forked from Kori-AppTeam/Kori_Be
-
Notifications
You must be signed in to change notification settings - Fork 0
478 lines (392 loc) · 19.8 KB
/
Copy pathdev-cicd.yml
File metadata and controls
478 lines (392 loc) · 19.8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
name: Deploy Foreigner (Dev via Docker Compose)
on:
push:
branches: [ prod ]
concurrency:
group: deploy-foreigner-dev
cancel-in-progress: true
jobs:
preflight:
runs-on: ubuntu-latest
steps:
- name: Validate required secrets
run: |
test -n "${{ secrets.DOCKERHUB_USERNAME }}" || (echo "DOCKERHUB_USERNAME is empty" && exit 1)
test -n "${{ secrets.DOCKERHUB_TOKEN }}" || (echo "DOCKERHUB_TOKEN is empty" && exit 1)
test -n "${{ secrets.DEV_HOST }}" || (echo "DEV_HOST is empty" && exit 1)
test -n "${{ secrets.DEV_USER }}" || (echo "DEV_USER is empty" && exit 1)
test -n "${{ secrets.DEV_SSH_KEY }}" || (echo "DEV_SSH_KEY is empty" && exit 1)
test -n "${{ secrets.DB_NAME }}" || (echo "DB_NAME is empty" && exit 1)
test -n "${{ secrets.DB_USER }}" || (echo "DB_USER is empty" && exit 1)
test -n "${{ secrets.DB_PASSWORD }}" || (echo "DB_PASSWORD is empty" && exit 1)
test -n "${{ secrets.JWT_SECRET }}" || (echo "JWT_SECRET is empty" && exit 1)
test -n "${{ secrets.DEV_SUDO_PASSWORD }}" || (echo "DEV_SUDO_PASSWORD is empty" && exit 1)
test -n "${{ secrets.PROD_ENCRYPTION_SECRET }}" || (echo "PROD_ENCRYPTION_SECRET is empty" && exit 1)
echo "All required secrets are set."
quality-tests:
needs: preflight
runs-on: ubuntu-latest
services:
postgres:
image: groonga/pgroonga:latest
env:
POSTGRES_DB: testdb
POSTGRES_USER: testuser
POSTGRES_PASSWORD: testpass
ports:
- 5432:5432
options: >-
--health-cmd="pg_isready -U testuser -d testdb"
--health-interval=5s
--health-timeout=5s
--health-retries=30
redis:
image: redis:7
ports:
- 6379:6379
options: >-
--health-cmd="redis-cli ping || exit 1"
--health-interval=5s
--health-timeout=5s
--health-retries=30
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Setup JDK 17
uses: actions/setup-java@v4
with:
distribution: temurin
java-version: "17"
- name: Setup Gradle
uses: gradle/actions/setup-gradle@v4
- name: Run preflight (tests + coverage + sonar)
env:
CI: "true"
SPRING_PROFILES_ACTIVE: test
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
JAVA_TOOL_OPTIONS: "-Xmx4g -XX:MaxMetaspaceSize=512m"
run: |
./gradlew preflight sonar --parallel --build-cache \
-Dorg.gradle.jvmargs="-Xmx4g -XX:MaxMetaspaceSize=512m" \
-Dspring.profiles.active=test \
-Dspring.datasource.url=jdbc:postgresql://localhost:5432/testdb \
-Dspring.datasource.username=testuser \
-Dspring.datasource.password=testpass \
-Dspring.data.redis.host=localhost \
-Dspring.data.redis.port=6379
# 실패 시에만 로그 덤프 (성공 시에는 시간 절약)
- name: Dump service logs on failure
if: failure()
run: |
echo "=== PostgreSQL Logs ==="
# groonga 이미지를 사용하는 컨테이너의 로그를 직접 출력
docker logs $(docker ps -q --filter "ancestor=groonga/pgroonga:latest")
echo "=== Redis Logs ==="
docker logs $(docker ps -q --filter "ancestor=redis:7")
build:
needs: [ preflight, quality-tests ]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup JDK 17
uses: actions/setup-java@v4
with:
distribution: temurin
java-version: "17"
cache: gradle
- name: Build JAR
run: ./gradlew clean bootJar -x test --no-daemon
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to DockerHub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Build & Push
uses: docker/build-push-action@v6
with:
context: .
file: ./Dockerfile
push: true
tags: |
${{ secrets.DOCKERHUB_USERNAME }}/foreigner:latest
${{ secrets.DOCKERHUB_USERNAME }}/foreigner:${{ github.sha }}
cache-from: type=gha
cache-to: type=gha,mode=max
deploy-app:
needs: [ build ]
runs-on: ubuntu-latest
if: always()
steps:
- name: Deploy (Docker Compose, blue/green via gateway)
uses: appleboy/ssh-action@v1.0.3
with:
host: ${{ secrets.DEV_HOST }}
username: ${{ secrets.DEV_USER }}
password: ${{ secrets.DEV_SSH_KEY }}
script: |
set -euo pipefail
command -v docker >/dev/null || (echo "docker not found" && exit 1)
docker compose version || (echo "docker compose not found" && exit 1)
SMOKE_TOKEN="${{ secrets.SMOKE_TOKEN }}"
SMOKE_RETRIES="${{ secrets.SMOKE_RETRIES }}"
SMOKE_SLEEP="${{ secrets.SMOKE_SLEEP }}"
: "${SMOKE_TOKEN:?SMOKE_TOKEN is required}"
mkdir -p ~/foreigner
cd ~/foreigner
echo "${{ secrets.DOCKERHUB_TOKEN }}" | docker login -u "${{ secrets.DOCKERHUB_USERNAME }}" --password-stdin
echo "${{ secrets.GCP_SA_KEY_JSON }}" | base64 --decode > gcp-key.json
IMAGE="${{ secrets.DOCKERHUB_USERNAME }}/foreigner:${{ github.sha }}"
: "${IMAGE:?IMAGE is empty}"
echo "Using IMAGE=${IMAGE}"
# 공통 .env
cat > .env <<'EOF'
DB_NAME=${{ secrets.DB_NAME }}
DB_USERNAME=${{ secrets.DB_USER }}
DB_PASSWORD=${{ secrets.DB_PASSWORD }}
SPRING_DATA_REDIS_HOST=${{ secrets.REDIS_HOST }}
SPRING_DATA_REDIS_PORT=${{ secrets.REDIS_PORT }}
SPRING_DATA_REDIS_PASSWORD=${{ secrets.REDIS_PASSWORD }}
JWT_SECRET=${{ secrets.JWT_SECRET }}
ANDROID_CLIENT_ID=${{ secrets.ANDROID_CLIENT_ID }}
ANDROID_REDIRECT_URI=${{ secrets.ANDROID_REDIRECT_URI }}
IOS_CLIENT_ID=${{ secrets.IOS_CLIENT_ID }}
IOS_REDIRECT_URI=${{ secrets.IOS_REDIRECT_URI }}
WEB_CLIENT_ID=${{ secrets.WEB_CLIENT_ID }}
WEB_CLIENT_SECRET=${{ secrets.WEB_CLIENT_SECRET }}
WEB_REDIRECT_URI=${{ secrets.WEB_REDIRECT_URI }}
APPLE_TEAM_ID=${{ secrets.APPLE_TEAM_ID }}
APPLE_KEY_ID=${{ secrets.APPLE_KEY_ID }}
APPLE_CLIENT_ID=${{ secrets.APPLE_CLIENT_ID }}
APPLE_REDIRECT_URI=${{ secrets.APPLE_REDIRECT_URI }}
APPLE_APP_BUNDLE_ID=${{ secrets.APPLE_APP_BUNDLE_ID }}
NCP_ACCESS_KEY=${{ secrets.NCP_ACCESS_KEY }}
NCP_SECRET_KEY=${{ secrets.NCP_SECRET_KEY }}
NCP_BUCKET_NAME=${{ secrets.NCP_BUCKET_NAME }}
NCP_CDN_URL=${{ secrets.NCP_CDN_URL }}
NCP_MAIL_HOST=${{ secrets.NCP_MAIL_HOST }}
NCP_EMAIL=${{ secrets.NCP_EMAIL }}
NCP_EMAIL_PASSWORD=${{ secrets.NCP_EMAIL_PASSWORD }}
GOOGLE_MAIL_HOST=${{ secrets.GOOGLE_MAIL_HOST }}
GOOGLE_EMAIL=${{ secrets.GOOGLE_EMAIL }}
GOOGLE_EMAIL_PASSWORD=${{ secrets.GOOGLE_EMAIL_PASSWORD }}
CLOVA_STUDIO_API_KEY=${{ secrets.CLOVA_STUDIO_API_KEY }}
FEIGN_CONNECT_TIMEOUT=${{ secrets.FEIGN_CONNECT_TIMEOUT }}
FEIGN_READ_TIMEOUT=${{ secrets.FEIGN_READ_TIMEOUT }}
FEIGN_LOGGER_LEVEL=${{ secrets.FEIGN_LOGGER_LEVEL }}
FIREBASE_CREDENTIALS_JSON_PATH=./firebase.json
SERVER_URL=${{ secrets.SERVER_URL }}
SWAGGER_URL=${{ secrets.SWAGGER_URL }}
GCP_PERSPECTIVE_API_KEY=${{ secrets.GCP_PERSPECTIVE_API_KEY }}
GCP_PROJECT_ID=${{ secrets.GCP_PROJECT_ID }}
GCP_TRANSLATE_API_KEY=${{ secrets.GCP_TRANSLATE_API_KEY }}
GCP_MAP_API_KEY=${{ secrets.GCP_MAP_API_KEY }}
ENCRYPTION_SECRET=${{ secrets.PROD_ENCRYPTION_SECRET }}
NAVER_HOST=${{ secrets.NAVER_HOST }}
APP_NAME=${{ secrets.APP_NAME }}
GMAIL_APP_PASSWORD=${{ secrets.GMAIL_APP_PASSWORD }}
BASE_URL=${{ secrets.BASE_URL }}
SIGHTENGINE_API_USER=${{secrets.SIGHTENGINE_API_USER}}
SIGHTENGINE_API_SECRET=${{secrets.SIGHTENGINE_API_SECRET}}
OPEN_AI_KEY=${{secrets.OPEN_AI_KEY}}
SMOKE_ADMIN_EMAIL=${{secrets.SMOKE_ADMIN_EMAIL}}
SMOKE_ADMIN_PW=${{secrets.SMOKE_ADMIN_PW}}
SMOKE_ADMIN_LOGIN_URL=${{secrets.SMOKE_ADMIN_LOGIN_URL}}
ADMIN_OTP_SECRET=${{secrets.ADMIN_OTP_SECRET}}
IAP_ANDROID_SA_B64=${{secrets.IAP_ANDROID_SA_B64}}
IAP_IOS_ISSUER_ID=${{secrets.IAP_IOS_ISSUER_ID}}
IAP_IOS_KEY_ID=${{secrets.IAP_IOS_KEY_ID}}
IAP_IOS_P8_B64=${{secrets.IAP_IOS_P8_B64}}
APP_PACKAGE_NAME=${{secrets.APP_PACKAGE_NAME}}
IAP_ANDROID_SA_B64=${{secrets.IAP_ANDROID_SA_B64}}
IAP_IOS_ISSUER_ID=${{secrets.IAP_IOS_ISSUER_ID}}
IAP_IOS_KEY_ID=${{secrets.IAP_IOS_KEY_ID}}
IAP_IOS_P8_B64=${{secrets.IAP_IOS_P8_B64}}
SPRING_PROFILES_ACTIVE=dev
SPRINGDOC_ENABLED=false
JAVA_TOOL_OPTIONS="-Xms1g -Xmx3g -XX:+UseG1GC -XX:G1NewSizePercent=20 -XX:G1HeapRegionSize=16M -XX:MaxTenuringThreshold=15 -XX:MaxGCPauseMillis=100 -XX:InitiatingHeapOccupancyPercent=35 -XX:MaxMetaspaceSize=512M -XX:+ParallelRefProcEnabled"
EOF
echo "SMOKE_TOKEN=${SMOKE_TOKEN}" >> .env
echo "SMOKE_BASE_URL=http://localhost:8080" >> .env
cat > apple_key.pem <<PEM
${{ secrets.APPLE_PRIVATE_KEY_PEM }}
PEM
PEM_CONTENT=$(awk 'NF {printf "%s", $0}' apple_key.pem)
echo "APPLE_PRIVATE_KEY_PEM=\"$PEM_CONTENT\"" >> .env
cat > firebase.json <<'JSON'
${{ secrets.FIREBASE_CREDENTIALS_JSON }}
JSON
if command -v jq >/dev/null 2>&1; then
FIREBASE_JSON_COMPACT="$(jq -c . < firebase.json)"
else
FIREBASE_JSON_COMPACT="$(tr -d '\n' < firebase.json)"
fi
# 공백/특수문자 안전하게 기록
# 이미지 변수는 .env에 한 번만 기록
{
echo "IMAGE=${IMAGE}"
echo "IMAGE_BLUE=${IMAGE}"
echo "IMAGE_GREEN=${IMAGE}"
} >> .env
echo "FIREBASE_CREDENTIALS_JSON=${FIREBASE_JSON_COMPACT}" >> .env
chmod 600 .env apple_key.pem firebase.json || true
# compose/네트워크 확인
COMPOSE_APP="docker-compose.app.yml"
test -f "$COMPOSE_APP" || { echo "missing $COMPOSE_APP"; exit 1; }
docker network inspect foreigner_net >/dev/null 2>&1 || docker network create foreigner_net
# --- 필수 변수/상태 초기화 ---------------------------------------------------------
: "${COMPOSE_APP:?COMPOSE_APP is required}" # COMPOSE_APP 미설정 보호
ACTIVE_FILE="nginx/conf.d/.active"
# 폴더 없을 수 있으니 보호
mkdir -p "$(dirname "$ACTIVE_FILE")"
if [ -f "$ACTIVE_FILE" ]; then
ACTIVE_SLOT="$(tr -d '\n' < "$ACTIVE_FILE")"
else
ACTIVE_SLOT="blue"
printf '%s\n' "$ACTIVE_SLOT" > "$ACTIVE_FILE"
fi
case "$ACTIVE_SLOT" in
blue) NEXT_SLOT="green" ;;
green) NEXT_SLOT="blue" ;;
*) echo "WARN: unknown ACTIVE_SLOT=$ACTIVE_SLOT -> default NEXT_SLOT=green" >&2
NEXT_SLOT="green" ;;
esac
export ACTIVE_SLOT NEXT_SLOT
SMOKE_URL="http://app-${NEXT_SLOT}:8080/internal/smoke?mode=gate"
echo "SMOKE_URL=$SMOKE_URL"
echo "ACTIVE_SLOT=$ACTIVE_SLOT, NEXT_SLOT=$NEXT_SLOT"
# -------------------------------------------------------------------------------
# --- 0) 다음 슬롯 기동 + 헬스 대기 ------------------------------------------------
docker compose -p foreigner -f "$COMPOSE_APP" up -d "app-$NEXT_SLOT"
grep -n '^SMOKE_TOKEN=' .env | sed 's/=.*/=<redacted>/' || true
echo "[debug] SMOKE_TOKEN length=${#SMOKE_TOKEN}"
GW_ID="$(docker compose -p foreigner -f "$COMPOSE_APP" ps -q gateway)"
# 게이트웨이에서 Docker DNS에 등록되었는지 먼저 확인(최대 60초)
for i in $(seq 1 60); do
if docker exec "$GW_ID" getent hosts "app-$NEXT_SLOT" >/dev/null 2>&1; then
break
fi
sleep 1
done
# --- 1) 활성 슬롯 교체 (변수 한 줄만 토글) ---------------------------------------
if [ "$NEXT_SLOT" = "blue" ]; then
sed -i -E 's|^([[:space:]]*set[[:space:]]+\$active_upstream[[:space:]]+).*$|\1http://app-blue:8080;|' nginx/conf.d/default.conf
else
sed -i -E 's|^([[:space:]]*set[[:space:]]+\$active_upstream[[:space:]]+).*$|\1http://app-green:8080;|' nginx/conf.d/default.conf
fi
# --- 2) 게이트웨이 reload ----------------------------------------------------------
docker exec "$GW_ID" nginx -t
docker exec "$GW_ID" nginx -s reload
# --- 2.5) (선택) 전환 검증: 현재 업스트림 확인 -----------------------------------
docker exec "$GW_ID" sh -lc 'apk add --no-cache curl 2>/dev/null || true; curl -skI https://dev.ko-ri.cloud/ | grep -i x-upstream || true'
# --- 2.6) Smoke test (앱 + 외부 API) ------------------------------------------------
echo "Running smoke test: ${SMOKE_URL}"
set +e
RC=1
for i in $(seq 1 "${SMOKE_RETRIES}"); do
echo "Smoke attempt ${i}/${SMOKE_RETRIES}..."
docker exec \
-e SMOKE_URL="${SMOKE_URL}" \
-e SMOKE_TOKEN="${SMOKE_TOKEN}" \
"${GW_ID}" sh -lc '
set -eu
apk add --no-cache curl >/dev/null 2>&1 || true
BODY_FILE="/tmp/smoke.body"
echo "[smoke] request: ${SMOKE_URL}"
HTTP_CODE="$(curl -sS --max-time 10 \
-H "X-Smoke-Token: ${SMOKE_TOKEN}" \
-o "${BODY_FILE}" \
-w "%{http_code}" \
"${SMOKE_URL}" || true)"
echo "[smoke] http_code=${HTTP_CODE}"
echo "[smoke] body:"
cat "${BODY_FILE}" 2>/dev/null || true
case "${HTTP_CODE}" in
2??) exit 0 ;;
*) exit 1 ;;
esac
' >/tmp/smoke.out 2>/tmp/smoke.err
RC=$?
if [ "${RC}" -eq 0 ]; then
echo "✅ Smoke test passed."
cat /tmp/smoke.out || true
break
fi
echo "❌ Smoke failed (rc=${RC})."
echo "--- stdout ---"
cat /tmp/smoke.out || true
echo "--- stderr ---"
cat /tmp/smoke.err || true
sleep "${SMOKE_SLEEP}"
done
set -e
if [ "${RC}" -ne 0 ]; then
echo "🚨 Smoke test failed. Rolling back to ACTIVE_SLOT=${ACTIVE_SLOT}"
# 업스트림을 다시 ACTIVE_SLOT으로 원복
if [ "${ACTIVE_SLOT}" = "blue" ]; then
sed -i -E 's|^([[:space:]]*set[[:space:]]+\$active_upstream[[:space:]]+).*$|\1http://app-blue:8080;|' nginx/conf.d/default.conf
else
sed -i -E 's|^([[:space:]]*set[[:space:]]+\$active_upstream[[:space:]]+).*$|\1http://app-green:8080;|' nginx/conf.d/default.conf
fi
docker exec "${GW_ID}" nginx -t
docker exec "${GW_ID}" nginx -s reload
# NEXT 슬롯 정리
docker compose -p foreigner -f "${COMPOSE_APP}" stop "app-${NEXT_SLOT}" || true
docker compose -p foreigner -f "${COMPOSE_APP}" rm -f "app-${NEXT_SLOT}" || true
exit 1
fi
# --- 3) 활성 슬롯 기록 ------------------------------------------------------------
echo "$NEXT_SLOT" > "$ACTIVE_FILE"
# --- 4) 드레인 대기(웹소켓/롱요청 보호) ------------------------------------------
SLEEP_DRAIN="${SLEEP_DRAIN:-20}"
echo "Drain wait ${SLEEP_DRAIN}s before removing inactive slot..."
sleep "$SLEEP_DRAIN"
# --- 5) 이전 슬롯 정리 ------------------------------------------------------------
INACTIVE="app-${ACTIVE_SLOT}"
docker compose -p foreigner -f "$COMPOSE_APP" stop "$INACTIVE" || true
docker compose -p foreigner -f "$COMPOSE_APP" rm -f "$INACTIVE" || true
# (보호) 혹시라도 둘 다 떠 있으면 비활성은 내려버림
if docker compose -p foreigner -f "$COMPOSE_APP" ps "$INACTIVE" | grep -q 'Up'; then
docker compose -p foreigner -f "$COMPOSE_APP" stop "$INACTIVE" || true
docker compose -p foreigner -f "$COMPOSE_APP" rm -f "$INACTIVE" || true
fi
cleanup-images:
if: github.event_name == 'push'
needs: [ deploy-app ] # 배포 성공/실패와 무관하게
runs-on: ubuntu-latest
steps:
- name: Prune old images (keep 4 latest + any in-use)
uses: appleboy/ssh-action@v1.0.3
with:
host: ${{ secrets.DEV_HOST }}
username: ${{ secrets.DEV_USER }}
password: ${{ secrets.DEV_SSH_KEY }}
script: |
set -euo pipefail
REPO="${{ secrets.DOCKERHUB_USERNAME }}/foreigner"
KEEP=4
# 실행/중지 컨테이너가 쓰는 이미지 목록 (보존)
ALL_IN_USE="$(docker ps -a --format '{{.Image}}' | grep "^${REPO}:" | sort -u || true)"
# 최신 4개 태그 (롤백 대비 보존)
KEEP_TAGS="$(
docker image ls "$REPO" --format '{{.Tag}} {{.CreatedAt}}' \
| sort -rk2 | awk '{print $1}' | head -n "$KEEP"
)"
# 레포의 모든 태그 중, in-use/최신4개 제외하고 삭제
docker image ls "$REPO" --format '{{.Repository}}:{{.Tag}}' \
| while read -r IMG; do
TAG="${IMG#*:}"
if printf '%s\n' "$ALL_IN_USE" | grep -qx "$IMG"; then
echo "keep (in-use) $IMG"; continue
fi
if printf '%s\n' "$KEEP_TAGS" | grep -qx "$TAG"; then
echo "keep (recent) $IMG"; continue
fi
docker rmi "$IMG" || true
done
# dangling 레이어 추가 정리
docker image prune -f || true
echo "Remaining images:"
docker image ls "$REPO" --format '{{.Repository}}:{{.Tag}}\t{{.CreatedSince}}' | sort -k2