name: Deploy Baron SSO Production Images on: workflow_dispatch: inputs: image_tag: description: "배포할 공용 저장소 이미지 태그 (예: v1.2606.ab12)" required: true type: string jobs: deploy-production-images: runs-on: ubuntu-latest steps: - name: Checkout deployment scripts and templates uses: actions/checkout@v4 - name: Setup SSH uses: webfactory/ssh-agent@v0.9.0 with: ssh-private-key: ${{ secrets.PROD_SSH_PRIVATE_KEY }} - name: Build production deployment bundle env: IMAGE_TAG: ${{ github.event.inputs.image_tag }} IMAGE_DEPLOY_ENV: production IMAGE_DEPLOY_INSTANCE_NAME: ${{ vars.PROD_INSTANCE_NAME }} IMAGE_DEPLOY_PORT_PREFIX: ${{ vars.PROD_PORT_PREFIX }} IMAGE_DEPLOY_PUBLIC_URL: ${{ vars.PROD_FRONTEND_URL }} IMAGE_DEPLOY_COMPOSE_TEMPLATE: deploy/templates/docker-compose.images.yaml IMAGE_DEPLOY_BUNDLE_FILE: prod-image-deploy-bundle.tgz ADMINFRONT_URL: ${{ vars.PROD_ADMINFRONT_URL }} DEVFRONT_URL: ${{ vars.PROD_DEVFRONT_URL }} ORGFRONT_URL: ${{ vars.PROD_ORGFRONT_URL }} VITE_OIDC_AUTHORITY: ${{ vars.PROD_VITE_OIDC_AUTHORITY }} IMAGE_DEPLOY_BACKEND_LOG_LEVEL: ${{ vars.PROD_BACKEND_LOG_LEVEL }} IMAGE_DEPLOY_CLIENT_LOG_DEBUG: ${{ vars.PROD_CLIENT_LOG_DEBUG }} IMAGE_DEPLOY_BACKEND_PUBLIC_URL: ${{ vars.PROD_BACKEND_URL || vars.PROD_FRONTEND_URL }} IMAGE_DEPLOY_BACKEND_URL: ${{ vars.PROD_BACKEND_URL || vars.PROD_FRONTEND_URL }} WORKS_ADMIN_API_BASE_URL: ${{ vars.PROD_WORKS_ADMIN_API_BASE_URL }} WORKS_ADMIN_OAUTH_TOKEN_URL: ${{ vars.PROD_WORKS_ADMIN_OAUTH_TOKEN_URL }} PROFILE_CACHE_TTL: ${{ vars.PROD_PROFILE_CACHE_TTL }} NAVER_CLOUD_ACCESS_KEY: ${{ secrets.PROD_NAVER_CLOUD_ACCESS_KEY }} NAVER_CLOUD_SECRET_KEY: ${{ secrets.PROD_NAVER_CLOUD_SECRET_KEY }} NAVER_CLOUD_SERVICE_ID: ${{ vars.PROD_NAVER_CLOUD_SERVICE_ID }} NAVER_SENDER_PHONE_NUMBER: ${{ vars.PROD_NAVER_SENDER_PHONE_NUMBER }} AWS_REGION: ${{ vars.PROD_AWS_REGION }} AWS_ACCESS_KEY_ID: ${{ vars.PROD_AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.PROD_AWS_SECRET_ACCESS_KEY }} AWS_SES_SENDER: ${{ vars.PROD_AWS_SES_SENDER }} CORS_ALLOWED_ORIGINS: ${{ vars.PROD_CORS_ALLOWED_ORIGINS }} OATHKEEPER_API_URL: ${{ vars.PROD_OATHKEEPER_API_URL }} CLICKHOUSE_HOST: ${{ vars.PROD_CLICKHOUSE_HOST }} CLICKHOUSE_USER: ${{ vars.PROD_CLICKHOUSE_USER }} IMAGE_DEPLOY_DB_PORT: ${{ vars.PROD_DB_PORT }} IMAGE_DEPLOY_REDIS_PORT: ${{ vars.PROD_REDIS_PORT }} IMAGE_DEPLOY_CLICKHOUSE_PORT_HTTP: ${{ vars.PROD_CLICKHOUSE_PORT_HTTP }} IMAGE_DEPLOY_CLICKHOUSE_PORT_NATIVE: ${{ vars.PROD_CLICKHOUSE_PORT_NATIVE }} IMAGE_DEPLOY_BACKEND_PORT: ${{ vars.PROD_BACKEND_PORT }} IMAGE_DEPLOY_FRONTEND_PORT: ${{ vars.PROD_FRONTEND_PORT }} ADMINFRONT_PORT: ${{ vars.PROD_ADMINFRONT_PORT }} DEVFRONT_PORT: ${{ vars.PROD_DEVFRONT_PORT }} ORGFRONT_PORT: ${{ vars.PROD_ORGFRONT_PORT }} IMAGE_DEPLOY_OATHKEEPER_PROXY_PORT: ${{ vars.PROD_OATHKEEPER_PROXY_PORT }} IMAGE_DEPLOY_DOMAIN_SUFFIX: ${{ vars.PROD_DOMAIN_SUFFIX }} ADMINFRONT_CALLBACK_URLS: ${{ vars.PROD_ADMINFRONT_CALLBACK_URLS }} DEVFRONT_CALLBACK_URLS: ${{ vars.PROD_DEVFRONT_CALLBACK_URLS }} ORGFRONT_CALLBACK_URLS: ${{ vars.PROD_ORGFRONT_CALLBACK_URLS }} HYDRA_REFRESH_TOKEN_TTL: ${{ vars.PROD_HYDRA_REFRESH_TOKEN_TTL }} ORY_POSTGRES_USER: ${{ vars.PROD_ORY_POSTGRES_USER }} ORY_POSTGRES_DB: ${{ vars.PROD_ORY_POSTGRES_DB }} KRATOS_DB: ${{ vars.PROD_KRATOS_DB }} HYDRA_DB: ${{ vars.PROD_HYDRA_DB }} KETO_DB: ${{ vars.PROD_KETO_DB }} KRATOS_VERSION: ${{ vars.PROD_KRATOS_VERSION }} HYDRA_VERSION: ${{ vars.PROD_HYDRA_VERSION }} KETO_VERSION: ${{ vars.PROD_KETO_VERSION }} OATHKEEPER_VERSION: ${{ vars.PROD_OATHKEEPER_VERSION }} ORY_POSTGRES_TAG: ${{ vars.PROD_ORY_POSTGRES_TAG }} OATHKEEPER_UID: ${{ vars.PROD_OATHKEEPER_UID }} OATHKEEPER_GID: ${{ vars.PROD_OATHKEEPER_GID }} OATHKEEPER_INTROSPECT_CLIENT_ID: ${{ vars.PROD_OATHKEEPER_INTROSPECT_CLIENT_ID }} ADMIN_EMAIL: ${{ vars.PROD_ADMIN_EMAIL }} HARBOR_HOSTNAME: ${{ vars.HARBOR_HOSTNAME }} BACKEND_IMAGE_NAME: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/backend USERFRONT_IMAGE_NAME: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/userfront ADMINFRONT_IMAGE_NAME: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/adminfront DEVFRONT_IMAGE_NAME: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/devfront ORGFRONT_IMAGE_NAME: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/orgfront IMAGE_DEPLOY_DB_PASSWORD: ${{ secrets.PROD_DB_PASSWORD }} IMAGE_DEPLOY_ORY_POSTGRES_PASSWORD: ${{ secrets.PROD_ORY_POSTGRES_PASSWORD }} IMAGE_DEPLOY_OATHKEEPER_INTROSPECT_CLIENT_SECRET: ${{ secrets.PROD_OATHKEEPER_INTROSPECT_CLIENT_SECRET }} IMAGE_DEPLOY_CLICKHOUSE_PASSWORD: ${{ secrets.PROD_CLICKHOUSE_PASSWORD }} IMAGE_DEPLOY_COOKIE_SECRET: ${{ secrets.PROD_COOKIE_SECRET }} IMAGE_DEPLOY_JWT_SECRET: ${{ secrets.PROD_JWT_SECRET }} IMAGE_DEPLOY_CSRF_COOKIE_SECRET: ${{ secrets.PROD_CSRF_COOKIE_SECRET }} IMAGE_DEPLOY_ADMIN_PASSWORD: ${{ secrets.PROD_ADMIN_PASSWORD }} run: | set -euo pipefail # Same image tag contract as staging: production must consume the # immutable image tag that already passed staging verification. scripts/deploy/build_image_deploy_bundle.sh - name: Upload bundle and run requested production image tag env: IMAGE_DEPLOY_BUNDLE_FILE: prod-image-deploy-bundle.tgz DEPLOY_HOST: ${{ vars.PROD_HOST }} DEPLOY_USER: ${{ vars.PROD_USER }} DEPLOY_PATH: ${{ vars.PROD_DEPLOY_PATH }} HARBOR_ENDPOINT: ${{ vars.HARBOR_ENDPOINT }} HARBOR_ROBOT_ACCOUNT: ${{ vars.HARBOR_ROBOT_ACCOUNT }} HARBOR_ROBOT_KEY: ${{ secrets.HARBOR_ROBOT_KEY }} run: | set -euo pipefail scripts/deploy/upload_and_run_image_deploy.sh