๐ซ feat: GitHub Actions ๋ฐ ECR ๊ธฐ๋ฐ CI/CD ํ์ดํ๋ผ์ธ ๊ตฌ์ถ#4
Conversation
|
No actionable comments were generated in the recent review. ๐ โน๏ธ Recent review infoโ๏ธ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Plus Run ID: ๐ Files selected for processing (3)
๐ค Files with no reviewable changes (2)
๐ง Files skipped from review as they are similar to previous changes (1)
๐ WalkthroughWalkthroughAdds containerized Spring profiles, Docker Compose and Nginx routing, Terraform-managed ECR/OIDC infrastructure, CI checks, and branch-specific GitHub Actions deployments to EC2 for dev and prod environments. ChangesCI/CD deployment pipeline
Estimated code review effort: 4 (Complex) | ~60 minutes Sequence Diagram(s)sequenceDiagram
participant GitHubActions
participant ECR
participant EC2
participant Nginx
participant DockerCompose
GitHubActions->>ECR: Build and push dev or prod image
GitHubActions->>EC2: Upload deployment files and environment configuration
EC2->>DockerCompose: Pull and start selected application service
Nginx->>DockerCompose: Proxy requests to port 8080 or 8081
Possibly related issues
Possibly related PRs
๐ฅ Pre-merge checks | โ 5โ Passed checks (5 passed)
โจ Finishing Touches๐ Generate docstrings
๐งช Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 12
๐งน Nitpick comments (3)
.github/workflows/deploy-dev.yml (1)
22-23: ๐ Security & Privacy | ๐ต Trivial | โก Quick winStop persisting the GitHub token in both deployment workspaces.
.github/workflows/deploy-dev.yml#L22-L23: setpersist-credentials: false..github/workflows/deploy-prod.yml#L22-L23: setpersist-credentials: false.๐ค Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/deploy-dev.yml around lines 22 - 23, Disable GitHub token persistence on the Checkout action by setting persist-credentials to false in .github/workflows/deploy-dev.yml lines 22-23 and .github/workflows/deploy-prod.yml lines 22-23.Source: Linters/SAST tools
terraform/main.tf (1)
258-260: ๐ Security & Privacy | ๐ต Trivial | ๐ค Low valueDrop the placeholder thumbprint for GitHub OIDC.
thumbprint_listis optional fortoken.actions.githubusercontent.comwith AWS provider~> 5.0, so this all-fvalue is unnecessary. If this provider has already been applied, removing the argument wonโt clear the stored thumbprint; recreate it if you need the config and state to match.๐ค Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@terraform/main.tf` around lines 258 - 260, Remove the placeholder all-`f` value from the GitHub OIDC providerโs `thumbprint_list` in the Terraform configuration, omitting the optional argument entirely. Do not add a replacement thumbprint; recreate the provider separately only if existing state must match the configuration..github/workflows/ci.yml (1)
16-25: ๐ Security & Privacy | ๐ต Trivial | โก Quick winPin third-party actions to immutable commit SHAs.
The mutable
@v4tags can be retargeted, changing code executed in CI. Pinactions/checkout,actions/setup-java, andgradle/actions/setup-gradleto verified full-length commit SHAs while retaining the release version in comments.๐ค Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/ci.yml around lines 16 - 25, Update the workflow steps using actions/checkout@v4, actions/setup-java@v4, and gradle/actions/setup-gradle@v4 to reference verified full-length immutable commit SHAs instead. Retain each actionโs release version in an adjacent comment for readability, while preserving the existing checkout, JDK setup, and Gradle setup behavior.
๐ค Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/ci.yml:
- Around line 10-12: Add an explicit permissions block to the test-build
workflow job, granting only contents: read. Keep the existing runs-on
configuration unchanged and ensure no broader default token permissions are
inherited.
In @.github/workflows/deploy-dev.yml:
- Around line 81-107: Replace every StrictHostKeyChecking=no usage in
.github/workflows/deploy-dev.yml lines 81-107 with pinned SSH host-key
verification by installing a trusted known_hosts entry before the SSH/scp
commands. Apply the same host-key pinning and removal of disabled verification
in .github/workflows/deploy-prod.yml lines 81-107, including before transmitting
production secrets.
- Around line 93-95: Update the environment-file creation commands in
.github/workflows/deploy-dev.yml lines 93-95 and
.github/workflows/deploy-prod.yml lines 93-95 so .env.dev and .env.prod are
written with owner-only permissions mode 0600.
- Around line 17-19: Configure the deploy-dev and deploy-prod jobs with the same
concurrency.group value so deployments to /opt/zerost cannot overlap. Update the
job definitions in .github/workflows/deploy-dev.yml (lines 17-19) and
.github/workflows/deploy-prod.yml (lines 17-19); both sites require the shared
concurrency setting.
In `@compose.yaml`:
- Around line 8-18: Update the ports mappings for the application services in
the Compose configuration to bind host port 8080 and app-dev host port 8081 to
127.0.0.1, while preserving their container port 8080 mappings so Nginx
upstreams continue to work.
In `@Dockerfile`:
- Around line 15-23: Update the runtime stage after WORKDIR and before
ENTRYPOINT to create a dedicated non-root application user, ensure /app and
app.jar are accessible to that user, and switch the image to that user with USER
so the existing Java ENTRYPOINT runs without root privileges.
In `@scripts/deploy.sh`:
- Around line 48-49: Update the deployment flow in scripts/deploy.sh after the
docker compose up command for app-${TARGET_ENV} to wait until the application is
healthy before completing. Add or use a container healthcheck and block until it
reports healthy, or perform an equivalent explicit readiness probe, ensuring
deployment does not finish while the service is still starting or has failed.
In `@src/main/resources/application-dev.yml`:
- Around line 7-9: Unify the datasource variable contract by making
application-dev.yml and application-prod.yml consume the SPRING_DATASOURCE_*
names provided by deployment, then update .env.dev.example and .env.prod.example
to use the same names consistently; apply the corresponding changes at
src/main/resources/application-dev.yml lines 7-9, .env.dev.example lines 1-4,
src/main/resources/application-prod.yml lines 7-9, and .env.prod.example lines
1-4.
In `@terraform/main.tf`:
- Around line 276-279: Replace the AmazonEC2ContainerRegistryPowerUser
attachment in github_actions_ecr_power_user with a custom IAM policy allowing
required ECR push/pull actions only on aws_ecr_repository.app.arn, while
retaining ecr:GetAuthorizationToken with Resource "*". Update the attachment to
reference the custom policy and remove the broad managed-policy grant.
- Around line 219-221: Set the ECR repository resource in terraform/main.tf
(lines 219-221) to immutable image tags, and update
.github/workflows/deploy-dev.yml (lines 50-66) and
.github/workflows/deploy-prod.yml (lines 50-66) so only the rolling dev-latest
and prod-latest aliases are force-moved or otherwise exempted as required;
preserve immutable dev-${github.sha} and prod-${github.sha} tags.
In `@terraform/README.md`:
- Around line 25-30: Update the Terraform README configuration instructions to
document the ecr_repository_name input and the required GitHub Actions Variables
AWS_REGION and ECR_REPOSITORY, alongside the existing AWS_ROLE_ARN Secret setup.
Ensure the documented values cover the required inputs for both deployment
workflows.
In `@terraform/user_data.sh.tftpl`:
- Line 5: Update the bootstrap package installation in user_data.sh.tftpl to
include the Docker Compose plugin alongside docker, then validate the
installation by running docker compose version and fail bootstrap if that
command does not succeed.
---
Nitpick comments:
In @.github/workflows/ci.yml:
- Around line 16-25: Update the workflow steps using actions/checkout@v4,
actions/setup-java@v4, and gradle/actions/setup-gradle@v4 to reference verified
full-length immutable commit SHAs instead. Retain each actionโs release version
in an adjacent comment for readability, while preserving the existing checkout,
JDK setup, and Gradle setup behavior.
In @.github/workflows/deploy-dev.yml:
- Around line 22-23: Disable GitHub token persistence on the Checkout action by
setting persist-credentials to false in .github/workflows/deploy-dev.yml lines
22-23 and .github/workflows/deploy-prod.yml lines 22-23.
In `@terraform/main.tf`:
- Around line 258-260: Remove the placeholder all-`f` value from the GitHub OIDC
providerโs `thumbprint_list` in the Terraform configuration, omitting the
optional argument entirely. Do not add a replacement thumbprint; recreate the
provider separately only if existing state must match the configuration.
๐ช Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
โน๏ธ Review info
โ๏ธ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 3b7f0f8b-6cb5-4ed7-8b4f-1227e05fa9c5
๐ Files selected for processing (21)
.dockerignore.env.dev.example.env.prod.example.github/workflows/ci.yml.github/workflows/deploy-dev.yml.github/workflows/deploy-prod.yml.gitignoreDockerfilecompose.yamlnginx/dev.confnginx/prod.confscripts/deploy.shsrc/main/resources/application-dev.ymlsrc/main/resources/application-prod.ymlsrc/main/resources/application.yamlterraform/README.mdterraform/main.tfterraform/outputs.tfterraform/terraform.tfvars.exampleterraform/user_data.sh.tftplterraform/variables.tf
| jobs: | ||
| deploy-dev: | ||
| runs-on: ubuntu-latest |
There was a problem hiding this comment.
๐ฉบ Stability & Availability | ๐ Major | โก Quick win
๐งฉ Analysis chain
๐ Script executed:
#!/bin/bash
set -euo pipefail
printf '\n== Workflow files ==\n'
for f in .github/workflows/deploy-dev.yml .github/workflows/deploy-prod.yml; do
echo "--- $f"
cat -n "$f"
done
printf '\n== Search for shared deployment directory references ==\n'
rg -n "EC2|deploy|directory|rsync|scp|/var/www|/opt|shared|concurrency|group:" .github/workflows . -g '!**/node_modules/**' -g '!**/dist/**' -g '!**/build/**' || trueRepository: team-0st/BE
Length of output: 16046
Serialize both deploy workflows with a shared concurrency group.
.github/workflows/deploy-dev.yml and .github/workflows/deploy-prod.yml both write to /opt/zerost on the same EC2 host, so give both jobs the same concurrency.group to prevent overlapping deploys.
๐ Affects 2 files
.github/workflows/deploy-dev.yml#L17-L19(this comment).github/workflows/deploy-prod.yml#L17-L19
๐ค Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/deploy-dev.yml around lines 17 - 19, Configure the
deploy-dev and deploy-prod jobs with the same concurrency.group value so
deployments to /opt/zerost cannot overlap. Update the job definitions in
.github/workflows/deploy-dev.yml (lines 17-19) and
.github/workflows/deploy-prod.yml (lines 17-19); both sites require the shared
concurrency setting.
| ssh -i ~/.ssh/zerost_key.pem -o StrictHostKeyChecking=no "${EC2_USER}@${EC2_HOST}" "cat > ${APP_DIR}/.env.dev" <<EOF | ||
| ${ENV_FILE_DEV} | ||
| EOF |
There was a problem hiding this comment.
๐ Security & Privacy | ๐ Major | โก Quick win
Enforce owner-only permissions for both secret environment files.
.github/workflows/deploy-dev.yml#L93-L95: write.env.devwith mode0600..github/workflows/deploy-prod.yml#L93-L95: write.env.prodwith mode0600.
๐ Affects 2 files
.github/workflows/deploy-dev.yml#L93-L95(this comment).github/workflows/deploy-prod.yml#L93-L95
๐ค Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/deploy-dev.yml around lines 93 - 95, Update the
environment-file creation commands in .github/workflows/deploy-dev.yml lines
93-95 and .github/workflows/deploy-prod.yml lines 93-95 so .env.dev and
.env.prod are written with owner-only permissions mode 0600.
| url: ${DEV_DB_URL} | ||
| username: ${DEV_DB_USERNAME} | ||
| password: ${DEV_DB_PASSWORD} |
There was a problem hiding this comment.
๐๏ธ Data Integrity & Integration | ๐ด Critical | โก Quick win
Unify the datasource environment-variable contract across both profiles.
The deployment files provide SPRING_DATASOURCE_*, while the profile YAML files consume profile-prefixed *_DB_* variables, leaving datasource placeholders unresolved at startup.
src/main/resources/application-dev.yml#L7-L9: consume theSPRING_DATASOURCE_*names or rename the dev example keys..env.dev.example#L1-L4: match the chosen dev datasource naming convention.src/main/resources/application-prod.yml#L7-L9: consume theSPRING_DATASOURCE_*names or rename the prod example keys..env.prod.example#L1-L4: match the chosen prod datasource naming convention.
๐ Affects 4 files
src/main/resources/application-dev.yml#L7-L9(this comment).env.dev.example#L1-L4src/main/resources/application-prod.yml#L7-L9.env.prod.example#L1-L4
๐ค Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@src/main/resources/application-dev.yml` around lines 7 - 9, Unify the
datasource variable contract by making application-dev.yml and
application-prod.yml consume the SPRING_DATASOURCE_* names provided by
deployment, then update .env.dev.example and .env.prod.example to use the same
names consistently; apply the corresponding changes at
src/main/resources/application-dev.yml lines 7-9, .env.dev.example lines 1-4,
src/main/resources/application-prod.yml lines 7-9, and .env.prod.example lines
1-4.
There was a problem hiding this comment.
Actionable comments posted: 2
๐ค Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/deploy-dev.yml:
- Around line 81-91: Update the โSync deployment filesโ step and the related
scripts/deploy.sh flow so a develop deployment does not upload or install the
branch-local nginx/prod.conf as the live zerost-prod.conf. Preserve the dev
configuration deployment and ensure production Nginx configuration is sourced
only from the intended production artifact or deployment path.
In @.github/workflows/deploy-prod.yml:
- Around line 81-91: Remove the nginx/dev.conf scp command from the โSync
deployment filesโ workflow step so production deployments copy only the
production Nginx configuration. Keep the existing compose.yaml, deploy.sh, and
nginx/prod.conf transfers unchanged.
๐ช Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
โน๏ธ Review info
โ๏ธ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: abcd5fea-99c7-4ae8-9880-0756d4f5e557
๐ Files selected for processing (10)
.github/workflows/ci.yml.github/workflows/deploy-dev.yml.github/workflows/deploy-prod.ymlDockerfilecompose.yamlscripts/deploy.shterraform/README.mdterraform/main.tfterraform/outputs.tfterraform/user_data.sh.tftpl
๐ง Files skipped from review as they are similar to previous changes (6)
- terraform/README.md
- compose.yaml
- Dockerfile
- .github/workflows/ci.yml
- terraform/user_data.sh.tftpl
- scripts/deploy.sh
โฆtion ๐ซ [feature] #4 - CI/CD ์คํ ์๊ฐ ์ต์ ํ ๋ฐ ์ํฌํ๋ก์ฐ ๊ตฌ์กฐ ๊ฐ์
#๏ธโฃ Issue Number
๐ ์์ฝ(Summary)
develop/main๋ธ๋์น๋ฅผ ๊ธฐ์ค์ผ๋ก dev/prod ๋ฐฐํฌ๊ฐ ๋ถ๋ฆฌ๋๋๋ก CI/CD ์ํฌํ๋ก์ฐ๋ฅผ ๊ตฌ์ฑํ์ต๋๋ค.application.yml,application-dev.yml,application-prod.yml,application-test.yml๋ก ์ ๋ฆฌํ๊ณ , datasource ๋ฏผ๊ฐ์ ๋ณด๋ ํ๊ฒฝ๋ณ์๋ก ์ฃผ์ ํ๋๋ก ๊ตฌ์ฑํ์ต๋๋ค.testํ๋กํ๋ก ๋ถ๋ฆฌํด CI์์ DB ์์กด ์์ด ์ ํ๋ฆฌ์ผ์ด์ ์ปจํ ์คํธ ๊ฒ์ฆ์ด ๊ฐ๋ฅํ๋๋ก ์์ ํ์ต๋๋ค.๐ ๋ฆฌ๋ทฐ ์์ฒญ์ฌํญ
๐ป ํ ์คํธ ๊ฒฐ๊ณผ
./gradlew testํต๊ณผterraform plan -var-file="terraform.tfvars"๊ธฐ์ค์ผ๋ก OIDC, IAM Role, ECR, EC2/EIP ๊ด๋ จ ๋ณ๊ฒฝ ๊ณํ์ ํ์ธํ์ต๋๋ค.docker,docker compose,nginx,/opt/zerost/nginx๊ตฌ์ฑ์ด ์ ์ ๋์ํ๋ ๊ฒ์ ํ์ธํ์ต๋๋ค.nginx -t๋ฐ ์๋น์ค ์คํ ์ํ๋ฅผ ํ์ธํ์ต๋๋ค.develop,main๋ธ๋์น ๋ฐฐํฌ ๋์ ๊ฒ์ฆ์ GitHub Secrets ๊ฐฑ์ ํ ์งํ ์์ ์ ๋๋ค.๐ ํฌ์ธํธ
โ๏ธ ํ๊ณ
Summary by CodeRabbit
Summary
New Features
dev,prod, andtestruntime profiles with MySQL/H2 configuration.Documentation
Chores