63 changes: 63 additions & 0 deletions .github/workflows/deploy.yml
@@ -0,0 +1,63 @@
name: Deploy Auth to ECS

on:
push:
branches:
- main
workflow_dispatch:

env:
AWS_REGION: ap-northeast-2
AWS_ACCOUNT_ID: 727452759104
ECR_REPOSITORY: momentlit/auth
ECS_CLUSTER: default
ECS_SERVICE: momentlit-auth-service
IMAGE_TAG: latest
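Review bot: workflow_dispatch here lets anyone with write access start a production deploy from any branch or tag they choose, while the push trigger is limited to main. Unless manual deploys from other refs are intended, guard the deploy job with a GitHub environment (environment: production) that requires reviewers and restricts deployment branches to main, or check github.ref against refs/heads/main at the top of the job.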

🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Use a dynamic value for the image tag.

The image tag is fixed to latest, which causes the following problems:

  • Rolling back to a specific version is difficult
  • Which code version was deployed cannot be traced
  • Image caching problems may occur

Use the Git commit SHA or a timestamp so that each deployment can be uniquely identified.

♻️ Suggested fix
-  IMAGE_TAG: latest
+  IMAGE_TAG: ${{ github.sha }}

Or combine a date and the SHA:

-  IMAGE_TAG: latest
+  IMAGE_TAG: ${{ github.run_number }}-${{ github.sha }}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
IMAGE_TAG: latest
IMAGE_TAG: ${{ github.sha }}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy.yml at line 15, The IMAGE_TAG variable in the
deploy.yml workflow is hardcoded to 'latest', which prevents proper version
tracking and rollback capabilities. Replace the hardcoded 'latest' value with a
dynamic identifier such as the Git commit SHA (accessible via github.sha
context) or a combination of timestamp and commit SHA. This will ensure each
deployment is uniquely identifiable and enables tracking of which code version
is deployed.


jobs:
deploy:
name: Build and Deploy Auth
runs-on: ubuntu-latest

Comment on lines +17 to +21


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Apply the principle of least privilege by setting explicit permissions.

The workflow has no explicit permissions block, so it is running with the default permissions. Following security best practice, only the minimum permissions required should be granted.

🔒 Suggested fix
 jobs:
   deploy:
     name: Build and Deploy Auth
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write  # if using OIDC
📝 Committable suggestion


Suggested change
jobs:
deploy:
name: Build and Deploy Auth
runs-on: ubuntu-latest
jobs:
deploy:
name: Build and Deploy Auth
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write # if using OIDC
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy.yml around lines 17 - 21, The workflow lacks
explicit permission declarations, relying on default permissions which violates
the principle of least privilege. Add a `permissions` block to the deploy job
with only the minimum required permissions needed for the build and deployment
tasks. Specify each required permission explicitly (such as contents, packages,
id-token, etc.) with appropriate access levels (read, write, or none) based on
what the job actually needs to accomplish.

Source: Linters/SAST tools

steps:
- name: Checkout source code
uses: actions/checkout@v4
Comment on lines +23 to +24


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Disable credential persistence.

actions/checkout persists Git credentials by default, so they could be unintentionally exposed in later steps.

🔒 Suggested fix
       - name: Checkout source code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
📝 Committable suggestion


Suggested change
- name: Checkout source code
uses: actions/checkout@v4
- name: Checkout source code
uses: actions/checkout@v4
with:
persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 23-24: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 24-24: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy.yml around lines 23 - 24, The actions/checkout@v4
action is configured with default settings that persist Git credentials, which
could expose them in subsequent workflow steps. Add the persist-credentials
parameter set to false in the actions/checkout step to disable credential
persistence and prevent unintended credential exposure.

Source: Linters/SAST tools


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: look up the commit hash corresponding to each action's tag

echo "=== actions/checkout@v4 ==="
gh api repos/actions/checkout/git/ref/tags/v4 --jq '.object.sha'

echo "=== aws-actions/configure-aws-credentials@v5 ==="
gh api repos/aws-actions/configure-aws-credentials/git/ref/tags/v5 --jq '.object.sha'

echo "=== aws-actions/amazon-ecr-login@v2 ==="
gh api repos/aws-actions/amazon-ecr-login/git/ref/tags/v2 --jq '.object.sha'

echo "=== docker/setup-buildx-action@v3 ==="
gh api repos/docker/setup-buildx-action/git/ref/tags/v3 --jq '.object.sha'

Repository: MomentLit/Auth

Length of output: 377


🏁 Script executed:

cat .github/workflows/deploy.yml

Repository: MomentLit/Auth

Length of output: 1697


Pin all GitHub Actions to commit hashes.

Every action in the workflow is referenced only by a version tag, which leaves it exposed to supply-chain attacks. Tags can be moved while commit hashes are immutable, so security best practice is to pin each action to a specific commit hash.

Update the following actions:

  • actions/checkout@v4 → actions/checkout@34e1148
  • aws-actions/configure-aws-credentials@v5 → aws-actions/configure-aws-credentials@cabfdba
  • aws-actions/amazon-ecr-login@v2 → aws-actions/amazon-ecr-login@d539f09
  • docker/setup-buildx-action@v3 → docker/setup-buildx-action@8d2750c
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 23-24: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 24-24: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

📍 Affects 1 file
  • .github/workflows/deploy.yml#L24-L24 (this comment)
  • .github/workflows/deploy.yml#L27-L27
  • .github/workflows/deploy.yml#L34-L34
  • .github/workflows/deploy.yml#L37-L37
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy.yml at line 24, Pin all GitHub Actions in
.github/workflows/deploy.yml to specific commit hashes instead of version tags
to prevent supply chain attacks. At line 24, replace actions/checkout@v4 with
actions/checkout@34e1148. At line 27, replace
aws-actions/configure-aws-credentials@v5 with
aws-actions/configure-aws-credentials@cabfdba. At line 34, replace
aws-actions/amazon-ecr-login@v2 with aws-actions/amazon-ecr-login@d539f09. At
line 37, replace docker/setup-buildx-action@v3 with
docker/setup-buildx-action@8d2750c. This ensures immutable action references
that cannot be altered by tag reassignment.

Source: Linters/SAST tools
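A helper that carries out this pinning, added here as an example; it is not code from the MomentLit/Auth repository or from the review bot. It assumes the GitHub REST API's git/ref/tags/{tag} and git/tags/{sha} response shapes. Two details matter in practice: the script in the comment above reads .object.sha straight from the ref, which for an annotated tag is the SHA of the tag object rather than of the commit, so the helper dereferences that case; and it refuses abbreviated hashes such as the seven-character ones listed, because only the full 40-character SHA is an unambiguous, immutable reference (short prefixes can collide), with the original tag kept as a trailing comment so the pin stays readable.

```python
"""Pin GitHub Actions `uses:` references to full commit SHAs.

Added example; not code from the MomentLit/Auth repository. Only
resolve_tag_commit() touches the network; the rewrite logic is pure so it
can be exercised offline on a workflow file's text.
"""
import json
import re
import urllib.request

# Matches `uses: owner/repo[/path]@ref` and keeps the YAML indentation.
USES_RE = re.compile(
    r"^(?P<indent>\s*(?:-\s*)?uses:\s*)"
    r"(?P<repo>[\w.-]+/[\w.-]+)(?P<path>/[^@\s]*)?"
    r"@(?P<ref>\S+)(?P<rest>.*)$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def _get_json(url: str) -> dict:
    req = urllib.request.Request(url, headers={"Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def commit_sha_from_ref(ref_obj: dict, fetch=_get_json) -> str:
    """Return the commit SHA behind a `git/ref/tags/{tag}` response.

    A lightweight tag points straight at a commit, but an annotated tag
    points at a tag *object*; `.object.sha` is then the tag object's SHA,
    which is not a valid pin. Dereference it through the URL the API gives.
    """
    obj = ref_obj["object"]
    if obj["type"] == "commit":
        return obj["sha"]
    if obj["type"] == "tag":
        target = fetch(obj["url"])["object"]
        if target["type"] != "commit":
            raise ValueError(f"tag resolves to a {target['type']}, not a commit")
        return target["sha"]
    raise ValueError(f"unexpected ref object type {obj['type']!r}")


def resolve_tag_commit(repo: str, tag: str) -> str:
    """Network call: repo like 'actions/checkout', tag like 'v4'."""
    return commit_sha_from_ref(
        _get_json(f"https://api.github.com/repos/{repo}/git/ref/tags/{tag}")
    )


def pin_uses_line(line: str, sha: str) -> str:
    """Rewrite `uses: owner/repo@v4` as `uses: owner/repo@<full sha>  # v4`.

    Lines that are not `uses:` references, or are already SHA-pinned, come
    back unchanged. Abbreviated SHAs such as `34e1148` are refused. Anything
    after the ref (an old trailing comment) is replaced by the tag comment.
    """
    m = USES_RE.match(line)
    if not m or FULL_SHA_RE.match(m.group("ref")):
        return line
    if not FULL_SHA_RE.match(sha):
        raise ValueError(f"refusing to pin to non-full SHA {sha!r}")
    path = m.group("path") or ""
    return f"{m.group('indent')}{m.group('repo')}{path}@{sha}  # {m.group('ref')}"


def pin_workflow(text: str, resolver=resolve_tag_commit) -> str:
    """Pin every tag or branch reference in a workflow file's text."""
    out = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m and not FULL_SHA_RE.match(m.group("ref")):
            line = pin_uses_line(line, resolver(m.group("repo"), m.group("ref")))
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else ".github/workflows/deploy.yml"
    with open(path) as fh:
        sys.stdout.write(pin_workflow(fh.read()))
```

Run it as `python pin_actions.py .github/workflows/deploy.yml` and commit the result; Dependabot and Renovate both recognise the `@<sha>  # v4` form and keep the SHA and the comment in step when a new release is tagged.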


- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v5
with:
aws-region: ${{ env.AWS_REGION }}
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

- name: Login to Amazon ECR
uses: aws-actions/amazon-ecr-login@v2

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Build and push Docker image
run: |
IMAGE_URI=${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ECR_REPOSITORY}:${IMAGE_TAG}

docker buildx build \
--platform linux/amd64 \
--provenance=false \
-t $IMAGE_URI \
. \
--push

- name: Force new ECS deployment
run: |
aws ecs update-service \
--cluster $ECS_CLUSTER \
--service $ECS_SERVICE \
--force-new-deployment \
--region $AWS_REGION
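Review bot: the Configure AWS credentials step authenticates with long-lived IAM user keys (aws-access-key-id / aws-secret-access-key from repository secrets), which never expire and are visible to every later step and action in the job. configure-aws-credentials supports OIDC: give the job permissions with id-token: write, create a role whose trust policy is restricted to this repository's main branch, and pass it as role-to-assume so each run receives short-lived credentials scoped to pushing this ECR repository and updating this one ECS service. Separately, --provenance=false in the buildx command switches off the build provenance attestation that buildx attaches by default; if that is a deliberate compatibility choice, record the reason in a comment, otherwise drop the flag.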
Comment on lines +50 to +56


⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Improve this by updating the task definition.

Currently only --force-new-deployment is used, which merely redeploys the existing task definition and does not pick up a new image tag. Because IMAGE_TAG is latest this may happen to work, but explicitly updating the task definition so it references the new image is safer and more predictable.

In particular, if the image tag is changed dynamically (for example, using the Git SHA), updating the task definition is mandatory.

🔧 Suggested fix

Use the aws-actions/amazon-ecs-deploy-task-definition action:

+      - name: Download task definition
+        run: |
+          aws ecs describe-task-definition \
+            --task-definition momentlit-auth-task \
+            --region ${{ env.AWS_REGION }} \
+            --query 'taskDefinition' > task-definition.json
+
+      - name: Fill in the new image ID in the Amazon ECS task definition
+        id: task-def
+        uses: aws-actions/amazon-ecs-render-task-definition@v1
+        with:
+          task-definition: task-definition.json
+          container-name: auth
+          image: ${{ env.AWS_ACCOUNT_ID }}.dkr.ecr.${{ env.AWS_REGION }}.amazonaws.com/${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG }}
+
+      - name: Deploy Amazon ECS task definition
+        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
+        with:
+          task-definition: ${{ steps.task-def.outputs.task-definition }}
+          service: ${{ env.ECS_SERVICE }}
+          cluster: ${{ env.ECS_CLUSTER }}
+          wait-for-service-stability: true
-
-      - name: Force new ECS deployment
-        run: |
-          aws ecs update-service \
-            --cluster $ECS_CLUSTER \
-            --service $ECS_SERVICE \
-            --force-new-deployment \
-            --region $AWS_REGION
-
-      - name: Wait for ECS service stable
-        run: |
-          aws ecs wait services-stable \
-            --cluster $ECS_CLUSTER \
-            --services $ECS_SERVICE \
-            --region $AWS_REGION

Note: adjust the task definition name and container name to your actual values.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy.yml around lines 50 - 56, The current ECS
deployment step only uses --force-new-deployment without explicitly updating the
task definition to reference the new image, which is unreliable when using
dynamic image tags. Replace the aws ecs update-service command with the
aws-actions/amazon-ecs-deploy-task-definition GitHub Action, which will properly
update the task definition with the new image tag before deploying. Ensure you
reference the correct task definition name and container name (which need to
match your actual ECS configuration) in the action configuration, along with the
image parameter that includes the new IMAGE_TAG value.
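To make the task-definition update concrete, and to tie it to the image-tag comment at the top of this thread, here is an added example that is not code from MomentLit/Auth or from the actions named above. It reproduces in Python what amazon-ecs-render-task-definition and amazon-ecs-deploy-task-definition do, so the same steps can be driven from boto3 or the AWS CLI when the actions are not wanted: take the describe-task-definition output, swap one container's image, strip the read-only fields that register-task-definition rejects, register the revision and point the service at it. The task-definition family, container name, account ID and sample describe-task-definition output are constructed values, not the project's real configuration, and the image builder refuses a mutable tag such as latest so each revision records which commit it runs.

```python
"""Roll out a SHA-tagged image by registering a new ECS task-definition revision.

Added example; not code from the MomentLit/Auth repository. Family name,
container name, account ID and SAMPLE_TASK_DEF below are constructed values.
deploy_new_revision() takes a boto3 ECS client; nothing here needs network
access unless that function is called with a real client.
"""
import copy

# Returned by describe-task-definition but not accepted as input by
# register-task-definition; sending them back produces a validation error.
READ_ONLY_FIELDS = {
    "taskDefinitionArn", "revision", "status", "requiresAttributes",
    "compatibilities", "registeredAt", "registeredBy", "deregisteredAt",
}
MUTABLE_TAGS = {"latest", ""}


def image_uri(account_id: str, region: str, repository: str, tag: str) -> str:
    """Build the ECR image URI, refusing a mutable tag so each revision is traceable."""
    if tag in MUTABLE_TAGS:
        raise ValueError(f"use an immutable tag such as the commit SHA, not {tag!r}")
    return f"{account_id}.dkr.ecr.{region}.amazonaws.com/{repository}:{tag}"


def render_task_definition(task_def: dict, container_name: str, image: str) -> dict:
    """Return a copy of task_def that register_task_definition will accept."""
    rendered = copy.deepcopy(task_def)
    for field in READ_ONLY_FIELDS:
        rendered.pop(field, None)
    targets = [c for c in rendered.get("containerDefinitions", []) if c.get("name") == container_name]
    if len(targets) != 1:
        raise ValueError(f"expected exactly one container named {container_name!r}, found {len(targets)}")
    targets[0]["image"] = image
    return rendered


def deploy_new_revision(ecs, cluster: str, service: str, family: str, container_name: str, image: str) -> str:
    """`ecs` is a boto3 ECS client (boto3.client('ecs')); returns the new revision ARN.

    Unlike `update-service --force-new-deployment`, the service is pointed at a
    new revision, so rollback is `update-service --task-definition <previous ARN>`
    and the deployed code version is visible in the revision history.
    """
    current = ecs.describe_task_definition(taskDefinition=family)["taskDefinition"]
    rendered = render_task_definition(current, container_name, image)
    new_arn = ecs.register_task_definition(**rendered)["taskDefinition"]["taskDefinitionArn"]
    ecs.update_service(cluster=cluster, service=service, taskDefinition=new_arn)
    # Blocks until the deployment reaches a steady state (or the waiter times out).
    ecs.get_waiter("services_stable").wait(cluster=cluster, services=[service])
    return new_arn


# Constructed sample of what describe-task-definition returns, trimmed.
SAMPLE_TASK_DEF = {
    "taskDefinitionArn": "arn:aws:ecs:ap-northeast-2:111122223333:task-definition/auth:7",
    "family": "auth",
    "revision": 7,
    "status": "ACTIVE",
    "networkMode": "awsvpc",
    "requiresCompatibilities": ["FARGATE"],
    "cpu": "256",
    "memory": "512",
    "executionRoleArn": "arn:aws:iam::111122223333:role/ecsTaskExecutionRole",
    "containerDefinitions": [
        {"name": "auth", "image": "111122223333.dkr.ecr.ap-northeast-2.amazonaws.com/auth:latest", "essential": True},
        {"name": "log-router", "image": "public.ecr.aws/aws-observability/aws-for-fluent-bit:stable", "essential": False},
    ],
    "requiresAttributes": [{"name": "ecs.capability.execution-role-ecr-pull"}],
    "compatibilities": ["EC2", "FARGATE"],
    "registeredAt": "2024-01-01T00:00:00+00:00",
    "registeredBy": "arn:aws:iam::111122223333:user/ci",
}

if __name__ == "__main__":
    import json
    uri = image_uri("111122223333", "ap-northeast-2", "auth", "0123456789abcdef0123456789abcdef01234567")
    print(json.dumps(render_task_definition(SAMPLE_TASK_DEF, "auth", uri), indent=2))
```

In a workflow step this is `python deploy_revision.py` after the ECR push, with the same AWS credentials the job already has; the IAM permissions it needs beyond the ECR push are ecs:DescribeTaskDefinition, ecs:RegisterTaskDefinition, ecs:UpdateService, ecs:DescribeServices and iam:PassRole for the execution and task roles named in the definition.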


- name: Wait for ECS service stable
run: |
aws ecs wait services-stable \
--cluster $ECS_CLUSTER \
--services $ECS_SERVICE \
--region $AWS_REGION
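Review bot: aws ecs wait services-stable polls every 15 seconds and gives up after 40 attempts, so a rollout longer than 10 minutes fails this step while the deployment keeps going, and a task that crashes on start leaves the service unstable with no rollback, because the job only re-runs the same latest-tagged task definition. Enable the deployment circuit breaker with rollback on the service (deploymentConfiguration.deploymentCircuitBreaker with enable and rollback set in update-service) so ECS reverts to the last healthy deployment on its own, and have this step read the primary deployment's rolloutState after the wait so a FAILED rollout fails the job explicitly instead of timing out.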