Skip to content

๐Ÿ’ซ feat: GitHub Actions ๋ฐ ECR ๊ธฐ๋ฐ˜ CI/CD ํŒŒ์ดํ”„๋ผ์ธ ๊ตฌ์ถ•#4

Merged
JoonKyoLee merged 16 commits into
developfrom
feature/github-actions-ecr-cicd
Jul 14, 2026
Merged

๐Ÿ’ซ feat: GitHub Actions ๋ฐ ECR ๊ธฐ๋ฐ˜ CI/CD ํŒŒ์ดํ”„๋ผ์ธ ๊ตฌ์ถ•#4
JoonKyoLee merged 16 commits into
developfrom
feature/github-actions-ecr-cicd

Conversation

@JoonKyoLee

@JoonKyoLee JoonKyoLee commented Jul 14, 2026

Copy link
Copy Markdown
Member

#๏ธโƒฃ Issue Number

๐Ÿ“ ์š”์•ฝ(Summary)

  • Terraform์œผ๋กœ GitHub Actions OIDC Provider, ๋ฐฐํฌ์šฉ IAM Role, ECR ๋ฆฌํฌ์ง€ํ† ๋ฆฌ, ECR ๋ผ์ดํ”„์‚ฌ์ดํด ์ •์ฑ…์„ ๊ตฌ์„ฑํ–ˆ์Šต๋‹ˆ๋‹ค.
  • GitHub Actions์—์„œ develop/main ๋ธŒ๋žœ์น˜๋ฅผ ๊ธฐ์ค€์œผ๋กœ dev/prod ๋ฐฐํฌ๊ฐ€ ๋ถ„๋ฆฌ๋˜๋„๋ก CI/CD ์›Œํฌํ”Œ๋กœ์šฐ๋ฅผ ๊ตฌ์„ฑํ–ˆ์Šต๋‹ˆ๋‹ค.
  • ๋‹จ์ผ EC2 ํ™˜๊ฒฝ์—์„œ Docker Compose์™€ Nginx๋ฅผ ์ด์šฉํ•ด dev/prod ์• ํ”Œ๋ฆฌ์ผ€์ด์…˜์„ ๋ถ„๋ฆฌ ๋ฐฐํฌํ•  ์ˆ˜ ์žˆ๋„๋ก ๊ตฌ์„ฑํ–ˆ์Šต๋‹ˆ๋‹ค.
  • EC2 ์ ‘์† ์•ˆ์ •์„ฑ์„ ์œ„ํ•ด Elastic IP๋ฅผ ์—ฐ๊ฒฐํ•˜๊ณ , GitHub Actions SSH ๋ฐฐํฌ๋Š” host key ๊ฒ€์ฆ ๊ธฐ๋ฐ˜์œผ๋กœ ๋ณด๊ฐ•ํ–ˆ์Šต๋‹ˆ๋‹ค.
  • Spring ์„ค์ •์„ application.yml, application-dev.yml, application-prod.yml, application-test.yml๋กœ ์ •๋ฆฌํ•˜๊ณ , datasource ๋ฏผ๊ฐ์ •๋ณด๋Š” ํ™˜๊ฒฝ๋ณ€์ˆ˜๋กœ ์ฃผ์ž…ํ•˜๋„๋ก ๊ตฌ์„ฑํ–ˆ์Šต๋‹ˆ๋‹ค.
  • ํ…Œ์ŠคํŠธ ํ™˜๊ฒฝ์€ H2 ๊ธฐ๋ฐ˜ test ํ”„๋กœํ•„๋กœ ๋ถ„๋ฆฌํ•ด CI์—์„œ DB ์˜์กด ์—†์ด ์• ํ”Œ๋ฆฌ์ผ€์ด์…˜ ์ปจํ…์ŠคํŠธ ๊ฒ€์ฆ์ด ๊ฐ€๋Šฅํ•˜๋„๋ก ์ˆ˜์ •ํ–ˆ์Šต๋‹ˆ๋‹ค.
  • ์ปจํ…Œ์ด๋„ˆ๋Š” non-root ์‚ฌ์šฉ์ž๋กœ ์‹คํ–‰ํ•˜๊ณ , ์• ํ”Œ๋ฆฌ์ผ€์ด์…˜ ํฌํŠธ๋Š” loopback ๋ฐ”์ธ๋”ฉ ๋ฐ healthcheck ๊ธฐ๋ฐ˜ ๋ฐฐํฌ ๋Œ€๊ธฐ๋กœ ๋ณด๊ฐ•ํ–ˆ์Šต๋‹ˆ๋‹ค.

๐Ÿ“ ๋ฆฌ๋ทฐ ์š”์ฒญ์‚ฌํ•ญ

  • GitHub Actions ์ธ์ฆ์€ ์žฅ๊ธฐ Access Key ๋Œ€์‹  OIDC ๊ธฐ๋ฐ˜ AssumeRole ๋ฐฉ์‹์œผ๋กœ ๊ตฌ์„ฑํ–ˆ์Šต๋‹ˆ๋‹ค.
  • ๋‹จ์ผ EC2์—์„œ dev/prod๋ฅผ ์„œ๋ธŒ๋„๋ฉ”์ธ, ํฌํŠธ, Nginx reverse proxy ๊ธฐ์ค€์œผ๋กœ ๋ถ„๋ฆฌํ•˜๋Š” ํ๋ฆ„์œผ๋กœ ๊ตฌ์„ฑํ–ˆ์Šต๋‹ˆ๋‹ค.
  • ๋ฐฐํฌ ์›Œํฌํ”Œ๋กœ์šฐ๋Š” SSH host key ๊ฒ€์ฆ, concurrency ์ œ์–ด, ํ™˜๊ฒฝํŒŒ์ผ ๊ถŒํ•œ ์ œํ•œ์„ ํฌํ•จํ•˜๋„๋ก ๋ณด๊ฐ•ํ–ˆ์Šต๋‹ˆ๋‹ค.
  • ECR ์ด๋ฏธ์ง€๋Š” SHA ํƒœ๊ทธ ๊ธฐ๋ฐ˜์œผ๋กœ ๊ด€๋ฆฌํ•˜๊ณ , GitHub Actions์˜ ECR ๊ถŒํ•œ์€ ๋ฆฌํฌ์ง€ํ† ๋ฆฌ ๋‹จ์œ„ ์ตœ์†Œ ๊ถŒํ•œ์œผ๋กœ ์ถ•์†Œํ–ˆ์Šต๋‹ˆ๋‹ค.
  • ์• ํ”Œ๋ฆฌ์ผ€์ด์…˜ ์„ค์ •์€ ๊ณตํ†ต ์„ค์ •๊ณผ ํ”„๋กœํ•„๋ณ„ ์„ค์ •์œผ๋กœ ๋ถ„๋ฆฌํ•˜๊ณ , ๋ฏผ๊ฐ์ •๋ณด๋Š” GitHub Secrets๋ฅผ ํ†ตํ•ด ์ฃผ์ž…ํ•˜๋„๋ก ์ •๋ฆฌํ–ˆ์Šต๋‹ˆ๋‹ค.

๐Ÿ’ป ํ…Œ์ŠคํŠธ ๊ฒฐ๊ณผ

  • ./gradlew test ํ†ต๊ณผ
  • terraform plan -var-file="terraform.tfvars" ๊ธฐ์ค€์œผ๋กœ OIDC, IAM Role, ECR, EC2/EIP ๊ด€๋ จ ๋ณ€๊ฒฝ ๊ณ„ํš์„ ํ™•์ธํ–ˆ์Šต๋‹ˆ๋‹ค.
  • EC2์—์„œ docker, docker compose, nginx, /opt/zerost/nginx ๊ตฌ์„ฑ์ด ์ •์ƒ ๋™์ž‘ํ•˜๋Š” ๊ฒƒ์„ ํ™•์ธํ–ˆ์Šต๋‹ˆ๋‹ค.
  • EC2์—์„œ nginx -t ๋ฐ ์„œ๋น„์Šค ์‹คํ–‰ ์ƒํƒœ๋ฅผ ํ™•์ธํ–ˆ์Šต๋‹ˆ๋‹ค.
  • GitHub Secrets / Variables ์žฌ๊ตฌ์„ฑ๊ณผ EC2 ์žฌ์ ‘์† ๊ธฐ์ค€(EIP, known_hosts) ์ •๋ฆฌ๊นŒ์ง€ ์™„๋ฃŒํ–ˆ์Šต๋‹ˆ๋‹ค.
  • ์‹ค์ œ develop, main ๋ธŒ๋žœ์น˜ ๋ฐฐํฌ ๋™์ž‘ ๊ฒ€์ฆ์€ GitHub Secrets ๊ฐฑ์‹  ํ›„ ์ง„ํ–‰ ์˜ˆ์ •์ž…๋‹ˆ๋‹ค.

๐Ÿ“Œ ํฌ์ธํŠธ

  • ์žฅ๊ธฐ AWS Access Key ๋Œ€์‹  OIDC ๊ธฐ๋ฐ˜ AssumeRole ๋ฐฉ์‹์„ ์ ์šฉํ•ด ๋ฐฐํฌ ์ž๊ฒฉ ์ฆ๋ช… ๋…ธ์ถœ ์œ„ํ—˜์„ ์ค„์˜€์Šต๋‹ˆ๋‹ค.
  • ECR, OIDC, IAM Role, Elastic IP๊นŒ์ง€ Terraform์œผ๋กœ ๊ด€๋ฆฌํ•ด ์ธํ”„๋ผ์™€ ๋ฐฐํฌ ๊ถŒํ•œ ์ฒด๊ณ„๋ฅผ ํ•จ๊ป˜ ์ฝ”๋“œํ™”ํ–ˆ์Šต๋‹ˆ๋‹ค.
  • ๋‹จ์ผ EC2 ํ™˜๊ฒฝ์—์„œ ๋น„์šฉ์„ ํ†ต์ œํ•˜๋ฉด์„œ๋„ dev/prod ๋ฐฐํฌ ํ๋ฆ„์„ ๋ถ„๋ฆฌํ•  ์ˆ˜ ์žˆ๋„๋ก ์„ค๊ณ„ํ–ˆ์Šต๋‹ˆ๋‹ค.
  • Spring Profile ๊ตฌ์กฐ์™€ test ํ”„๋กœํ•„์„ ๋จผ์ € ์ •๋ฆฌํ•ด ์ดํ›„ ํ™˜๊ฒฝ ํ™•์žฅ๊ณผ CI ์•ˆ์ •์„ฑ์„ ํ•จ๊ป˜ ํ™•๋ณดํ–ˆ์Šต๋‹ˆ๋‹ค.
  • ๋ฐฐํฌ ํŒŒ์ดํ”„๋ผ์ธ ๋ณด์•ˆ ์ธก๋ฉด์—์„œ SSH host key ๊ฒ€์ฆ, env ํŒŒ์ผ ๊ถŒํ•œ ์ œํ•œ, ECR ์ตœ์†Œ ๊ถŒํ•œ ์ •์ฑ…์„ ๋ฐ˜์˜ํ–ˆ์Šต๋‹ˆ๋‹ค.

โœ๏ธ ํšŒ๊ณ 

  • ์ธํ”„๋ผ ๊ตฌ์„ฑ์— ๊ทธ์น˜์ง€ ์•Š๊ณ  ๋ฐฐํฌ ๊ถŒํ•œ, ์‹คํ–‰ ํ™˜๊ฒฝ, ํ…Œ์ŠคํŠธ ์•ˆ์ •์„ฑ, ์ ‘์† ์•ˆ์ •์„ฑ(EIP)๊นŒ์ง€ ํ•จ๊ป˜ ์ •๋ฆฌํ•˜๋ฉด์„œ ์šด์˜ ํ๋ฆ„์˜ ์ผ๊ด€์„ฑ์„ ๋งž์ท„์Šต๋‹ˆ๋‹ค.

Summary by CodeRabbit

Summary

  • New Features

    • Added Spring dev, prod, and test runtime profiles with MySQL/H2 configuration.
    • Introduced multi-stage Docker builds and Docker Compose services for separate dev/prod deployments (including health checks).
    • Added Nginx dev/prod proxy configurations plus an automated deployment script.
    • Added CI and branch-based automated dev/prod deployment workflows using container images.
    • Extended Terraform to provision an ECR repository (with lifecycle rules), an OIDC-based deploy role, and an Elastic IP, plus new outputs.
  • Documentation

    • Added/updated example environment files and deployment/Terraform setup documentation.
  • Chores

    • Improved ignore rules for Docker and local environment files.
    • Updated VM provisioning to install required services and adjust Nginx default behavior.

@JoonKyoLee JoonKyoLee self-assigned this Jul 14, 2026
@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. ๐ŸŽ‰

โ„น๏ธ Recent review info
โš™๏ธ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 13557036-ce18-4cb1-b518-f2cbd22c626a

๐Ÿ“ฅ Commits

Reviewing files that changed from the base of the PR and between 9ac8500 and 4ad0379.

๐Ÿ“’ Files selected for processing (3)
  • .github/workflows/deploy-dev.yml
  • .github/workflows/deploy-prod.yml
  • scripts/deploy.sh
๐Ÿ’ค Files with no reviewable changes (2)
  • .github/workflows/deploy-dev.yml
  • .github/workflows/deploy-prod.yml
๐Ÿšง Files skipped from review as they are similar to previous changes (1)
  • scripts/deploy.sh

๐Ÿ“ Walkthrough

Walkthrough

Adds containerized Spring profiles, Docker Compose and Nginx routing, Terraform-managed ECR/OIDC infrastructure, CI checks, and branch-specific GitHub Actions deployments to EC2 for dev and prod environments.

Changes

CI/CD deployment pipeline

Layer / File(s) Summary
Container runtime and application profiles
.env.*.example, src/main/resources/*, src/test/..., Dockerfile, compose.yaml, nginx/*, .dockerignore, .gitignore
Defines dev, prod, and test Spring settings, a multi-stage image, separate Compose services and ports, environment-specific Nginx proxies, and ignored local files.
ECR and GitHub Actions AWS foundation
terraform/*
Adds ECR lifecycle management, GitHub OIDC trust and IAM deployment access, Terraform variables and outputs, and EC2 Docker/Nginx bootstrap configuration.
Continuous integration build
.github/workflows/ci.yml
Runs Gradle tests and BootJar generation, then builds a commit-tagged Docker image on pull requests and branch pushes.
Environment deployment orchestration
.github/workflows/deploy-dev.yml, .github/workflows/deploy-prod.yml
Builds and pushes branch-specific ECR images, transfers deployment files and environment configuration to EC2, and invokes the selected deployment target.
EC2 deployment execution
scripts/deploy.sh
Validates the target, writes Compose image variables, updates Nginx, validates its configuration, and pulls and starts the selected service.

Estimated code review effort: 4 (Complex) | ~60 minutes

Sequence Diagram(s)

sequenceDiagram
  participant GitHubActions
  participant ECR
  participant EC2
  participant Nginx
  participant DockerCompose
  GitHubActions->>ECR: Build and push dev or prod image
  GitHubActions->>EC2: Upload deployment files and environment configuration
  EC2->>DockerCompose: Pull and start selected application service
  Nginx->>DockerCompose: Proxy requests to port 8080 or 8081
Loading

Possibly related issues

Possibly related PRs

  • team-0st/BE#2: Updates the related EC2 bootstrap and Nginx provisioning logic in terraform/user_data.sh.tftpl.
๐Ÿšฅ Pre-merge checks | โœ… 5
โœ… Passed checks (5 passed)
Check name Status Explanation
Title check โœ… Passed The title clearly summarizes the main change: building a GitHub Actions and ECR-based CI/CD pipeline.
Description check โœ… Passed The description follows the template sections and includes the required issue number, summary, review notes, and test results.
Linked Issues check โœ… Passed The changes implement the requested GitHub Actions, ECR, EC2 deploy flow, dev/prod branching, Compose, Nginx, and secret-based configuration.
Out of Scope Changes check โœ… Passed No clearly unrelated code changes appear; the Terraform, deployment, config, and workflow updates all support the stated CI/CD objectives.
Docstring Coverage โœ… Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
โœจ Finishing Touches
๐Ÿ“ Generate docstrings
  • Create stacked PR
  • Commit on current branch
๐Ÿงช Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feature/github-actions-ecr-cicd

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 12

๐Ÿงน Nitpick comments (3)
.github/workflows/deploy-dev.yml (1)

22-23: ๐Ÿ”’ Security & Privacy | ๐Ÿ”ต Trivial | โšก Quick win

Stop persisting the GitHub token in both deployment workspaces.

  • .github/workflows/deploy-dev.yml#L22-L23: set persist-credentials: false.
  • .github/workflows/deploy-prod.yml#L22-L23: set persist-credentials: false.
๐Ÿค– Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy-dev.yml around lines 22 - 23, Disable GitHub token
persistence on the Checkout action by setting persist-credentials to false in
.github/workflows/deploy-dev.yml lines 22-23 and
.github/workflows/deploy-prod.yml lines 22-23.

Source: Linters/SAST tools

terraform/main.tf (1)

258-260: ๐Ÿ”’ Security & Privacy | ๐Ÿ”ต Trivial | ๐Ÿ’ค Low value

Drop the placeholder thumbprint for GitHub OIDC. thumbprint_list is optional for token.actions.githubusercontent.com with AWS provider ~> 5.0, so this all-f value is unnecessary. If this provider has already been applied, removing the argument wonโ€™t clear the stored thumbprint; recreate it if you need the config and state to match.

๐Ÿค– Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@terraform/main.tf` around lines 258 - 260, Remove the placeholder all-`f`
value from the GitHub OIDC providerโ€™s `thumbprint_list` in the Terraform
configuration, omitting the optional argument entirely. Do not add a replacement
thumbprint; recreate the provider separately only if existing state must match
the configuration.
.github/workflows/ci.yml (1)

16-25: ๐Ÿ”’ Security & Privacy | ๐Ÿ”ต Trivial | โšก Quick win

Pin third-party actions to immutable commit SHAs.

The mutable @v4 tags can be retargeted, changing code executed in CI. Pin actions/checkout, actions/setup-java, and gradle/actions/setup-gradle to verified full-length commit SHAs while retaining the release version in comments.

๐Ÿค– Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 16 - 25, Update the workflow steps
using actions/checkout@v4, actions/setup-java@v4, and
gradle/actions/setup-gradle@v4 to reference verified full-length immutable
commit SHAs instead. Retain each actionโ€™s release version in an adjacent comment
for readability, while preserving the existing checkout, JDK setup, and Gradle
setup behavior.
๐Ÿค– Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 10-12: Add an explicit permissions block to the test-build
workflow job, granting only contents: read. Keep the existing runs-on
configuration unchanged and ensure no broader default token permissions are
inherited.

In @.github/workflows/deploy-dev.yml:
- Around line 81-107: Replace every StrictHostKeyChecking=no usage in
.github/workflows/deploy-dev.yml lines 81-107 with pinned SSH host-key
verification by installing a trusted known_hosts entry before the SSH/scp
commands. Apply the same host-key pinning and removal of disabled verification
in .github/workflows/deploy-prod.yml lines 81-107, including before transmitting
production secrets.
- Around line 93-95: Update the environment-file creation commands in
.github/workflows/deploy-dev.yml lines 93-95 and
.github/workflows/deploy-prod.yml lines 93-95 so .env.dev and .env.prod are
written with owner-only permissions mode 0600.
- Around line 17-19: Configure the deploy-dev and deploy-prod jobs with the same
concurrency.group value so deployments to /opt/zerost cannot overlap. Update the
job definitions in .github/workflows/deploy-dev.yml (lines 17-19) and
.github/workflows/deploy-prod.yml (lines 17-19); both sites require the shared
concurrency setting.

In `@compose.yaml`:
- Around line 8-18: Update the ports mappings for the application services in
the Compose configuration to bind host port 8080 and app-dev host port 8081 to
127.0.0.1, while preserving their container port 8080 mappings so Nginx
upstreams continue to work.

In `@Dockerfile`:
- Around line 15-23: Update the runtime stage after WORKDIR and before
ENTRYPOINT to create a dedicated non-root application user, ensure /app and
app.jar are accessible to that user, and switch the image to that user with USER
so the existing Java ENTRYPOINT runs without root privileges.

In `@scripts/deploy.sh`:
- Around line 48-49: Update the deployment flow in scripts/deploy.sh after the
docker compose up command for app-${TARGET_ENV} to wait until the application is
healthy before completing. Add or use a container healthcheck and block until it
reports healthy, or perform an equivalent explicit readiness probe, ensuring
deployment does not finish while the service is still starting or has failed.

In `@src/main/resources/application-dev.yml`:
- Around line 7-9: Unify the datasource variable contract by making
application-dev.yml and application-prod.yml consume the SPRING_DATASOURCE_*
names provided by deployment, then update .env.dev.example and .env.prod.example
to use the same names consistently; apply the corresponding changes at
src/main/resources/application-dev.yml lines 7-9, .env.dev.example lines 1-4,
src/main/resources/application-prod.yml lines 7-9, and .env.prod.example lines
1-4.

In `@terraform/main.tf`:
- Around line 276-279: Replace the AmazonEC2ContainerRegistryPowerUser
attachment in github_actions_ecr_power_user with a custom IAM policy allowing
required ECR push/pull actions only on aws_ecr_repository.app.arn, while
retaining ecr:GetAuthorizationToken with Resource "*". Update the attachment to
reference the custom policy and remove the broad managed-policy grant.
- Around line 219-221: Set the ECR repository resource in terraform/main.tf
(lines 219-221) to immutable image tags, and update
.github/workflows/deploy-dev.yml (lines 50-66) and
.github/workflows/deploy-prod.yml (lines 50-66) so only the rolling dev-latest
and prod-latest aliases are force-moved or otherwise exempted as required;
preserve immutable dev-${github.sha} and prod-${github.sha} tags.

In `@terraform/README.md`:
- Around line 25-30: Update the Terraform README configuration instructions to
document the ecr_repository_name input and the required GitHub Actions Variables
AWS_REGION and ECR_REPOSITORY, alongside the existing AWS_ROLE_ARN Secret setup.
Ensure the documented values cover the required inputs for both deployment
workflows.

In `@terraform/user_data.sh.tftpl`:
- Line 5: Update the bootstrap package installation in user_data.sh.tftpl to
include the Docker Compose plugin alongside docker, then validate the
installation by running docker compose version and fail bootstrap if that
command does not succeed.

---

Nitpick comments:
In @.github/workflows/ci.yml:
- Around line 16-25: Update the workflow steps using actions/checkout@v4,
actions/setup-java@v4, and gradle/actions/setup-gradle@v4 to reference verified
full-length immutable commit SHAs instead. Retain each actionโ€™s release version
in an adjacent comment for readability, while preserving the existing checkout,
JDK setup, and Gradle setup behavior.

In @.github/workflows/deploy-dev.yml:
- Around line 22-23: Disable GitHub token persistence on the Checkout action by
setting persist-credentials to false in .github/workflows/deploy-dev.yml lines
22-23 and .github/workflows/deploy-prod.yml lines 22-23.

In `@terraform/main.tf`:
- Around line 258-260: Remove the placeholder all-`f` value from the GitHub OIDC
providerโ€™s `thumbprint_list` in the Terraform configuration, omitting the
optional argument entirely. Do not add a replacement thumbprint; recreate the
provider separately only if existing state must match the configuration.
๐Ÿช„ Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

โ„น๏ธ Review info
โš™๏ธ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 3b7f0f8b-6cb5-4ed7-8b4f-1227e05fa9c5

๐Ÿ“ฅ Commits

Reviewing files that changed from the base of the PR and between 40e9f03 and 282de14.

๐Ÿ“’ Files selected for processing (21)
  • .dockerignore
  • .env.dev.example
  • .env.prod.example
  • .github/workflows/ci.yml
  • .github/workflows/deploy-dev.yml
  • .github/workflows/deploy-prod.yml
  • .gitignore
  • Dockerfile
  • compose.yaml
  • nginx/dev.conf
  • nginx/prod.conf
  • scripts/deploy.sh
  • src/main/resources/application-dev.yml
  • src/main/resources/application-prod.yml
  • src/main/resources/application.yaml
  • terraform/README.md
  • terraform/main.tf
  • terraform/outputs.tf
  • terraform/terraform.tfvars.example
  • terraform/user_data.sh.tftpl
  • terraform/variables.tf

Comment thread .github/workflows/ci.yml
Comment on lines +17 to +19
jobs:
deploy-dev:
runs-on: ubuntu-latest

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

๐Ÿฉบ Stability & Availability | ๐ŸŸ  Major | โšก Quick win

๐Ÿงฉ Analysis chain

๐Ÿ Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== Workflow files ==\n'
for f in .github/workflows/deploy-dev.yml .github/workflows/deploy-prod.yml; do
  echo "--- $f"
  cat -n "$f"
done

printf '\n== Search for shared deployment directory references ==\n'
rg -n "EC2|deploy|directory|rsync|scp|/var/www|/opt|shared|concurrency|group:" .github/workflows . -g '!**/node_modules/**' -g '!**/dist/**' -g '!**/build/**' || true

Repository: team-0st/BE

Length of output: 16046


Serialize both deploy workflows with a shared concurrency group.
.github/workflows/deploy-dev.yml and .github/workflows/deploy-prod.yml both write to /opt/zerost on the same EC2 host, so give both jobs the same concurrency.group to prevent overlapping deploys.

๐Ÿ“ Affects 2 files
  • .github/workflows/deploy-dev.yml#L17-L19 (this comment)
  • .github/workflows/deploy-prod.yml#L17-L19
๐Ÿค– Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy-dev.yml around lines 17 - 19, Configure the
deploy-dev and deploy-prod jobs with the same concurrency.group value so
deployments to /opt/zerost cannot overlap. Update the job definitions in
.github/workflows/deploy-dev.yml (lines 17-19) and
.github/workflows/deploy-prod.yml (lines 17-19); both sites require the shared
concurrency setting.

Comment thread .github/workflows/deploy-dev.yml Outdated
Comment thread .github/workflows/deploy-dev.yml Outdated
Comment on lines +93 to +95
ssh -i ~/.ssh/zerost_key.pem -o StrictHostKeyChecking=no "${EC2_USER}@${EC2_HOST}" "cat > ${APP_DIR}/.env.dev" <<EOF
${ENV_FILE_DEV}
EOF

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

๐Ÿ”’ Security & Privacy | ๐ŸŸ  Major | โšก Quick win

Enforce owner-only permissions for both secret environment files.

  • .github/workflows/deploy-dev.yml#L93-L95: write .env.dev with mode 0600.
  • .github/workflows/deploy-prod.yml#L93-L95: write .env.prod with mode 0600.
๐Ÿ“ Affects 2 files
  • .github/workflows/deploy-dev.yml#L93-L95 (this comment)
  • .github/workflows/deploy-prod.yml#L93-L95
๐Ÿค– Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy-dev.yml around lines 93 - 95, Update the
environment-file creation commands in .github/workflows/deploy-dev.yml lines
93-95 and .github/workflows/deploy-prod.yml lines 93-95 so .env.dev and
.env.prod are written with owner-only permissions mode 0600.

Comment thread compose.yaml Outdated
Comment thread src/main/resources/application-dev.yml Outdated
Comment on lines +7 to +9
url: ${DEV_DB_URL}
username: ${DEV_DB_USERNAME}
password: ${DEV_DB_PASSWORD}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

๐Ÿ—„๏ธ Data Integrity & Integration | ๐Ÿ”ด Critical | โšก Quick win

Unify the datasource environment-variable contract across both profiles.

The deployment files provide SPRING_DATASOURCE_*, while the profile YAML files consume profile-prefixed *_DB_* variables, leaving datasource placeholders unresolved at startup.

  • src/main/resources/application-dev.yml#L7-L9: consume the SPRING_DATASOURCE_* names or rename the dev example keys.
  • .env.dev.example#L1-L4: match the chosen dev datasource naming convention.
  • src/main/resources/application-prod.yml#L7-L9: consume the SPRING_DATASOURCE_* names or rename the prod example keys.
  • .env.prod.example#L1-L4: match the chosen prod datasource naming convention.
๐Ÿ“ Affects 4 files
  • src/main/resources/application-dev.yml#L7-L9 (this comment)
  • .env.dev.example#L1-L4
  • src/main/resources/application-prod.yml#L7-L9
  • .env.prod.example#L1-L4
๐Ÿค– Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/main/resources/application-dev.yml` around lines 7 - 9, Unify the
datasource variable contract by making application-dev.yml and
application-prod.yml consume the SPRING_DATASOURCE_* names provided by
deployment, then update .env.dev.example and .env.prod.example to use the same
names consistently; apply the corresponding changes at
src/main/resources/application-dev.yml lines 7-9, .env.dev.example lines 1-4,
src/main/resources/application-prod.yml lines 7-9, and .env.prod.example lines
1-4.

Comment thread terraform/main.tf Outdated
Comment thread terraform/main.tf Outdated
Comment thread terraform/README.md
Comment thread terraform/user_data.sh.tftpl

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

๐Ÿค– Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/deploy-dev.yml:
- Around line 81-91: Update the โ€œSync deployment filesโ€ step and the related
scripts/deploy.sh flow so a develop deployment does not upload or install the
branch-local nginx/prod.conf as the live zerost-prod.conf. Preserve the dev
configuration deployment and ensure production Nginx configuration is sourced
only from the intended production artifact or deployment path.

In @.github/workflows/deploy-prod.yml:
- Around line 81-91: Remove the nginx/dev.conf scp command from the โ€œSync
deployment filesโ€ workflow step so production deployments copy only the
production Nginx configuration. Keep the existing compose.yaml, deploy.sh, and
nginx/prod.conf transfers unchanged.
๐Ÿช„ Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

โ„น๏ธ Review info
โš™๏ธ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: abcd5fea-99c7-4ae8-9880-0756d4f5e557

๐Ÿ“ฅ Commits

Reviewing files that changed from the base of the PR and between c350c09 and 9ac8500.

๐Ÿ“’ Files selected for processing (10)
  • .github/workflows/ci.yml
  • .github/workflows/deploy-dev.yml
  • .github/workflows/deploy-prod.yml
  • Dockerfile
  • compose.yaml
  • scripts/deploy.sh
  • terraform/README.md
  • terraform/main.tf
  • terraform/outputs.tf
  • terraform/user_data.sh.tftpl
๐Ÿšง Files skipped from review as they are similar to previous changes (6)
  • terraform/README.md
  • compose.yaml
  • Dockerfile
  • .github/workflows/ci.yml
  • terraform/user_data.sh.tftpl
  • scripts/deploy.sh

Comment thread .github/workflows/deploy-dev.yml
Comment thread .github/workflows/deploy-prod.yml
@JoonKyoLee JoonKyoLee merged commit 5bb99cb into develop Jul 14, 2026
2 checks passed
JoonKyoLee added a commit that referenced this pull request Jul 14, 2026
โ€ฆtion

๐Ÿ’ซ [feature] #4 - CI/CD ์‹คํ–‰ ์‹œ๊ฐ„ ์ตœ์ ํ™” ๋ฐ ์›Œํฌํ”Œ๋กœ์šฐ ๊ตฌ์กฐ ๊ฐœ์„ 
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

๐Ÿ’ซ [feature] GitHub Actions ๊ธฐ๋ฐ˜ CI/CD ํŒŒ์ดํ”„๋ผ์ธ ๊ตฌ์ถ•

1 participant