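# Manually dispatched workflow: builds a production deployment bundle for a
# caller-supplied image tag, then uploads it to the production host and runs it.
# The actual work is done by scripts under scripts/deploy/, which are not part
# of this file.
name: Deploy Baron SSO Production Images

on:
  workflow_dispatch:
    inputs:
      image_tag:
        description: "배포할 공용 저장소 이미지 태그 (예: v1.2606.ab12)"
        required: true
        type: string

# Least privilege for GITHUB_TOKEN: the only GitHub access visible in this file
# is the checkout. Widen only if the deploy scripts call the GitHub API.
permissions:
  contents: read

# Serialize production rollouts so two dispatches cannot run the remote deploy
# at the same time. A deploy that is already running is never cancelled midway.
concurrency:
  group: deploy-production-images
  cancel-in-progress: false

jobs:
  deploy-production-images:
    # NOTE(review): no `environment:` is set, so no environment protection rules
    # (required reviewers, branch restrictions) gate this job, and every secret
    # below is resolved from repository/organization scope. Consider moving the
    # PROD_* secrets into a protected environment.
    runs-on: ubuntu-latest
    steps:
      - name: Checkout deployment scripts and templates
        # NOTE(review): `@v4` is a mutable tag; pin to a full commit SHA that
        # has been verified upstream.
        uses: actions/checkout@v4
        with:
          # Keep the GITHUB_TOKEN out of .git/config so it cannot be picked up
          # by later steps or packed into the deployment bundle. Remove only if
          # the deploy scripts need authenticated git operations.
          persist-credentials: false

      - name: Setup SSH
        # NOTE(review): third-party action that receives the production SSH
        # private key while referenced by a mutable tag. Pin it to a full
        # commit SHA so a retagged release cannot change what handles the key.
        uses: webfactory/ssh-agent@v0.9.0
        with:
          ssh-private-key: ${{ secrets.PROD_SSH_PRIVATE_KEY }}

      - name: Build production deployment bundle
        # The dispatch input reaches the shell only through the IMAGE_TAG
        # environment variable, never by inline expression expansion inside
        # `run`, so its content is not parsed as shell syntax.
        env:
          IMAGE_TAG: ${{ github.event.inputs.image_tag }}
          IMAGE_DEPLOY_ENV: production
          IMAGE_DEPLOY_INSTANCE_NAME: ${{ vars.PROD_INSTANCE_NAME }}
          IMAGE_DEPLOY_PORT_PREFIX: ${{ vars.PROD_PORT_PREFIX }}
          IMAGE_DEPLOY_PUBLIC_URL: ${{ vars.PROD_FRONTEND_URL }}
          IMAGE_DEPLOY_COMPOSE_TEMPLATE: deploy/templates/docker-compose.images.yaml
          IMAGE_DEPLOY_BUNDLE_FILE: prod-image-deploy-bundle.tgz
          ADMINFRONT_URL: ${{ vars.ADMINFRONT_URL }}
          DEVFRONT_URL: ${{ vars.DEVFRONT_URL }}
          ORGFRONT_URL: ${{ vars.ORGFRONT_URL }}
          VITE_OIDC_AUTHORITY: ${{ vars.VITE_OIDC_AUTHORITY }}
          IMAGE_DEPLOY_DB_PORT: ${{ vars.PROD_DB_PORT }}
          IMAGE_DEPLOY_REDIS_PORT: ${{ vars.PROD_REDIS_PORT }}
          IMAGE_DEPLOY_CLICKHOUSE_PORT_HTTP: ${{ vars.PROD_CLICKHOUSE_PORT_HTTP }}
          IMAGE_DEPLOY_CLICKHOUSE_PORT_NATIVE: ${{ vars.PROD_CLICKHOUSE_PORT_NATIVE }}
          IMAGE_DEPLOY_BACKEND_PORT: ${{ vars.PROD_BACKEND_PORT }}
          IMAGE_DEPLOY_FRONTEND_PORT: ${{ vars.PROD_FRONTEND_PORT }}
          ADMINFRONT_PORT: ${{ vars.ADMINFRONT_PORT }}
          DEVFRONT_PORT: ${{ vars.DEVFRONT_PORT }}
          ORGFRONT_PORT: ${{ vars.ORGFRONT_PORT }}
          IMAGE_DEPLOY_OATHKEEPER_PROXY_PORT: ${{ vars.PROD_OATHKEEPER_PROXY_PORT }}
          IMAGE_DEPLOY_DOMAIN_SUFFIX: ${{ vars.PROD_DOMAIN_SUFFIX }}
          ADMINFRONT_CALLBACK_URLS: ${{ vars.ADMINFRONT_CALLBACK_URLS }}
          DEVFRONT_CALLBACK_URLS: ${{ vars.DEVFRONT_CALLBACK_URLS }}
          ORGFRONT_CALLBACK_URLS: ${{ vars.ORGFRONT_CALLBACK_URLS }}
          HYDRA_REFRESH_TOKEN_TTL: ${{ vars.HYDRA_REFRESH_TOKEN_TTL }}
          ORY_POSTGRES_USER: ${{ vars.ORY_POSTGRES_USER }}
          ORY_POSTGRES_DB: ${{ vars.ORY_POSTGRES_DB }}
          KRATOS_DB: ${{ vars.KRATOS_DB }}
          HYDRA_DB: ${{ vars.HYDRA_DB }}
          KETO_DB: ${{ vars.KETO_DB }}
          KRATOS_VERSION: ${{ vars.KRATOS_VERSION }}
          HYDRA_VERSION: ${{ vars.HYDRA_VERSION }}
          KETO_VERSION: ${{ vars.KETO_VERSION }}
          OATHKEEPER_VERSION: ${{ vars.OATHKEEPER_VERSION }}
          ORY_POSTGRES_TAG: ${{ vars.ORY_POSTGRES_TAG }}
          OATHKEEPER_UID: ${{ vars.OATHKEEPER_UID }}
          OATHKEEPER_GID: ${{ vars.OATHKEEPER_GID }}
          OATHKEEPER_INTROSPECT_CLIENT_ID: ${{ vars.OATHKEEPER_INTROSPECT_CLIENT_ID }}
          ADMIN_EMAIL: ${{ vars.ADMIN_EMAIL }}
          HARBOR_HOSTNAME: ${{ vars.HARBOR_HOSTNAME }}
          BACKEND_IMAGE_NAME: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/backend
          USERFRONT_IMAGE_NAME: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/userfront
          ADMINFRONT_IMAGE_NAME: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/adminfront
          DEVFRONT_IMAGE_NAME: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/devfront
          ORGFRONT_IMAGE_NAME: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/orgfront
          # Production secrets handed to the bundle script.
          # NOTE(review): presumably these end up inside the bundle file
          # (confirm in build_image_deploy_bundle.sh). If so, the .tgz is
          # secret material: never upload it as an artifact or cache it, and
          # make sure the script does not echo these values.
          IMAGE_DEPLOY_DB_PASSWORD: ${{ secrets.PROD_DB_PASSWORD }}
          IMAGE_DEPLOY_ORY_POSTGRES_PASSWORD: ${{ secrets.PROD_ORY_POSTGRES_PASSWORD }}
          IMAGE_DEPLOY_OATHKEEPER_INTROSPECT_CLIENT_SECRET: ${{ secrets.PROD_OATHKEEPER_INTROSPECT_CLIENT_SECRET }}
          IMAGE_DEPLOY_CLICKHOUSE_PASSWORD: ${{ secrets.PROD_CLICKHOUSE_PASSWORD }}
          IMAGE_DEPLOY_COOKIE_SECRET: ${{ secrets.PROD_COOKIE_SECRET }}
          IMAGE_DEPLOY_JWT_SECRET: ${{ secrets.PROD_JWT_SECRET }}
          IMAGE_DEPLOY_CSRF_COOKIE_SECRET: ${{ secrets.PROD_CSRF_COOKIE_SECRET }}
          IMAGE_DEPLOY_ADMIN_PASSWORD: ${{ secrets.PROD_ADMIN_PASSWORD }}
        run: |
          set -euo pipefail
          # Fail closed on a malformed tag before it is written into the bundle
          # or used on the production host. The pattern is the generic
          # container image tag grammar, so every valid tag is still accepted.
          tag_pattern='^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'
          if [[ ! "${IMAGE_TAG}" =~ ${tag_pattern} ]]; then
            echo "::error::image_tag is not a valid container image tag" >&2
            exit 1
          fi
          # Same image tag contract as staging: production must consume the
          # immutable image tag that already passed staging verification.
          scripts/deploy/build_image_deploy_bundle.sh

      - name: Upload bundle and run requested production image tag
        # NOTE(review): this step connects to the production host with the key
        # loaded by the Setup SSH step. Confirm upload_and_run_image_deploy.sh
        # verifies the host key against a pinned known_hosts entry rather than
        # disabling host key checking, and that HARBOR_ROBOT_KEY is passed to
        # the registry login on stdin, not on a command line.
        env:
          IMAGE_DEPLOY_BUNDLE_FILE: prod-image-deploy-bundle.tgz
          DEPLOY_HOST: ${{ vars.PROD_HOST }}
          DEPLOY_USER: ${{ vars.PROD_USER }}
          DEPLOY_PATH: ${{ vars.PROD_DEPLOY_PATH }}
          HARBOR_ENDPOINT: ${{ vars.HARBOR_ENDPOINT }}
          HARBOR_ROBOT_ACCOUNT: ${{ vars.HARBOR_ROBOT_ACCOUNT }}
          HARBOR_ROBOT_KEY: ${{ secrets.HARBOR_ROBOT_KEY }}
        run: |
          set -euo pipefail
          scripts/deploy/upload_and_run_image_deploy.sh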