solid-connect-server/.github/workflows/prod-cd.yml at develop · solid-connection/solid-connect-server · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
name: "[PROD] Build Gradle and Deploy"

on:
  release:
    types: [published]

  workflow_dispatch:
    inputs:
      tag_name:
        description: 'Docker Tag Name (e.g., v1.0.0)'
        required: true
        default: 'latest'

jobs:
  # --- Job 1: 빌드 및 이미지 푸시 (쓰기 권한) ---
  build-and-push:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write

    outputs:
      image_tag: ${{ steps.image_meta.outputs.image_tag }}

    steps:
      - name: Checkout the code
        uses: actions/checkout@v4

      # --- Java, Gradle 설정 ---
      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          java-version: '17'
          distribution: 'temurin'
      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v3
      - name: Grant execute permission for Gradle wrapper
        run: chmod +x ./gradlew
      - name: Build with Gradle
        run: ./gradlew bootJar

      # --- Docker 설정 ---
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          platforms: linux/arm64

      - name: Log in to GitHub Container Registry (GHCR)
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # --- 이미지 메타데이터 정의 (Prod용 이미지 이름) ---
      - name: Define image name and tag
        id: image_meta
        run: |
          OWNER_LOWERCASE=$(echo "${{ github.repository_owner }}" | tr '[:upper:]' '[:lower:]')

          # Trigger가 Release인 경우: Release의 Tag Name (예: v1.0.0) 사용
          if [ "${{ github.event_name }}" == "release" ]; then
            IMAGE_TAG="${{ github.ref_name }}"
          # Trigger가 수동(workflow_dispatch)인 경우: 입력받은 tag_name 사용
          else
            IMAGE_TAG="${{ inputs.tag_name }}"
          fi

          echo "Docker Image Tag: $IMAGE_TAG"

          echo "image_name=ghcr.io/${OWNER_LOWERCASE}/solid-connection-server" >> $GITHUB_OUTPUT
          echo "image_tag=${IMAGE_TAG}" >> $GITHUB_OUTPUT

      # --- Docker 빌드 및 푸시 ---
      - name: Build, push, and cache Docker image
        uses: docker/build-push-action@v5
        with:
          context: .
          platforms: linux/arm64
          push: true
          tags: ${{ format('{0}:{1}', steps.image_meta.outputs.image_name, steps.image_meta.outputs.image_tag) }}
          cache-from: type=registry,ref=${{ steps.image_meta.outputs.image_name }}:buildcache
          cache-to: type=registry,ref=${{ steps.image_meta.outputs.image_name }}:buildcache,mode=max

      # --- 이미지 정리 ---
      - name: Clean up old image versions from GHCR
        uses: snok/container-retention-policy@v2
        with:
          token: ${{ secrets.PACKAGE_DELETE_TOKEN }}
          image-names: solid-connection-server
          delete-untagged: true
          keep-n-tags: 5
          account-type: org
          org-name: ${{ github.repository_owner }}
          cut-off: '7 days ago UTC'

  # --- Job 2: 배포 (읽기 권한) ---
  deploy:
    needs: build-and-push
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: read

    steps:
      # 설정 파일 전송을 위해 코드 체크아웃 (서브모듈 불필요)
      - name: Checkout config files
        uses: actions/checkout@v4
        with:
          sparse-checkout: |
            docker-compose.prod.yml
            docs/infra-config
          sparse-checkout-cone-mode: false

      # --- 설정 파일 전송 ---
      - name: Copy config files to remote
        run: |
          echo "${{ secrets.PRIVATE_KEY }}" > deploy_key.pem
          chmod 600 deploy_key.pem

          scp -i deploy_key.pem \
            -o StrictHostKeyChecking=no \
            ./docker-compose.prod.yml \
            ${{ secrets.USERNAME }}@${{ secrets.HOST }}:/home/${{ secrets.USERNAME }}/solid-connection-prod/

      # --- 서버에서 Docker Pull 및 재시작 ---
      - name: Run docker compose and apply nginx config
        run: |
          ssh -i deploy_key.pem \
           -o StrictHostKeyChecking=no \
           ${{ secrets.USERNAME }}@${{ secrets.HOST }} \
           '
            set -e

            # 1. 변수 설정 (이전 Job의 Output 사용)
            export OWNER_LOWERCASE=$(echo "${{ github.repository_owner }}" | tr "[:upper:]" "[:lower:]")
            export IMAGE_TAG_ONLY="${{ needs.build-and-push.outputs.image_tag }}"
            export FULL_IMAGE_NAME="ghcr.io/${OWNER_LOWERCASE}/solid-connection-server:${IMAGE_TAG_ONLY}"

            # 2. GHCR 로그인 & Pull
            # App Token 대신 현재 워크플로우의 임시 토큰을 사용합니다.
            echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
            echo "Pulling new image: $FULL_IMAGE_NAME"
            docker pull $FULL_IMAGE_NAME

            # 3. Spring Boot 앱 재시작
            echo "Restarting Docker Compose with tag: $IMAGE_TAG_ONLY"
            cd /home/${{ secrets.USERNAME }}/solid-connection-prod
            docker compose -f docker-compose.prod.yml down || true
            OWNER_LOWERCASE=$OWNER_LOWERCASE IMAGE_TAG=$IMAGE_TAG_ONLY docker compose -f docker-compose.prod.yml up -d

            # 6. 정리
            docker image prune -f
            echo "Deployment finished successfully."
           '