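---
# Build the application image on every push to master, publish it to Docker
# Hub, then SSH to the EC2 host, refresh its .env and restart the compose
# stack from the freshly pushed image.
name: Deploy to EC2

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - master

# Least privilege for GITHUB_TOKEN: the workflow only needs to read the repo;
# Docker Hub and the EC2 host are reached with dedicated secrets.
permissions:
  contents: read

# Serialise deploys. Two overlapping runs would race on the remote .env and on
# `compose up`; a queued run still deploys the most recent push.
concurrency:
  group: deploy-ec2
  cancel-in-progress: false

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
      # Actions are pinned to release tags; pinning to a full commit SHA would
      # additionally protect against a tag being moved.
      - uses: actions/checkout@v4

      # Fail fast with a readable list instead of a cryptic error later.
      # Secrets are passed through `env:` rather than interpolated into the
      # script text, so a value containing shell metacharacters (or the
      # multi-line EC2_KEY) can neither break nor alter the script.
      - name: GitHub 필수 시크릿 체크
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
          EC2_HOST: ${{ secrets.EC2_HOST }}
          EC2_USER: ${{ secrets.EC2_USER }}
          EC2_KEY: ${{ secrets.EC2_KEY }}
        run: |
          missing=""
          # check NAME VALUE — append NAME to $missing when VALUE is empty.
          check() {
            if [ -z "$2" ]; then
              missing="$missing $1"
            fi
          }
          check DOCKER_USERNAME "${DOCKER_USERNAME:-}"
          check DOCKER_PASSWORD "${DOCKER_PASSWORD:-}"
          check EC2_HOST "${EC2_HOST:-}"
          check EC2_USER "${EC2_USER:-}"
          check EC2_KEY "${EC2_KEY:-}"
          if [ -n "$missing" ]; then
            echo "❌ GitHub Actions 실행에 필요한 시크릿 누락:$missing"
            exit 1
          fi
          echo "✅ GitHub Actions 필수 시크릿 확인 완료"

      - name: Docker Hub 로그인
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      # `:latest` is what the EC2 host pulls; the commit-SHA tag is pushed
      # alongside it so each deploy stays traceable to an exact build and can
      # be rolled back without rebuilding. The username comes in via `env:`
      # and is quoted, so the image reference cannot be split by the shell.
      - name: 이미지 빌드 & Push
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
          IMAGE_SHA_TAG: ${{ github.sha }}
        run: |
          image="${DOCKER_USERNAME}/nutrishare"
          docker build -t "${image}:latest" -t "${image}:${IMAGE_SHA_TAG}" .
          docker push "${image}:latest"
          docker push "${image}:${IMAGE_SHA_TAG}"

      # The remote script rebuilds ~/Spring/.env from two sources — a GitHub
      # secret when it is set, otherwise the value already present in the
      # server's .env — validates the compose config, then restarts `app`.
      # NOTE(review): secret values are interpolated into the script text
      # below; ssh-action's `envs` input would keep them out of the script
      # body — confirm how it quotes values before switching.
      - name: EC2 배포
        uses: appleboy/ssh-action@v1.0.3
        with:
          host: ${{ secrets.EC2_HOST }}
          username: ${{ secrets.EC2_USER }}
          key: ${{ secrets.EC2_KEY }}
          script: |
            cd ~/Spring || exit 1
            # Bring the checkout to exactly origin/master; untracked files such
            # as .env survive a hard reset.
            git fetch --prune origin master || exit 1
            git checkout master || exit 1
            git reset --hard origin/master || exit 1
            # Prefer the standalone docker-compose binary, fall back to the plugin.
            compose() {
              if command -v docker-compose >/dev/null 2>&1; then
                docker-compose "$@"
              else
                docker compose "$@"
              fi
            }
            old_env=.env
            # mktemp creates the file with mode 0600 in the current directory, so
            # the secrets are never world-readable; the mv below keeps that mode.
            tmp_env=$(mktemp .env.XXXXXX) || exit 1
            missing_runtime=""
            trap 'rm -f "$tmp_env"' EXIT
            # existing_env_value KEY — print the value of KEY from the current
            # .env (last occurrence wins, empty output when absent). Never fails.
            existing_env_value() {
              key="$1"
              if [ -f "$old_env" ]; then
                awk -v key="$key" '
                  index($0, key "=") == 1 {
                    value = substr($0, length(key) + 2)
                    found = 1
                  }
                  END {
                    if (found) {
                      printf "%s", value
                    }
                  }
                ' "$old_env" || true
              fi
              return 0
            }
            # write_env KEY INCOMING [required|optional] — append KEY=value to
            # the new .env, taking INCOMING (the GitHub secret) when non-empty
            # and the server's existing value otherwise. A required key that
            # resolves to blank is recorded in $missing_runtime. Only the
            # source is echoed, never the value, so logs stay secret-free.
            write_env() {
              key="$1"
              incoming="$2"
              required="${3:-optional}"
              if [ -n "$incoming" ]; then
                value="$incoming"
                source="github-secret"
              else
                value=$(existing_env_value "$key")
                source="server-env"
              fi
              if [ -z "$(printf '%s' "$value" | tr -d '[:space:]')" ] && [ "$required" = "required" ]; then
                missing_runtime="$missing_runtime $key"
              fi
              printf '%s=%s\n' "$key" "$value" >> "$tmp_env" || exit 1
              echo "${key}: ${source}"
              return 0
            }
            write_env DOCKER_USERNAME "${{ secrets.DOCKER_USERNAME }}" required
            write_env MYSQL_ROOT_PASSWORD "${{ secrets.MYSQL_ROOT_PASSWORD }}" required
            write_env MYSQL_DATABASE "${{ secrets.MYSQL_DATABASE }}" required
            write_env MYSQL_USER "${{ secrets.MYSQL_USER }}" required
            write_env MYSQL_PASSWORD "${{ secrets.MYSQL_PASSWORD }}" required
            write_env DB_URL "${{ secrets.DB_URL }}" required
            write_env DB_USERNAME "${{ secrets.DB_USERNAME }}" required
            write_env DB_PASSWORD "${{ secrets.DB_PASSWORD }}" required
            write_env REDIS_HOST "${{ secrets.REDIS_HOST }}" required
            write_env REDIS_PORT "${{ secrets.REDIS_PORT }}" required
            write_env GOOGLE_CLIENT_ID "${{ secrets.GOOGLE_CLIENT_ID }}" optional
            write_env GOOGLE_CLIENT_SECRET "${{ secrets.GOOGLE_CLIENT_SECRET }}" optional
            write_env KAKAO_CLIENT_ID "${{ secrets.KAKAO_CLIENT_ID }}" optional
            write_env KAKAO_CLIENT_SECRET "${{ secrets.KAKAO_CLIENT_SECRET }}" optional
            write_env KAKAO_ADMIN_KEY "${{ secrets.KAKAO_ADMIN_KEY }}" required
            write_env JWT_SECRET "${{ secrets.JWT_SECRET }}" required
            write_env FRONTEND_URL "${{ secrets.FRONTEND_URL }}" required
            write_env APP_QA_SEED_ENABLED "${{ secrets.APP_QA_SEED_ENABLED }}" optional
            # Abort before touching the live .env; the EXIT trap removes the temp file.
            if [ -n "$missing_runtime" ]; then
              echo "❌ GitHub Secret도 없고 EC2 기존 .env에도 없는 런타임 값:$missing_runtime"
              exit 1
            fi
            mv "$tmp_env" .env
            trap - EXIT
            # Validate compose file + .env before any container is touched.
            compose config >/dev/null || exit 1
            docker pull "${{ secrets.DOCKER_USERNAME }}/nutrishare:latest" || exit 1
            compose up -d --force-recreate app || exit 1
            # Confirm the required key actually reached the running container.
            compose exec -T app sh -lc 'test -n "${KAKAO_ADMIN_KEY:-}"' || exit 1
            echo "✅ KAKAO_ADMIN_KEY injected into app container"
            compose ps || exit 1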