feat: GitHub Actions CI/CD #6
📝 Walkthrough

Changes: ECS deployment workflow

Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant Dev as Developer (push to main)
    participant GHA as GitHub Actions
    participant ECR as Amazon ECR
    participant ECS as Amazon ECS
    Dev->>GHA: push to main branch / manual run
    GHA->>ECR: configure AWS credentials and log in
    GHA->>ECR: build Docker image (linux/amd64) and push
    GHA->>ECS: update-service --force-new-deployment
    ECS-->>GHA: wait services-stable (stabilisation complete)
    GHA-->>Dev: deployment complete
```
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks: ✅ 4 passed | ❌ 1 failed (inconclusive)
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/deploy.yml:
- Line 15: Replace the hardcoded IMAGE_TAG: latest with an immutable tag using
the commit SHA (e.g., ${{ github.sha }}) to ensure each deployment tracks to a
specific commit. Update the ECR push step to use this immutable tag instead of
overwriting 'latest'. In the ECS deployment step, use register-task-definition
to create a new task definition revision that explicitly references the specific
image tag (not 'latest'), and deploy this new revision instead of relying only
on --force-new-deployment. Additionally, add a concurrency configuration to the
workflow to ensure main branch deployments execute sequentially rather than in
parallel, preventing race conditions where older commits could be redeployed.
- Around line 18-24: The workflow lacks explicit GITHUB_TOKEN permission
restrictions and the checkout step stores credentials in the git configuration,
which could expose them when the Docker build context includes the .git
directory. Add a `permissions:` block at the deploy job level to explicitly
limit token scope to minimum necessary permissions, and configure the checkout
step with `persist-credentials: false` to prevent storing the token in git
config, thereby reducing the risk of credential exposure in the Docker build
context.
- Around line 23-37: Pin all GitHub Actions to their full commit SHA values
instead of version tags to mitigate supply chain security risks in this
deployment workflow. Replace the `@v4`, `@v5`, `@v2`, and `@v3` version tags in
the `uses:` statements for actions/checkout,
aws-actions/configure-aws-credentials, aws-actions/amazon-ecr-login, and
docker/setup-buildx-action with their corresponding full commit SHAs. Add the
original version tag as a comment after each SHA for readability (for example,
`uses: actions/checkout@<full-commit-sha> # v4`). Consider using Renovate or
Dependabot to automatically manage and update these SHAs in the future.
📒 Files selected for processing (1)
.github/workflows/deploy.yml
```yaml
ECR_REPOSITORY: momentlit/user
ECS_CLUSTER: default
ECS_SERVICE: momentlit-user-service
IMAGE_TAG: latest
```
Ensure deployment reproducibility with immutable tags and a newly registered task definition

If IMAGE_TAG: latest keeps being overwritten and only --force-new-deployment is called, then when several workflow runs execute concurrently, the run that finishes last can redeploy the image of an older commit. Because the previous image is overwritten, deployment tracking and rollback are also difficult.

Push the commit SHA (e.g. ${{ github.sha }}) to ECR as an immutable tag, register a new task definition revision with register-task-definition that points at that image, and then deploy it. In addition, configuring workflow concurrency so that main branch deployments run sequentially makes this even safer.
```yaml
deploy:
  name: Build and Deploy User
  runs-on: ubuntu-latest

  steps:
    - name: Checkout source code
      uses: actions/checkout@v4
```
Explicitly restrict the GITHUB_TOKEN scope and disable credential persistence in checkout.

The workflow has no permissions: block, so the default permissions apply, and actions/checkout@v4 by default stores the token in the working directory's git configuration. The docker buildx build . command on line 47 then passes the entire repository, including the .git directory, as the build context, so these credentials are at risk of being exposed more widely than necessary.
Suggested fix

```diff
 jobs:
   deploy:
     name: Build and Deploy User
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout source code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
```

🧰 Tools

🪛 zizmor (1.25.2)
- [warning] 23-24: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
- [warning] 18-63: overly broad permissions (excessive-permissions): default permissions used due to no permissions: block
- [error] 24-24: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
Source: Linters/SAST tools
```yaml
- name: Checkout source code
  uses: actions/checkout@v4

- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v5
  with:
    aws-region: ${{ env.AWS_REGION }}
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

- name: Login to Amazon ECR
  uses: aws-actions/amazon-ecr-login@v2

- name: Set up Docker Buildx
  uses: docker/setup-buildx-action@v3
```
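Review bot: the "Configure AWS credentials" step authenticates with long-lived static keys (`aws-access-key-id` / `aws-secret-access-key` read from repository secrets), and this job holds push rights to ECR and deploy rights to ECS. Consider switching to OIDC role assumption instead: set `role-to-assume:` on aws-actions/configure-aws-credentials and grant `id-token: write` in the job's `permissions:` block, so the runner receives short-lived credentials and no long-lived access key exists in the repository secrets to be leaked or rotated.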
Pin GitHub Actions to full commit SHAs.

The workflow currently uses version tags such as @v4, @v5, @v2 and @v3, but these tags are movable and therefore introduce supply chain security risk. Since this workflow holds deployment permissions, it is recommended to pin each uses: entry to a verified full commit SHA and add the version as a comment for readability (e.g. uses: actions/checkout@<full-sha> # v4). Managing SHA updates with an automation tool such as Renovate or Dependabot keeps maintenance easy.
🧰 Tools

🪛 zizmor (1.25.2)
- [warning] 23-24: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
- [error] 24-24: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
- [error] 27-27: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
- [error] 34-34: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
- [error] 37-37: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
#️⃣ Related issues
📝 Work description
💻 Screenshots (optional)
💬 Review requests (optional)
Summary by CodeRabbit

Release Notes