Conversation
- Switch from direct EC2 deployment to ECS rolling-update deployment
- Confirm the deployment has stabilized with wait-for-service-stability
No actionable comments were generated in the recent review.
Walkthrough: a new CD workflow is added to GitHub Actions.

Sequence diagram:

```mermaid
sequenceDiagram
    participant GH as GitHub Actions
    participant ECR as AWS ECR
    participant EC2 as EC2 Instance
    participant Docker as Docker Daemon
    GH->>GH: Detect CI success (workflow_run)
    GH->>ECR: Configure AWS credentials & log in to ECR
    GH->>Docker: Build and tag image (commit, latest)
    GH->>ECR: Push image
    ECR-->>GH: Push complete, image reference returned
    GH->>EC2: SSH connection (appleboy/ssh-action) and run script
    EC2->>ECR: Log in to ECR
    EC2->>ECR: Pull image
    EC2->>Docker: Stop and remove existing container (chingoo-haja)
    EC2->>Docker: Run new container (port 8080:8080, env-file)
    EC2->>EC2: Check container status (up to 60 s)
    EC2->>Docker: Prune unused images
    EC2-->>GH: Deployment complete / send logs
```
Actionable comments posted: 3
🧹 Nitpick comments (1)
.github/workflows/cd.yml (1)
46-46: appleboy/ssh-action@v1 is a floating tag. The current latest release is v1.2.5. @v1 automatically moves to the latest patch release of that major version, so unexpected changes can be picked up. For reproducible builds and supply-chain security, pinning to a patch version is recommended.
- uses: appleboy/ssh-action@v1
+ uses: appleboy/ssh-action@v1.2.5
Prompt for AI Agents
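Review bot: the `+ uses: appleboy/ssh-action@v1.2.5` line still references a mutable tag, so it gives the reproducibility the comment asks for only by convention: a release tag can be moved or re-pushed by whoever controls the action's repository, and the step would silently run the new code. For the supply-chain goal stated here, pin to the full commit SHA of the v1.2.5 release (taken from the action's repository) and keep the version as a trailing comment, `uses: appleboy/ssh-action@<commit-sha> # v1.2.5`, which Dependabot or Renovate can still bump. This is the step that receives the repository secrets in its envs list and opens an SSH session to the EC2 host, so it is where a hijacked tag would do the most damage.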
Verify each finding against the current code and only fix it if needed. In @.github/workflows/cd.yml at line 46, The workflow uses a floating tag for the SSH action ("appleboy/ssh-action@v1"); pin it to the current patch release to ensure reproducible builds and supply-chain stability by replacing the tag with the explicit patch version (for example "appleboy/ssh-action@v1.2.5") in the workflow step that references appleboy/ssh-action so the action will not automatically move to newer patch releases.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/cd.yml:
- Line 51: The workflow currently injects long-lived AWS credentials via the
envs entry "envs:
ECR_REGISTRY,ECR_REPOSITORY,IMAGE_TAG,AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY,AWS_REGION";
remove AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY from that envs list and from
any other identical occurrences (the other envs block around the later copy at
68-74) and rely on an EC2 IAM Instance Role with minimal ECR permissions
(ecr:GetAuthorizationToken, ecr:BatchCheckLayerAvailability,
ecr:GetDownloadUrlForLayer, ecr:BatchGetImage) so aws ecr get-login-password
works via instance metadata; also update README/deployment notes in the repo to
document that the EC2 instance must have the appropriate IAM role instead of
passing credentials.
- Around line 60-67: The workflow runs docker run (container name chingoo-haja)
then immediately docker image prune, but doesn't verify the container started
successfully; add a check after the docker run (targeting the chingoo-haja
container) that waits for service stability by polling container state (e.g.,
using docker inspect --format='{{.State.Health.Status}}' until "healthy" or
checking `docker ps`/exit code) with a timeout and fail the job if the container
exits or never becomes healthy; place this check between the docker run and
docker image prune steps so pruning only happens after successful startup.
- Around line 60-65: The docker run command uses $EC2_USER but EC2_USER is not
passed to the remote environment (missing from the action's envs: list and env:
block), causing --env-file /home//app/.env to break; fix by either referencing
$HOME in the docker run invocation (replace /home/$EC2_USER with $HOME) or
explicitly add EC2_USER to the appleboy/ssh-action envs: list and to the env:
block so the SSH action forwards it as a string (ensure EC2_USER is set to a
string value), updating the workflow to use the chosen variable in the docker
run command.
---
Nitpick comments:
In @.github/workflows/cd.yml:
- Line 46: The workflow uses a floating tag for the SSH action
("appleboy/ssh-action@v1"); pin it to the current patch release to ensure
reproducible builds and supply-chain stability by replacing the tag with the
explicit patch version (for example "appleboy/ssh-action@v1.2.5") in the
workflow step that references appleboy/ssh-action so the action will not
automatically move to newer patch releases.
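The three inline findings above (an instance-role ECR login instead of forwarded access keys, a startup check between docker run and docker image prune, and $HOME instead of the unforwarded $EC2_USER) all land in the script the SSH step runs on the host. The following is an added example written for this review, not the project's cd.yml or its deploy script. It takes the container name chingoo-haja, port 8080, the env-file under the user's home and the 60-second budget from the thread; it assumes, which the page does not state, that the instance profile already grants the four ecr:* permissions listed in the first finding, that ECR_REGISTRY and AWS_REGION are still forwarded through the action's envs list, and that the image may or may not declare a Docker HEALTHCHECK. The function and variable names are the example's own.

```shell
#!/usr/bin/env bash
# Added example for this review, not the project's own deploy script.
# Runs on the EC2 host inside the appleboy/ssh-action step. Only the image
# coordinates, ECR_REGISTRY and AWS_REGION are forwarded over SSH; no AWS
# access keys. Assumption (not on the page): the instance profile grants
# ecr:GetAuthorizationToken, ecr:BatchCheckLayerAvailability,
# ecr:GetDownloadUrlForLayer and ecr:BatchGetImage, so the CLI can obtain
# credentials from the instance metadata service.
set -eu

CONTAINER_NAME="${CONTAINER_NAME:-chingoo-haja}"
# $HOME instead of /home/$EC2_USER: EC2_USER is not in the action's envs list,
# so on the remote side it expands to an empty string (/home//app/.env).
ENV_FILE="${ENV_FILE:-$HOME/app/.env}"
STARTUP_TIMEOUT="${STARTUP_TIMEOUT:-60}"   # seconds, the thread's 60 s budget

# Poll `docker inspect` once a second until the container is healthy (or, for
# an image without a HEALTHCHECK, simply running), or until it exits or the
# budget is spent. Returns 0 on success and 1 on any failure; the caller
# decides what to log. "starting" and "unhealthy" keep polling until timeout.
wait_for_container() {
  local name="$1" timeout="$2" elapsed=0 line status health
  while [ "$elapsed" -lt "$timeout" ]; do
    # One inspect call yields "<status> <health>", with "none" when the image
    # declares no HEALTHCHECK (State.Health is nil in that case).
    line=$(docker inspect \
      --format '{{.State.Status}} {{if .State.Health}}{{.State.Health.Status}}{{else}}none{{end}}' \
      "$name" 2>/dev/null) || return 1          # no such container
    status=${line%% *}
    health=${line#* }
    case "$status/$health" in
      running/healthy|running/none) return 0 ;;  # started
      exited/*|dead/*)              return 1 ;;  # crashed: no point waiting
    esac
    sleep 1
    elapsed=$((elapsed + 1))
  done
  return 1                                       # timed out (still starting/unhealthy)
}

deploy() {
  local image="$1" password
  # The CLI resolves credentials from the instance role; nothing is forwarded
  # over SSH. Capturing the token first means a failing aws call stops the
  # script under `set -e` even without `set -o pipefail`.
  password=$(aws ecr get-login-password --region "$AWS_REGION")
  printf '%s' "$password" | docker login --username AWS --password-stdin "$ECR_REGISTRY"

  docker pull "$image"
  docker rm -f "$CONTAINER_NAME" 2>/dev/null || true
  docker run -d --name "$CONTAINER_NAME" -p 8080:8080 --env-file "$ENV_FILE" "$image"

  # Fail the job, with the container's logs, before anything gets pruned.
  if ! wait_for_container "$CONTAINER_NAME" "$STARTUP_TIMEOUT"; then
    echo "deploy: $CONTAINER_NAME did not become healthy within ${STARTUP_TIMEOUT}s" >&2
    docker logs --tail 100 "$CONTAINER_NAME" >&2 || true
    exit 1
  fi
  docker image prune -f
}

# Usage on the host: ./deploy.sh "$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
if [ "$#" -ge 1 ]; then
  deploy "$1"
fi
```

The check deliberately treats "unhealthy" the same as "starting" and keeps polling rather than failing at once, because a HEALTHCHECK with retries can report unhealthy during a slow boot; an exited container, by contrast, fails immediately so the job does not sit out the full budget. Because `wait_for_container` only talks to `docker inspect`, it can be exercised without a daemon by shadowing `docker` with a shell function.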
- Remove long-lived AWS credentials from the EC2 SSH script (switch to the IAM Instance Role approach)
- Add a container startup check after docker run (60-second timeout, print logs on failure)
- Fix the missing SSH environment variable bug by replacing → /Users/nahyun
- Pin the appleboy/ssh-action version (@v1 → @v1.2.2)