From e9411bac84d988d857b6aabc0cf0a6cad21f4bc2 Mon Sep 17 00:00:00 2001
From: dmori
Date: Sat, 21 Feb 2026 15:26:16 +0900
Subject: [PATCH 1/6] =?UTF-8?q?improve:=20=EC=95=A0=ED=94=8C=20=ED=82=A4?= =?UTF-8?q?=20=ED=8C=8C=EC=9D=BC=EC=9D=84=20=ED=8C=8C=EC=9D=BC=EC=8B=9C?= =?UTF-8?q?=EC=8A=A4=ED=85=9C=20=EC=A0=88=EB=8C=80=EA=B2=BD=EB=A1=9C?= =?UTF-8?q?=EC=97=90=EC=84=9C=20=EC=9D=BD=EC=96=B4=EC=98=A4=EB=8F=84?= =?UTF-8?q?=EB=A1=9D=20=EB=B3=80=EA=B2=BD?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../global/security/util/AppleClientSecretGenerator.java | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/main/java/com/techfork/global/security/util/AppleClientSecretGenerator.java b/src/main/java/com/techfork/global/security/util/AppleClientSecretGenerator.java
index 4e891ff5..e124318f 100644
--- a/src/main/java/com/techfork/global/security/util/AppleClientSecretGenerator.java
+++ b/src/main/java/com/techfork/global/security/util/AppleClientSecretGenerator.java
@@ -4,11 +4,11 @@
 import io.jsonwebtoken.SignatureAlgorithm;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Value;
-import org.springframework.core.io.ClassPathResource;
 import org.springframework.stereotype.Component;
 
 import java.io.IOException;
 import java.nio.file.Files;
+import java.nio.file.Paths;
 import java.security.KeyFactory;
 import java.security.PrivateKey;
 import java.security.spec.PKCS8EncodedKeySpec;
@@ -65,8 +65,7 @@ public String generateClientSecret() {
      */
     private PrivateKey getPrivateKey() throws Exception {
         try {
-            ClassPathResource resource = new ClassPathResource(privateKeyPath);
-            String privateKeyContent = new String(Files.readAllBytes(resource.getFile().toPath()));
+            String privateKeyContent = new String(Files.readAllBytes(Paths.get(privateKeyPath)));
 
             // PEM 파일에서 헤더/푸터 제거
             privateKeyContent = privateKeyContent

From 0077398a46154d7bf5f46a517d2950098fdcc8ce Mon Sep 17 00:00:00 2001
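Review bot: `new String(Files.readAllBytes(...))` on the added line decodes the key file with the platform default charset; for a PEM file that is harmless in practice, but it is the one idiom the JDK discourages, and `new String(Files.readAllBytes(Paths.get(privateKeyPath)), StandardCharsets.UTF_8)` (with `import java.nio.charset.StandardCharsets;`) makes the intent explicit. With ClassPathResource gone, a relative `privateKeyPath` such as the `keys/AppleAuthKey.p8` default in application.yml now resolves against the JVM working directory rather than the classpath, which deserves a sentence in the method's Javadoc; its closing `*/` is the first context line, so the Javadoc text itself is outside the hunk. getPrivateKey's body, including the catch for this try, continues past the end of the hunk.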
From: dmori
Date: Sat, 21 Feb 2026 15:27:02 +0900
Subject: [PATCH 2/6] =?UTF-8?q?chore:=20docker=20compose=EC=97=90=20?= =?UTF-8?q?=EC=9D=BD=EA=B8=B0=20=EC=A0=84=EC=9A=A9=20=EB=B3=BC=EB=A5=A8=20?= =?UTF-8?q?=EB=A7=88=EC=9A=B4=ED=8A=B8?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 docker/docker-compose.blue.yml | 4 +++-
 docker/docker-compose.dev.yml | 4 +++-
 docker/docker-compose.green.yml | 4 +++-
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/docker/docker-compose.blue.yml b/docker/docker-compose.blue.yml
index e493ca79..7777b793 100644
--- a/docker/docker-compose.blue.yml
+++ b/docker/docker-compose.blue.yml
@@ -18,11 +18,13 @@ services:
       - APPLE_TEAM_ID=${APPLE_TEAM_ID}
       - APPLE_KEY_ID=${APPLE_KEY_ID}
       - APPLE_CLIENT_ID=${APPLE_CLIENT_ID}
-      - APPLE_PRIVATE_KEY_PATH=keys/AuthKey_${APPLE_KEY_ID}.p8
+      - APPLE_PRIVATE_KEY_PATH=/app/keys/AuthKey_${APPLE_KEY_ID}.p8
       - JWT_SECRET=${JWT_SECRET}
       - JWT_REDIRECT_URI=${JWT_REDIRECT_URI}
       - JWT_LOGIN_FAILURE_REDIRECT_URI=${JWT_LOGIN_FAILURE_REDIRECT_URI}
       - SERVER_DOMAIN=${SERVER_DOMAIN}
+    volumes:
+      - ~/keys:/app/keys:ro
     networks:
       techfork-network:
         aliases:
diff --git a/docker/docker-compose.dev.yml b/docker/docker-compose.dev.yml
index 393bb697..773d16e4 100644
--- a/docker/docker-compose.dev.yml
+++ b/docker/docker-compose.dev.yml
@@ -18,11 +18,13 @@ services:
       - APPLE_TEAM_ID=${APPLE_TEAM_ID}
       - APPLE_KEY_ID=${APPLE_KEY_ID}
       - APPLE_CLIENT_ID=${APPLE_CLIENT_ID}
-      - APPLE_PRIVATE_KEY_PATH=keys/AuthKey_${APPLE_KEY_ID}.p8
+      - APPLE_PRIVATE_KEY_PATH=/app/keys/AuthKey_${APPLE_KEY_ID}.p8
       - JWT_SECRET=${JWT_SECRET}
       - JWT_REDIRECT_URI=${JWT_REDIRECT_URI_DEV}
       - JWT_LOGIN_FAILURE_REDIRECT_URI=${JWT_LOGIN_FAILURE_REDIRECT_URI_DEV}
       - SERVER_DOMAIN=${SERVER_DOMAIN}
+    volumes:
+      - ~/keys:/app/keys:ro
     networks:
       techfork-network:
         aliases:
diff --git a/docker/docker-compose.green.yml b/docker/docker-compose.green.yml
index 8349968b..b9b82664 100644
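Review bot: The new `~/keys:/app/keys:ro` mount exposes the whole host directory to the container although it only needs the one key file; mounting just that file, `- ~/keys/AuthKey_${APPLE_KEY_ID}.p8:/app/keys/AuthKey_${APPLE_KEY_ID}.p8:ro`, keeps anything later dropped into `~/keys` out of the container. The same mount is added in the dev and green compose hunks. Separately, the workflow sets the key file to mode 600 owned by the SSH user, so if the image runs the app under a different non-root UID (the Dockerfile is not in this diff) the read will fail with a permission error rather than a missing-file one; worth confirming against the image's USER.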
--- a/docker/docker-compose.green.yml
+++ b/docker/docker-compose.green.yml
@@ -18,11 +18,13 @@ services:
       - APPLE_TEAM_ID=${APPLE_TEAM_ID}
       - APPLE_KEY_ID=${APPLE_KEY_ID}
       - APPLE_CLIENT_ID=${APPLE_CLIENT_ID}
-      - APPLE_PRIVATE_KEY_PATH=keys/AuthKey_${APPLE_KEY_ID}.p8
+      - APPLE_PRIVATE_KEY_PATH=/app/keys/AuthKey_${APPLE_KEY_ID}.p8
       - JWT_SECRET=${JWT_SECRET}
       - JWT_REDIRECT_URI=${JWT_REDIRECT_URI}
       - JWT_LOGIN_FAILURE_REDIRECT_URI=${JWT_LOGIN_FAILURE_REDIRECT_URI}
       - SERVER_DOMAIN=${SERVER_DOMAIN}
+    volumes:
+      - ~/keys:/app/keys:ro
     networks:
       techfork-network:
         aliases:

From 0fe4ca03df7e216f736be91afd9260d8ddc08615 Mon Sep 17 00:00:00 2001
From: dmori
Date: Sat, 21 Feb 2026 15:52:49 +0900
Subject: [PATCH 3/6] =?UTF-8?q?chore:=20.p8=20=ED=82=A4=20=ED=8C=8C?= =?UTF-8?q?=EC=9D=BC=EC=9D=84=20EC2=EC=97=90=EC=84=9C=20=EC=83=9D=EC=84=B1?= =?UTF-8?q?=ED=95=98=EB=8F=84=EB=A1=9D=20=EB=B3=80=EA=B2=BD?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .github/workflows/cd.yml | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 5e484c64..8a431683 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -32,11 +32,6 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Create Apple Private Key file
-        run: |
-          mkdir -p src/main/resources/keys
-          echo "${{ secrets.APPLE_PRIVATE_KEY }}" > src/main/resources/keys/AuthKey_${{ secrets.APPLE_KEY_ID }}.p8
-
       - name: Login to DockerHub
         uses: docker/login-action@v3
         with:
@@ -71,7 +66,6 @@ jobs:
           APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
           APPLE_KEY_ID: ${{ secrets.APPLE_KEY_ID }}
           APPLE_CLIENT_ID: ${{ secrets.APPLE_CLIENT_ID }}
-          APPLE_PRIVATE_KEY: ${{ secrets.APPLE_PRIVATE_KEY }}
           JWT_SECRET: ${{ secrets.JWT_SECRET }}
           JWT_REDIRECT_URI: ${{ secrets.JWT_REDIRECT_URI }}
           JWT_REDIRECT_URI_DEV: ${{ secrets.JWT_REDIRECT_URI_DEV }}
@@ -92,6 +86,22 @@ jobs:
           source: "docker/,scripts/deploy.sh"
           target: "~/deploy/"
 
+      - name: Place Apple private key on server
+        uses: appleboy/ssh-action@v1
+        env:
+          APPLE_PRIVATE_KEY: ${{ secrets.APPLE_PRIVATE_KEY }}
+          APPLE_KEY_ID: ${{ secrets.APPLE_KEY_ID }}
+        with:
+          host: ${{ secrets.EC2_HOST }}
+          username: ${{ secrets.EC2_USERNAME }}
+          key: ${{ secrets.EC2_SSH_KEY }}
+          envs: APPLE_PRIVATE_KEY,APPLE_KEY_ID
+          script: |
+            mkdir -p ~/keys
+            chmod 700 ~/keys
+            printf '%s' "$APPLE_PRIVATE_KEY" > ~/keys/AuthKey_${APPLE_KEY_ID}.p8
+            chmod 600 ~/keys/AuthKey_${APPLE_KEY_ID}.p8
+
       - name: Deploy with blue-green strategy
         uses: appleboy/ssh-action@v1
         with:
@@ -103,7 +113,7 @@ jobs:
             DOCKER_IMAGE,BRANCH,SPRING_PROFILES_ACTIVE,DB_URL,DB_PASSWORD,REDIS_PASSWORD,
             DISCORD_WEBHOOK_URL,ANTHROPIC_API_KEY,OPENAI_API_KEY,
             KAKAO_REST_API_KEY,KAKAO_CLIENT_SECRET,
-            APPLE_TEAM_ID,APPLE_KEY_ID,APPLE_CLIENT_ID,APPLE_PRIVATE_KEY,
+            APPLE_TEAM_ID,APPLE_KEY_ID,APPLE_CLIENT_ID,
             JWT_SECRET,JWT_REDIRECT_URI,JWT_REDIRECT_URI_DEV,JWT_LOGIN_FAILURE_REDIRECT_URI,JWT_LOGIN_FAILURE_REDIRECT_URI_DEV,SERVER_DOMAIN
           script: |
             cd ~/deploy

From 66aa7a4b07f22ff79ed92a0f4ca774e2617d9b36 Mon Sep 17 00:00:00 2001
From: dmori
Date: Sat, 21 Feb 2026 15:54:10 +0900
Subject: [PATCH 4/6] =?UTF-8?q?deploy:=20Apple=20Private=20Key=EB=8A=94=20?= =?UTF-8?q?=ED=99=98=EA=B2=BD=EB=B3=80=EC=88=98=EC=97=90=EC=84=9C=20?= =?UTF-8?q?=EC=A0=9C=EA=B1=B0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 scripts/deploy.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/deploy.sh b/scripts/deploy.sh
index 3d38a072..7cd9cd27 100644
--- a/scripts/deploy.sh
+++ b/scripts/deploy.sh
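Review bot: The key-placement script writes `$APPLE_PRIVATE_KEY` unconditionally, so a missing or empty secret silently produces an empty (or, if `APPLE_KEY_ID` is unset, misnamed) `.p8` and the failure only surfaces later when the app tries to parse it; a guard as the first script line, `: "${APPLE_PRIVATE_KEY:?not set}" "${APPLE_KEY_ID:?not set}"`, fails the job with a clear message instead. The `mkdir -p`/`chmod 700` before the redirect means the file is created inside a private directory, so the short umask window before `chmod 600` is acceptable here. One follow-up worth recording in the PR: the step removed in this file's first hunk wrote the key under `src/main/resources/keys` before the image build, so if the Dockerfile (not in this diff) copied resources into the image, previously published images may still embed the key, which argues for rotating it once this change is live.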
@@ -102,7 +102,7 @@ trap cleanup EXIT
 
 # Generate .env from SSH-injected environment variables
 log "Writing .env file..."
-env | grep -E '^(DOCKER_IMAGE|BRANCH|SPRING_PROFILES_ACTIVE|DB_|REDIS_|ANTHROPIC_|OPENAI_|DISCORD_|KAKAO_|APPLE_|JWT_|SERVER_)' > "${DOCKER_DIR}/.env"
+env | grep -E '^(DOCKER_IMAGE|BRANCH|SPRING_PROFILES_ACTIVE|DB_|REDIS_|ANTHROPIC_|OPENAI_|DISCORD_|KAKAO_|APPLE_TEAM_ID|APPLE_KEY_ID|APPLE_CLIENT_ID|JWT_|SERVER_)' > "${DOCKER_DIR}/.env"
 chmod 600 "${DOCKER_DIR}/.env"
 
 # Step 1: Ensure Docker network exists

From 2a6164a4137b19a5c71ba45dfccb1bb24fbe56b0 Mon Sep 17 00:00:00 2001
From: dmori
Date: Sat, 21 Feb 2026 15:54:43 +0900
Subject: [PATCH 5/6] =?UTF-8?q?chore:=20Apple=20Private=20Key=20=EA=B2=BD?= =?UTF-8?q?=EB=A1=9C=EB=A5=BC=20=EB=A1=9C=EC=BB=AC=EC=97=90=EC=84=A0=20?= =?UTF-8?q?=EC=83=81=EB=8C=80=EA=B2=BD=EB=A1=9C,=20=EB=B0=B0=ED=8F=AC?= =?UTF-8?q?=EC=97=90=EC=84=A0=20=EC=A0=88=EB=8C=80=EA=B2=BD=EB=A1=9C?= =?UTF-8?q?=EB=A1=9C=20=EC=A7=80=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/main/resources/application-dev.yml | 5 ++++-
 src/main/resources/application.yml | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/main/resources/application-dev.yml b/src/main/resources/application-dev.yml
index c74af667..9329f70d 100644
--- a/src/main/resources/application-dev.yml
+++ b/src/main/resources/application-dev.yml
@@ -42,4 +42,7 @@ logging:
     com.techfork: INFO
     org.springframework.batch: INFO
     org.hibernate.SQL: INFO
-    org.hibernate.type.descriptor.sql.BasicBinder: WARN
\ No newline at end of file
+    org.hibernate.type.descriptor.sql.BasicBinder: WARN
+
+apple:
+  private-key-path: /app/keys/AuthKey_${APPLE_KEY_ID}.p8
\ No newline at end of file
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
index 7b32bb04..42e507d6 100644
--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
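Review bot: The rewritten `env | grep … > "${DOCKER_DIR}/.env"` line creates the file under the current umask and only the following `chmod 600` tightens it, so the secrets it contains are briefly readable to whatever the umask allows unless `${DOCKER_DIR}` itself is private; putting `umask 077` on the line before removes that window. The narrowed pattern correctly keeps `APPLE_PRIVATE_KEY` out of .env should it ever reappear in the SSH environment, but it also drops `APPLE_PRIVATE_KEY_PATH`, which is fine only because the compose files now set that variable literally.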
@@ -77,7 +77,7 @@ jwt:
 apple:
   team-id: ${APPLE_TEAM_ID}
   key-id: ${APPLE_KEY_ID}
-  private-key-path: ${APPLE_PRIVATE_KEY_PATH:keys/AppleAuthKey.p8}
+  private-key-path: keys/AppleAuthKey.p8
 
 server:
   domain: ${SERVER_DOMAIN:localhost}

From e415a9a42ac75626f1351ee84a0ae8de86f5ef71 Mon Sep 17 00:00:00 2001
From: dmori
Date: Sat, 21 Feb 2026 16:03:50 +0900
Subject: [PATCH 6/6] =?UTF-8?q?chore:=20.gitignore=20keys=20=ED=8F=B4?= =?UTF-8?q?=EB=8D=94=20=EC=9C=84=EC=B9=98=20=EB=B3=80=EA=B2=BD=EC=97=90=20?= =?UTF-8?q?=EB=94=B0=EB=9D=BC=20=EC=97=85=EB=8D=B0=EC=9D=B4=ED=8A=B8?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .gitignore | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.gitignore b/.gitignore
index 24e7deb3..dbe08ede 100644
--- a/.gitignore
+++ b/.gitignore
@@ -56,7 +56,7 @@ stop-dev-tunnel.sh
 .env
 
 ### Apple Private Keys ###
-src/main/resources/keys/
+/keys
 *.p8
 
 ### Test json files ###
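Review bot: Replacing `${APPLE_PRIVATE_KEY_PATH:keys/AppleAuthKey.p8}` with the bare relative path removes the visible link between this property and the `APPLE_PRIVATE_KEY_PATH` variable that the blue/green/dev compose files still export; whether a deployed container ends up reading `/app/keys/...` then depends on a profile file outside this diff or on Spring's relaxed environment binding overriding the yml value, neither of which a reader of this file can see. Keeping the placeholder, `private-key-path: ${APPLE_PRIVATE_KEY_PATH:keys/AppleAuthKey.p8}`, preserves the same local default while documenting the override. The application-dev.yml hunk has the mirror issue: it hard-codes the container path, so running the dev profile outside Docker requires the file to exist at `/app/keys`.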