Merged
Conversation
- EC2 직접 배포에서 ECS 롤링 업데이트 배포로 전환 - wait-for-service-stability로 배포 안정화 확인
6 tasks
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review infoConfiguration used: Organization UI Review profile: CHILL Plan: Pro 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
WalkthroughGitHub Actions에 새로운 CD 워크플로우 Changes
Sequence Diagram(s)sequenceDiagram
participant GH as GitHub Actions
participant ECR as AWS ECR
participant EC2 as EC2 Instance
participant Docker as Docker Daemon
GH->>GH: CI 성공 감지 (workflow_run)
GH->>ECR: AWS 자격증명 설정 & ECR 로그인
GH->>Docker: 이미지 빌드 및 태그(commit, latest)
GH->>ECR: 이미지 푸시
ECR-->>GH: 푸시 완료 및 이미지 리퍼런스 제공
GH->>EC2: SSH 연결 (appleboy/ssh-action) 및 스크립트 실행
EC2->>ECR: ECR 로그인
EC2->>ECR: 이미지 풀
EC2->>Docker: 기존 컨테이너 중지 및 제거 (chingoo-haja)
EC2->>Docker: 새 컨테이너 실행 (포트 8080:8080, env-file)
EC2->>EC2: 컨테이너 상태 확인(최대 60초)
EC2->>Docker: 불필요한 이미지 정리
EC2-->>GH: 배포 완료 / 로그 전송
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Poem
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 3
🧹 Nitpick comments (1)
.github/workflows/cd.yml (1)
46-46:appleboy/ssh-action@v1은 부동(floating) 태그입니다.현재 최신 릴리즈는
v1.2.5입니다.@v1은 해당 메이저 버전의 최신 패치로 자동 이동하므로, 예기치 않은 변경이 반영될 수 있습니다. 재현 가능한 빌드와 공급망 보안을 위해 패치 버전으로 고정하는 것을 권장합니다.- uses: appleboy/ssh-action@v1 + uses: appleboy/ssh-action@v1.2.5🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/cd.yml at line 46, The workflow uses a floating tag for the SSH action ("appleboy/ssh-action@v1"); pin it to the current patch release to ensure reproducible builds and supply-chain stability by replacing the tag with the explicit patch version (for example "appleboy/ssh-action@v1.2.5") in the workflow step that references appleboy/ssh-action so the action will not automatically move to newer patch releases.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/cd.yml:
- Line 51: The workflow currently injects long-lived AWS credentials via the
envs entry "envs:
ECR_REGISTRY,ECR_REPOSITORY,IMAGE_TAG,AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY,AWS_REGION";
remove AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY from that envs list and from
any other identical occurrences (the other envs block around the later copy at
68-74) and rely on an EC2 IAM Instance Role with minimal ECR permissions
(ecr:GetAuthorizationToken, ecr:BatchCheckLayerAvailability,
ecr:GetDownloadUrlForLayer, ecr:BatchGetImage) so aws ecr get-login-password
works via instance metadata; also update README/deployment notes in the repo to
document that the EC2 instance must have the appropriate IAM role instead of
passing credentials.
- Around line 60-67: The workflow runs docker run (container name chingoo-haja)
then immediately docker image prune, but doesn't verify the container started
successfully; add a check after the docker run (targeting the chingoo-haja
container) that waits for service stability by polling container state (e.g.,
using docker inspect --format='{{.State.Health.Status}}' until "healthy" or
checking `docker ps`/exit code) with a timeout and fail the job if the container
exits or never becomes healthy; place this check between the docker run and
docker image prune steps so pruning only happens after successful startup.
- Around line 60-65: The docker run command uses $EC2_USER but EC2_USER is not
passed to the remote environment (missing from the action's envs: list and env:
block), causing --env-file /home//app/.env to break; fix by either referencing
$HOME in the docker run invocation (replace /home/$EC2_USER with $HOME) or
explicitly add EC2_USER to the appleboy/ssh-action envs: list and to the env:
block so the SSH action forwards it as a string (ensure EC2_USER is set to a
string value), updating the workflow to use the chosen variable in the docker
run command.
---
Nitpick comments:
In @.github/workflows/cd.yml:
- Line 46: The workflow uses a floating tag for the SSH action
("appleboy/ssh-action@v1"); pin it to the current patch release to ensure
reproducible builds and supply-chain stability by replacing the tag with the
explicit patch version (for example "appleboy/ssh-action@v1.2.5") in the
workflow step that references appleboy/ssh-action so the action will not
automatically move to newer patch releases.
- EC2 SSH 스크립트에서 장기 AWS 자격증명 제거 (IAM Instance Role 방식으로 전환) - docker run 후 컨테이너 기동 확인 로직 추가 (60초 타임아웃, 실패 시 로그 출력) - → /Users/nahyun 교체로 SSH 환경변수 누락 버그 수정 - appleboy/ssh-action 버전 고정 (@v1 → @v1.2.2)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
⭐️ Issue Number
🚩 Summary
📋 To Do
Summary by CodeRabbit