
printf에서 cat <<'EOF' (HEREDOC) 방식으로 변경

This commit is contained in:
2026-02-06 16:15:03 +09:00
parent cf521f848f
commit e0ea0c7048


@@ -25,10 +25,14 @@ jobs:
IMAGE_TAG: ${{ github.event.inputs.rc_version_tag }} IMAGE_TAG: ${{ github.event.inputs.rc_version_tag }}
BACKEND_IMAGE_NAME: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/backend BACKEND_IMAGE_NAME: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/backend
USERFRONT_IMAGE_NAME: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/userfront USERFRONT_IMAGE_NAME: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/userfront
# Staging-specific variables (STAGE_*) ADMINFRONT_IMAGE_NAME: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/adminfront
DEVFRONT_IMAGE_NAME: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/devfront
# Staging-specific variables
DEPLOY_PATH: ${{ vars.STAGE_DEPLOY_PATH }} DEPLOY_PATH: ${{ vars.STAGE_DEPLOY_PATH }}
STAGE_HOST: ${{ vars.STAGE_HOST }} STAGE_HOST: ${{ vars.STAGE_HOST }}
STAGE_USER: ${{ vars.STAGE_USER }} STAGE_USER: ${{ vars.STAGE_USER }}
HARBOR_ENDPOINT: ${{ vars.HARBOR_ENDPOINT }} HARBOR_ENDPOINT: ${{ vars.HARBOR_ENDPOINT }}
HARBOR_ROBOT_ACCOUNT: ${{ vars.HARBOR_ROBOT_ACCOUNT }} HARBOR_ROBOT_ACCOUNT: ${{ vars.HARBOR_ROBOT_ACCOUNT }}
HARBOR_ROBOT_KEY: ${{ secrets.HARBOR_ROBOT_KEY }} HARBOR_ROBOT_KEY: ${{ secrets.HARBOR_ROBOT_KEY }}
@@ -49,77 +53,75 @@ jobs:
ssh "${STAGE_USER}@${STAGE_HOST}" "mkdir -p '${DEPLOY_PATH}'" ssh "${STAGE_USER}@${STAGE_HOST}" "mkdir -p '${DEPLOY_PATH}'"
# Create .env for Staging # Create .env for Staging using a HEREDOC to prevent shell expansion issues
# Mapped from Gitea secrets/vars to .env.sample structure cat <<'EOF' > .env
# Note: Common vars like DB_PORT do not have STAGE_ prefix in Gitea settings based on user input. APP_ENV=stage
# Secrets have STG_ prefix. TZ=Asia/Seoul
cat <<'EOF' > .env \ IDP_PROVIDER=ory
"APP_ENV=stage" \ DB_PORT=${{ vars.DB_PORT }}
"TZ=Asia/Seoul" \ CLICKHOUSE_PORT_HTTP=${{ vars.CLICKHOUSE_PORT_HTTP }}
"IDP_PROVIDER=ory" \ CLICKHOUSE_PORT_NATIVE=${{ vars.CLICKHOUSE_PORT_NATIVE }}
"DB_PORT=${{ vars.DB_PORT }}" \ BACKEND_PORT=${{ vars.BACKEND_PORT }}
"CLICKHOUSE_PORT_HTTP=${{ vars.CLICKHOUSE_PORT_HTTP }}" \ ADMINFRONT_PORT=${{ vars.ADMINFRONT_PORT }}
"CLICKHOUSE_PORT_NATIVE=${{ vars.CLICKHOUSE_PORT_NATIVE }}" \ DEVFRONT_PORT=${{ vars.DEVFRONT_PORT }}
"BACKEND_PORT=${{ vars.BACKEND_PORT }}" \ USERFRONT_PORT=${{ vars.USERFRONT_PORT }}
"ADMINFRONT_PORT=${{ vars.ADMINFRONT_PORT }}" \ DB_USER=${{ vars.DB_USER }}
"DEVFRONT_PORT=${{ vars.DEVFRONT_PORT }}" \ DB_PASSWORD=${{ secrets.STG_DB_PASSWORD }}
"USERFRONT_PORT=${{ vars.USERFRONT_PORT }}" \ DB_NAME=${{ vars.DB_NAME }}
"DB_USER=${{ vars.DB_USER }}" \ COOKIE_SECRET=${{ secrets.STG_COOKIE_SECRET }}
"DB_PASSWORD=${{ secrets.STG_DB_PASSWORD }}" \ JWT_SECRET=${{ secrets.STG_JWT_SECRET }}
"DB_NAME=${{ vars.DB_NAME }}" \ REDIS_ADDR=${{ vars.REDIS_ADDR }}
"COOKIE_SECRET=${{ secrets.STG_COOKIE_SECRET }}" \ CORS_ALLOWED_ORIGINS=${{ vars.CORS_ALLOWED_ORIGINS }}
"REDIS_ADDR=${{ vars.REDIS_ADDR }}" \ AUDIT_WORKER_COUNT=5
"CORS_ALLOWED_ORIGINS=${{ vars.CORS_ALLOWED_ORIGINS }}" \ AUDIT_QUEUE_SIZE=2000
"AUDIT_WORKER_COUNT=5" \ PROFILE_CACHE_TTL=${{ vars.PROFILE_CACHE_TTL }}
"AUDIT_QUEUE_SIZE=2000" \ DESCOPE_PROJECT_ID=${{ vars.DESCOPE_PROJECT_ID }}
"PROFILE_CACHE_TTL=${{ vars.PROFILE_CACHE_TTL }}" \ DESCOPE_MANAGEMENT_KEY=${{ secrets.DESCOPE_MANAGEMENT_KEY }}
"DESCOPE_PROJECT_ID=${{ vars.DESCOPE_PROJECT_ID }}" \ DESCOPE_TEST_ACCOUNT=${{ vars.DESCOPE_TEST_ACCOUNT }}
"DESCOPE_MANAGEMENT_KEY=${{ secrets.DESCOPE_MANAGEMENT_KEY }}" \ NAVER_CLOUD_ACCESS_KEY=${{ vars.NAVER_CLOUD_ACCESS_KEY }}
"DESCOPE_TEST_ACCOUNT=${{ vars.DESCOPE_TEST_ACCOUNT }}" \ NAVER_CLOUD_SECRET_KEY=${{ secrets.NAVER_CLOUD_SECRET_KEY }}
"NAVER_CLOUD_ACCESS_KEY=${{ vars.NAVER_CLOUD_ACCESS_KEY }}" \ NAVER_CLOUD_SERVICE_ID=${{ vars.NAVER_CLOUD_SERVICE_ID }}
"NAVER_CLOUD_SECRET_KEY=${{ secrets.NAVER_CLOUD_SECRET_KEY }}" \ NAVER_SENDER_PHONE_NUMBER=${{ vars.NAVER_SENDER_PHONE_NUMBER }}
"NAVER_CLOUD_SERVICE_ID=${{ vars.NAVER_CLOUD_SERVICE_ID }}" \ AWS_REGION=${{ vars.AWS_REGION }}
"NAVER_SENDER_PHONE_NUMBER=${{ vars.NAVER_SENDER_PHONE_NUMBER }}" \ AWS_ACCESS_KEY_ID=${{ vars.AWS_ACCESS_KEY_ID }}
"AWS_REGION=${{ vars.AWS_REGION }}" \ AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_ACCESS_KEY }}
"AWS_ACCESS_KEY_ID=${{ vars.AWS_ACCESS_KEY_ID }}" \ AWS_SES_SENDER=${{ vars.AWS_SES_SENDER }}
"AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_ACCESS_KEY }}" \ ADMIN_EMAIL=${{ vars.ADMIN_EMAIL }}
"AWS_SES_SENDER=${{ vars.AWS_SES_SENDER }}" \ ADMIN_PASSWORD=${{ secrets.STG_ADMIN_PASSWORD }}
"ADMIN_EMAIL=${{ vars.ADMIN_EMAIL }}" \ USERFRONT_URL=${{ vars.USERFRONT_URL }}
"ADMIN_PASSWORD=${{ secrets.STG_ADMIN_PASSWORD }}" \ BACKEND_URL=${{ vars.BACKEND_URL }}
"USERFRONT_URL=${{ vars.USERFRONT_URL }}" \ OATHKEEPER_PUBLIC_URL=${{ vars.OATHKEEPER_PUBLIC_URL }}
"BACKEND_URL=${{ vars.BACKEND_URL }}" \ ORY_POSTGRES_TAG=${{ vars.ORY_POSTGRES_TAG }}
"OATHKEEPER_PUBLIC_URL=${{ vars.OATHKEEPER_PUBLIC_URL }}" \ ORY_POSTGRES_USER=${{ vars.ORY_POSTGRES_USER }}
"ORY_POSTGRES_TAG=${{ vars.ORY_POSTGRES_TAG }}" \ ORY_POSTGRES_PASSWORD=${{ secrets.STG_ORY_POSTGRES_PASSWORD }}
"ORY_POSTGRES_USER=${{ vars.ORY_POSTGRES_USER }}" \ ORY_POSTGRES_DB=${{ vars.ORY_POSTGRES_DB }}
"ORY_POSTGRES_PASSWORD=${{ secrets.STG_ORY_POSTGRES_PASSWORD }}" \ KRATOS_DB=${{ vars.KRATOS_DB }}
"ORY_POSTGRES_DB=${{ vars.ORY_POSTGRES_DB }}" \ HYDRA_DB=${{ vars.HYDRA_DB }}
"KRATOS_DB=${{ vars.KRATOS_DB }}" \ KETO_DB=${{ vars.KETO_DB }}
"HYDRA_DB=${{ vars.HYDRA_DB }}" \ KRATOS_VERSION=${{ vars.KRATOS_VERSION }}
"KETO_DB=${{ vars.KETO_DB }}" \ KRATOS_UI_NODE_VERSION=${{ vars.KRATOS_UI_NODE_VERSION }}
"KRATOS_VERSION=${{ vars.KRATOS_VERSION }}" \ HYDRA_VERSION=${{ vars.HYDRA_VERSION }}
"KRATOS_UI_NODE_VERSION=${{ vars.KRATOS_UI_NODE_VERSION }}" \ KETO_VERSION=${{ vars.KETO_VERSION }}
"HYDRA_VERSION=${{ vars.HYDRA_VERSION }}" \ ORY_SDK_URL=${{ vars.ORY_SDK_URL }}
"KETO_VERSION=${{ vars.KETO_VERSION }}" \ KRATOS_PUBLIC_URL=${{ vars.KRATOS_PUBLIC_URL }}
"ORY_SDK_URL=${{ vars.ORY_SDK_URL }}" \ KRATOS_ADMIN_URL=${{ vars.KRATOS_ADMIN_URL }}
"KRATOS_PUBLIC_URL=${{ vars.KRATOS_PUBLIC_URL }}" \ KRATOS_BROWSER_URL=${{ vars.KRATOS_BROWSER_URL }}
"KRATOS_ADMIN_URL=${{ vars.KRATOS_ADMIN_URL }}" \ KRATOS_UI_URL=${{ vars.KRATOS_UI_URL }}
"KRATOS_BROWSER_URL=${{ vars.KRATOS_BROWSER_URL }}" \ HYDRA_ADMIN_URL=${{ vars.HYDRA_ADMIN_URL }}
"KRATOS_UI_URL=${{ vars.KRATOS_UI_URL }}" \ HYDRA_PUBLIC_URL=${{ vars.HYDRA_PUBLIC_URL }}
"HYDRA_ADMIN_URL=${{ vars.HYDRA_ADMIN_URL }}" \ JWKS_URL=${{ vars.JWKS_URL }}
"HYDRA_PUBLIC_URL=${{ vars.HYDRA_PUBLIC_URL }}" \ OATHKEEPER_VERSION=${{ vars.OATHKEEPER_VERSION }}
"JWKS_URL=${{ vars.JWKS_URL }}" \ OATHKEEPER_UID=${{ vars.OATHKEEPER_UID }}
"OATHKEEPER_VERSION=${{ vars.OATHKEEPER_VERSION }}" \ OATHKEEPER_GID=${{ vars.OATHKEEPER_GID }}
"OATHKEEPER_UID=${{ vars.OATHKEEPER_UID }}" \ OATHKEEPER_HEALTH_URL=${{ vars.OATHKEEPER_HEALTH_URL }}
"OATHKEEPER_GID=${{ vars.OATHKEEPER_GID }}" \ OATHKEEPER_HEALTH_INTERVAL_SECONDS=${{ vars.OATHKEEPER_HEALTH_INTERVAL_SECONDS }}
"OATHKEEPER_HEALTH_URL=${{ vars.OATHKEEPER_HEALTH_URL }}" \ OATHKEEPER_HEALTH_TIMEOUT_SECONDS=${{ vars.OATHKEEPER_HEALTH_TIMEOUT_SECONDS }}
"OATHKEEPER_HEALTH_INTERVAL_SECONDS=${{ vars.OATHKEEPER_HEALTH_INTERVAL_SECONDS }}" \ OATHKEEPER_HEALTH_ENABLED=${{ vars.OATHKEEPER_HEALTH_ENABLED }}
"OATHKEEPER_HEALTH_TIMEOUT_SECONDS=${{ vars.OATHKEEPER_HEALTH_TIMEOUT_SECONDS }}" \ CSRF_COOKIE_NAME=${{ vars.CSRF_COOKIE_NAME }}
"OATHKEEPER_HEALTH_ENABLED=${{ vars.OATHKEEPER_HEALTH_ENABLED }}" \ CSRF_COOKIE_SECRET=${{ secrets.STG_CSRF_COOKIE_SECRET }}
"CSRF_COOKIE_NAME=${{ vars.CSRF_COOKIE_NAME }}" \ OATHKEEPER_INTROSPECT_CLIENT_ID=${{ vars.OATHKEEPER_INTROSPECT_CLIENT_ID }}
"CSRF_COOKIE_SECRET=${{ secrets.STG_CSRF_COOKIE_SECRET }}" \ OATHKEEPER_INTROSPECT_CLIENT_SECRET=${{ secrets.STG_OATHKEEPER_INTROSPECT_CLIENT_SECRET }}
"OATHKEEPER_INTROSPECT_CLIENT_ID=${{ vars.OATHKEEPER_INTROSPECT_CLIENT_ID }}" \ EOF
"OATHKEEPER_INTROSPECT_CLIENT_SECRET=${{ secrets.STG_OATHKEEPER_INTROSPECT_CLIENT_SECRET }}" \
EOF
# Copy artifacts to remote # Copy artifacts to remote
# Using compose.infra.yaml as base for staging (assuming simplified structure compared to prod) # Using compose.infra.yaml as base for staging (assuming simplified structure compared to prod)
@@ -135,6 +137,8 @@ jobs:
"export DEPLOY_PATH='${DEPLOY_PATH}'; \ "export DEPLOY_PATH='${DEPLOY_PATH}'; \
export BACKEND_IMAGE_NAME='${BACKEND_IMAGE_NAME}'; \ export BACKEND_IMAGE_NAME='${BACKEND_IMAGE_NAME}'; \
export USERFRONT_IMAGE_NAME='${USERFRONT_IMAGE_NAME}'; \ export USERFRONT_IMAGE_NAME='${USERFRONT_IMAGE_NAME}'; \
export ADMINFRONT_IMAGE_NAME='${ADMINFRONT_IMAGE_NAME}'; \
export DEVFRONT_IMAGE_NAME='${DEVFRONT_IMAGE_NAME}'; \
export IMAGE_TAG='${IMAGE_TAG}'; \ export IMAGE_TAG='${IMAGE_TAG}'; \
export HARBOR_ENDPOINT='${HARBOR_ENDPOINT}'; \ export HARBOR_ENDPOINT='${HARBOR_ENDPOINT}'; \
export HARBOR_ROBOT_ACCOUNT='${HARBOR_ROBOT_ACCOUNT}'; \ export HARBOR_ROBOT_ACCOUNT='${HARBOR_ROBOT_ACCOUNT}'; \
@@ -149,4 +153,4 @@ jobs:
# Pull & Up # Pull & Up
# Assuming staging runs both infra, ory, and app stack # Assuming staging runs both infra, ory, and app stack
docker compose -f compose.infra.yml -f compose.ory.yml -f docker-compose.yml pull; \ docker compose -f compose.infra.yml -f compose.ory.yml -f docker-compose.yml pull; \
docker compose -f compose.infra.yml -f compose.ory.yml -f docker-compose.yml up -d --remove-orphans" docker compose -f compose.infra.yml -f compose.ory.yml -f docker-compose.yml up -d --remove-orphans"
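Review bot: The `.env` written by the `cat <<'EOF' > .env` block in the second hunk holds a dozen secrets (DB, JWT, cookie, CSRF, AWS, Naver, Descope, Ory introspection) yet is created with the runner's default umask, so it sits world-readable in the workspace until it is copied to the staging host; add `umask 077` before the `cat` or `chmod 600 .env` right after it, and ensure the remote copy keeps that mode. Because the `${{ secrets.* }}` values are substituted into the script text by the Actions runner before bash sees it, the quoted heredoc does not protect against a secret that contains a newline (it would split the line or, if a line equals `EOF`, terminate the heredoc early) — the usual pattern is to pass secrets through the step's `env:` and write `DB_PASSWORD=${STG_DB_PASSWORD}` in an unquoted heredoc, which still avoids re-expansion of the value. The removed comment said secrets carry the `STG_` prefix, but `DESCOPE_MANAGEMENT_KEY`, `NAVER_CLOUD_SECRET_KEY` and `AWS_SECRET_ACCESS_KEY` are read without it; if those are shared with production, a staging compromise exposes production credentials, so either confirm they are staging-scoped or rename them. The surrounding `run:` step begins before the hunk.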