GDGoCINHA · CSE-Shaco · Feb 12, 2026 · Jan 8, 2026 · Jan 8, 2026 · Jan 8, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -20,13 +20,24 @@ jobs:
   build:
     runs-on: ubuntu-latest
 
+    services:
+      redis:
+        image: redis
+        ports:
+          - 6379:6379
+        options: >-
+          --health-cmd "redis-cli ping"
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+
     steps:
       - uses: actions/checkout@v4
 
       - uses: actions/setup-java@v4
         with:
           distribution: temurin
-          java-version: 17
+          java-version: 21
 
       - uses: gradle/actions/setup-gradle@v3
         if: ${{ !env.ACT }}
@@ -35,7 +46,14 @@ jobs:
           gradle-home-cache-cleanup: true
 
       - name: Create dummy .env for CI
-        run: echo "# ci dummy" > .env
+        env:
+          AUDIENCE_SECRET: ${{ secrets.JWT_AUDIENCE }}
+        run: |
+          AUDIENCE_VALUE="${AUDIENCE_SECRET:-ci-audience}"
+          cat > .env <<EOF
+          # ci dummy
+          JWT_AUDIENCE=${AUDIENCE_VALUE}
+          EOF
 
       - name: Gradle build (skip tests)
         id: assemble
@@ -57,6 +75,8 @@ jobs:
           SPRING_JPA_DATABASE_PLATFORM: org.hibernate.dialect.H2Dialect
           SPRING_JPA_HIBERNATE_DDL_AUTO: create-drop
           SPRING_FLYWAY_ENABLED: "false"
+          SPRING_DATA_REDIS_HOST: localhost
+          SPRING_DATA_REDIS_PORT: 6379
         run: ./gradlew test --no-daemon --stacktrace --info --no-watch-fs | tee test.log
 
       - name: Publish unit-test results (check UI)

diff --git a/.github/workflows/deploy-dev.yml b/.github/workflows/deploy-dev.yml
@@ -36,11 +36,16 @@ jobs:
           DB_NAME_DEV=${{ secrets.DB_NAME_DEV }}
           DB_USERNAME=${{ secrets.DB_USERNAME }}
           DB_PASSWORD=${{ secrets.DB_PASSWORD }}
+          REDIS_HOST=${{ secrets.REDIS_HOST || 'localhost' }}
+          REDIS_PORT=${{ secrets.REDIS_PORT || '6379' }}
+          REDIS_PASSWORD=${{ secrets.REDIS_PASSWORD }}
           GOOGLE_CLIENT_ID=${{ secrets.GOOGLE_CLIENT_ID }}
-          GOOGLE_CLIENT_SECRET=${{ secrets.GOOGLE_CLIENT_SECRET }}
-          GOOGLE_REDIRECT_URI=${{ secrets.GOOGLE_REDIRECT_URI }}
           GOOGLE_ISSUER=${{ secrets.GOOGLE_ISSUER }}
           SELF_ISSUER=${{ secrets.SELF_ISSUER }}
+          JWT_AUDIENCE=${{ secrets.JWT_AUDIENCE }}
+          REFRESH_COOKIE_SECURE=${{ secrets.REFRESH_COOKIE_SECURE || 'false' }}
+          REFRESH_COOKIE_SAME_SITE=${{ secrets.REFRESH_COOKIE_SAME_SITE || 'Lax' }}
+          REFRESH_COOKIE_DOMAIN=${{ secrets.REFRESH_COOKIE_DOMAIN }}
           SECRET_KEY=${{ secrets.SECRET_KEY }}
           AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_ACCESS_KEY }}

diff --git a/.github/workflows/deploy-prod.yml b/.github/workflows/deploy-prod.yml
@@ -39,11 +39,16 @@ jobs:
           DB_NAME=${{ secrets.DB_NAME }}
           DB_USERNAME=${{ secrets.DB_USERNAME }}
           DB_PASSWORD=${{ secrets.DB_PASSWORD }}
+          REDIS_HOST=${{ secrets.REDIS_HOST }}
+          REDIS_PORT=${{ secrets.REDIS_PORT }}
+          REDIS_PASSWORD=${{ secrets.REDIS_PASSWORD }}
           GOOGLE_CLIENT_ID=${{ secrets.GOOGLE_CLIENT_ID }}
-          GOOGLE_CLIENT_SECRET=${{ secrets.GOOGLE_CLIENT_SECRET }}
-          GOOGLE_REDIRECT_URI=${{ secrets.GOOGLE_REDIRECT_URI }}
           GOOGLE_ISSUER=${{ secrets.GOOGLE_ISSUER }}
           SELF_ISSUER=${{ secrets.SELF_ISSUER }}
+          JWT_AUDIENCE=${{ secrets.JWT_AUDIENCE }}
+          REFRESH_COOKIE_SECURE=${{ secrets.REFRESH_COOKIE_SECURE || 'false' }}
+          REFRESH_COOKIE_SAME_SITE=${{ secrets.REFRESH_COOKIE_SAME_SITE || 'Lax' }}
+          REFRESH_COOKIE_DOMAIN=${{ secrets.REFRESH_COOKIE_DOMAIN }}
           SECRET_KEY=${{ secrets.SECRET_KEY }}
           AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_ACCESS_KEY }}

diff --git a/Dockerfile b/Dockerfile
@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 
 # --- Build stage ---
-FROM gradle:8.11.1-jdk17 AS build
+FROM eclipse-temurin:21-jdk AS build
 WORKDIR /app
 
 # 루트 프로젝트 전체 복사
@@ -18,7 +18,7 @@ RUN ./gradlew clean bootJar -x test --no-daemon
 RUN cp "$(ls build/libs/*.jar | head -n 1)" build/libs/app.jar
 
 # --- Runtime stage ---
-FROM eclipse-temurin:17-jre
+FROM eclipse-temurin:21-jre
 WORKDIR /app
 
 COPY --from=build /app/build/libs/app.jar app.jar

diff --git a/build.gradle b/build.gradle
@@ -1,32 +1,52 @@
 plugins {
     id 'java'
-    id 'org.springframework.boot' version '3.3.6'
+    id 'org.springframework.boot' version '3.5.9'
     id 'io.spring.dependency-management' version '1.1.7'
+    id 'com.diffplug.spotless' version '6.25.0'
 }
 
 group = 'inha'
 version = '0.0.1-SNAPSHOT'
 
-/* ===== Java Toolchain ===== */
 java {
     toolchain {
-        languageVersion = JavaLanguageVersion.of(17)
+        languageVersion = JavaLanguageVersion.of(21)
     }
 }
 
-/* ===== Configurations ===== */
 configurations {
     compileOnly {
         extendsFrom annotationProcessor
     }
 }
 
-/* ===== Repositories ===== */
 repositories {
     mavenCentral()
 }
 
-/* ===== Dependencies ===== */
+/* ===== Version Pins (필요한 것만) ===== */
+ext {
+    awspringBomVersion = '3.4.2'
+    springdocVersion = '2.8.15'
+    flywayVersion = '11.19.0'
+    postgresVersion = '42.7.3'
+    hibernateTypes60 = '2.21.1'
+    dotenvVersion = '5.2.2'
+    querydslVersion = '6.10.1'
+    jjwtVersion = '0.13.0'
+    googleApiClientVersion = '2.6.0'
+}
+
+/* ===== Vulnerability Pins (정확한 CVE 기반 대응) ===== */
+configurations.configureEach {
+    resolutionStrategy {
+        // CVE-2024-47554 대응 (commons-compress 체인 영향 → commons-lang3 3.18.0 필요)
+        force 'org.apache.commons:commons-lang3:3.18.0'
+        // springdoc transitive classgraph 취약점 대응 버전으로 상향
+        force 'io.github.classgraph:classgraph:4.8.179'
+    }
+}
+
 dependencies {
     // --- Spring Boot Starters ---
     implementation 'org.springframework.boot:spring-boot-starter-web'
@@ -35,62 +55,77 @@ dependencies {
     implementation 'org.springframework.boot:spring-boot-starter-oauth2-client'
     implementation 'org.springframework.boot:spring-boot-starter-mail'
 
-    // --- DB & JPA Utils ---
-    implementation 'com.vladmihalcea:hibernate-types-60:2.21.1'
-    implementation 'org.postgresql:postgresql:42.7.3'
-    runtimeOnly  'com.h2database:h2'   // 테스트/로컬용 인메모리 DB
+    // --- Swagger / OpenAPI (springdoc) ---
+    implementation("org.springdoc:springdoc-openapi-starter-webmvc-ui:${springdocVersion}") {
+        exclude group: "org.apache.commons", module: "commons-lang3"
+    }
+    implementation "org.apache.commons:commons-lang3:3.18.0"
+
+    // --- DB & JPA Utils (Boot 관리 버전과 동기화 필요) ---
+    implementation "com.vladmihalcea:hibernate-types-60:${hibernateTypes60}"
+    implementation "org.postgresql:postgresql:${postgresVersion}"
+    testRuntimeOnly 'com.h2database:h2' // 테스트 환경 전용, 운영 패키지에서는 제외
+
+    // --- Cache / Redis ---
+    implementation 'org.springframework.boot:spring-boot-starter-data-redis'
+
+    // --- Querydsl (OpenFeign fork) ---
+    implementation "io.github.openfeign.querydsl:querydsl-jpa:${querydslVersion}"
+    annotationProcessor "io.github.openfeign.querydsl:querydsl-apt:${querydslVersion}:jakarta"
+    annotationProcessor "org.springframework.boot:spring-boot-configuration-processor"
 
-    // --- QueryDSL ---
-    implementation       'com.querydsl:querydsl-jpa:5.0.0:jakarta'
-    annotationProcessor  'com.querydsl:querydsl-apt:5.0.0:jakarta'
-    annotationProcessor  'jakarta.annotation:jakarta.annotation-api'
-    annotationProcessor  'jakarta.persistence:jakarta.persistence-api'
+    // Querydsl APT helper APIs (컴파일 타임만)
+    compileOnly 'jakarta.annotation:jakarta.annotation-api'
+    compileOnly 'jakarta.persistence:jakarta.persistence-api'
 
-    // --- JWT (JJWT 0.9.x, 레거시 패키지) ---
-    implementation 'io.jsonwebtoken:jjwt:0.9.1'
+    // --- JWT ---
+    implementation "io.jsonwebtoken:jjwt-api:${jjwtVersion}"
+    runtimeOnly "io.jsonwebtoken:jjwt-impl:${jjwtVersion}"
+    runtimeOnly "io.jsonwebtoken:jjwt-jackson:${jjwtVersion}"
 
     // --- AWS (S3) ---
     implementation 'io.awspring.cloud:spring-cloud-aws-starter-s3'
 
-    // --- Flyway (DB Migration) ---
-    implementation "org.flywaydb:flyway-core:10.21.0"
-    implementation "org.flywaydb:flyway-database-postgresql:10.21.0"
+    // --- Flyway ---
+    implementation "org.flywaydb:flyway-core:${flywayVersion}"
+    implementation "org.flywaydb:flyway-database-postgresql:${flywayVersion}"
 
     // --- 환경변수(.env) ---
-    implementation 'io.github.cdimascio:java-dotenv:5.2.2'
+    implementation "io.github.cdimascio:java-dotenv:${dotenvVersion}"
 
     // --- Lombok ---
-    compileOnly        'org.projectlombok:lombok'
+    compileOnly 'org.projectlombok:lombok'
     annotationProcessor 'org.projectlombok:lombok'
 
     // --- Test ---
     testImplementation 'org.springframework.boot:spring-boot-starter-test'
     testImplementation 'org.mockito:mockito-core:5.6.0'
     testImplementation 'org.mockito:mockito-junit-jupiter:5.6.0'
     testImplementation 'org.assertj:assertj-core:3.24.2'
-    testRuntimeOnly   'org.junit.platform:junit-platform-launcher'
+    testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
 
-    // swagger
-    implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.6.0'
+    //Google API Client
+    implementation "com.google.api-client:google-api-client:${googleApiClientVersion}"
 }
 
 dependencyManagement {
     imports {
-        mavenBom "io.awspring.cloud:spring-cloud-aws-dependencies:3.1.1"
-        // ↑ 3.x 대 사용 (프로젝트에 맞는 최신 3.x 가능)
+        mavenBom "io.awspring.cloud:spring-cloud-aws-dependencies:${awspringBomVersion}"
     }
 }
 
-/* ===== Tasks ===== */
+spotless {
+    java {
+        googleJavaFormat('1.22.0')
+        target 'src/**/*.java'
+    }
+}
 
-// 테스트: 프로필과 JUnit 플랫폼 한 곳에서 설정
 tasks.test {
     useJUnitPlatform()
     systemProperty "spring.profiles.active", "test"
 }
 
-// QueryDSL 생성물 경로 고정
 tasks.withType(JavaCompile).configureEach {
-    options.annotationProcessorGeneratedSourcesDirectory = file("build/generated/sources/annotationProcessor/java/main")
+    options.generatedSourceOutputDirectory.set(file("build/generated/sources/annotationProcessor/java/main"))
 }
-