16 changes: 11 additions & 5 deletions .github/workflows/cd.yml
Expand Up @@ -18,11 +18,6 @@ jobs:
- name: Checkout Source Code
uses: actions/checkout@v4

- name: Set up application.yml
run: |
mkdir -p ./src/main/resources
echo "${{ secrets.APPLICATION }}" > ./src/main/resources/application.yml

- name: Set up JDK 21
uses: actions/setup-java@v4
with:
Expand Down Expand Up @@ -74,6 +69,17 @@ jobs:
set -e
mkdir -p /home/ubuntu/app
cd /home/ubuntu/app
cat > docker-compose.yml <<EOF
services:
secause:
image: ${DOCKER_REPO}:latest


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

배포 이미지를 latest 대신 불변 태그로 고정하세요.

현재 배포가 ${DOCKER_REPO}:latest를 pull/up 하므로, 워크플로우가 연속 실행될 때 의도한 커밋이 아닌 이미지가 올라갈 수 있습니다. 빌드에서 이미 ${{ github.sha }}를 push하고 있으니 배포도 동일 SHA 태그를 사용해 원자적으로 맞추는 편이 안전합니다.

제안 변경안
       - name: Deploy to server with Docker
         uses: appleboy/ssh-action@master
         env:
           DOCKER_REPO: ${{ secrets.DOCKER_REPO }}
+          IMAGE_TAG: ${{ github.sha }}
         with:
@@
-          envs: DOCKER_REPO
+          envs: DOCKER_REPO,IMAGE_TAG
           script: |
@@
             cat > docker-compose.yml <<EOF
             services:
               secause:
-                image: ${DOCKER_REPO}:latest
+                image: ${DOCKER_REPO}:${IMAGE_TAG}
                 container_name: secause

Also applies to: 85-86

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/cd.yml at line 75, Replace the mutable image tag usage:
find occurrences of the literal string "image: ${DOCKER_REPO}:latest" used in
the deploy/pull steps and change them to use the commit SHA tag produced by the
build (e.g. "image: ${DOCKER_REPO}:${{ github.sha }}"); ensure every deployment
reference (including the repeated occurrences analogous to the one shown)
matches the tag the build/push step uses so the workflow pulls the exact image
built for that commit.

container_name: secause
env_file:
- /etc/secause/secause.env
ports:
- "8080:8080"
restart: unless-stopped
EOF

docker compose down --remove-orphans || true
docker compose pull
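Review bot: `docker compose down --remove-orphans || true` runs before `docker compose pull`, so the running container is stopped for the whole duration of the pull and, if the pull fails, nothing is left serving; swap the two lines so the new image is fetched first: `docker compose pull` then `docker compose down --remove-orphans || true` (the `up` presumably follows outside the hunk). The generated compose file also points at `/etc/secause/secause.env` via `env_file`, and nothing in this workflow provisions that file now that the application.yml step was removed in the first hunk, so a host that lacks it only fails after the old container is gone; a guard before the heredoc such as `test -f /etc/secause/secause.env || { echo 'missing /etc/secause/secause.env' >&2; exit 1; }` makes the misconfiguration visible first. The deploy script continues past the end of this hunk.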
5 changes: 0 additions & 5 deletions .github/workflows/ci.yml
Expand Up @@ -32,11 +32,6 @@ jobs:
- name: Grant gradlew permission
run: chmod +x ./gradlew

- name: Set up application.yml
run: |
mkdir -p ./src/main/resources
echo "${{ secrets.APPLICATION }}" > ./src/main/resources/application.yml

- name: Build
run: ./gradlew build -x test

2 changes: 0 additions & 2 deletions .gitignore
Expand Up @@ -42,5 +42,3 @@ secrets.yml
.sts4-cache

.idea

src/main/resources/application.yml
Expand Up @@ -6,12 +6,15 @@
import io.swagger.v3.oas.models.OpenAPI;
import io.swagger.v3.oas.models.info.Info;
import io.swagger.v3.oas.models.security.SecurityScheme;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class SwaggerConfig {

@Value("${springdoc.swagger-ui.prod-server}")
private String prodServerUrl;

@Bean
public OpenAPI secauseAPI(){
Expand All @@ -31,8 +34,12 @@ public OpenAPI secauseAPI(){
.scheme("bearer")
.bearerFormat("JWT"));

Server prodServer = new Server().url(prodServerUrl).description("운영 서버 (HTTPS)");
Server localServer = new Server().url("http://localhost:8080").description("로컬 테스트용 (HTTP)");

return new OpenAPI()
.addServersItem(new Server())
.addServersItem(prodServer)
.addServersItem(localServer)
.info(info)
.addSecurityItem(securityRequirement)
.components(components);
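Review bot: `prodServerUrl` is injected through `@Value("${springdoc.swagger-ui.prod-server}")` into a non-final field with no default, so any profile that omits the property fails at context start; both new profile files define it, so if that fail-fast is intended, say so in a comment on the field, otherwise add a `:`-default. Prefer constructor injection so the field can be `final`: `public SwaggerConfig(@Value("${springdoc.swagger-ui.prod-server}") String prodServerUrl) { this.prodServerUrl = prodServerUrl; }`. The `http://localhost:8080` server entry is advertised under every profile, including the deployed one; if that is not wanted, build the local `Server` only when the local profile is active. `secauseAPI` begins in the previous hunk, so its start is outside this one.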
36 changes: 36 additions & 0 deletions src/main/resources/application-dev.yml
@@ -0,0 +1,36 @@
spring:
application:
name: SeCause-be
datasource:
driver-class-name: org.postgresql.Driver
url: ${DB_URL}
username: ${DB_USERNAME}
password: ${DB_PASSWORD}
sql:
init:
mode: always
separator: "@@"
jpa:
hibernate:
ddl-auto: validate

springdoc:
swagger-ui:
path: /swagger-ui.html
operations-sorter: method
prod-server: ${SWAGGER_SERVER_URL}
api-docs:
path: /api-docs

github:
oauth:
client-id: ${GITHUB_CLIENT_ID}
client-secret: ${GITHUB_CLIENT_SECRET}
redirect-uri: ${GITHUB_REDIRECT_URI}

jwt:
secret: ${JWT_SECRET}
access-token-expiration: ${JWT_ACCESS_TOKEN_EXPIRATION:3600000}
refresh-token-expiration: 1209600000 # 14일
refresh-secret: ${REFRESH_SECRET}
refresh-token-hash-secret: ${REFRESH_TOKEN_HASH_SECRET}
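Review bot: `spring.sql.init.mode: always` combined with `jpa.hibernate.ddl-auto: validate` means the SQL init scripts are executed on every start of this profile against a persistent database, so they must be idempotent (create-if-not-exists, no duplicate inserts) or each redeploy fails or re-applies data. A comment next to `mode: always` such as `# runs the SQL init scripts on every start; keep them idempotent` records that constraint for whoever edits the scripts. Every secret here has no fallback, which is the right choice for a deployed profile; worth noting in the same comment that missing `DB_*`, `JWT_*` or `GITHUB_*` variables abort startup by design.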
37 changes: 37 additions & 0 deletions src/main/resources/application-local.yml
@@ -0,0 +1,37 @@
spring:
application:
name: SeCause-be
datasource:
driver-class-name: org.postgresql.Driver
url: ${LOCAL_DB_URL:jdbc:postgresql://localhost:5433/secausedb}
username: ${LOCAL_DB_USERNAME:postgres}
password: ${LOCAL_DB_PASSWORD:}
sql:
init:
mode: always
separator: "@@"
jpa:
hibernate:
ddl-auto: update

springdoc:
swagger-ui:
path: /swagger-ui.html
operations-sorter: method
prod-server: ${SWAGGER_SERVER_URL:http://localhost:8080}
api-docs:
path: /api-docs


github:
oauth:
client-id: ${GITHUB_CLIENT_ID:}
client-secret: ${GITHUB_CLIENT_SECRET:}
redirect-uri: ${GITHUB_REDIRECT_URI:http://localhost:3000/login/callback}

jwt:
secret: ${JWT_SECRET:secause-local-jwt-secret-key-2026-development-only}
access-token-expiration: ${JWT_ACCESS_TOKEN_EXPIRATION:3600000}
refresh-token-expiration: 1209600000 # 14일
refresh-secret: ${JWT_REFRESH_SECRET_LOCAL:secause-secret-key-for-local-development-2026}
refresh-token-hash-secret: ${JWT_REFRESH_HASH_SECRET_LOCAL:secause-hash-secret-key-for-local-development-2026}
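Review bot: The `jwt.secret`, `jwt.refresh-secret` and `jwt.refresh-token-hash-secret` fallbacks are committed, publicly readable signing keys, and the new `application.yml` in this PR sets `spring.profiles.active: local` as the default; a deployed container whose env file does not override the active profile would therefore start with those known keys and with an empty `client-secret`, and nothing visible in the workflow shows that override being set. The safer shape is to drop the three fallbacks so that `local` also refuses to start without explicit values: `secret: ${JWT_SECRET}`, `refresh-secret: ${JWT_REFRESH_SECRET_LOCAL}`, `refresh-token-hash-secret: ${JWT_REFRESH_HASH_SECRET_LOCAL}`, with developers exporting them locally. If the fallbacks must stay, the same concern applies to the `application.yml` hunk that makes `local` the default profile, where a comment stating that deployments must set `SPRING_PROFILES_ACTIVE` would at least make the requirement explicit.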
3 changes: 3 additions & 0 deletions src/main/resources/application.yml
@@ -0,0 +1,3 @@
spring:
profiles:
active: local