
runs-on: ubuntu-latest
env:
TAG_NAME: ${{ github.ref_name }}

steps:
- name: Checkout repository
uses: actions/checkout@v4
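Review bot: The `deploy-production` job deploys to production on every `v*` tag push (lines `on: push: tags: - 'v*'`) but declares no `environment:`, so GitHub deployment protection rules (required reviewers, wait timers) and environment-scoped secrets cannot gate it; add `environment: production` to the job and scope `VERCEL_TOKEN`, `VERCEL_ORG_ID` and `VERCEL_PROJECT_ID` to that environment instead of repository-wide secrets. Also `permissions: contents: write` is granted at workflow level although only the release step needs write access; moving `permissions:` under the job (or into a separate release job) keeps the checkout, install and build steps at the minimum.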

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify all unpinned GitHub Actions references in workflow files
rg -nP 'uses:\s*[^@\s]+@(?![0-9a-fA-F]{40}\b)[^\s]+' .github/workflows

Repository: Team-SoFa/linkiving

Length of output: 904


Please pin the `uses` actions to commit SHAs to reduce supply-chain risk.

The actions/checkout@v4 on line 27 is a tag-based reference, so it can be affected by upstream changes. Since the release workflow has production deployment permissions, pinning to the full 40-character commit SHA is recommended.

Suggested fix
        uses: actions/checkout@<40-character-commit-SHA>
🧰 Tools
🪛 zizmor (1.25.2)

[error] 27-27: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml at line 27, The actions/checkout action on
line 27 is pinned to a version tag (v4) instead of a specific commit SHA, which
creates a supply chain risk since upstream changes could affect the release
workflow that has production deployment permissions. Replace the tag-based
reference in the uses field with the full 40-character commit SHA that
corresponds to the v4 version of the actions/checkout action to ensure
immutability and reduce security risks.

Source: Linters/SAST tools

with:
persist-credentials: false

- name: Setup pnpm
uses: pnpm/action-setup@v4
with:
version: 10.19.0

- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '22.x'
cache: 'pnpm'

- name: Install dependencies
run: pnpm install --frozen-lockfile

- name: Install Vercel CLI
run: npm install --global vercel@latest

- name: Pull Vercel production environment
run: vercel pull --yes --environment=production --token=${{ secrets.VERCEL_TOKEN }}

- name: Build production artifacts
run: vercel build --prod --token=${{ secrets.VERCEL_TOKEN }}

- name: Deploy production to Vercel
id: deploy
shell: bash
run: |
deployment_url="$(vercel deploy --prebuilt --archive=tgz --prod --token=${{ secrets.VERCEL_TOKEN }})"
echo "deployment_url=${deployment_url}" >> "$GITHUB_OUTPUT"
{
echo "Production release deployed."
echo
echo "- Tag: ${TAG_NAME}"
echo "- URL: ${deployment_url}"
} >> "$GITHUB_STEP_SUMMARY"

- name: Create GitHub release
uses: softprops/action-gh-release@v2
with:
generate_release_notes: true
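Review bot: `npm install --global vercel@latest` in the "Install Vercel CLI" step pulls a floating, unpinned CLI version into the production deployment job, the same supply-chain concern already raised for `actions/checkout@v4`; pin an exact version (`vercel@<version>`) and apply the same commit-SHA pinning to `pnpm/action-setup@v4`, `actions/setup-node@v4` and `softprops/action-gh-release@v2`. Secondly, `${{ secrets.VERCEL_TOKEN }}` is templated directly into the `run:` script text of the pull, build and deploy steps; pass it through `env:` (`VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }}`) and reference `"$VERCEL_TOKEN"` in the commands so the secret is never interpolated into shell source. Finally, the deploy step writes `deployment_url` to `$GITHUB_OUTPUT`, but nothing in the file reads `steps.deploy.outputs.deployment_url`; either drop the output or use it in the release (for example in the release body next to `generate_release_notes: true`).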