Merge pull request #36 from Nexters/feat/add-slack #60
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Backend CD | |
| on: | |
| push: | |
| branches: | |
| - main | |
| jobs: | |
| build-and-push: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Set up JDK 21 | |
| uses: actions/setup-java@v4 | |
| with: | |
| java-version: "21" | |
| distribution: "temurin" | |
| - name: Gradle Caching | |
| uses: actions/cache@v3 | |
| with: | |
| path: | | |
| ~/.gradle/caches | |
| ~/.gradle/wrapper | |
| key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }} | |
| restore-keys: | | |
| ${{ runner.os }}-gradle- | |
| - name: Build and Push with Jib (API) | |
| uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1 | |
| with: | |
| arguments: clean :tuk-api:jib -Djib.to.image=${{ secrets.NCP_CONTAINER_REGISTRY_API }}/tuk-api -Djib.to.tags=${{ github.sha }} -Djib.to.auth.username=${{ secrets.NCP_ACCESS_KEY }} -Djib.to.auth.password=${{ secrets.NCP_SECRET_KEY }} | |
| env: | |
| JIB_TO_IMAGE: ${{ secrets.NCP_CONTAINER_REGISTRY_API }}/tuk-api | |
| JIB_TO_TAGS: ${{ github.sha }} | |
| JIB_TO_AUTH_USERNAME: ${{ secrets.NCP_ACCESS_KEY }} | |
| JIB_TO_AUTH_PASSWORD: ${{ secrets.NCP_SECRET_KEY }} | |
| - name: Build and Push with Jib (BATCH) | |
| uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1 | |
| with: | |
| arguments: clean :tuk-batch:jib -Djib.to.image=${{ secrets.NCP_CONTAINER_REGISTRY_API }}/tuk-batch -Djib.to.tags=${{ github.sha }} -Djib.to.auth.username=${{ secrets.NCP_ACCESS_KEY }} -Djib.to.auth.password=${{ secrets.NCP_SECRET_KEY }} | |
| env: | |
| JIB_TO_IMAGE: ${{ secrets.NCP_CONTAINER_REGISTRY_API }}/tuk-batch | |
| JIB_TO_TAGS: ${{ github.sha }} | |
| JIB_TO_AUTH_USERNAME: ${{ secrets.NCP_ACCESS_KEY }} | |
| JIB_TO_AUTH_PASSWORD: ${{ secrets.NCP_SECRET_KEY }} | |
| - name: Create directory and copy docker files to server | |
| run: | | |
| # 기본 디렉토리 생성 | |
| sshpass -p ${{ secrets.API_SERVER_PASSWORD }} ssh -p ${{ secrets.SSH_PORT }} -o StrictHostKeyChecking=no ${{ secrets.API_SERVER_USERNAME }}@${{ secrets.API_SERVER_HOST }} "mkdir -p ${{ secrets.DOCKER_COMPOSE_PATH }}" | |
| # nginx 관련 디렉토리 생성 | |
| sshpass -p ${{ secrets.API_SERVER_PASSWORD }} ssh -p ${{ secrets.SSH_PORT }} -o StrictHostKeyChecking=no ${{ secrets.API_SERVER_USERNAME }}@${{ secrets.API_SERVER_HOST }} "mkdir -p ${{ secrets.DOCKER_COMPOSE_PATH }}/nginx" | |
| sshpass -p ${{ secrets.API_SERVER_PASSWORD }} ssh -p ${{ secrets.SSH_PORT }} -o StrictHostKeyChecking=no ${{ secrets.API_SERVER_USERNAME }}@${{ secrets.API_SERVER_HOST }} "sudo mkdir -p /var/www/certbot" | |
| # Docker 파일들 복사 | |
| sshpass -p ${{ secrets.API_SERVER_PASSWORD }} scp -P ${{ secrets.SSH_PORT }} -o StrictHostKeyChecking=no ./docker/docker-compose.prod.yml ${{ secrets.API_SERVER_USERNAME }}@${{ secrets.API_SERVER_HOST }}:${{ secrets.DOCKER_COMPOSE_PATH }}/docker-compose.yml | |
| sshpass -p ${{ secrets.API_SERVER_PASSWORD }} scp -P ${{ secrets.SSH_PORT }} -o StrictHostKeyChecking=no ./docker/init.sql ${{ secrets.API_SERVER_USERNAME }}@${{ secrets.API_SERVER_HOST }}:${{ secrets.DOCKER_COMPOSE_PATH }}/ | |
| # nginx 설정 파일 복사 | |
| sshpass -p ${{ secrets.API_SERVER_PASSWORD }} scp -P ${{ secrets.SSH_PORT }} -o StrictHostKeyChecking=no ./nginx/nginx.conf ${{ secrets.API_SERVER_USERNAME }}@${{ secrets.API_SERVER_HOST }}:${{ secrets.DOCKER_COMPOSE_PATH }}/nginx/ | |
| shell: bash | |
| deploy-to-server: | |
| name: Connect api server ssh and pull from container registry | |
| needs: build-and-push | |
| runs-on: ubuntu-latest | |
| steps: | |
| ## SSL 인증서 설정 및 docker compose up | |
| - name: Deploy to api server | |
| uses: appleboy/ssh-action@master | |
| with: | |
| host: ${{ secrets.API_SERVER_HOST }} | |
| port: ${{ secrets.SSH_PORT }} | |
| username: ${{ secrets.API_SERVER_USERNAME }} | |
| password: ${{ secrets.API_SERVER_PASSWORD }} | |
| script: | | |
| cd ${{ secrets.DOCKER_COMPOSE_PATH }} | |
| # 기존 컨테이너 정리 | |
| sudo docker rm -f $(sudo docker ps -qa) 2>/dev/null || true | |
| # Login to NCP Container Registry | |
| echo "${{ secrets.NCP_SECRET_KEY }}" | sudo docker login ${{ secrets.NCP_CONTAINER_REGISTRY_API }} -u ${{ secrets.NCP_ACCESS_KEY }} --password-stdin | |
| # Run with environment variables | |
| sudo env \ | |
| MYSQL_USERNAME='${{ secrets.MYSQL_USERNAME }}' \ | |
| MYSQL_PASSWORD='${{ secrets.MYSQL_PASSWORD }}' \ | |
| MYSQL_ROOT_PASSWORD='${{ secrets.MYSQL_PASSWORD }}' \ | |
| APPLE_CLIENT_ID='${{ secrets.APPLE_CLIENT_ID }}' \ | |
| GOOGLE_CLIENT_ID='${{ secrets.GOOGLE_CLIENT_ID }}' \ | |
| GOOGLE_CLIENT_SECRET='${{ secrets.GOOGLE_CLIENT_SECRET }}' \ | |
| NCP_CONTAINER_REGISTRY_API='${{ secrets.NCP_CONTAINER_REGISTRY_API }}' \ | |
| JWT_SECRET='${{ secrets.JWT_SECRET }}' \ | |
| IMAGE_TAG='${{ github.sha }}' \ | |
| ENCODED_FIREBASE_ADMIN_SDK='${{ secrets.ENCODED_FIREBASE_ADMIN_SDK }}' \ | |
| SLACK_ERROR_ALERT_TOKEN='${{ secrets.SLACK_ERROR_ALERT_TOKEN }}' \ | |
| docker-compose up -d | |
| # 불필요한 Docker 이미지 정리 | |
| sudo docker image prune -f | |
| if ! sudo crontab -l 2>/dev/null | grep -q "certbot renew"; then | |
| echo "Setting up SSL auto-renewal..." | |
| (sudo crontab -l 2>/dev/null; echo "0 2 * * * certbot renew --quiet && docker-compose -f ${{ secrets.DOCKER_COMPOSE_PATH }}/docker-compose.yml restart nginx") | sudo crontab - | |
| fi |