baron-sso/.gitea/workflows/production_image_deploy.yml

name: Deploy Baron SSO Production Images

on:
  workflow_dispatch:
    inputs:
      image_tag:
        description: "배포할 공용 저장소 이미지 태그 (예: v1.2606.ab12)"
        required: true
        type: string

jobs:
  deploy-production-images:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout deployment scripts and templates
        uses: actions/checkout@v4

      - name: Setup SSH
        uses: webfactory/ssh-agent@v0.9.0
        with:
          ssh-private-key: ${{ secrets.PROD_SSH_PRIVATE_KEY }}

      - name: Build production deployment bundle
        env:
          IMAGE_TAG: ${{ github.event.inputs.image_tag }}
          IMAGE_DEPLOY_ENV: production
          IMAGE_DEPLOY_INSTANCE_NAME: ${{ vars.PROD_INSTANCE_NAME }}
          IMAGE_DEPLOY_PORT_PREFIX: ${{ vars.PROD_PORT_PREFIX }}
          IMAGE_DEPLOY_PUBLIC_URL: ${{ vars.PROD_FRONTEND_URL }}
          IMAGE_DEPLOY_COMPOSE_TEMPLATE: deploy/templates/docker-compose.images.yaml
          IMAGE_DEPLOY_BUNDLE_FILE: prod-image-deploy-bundle.tgz
          ADMINFRONT_URL: ${{ vars.ADMINFRONT_URL }}
          DEVFRONT_URL: ${{ vars.DEVFRONT_URL }}
          ORGFRONT_URL: ${{ vars.ORGFRONT_URL }}
          VITE_OIDC_AUTHORITY: ${{ vars.VITE_OIDC_AUTHORITY }}
          IMAGE_DEPLOY_DB_PORT: ${{ vars.PROD_DB_PORT }}
          IMAGE_DEPLOY_REDIS_PORT: ${{ vars.PROD_REDIS_PORT }}
          IMAGE_DEPLOY_CLICKHOUSE_PORT_HTTP: ${{ vars.PROD_CLICKHOUSE_PORT_HTTP }}
          IMAGE_DEPLOY_CLICKHOUSE_PORT_NATIVE: ${{ vars.PROD_CLICKHOUSE_PORT_NATIVE }}
          IMAGE_DEPLOY_BACKEND_PORT: ${{ vars.PROD_BACKEND_PORT }}
          IMAGE_DEPLOY_FRONTEND_PORT: ${{ vars.PROD_FRONTEND_PORT }}
          ADMINFRONT_PORT: ${{ vars.ADMINFRONT_PORT }}
          DEVFRONT_PORT: ${{ vars.DEVFRONT_PORT }}
          ORGFRONT_PORT: ${{ vars.ORGFRONT_PORT }}
          IMAGE_DEPLOY_OATHKEEPER_PROXY_PORT: ${{ vars.PROD_OATHKEEPER_PROXY_PORT }}
          IMAGE_DEPLOY_DOMAIN_SUFFIX: ${{ vars.PROD_DOMAIN_SUFFIX }}
          ADMINFRONT_CALLBACK_URLS: ${{ vars.ADMINFRONT_CALLBACK_URLS }}
          DEVFRONT_CALLBACK_URLS: ${{ vars.DEVFRONT_CALLBACK_URLS }}
          ORGFRONT_CALLBACK_URLS: ${{ vars.ORGFRONT_CALLBACK_URLS }}
          HYDRA_REFRESH_TOKEN_TTL: ${{ vars.HYDRA_REFRESH_TOKEN_TTL }}
          ORY_POSTGRES_USER: ${{ vars.ORY_POSTGRES_USER }}
          ORY_POSTGRES_DB: ${{ vars.ORY_POSTGRES_DB }}
          KRATOS_DB: ${{ vars.KRATOS_DB }}
          HYDRA_DB: ${{ vars.HYDRA_DB }}
          KETO_DB: ${{ vars.KETO_DB }}
          KRATOS_VERSION: ${{ vars.KRATOS_VERSION }}
          HYDRA_VERSION: ${{ vars.HYDRA_VERSION }}
          KETO_VERSION: ${{ vars.KETO_VERSION }}
          OATHKEEPER_VERSION: ${{ vars.OATHKEEPER_VERSION }}
          ORY_POSTGRES_TAG: ${{ vars.ORY_POSTGRES_TAG }}
          OATHKEEPER_UID: ${{ vars.OATHKEEPER_UID }}
          OATHKEEPER_GID: ${{ vars.OATHKEEPER_GID }}
          OATHKEEPER_INTROSPECT_CLIENT_ID: ${{ vars.OATHKEEPER_INTROSPECT_CLIENT_ID }}
          ADMIN_EMAIL: ${{ vars.ADMIN_EMAIL }}
          HARBOR_HOSTNAME: ${{ vars.HARBOR_HOSTNAME }}
          BACKEND_IMAGE_NAME: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/backend
          USERFRONT_IMAGE_NAME: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/userfront
          ADMINFRONT_IMAGE_NAME: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/adminfront
          DEVFRONT_IMAGE_NAME: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/devfront
          ORGFRONT_IMAGE_NAME: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/orgfront
          IMAGE_DEPLOY_DB_PASSWORD: ${{ secrets.PROD_DB_PASSWORD }}
          IMAGE_DEPLOY_ORY_POSTGRES_PASSWORD: ${{ secrets.PROD_ORY_POSTGRES_PASSWORD }}
          IMAGE_DEPLOY_OATHKEEPER_INTROSPECT_CLIENT_SECRET: ${{ secrets.PROD_OATHKEEPER_INTROSPECT_CLIENT_SECRET }}
          IMAGE_DEPLOY_CLICKHOUSE_PASSWORD: ${{ secrets.PROD_CLICKHOUSE_PASSWORD }}
          IMAGE_DEPLOY_COOKIE_SECRET: ${{ secrets.PROD_COOKIE_SECRET }}
          IMAGE_DEPLOY_JWT_SECRET: ${{ secrets.PROD_JWT_SECRET }}
          IMAGE_DEPLOY_CSRF_COOKIE_SECRET: ${{ secrets.PROD_CSRF_COOKIE_SECRET }}
          IMAGE_DEPLOY_ADMIN_PASSWORD: ${{ secrets.PROD_ADMIN_PASSWORD }}
        run: |
          set -euo pipefail
          # Same image tag contract as staging: production must consume the
          # immutable image tag that already passed staging verification.
          scripts/deploy/build_image_deploy_bundle.sh

      - name: Upload bundle and run requested production image tag
        env:
          IMAGE_DEPLOY_BUNDLE_FILE: prod-image-deploy-bundle.tgz
          DEPLOY_HOST: ${{ vars.PROD_HOST }}
          DEPLOY_USER: ${{ vars.PROD_USER }}
          DEPLOY_PATH: ${{ vars.PROD_DEPLOY_PATH }}
          HARBOR_ENDPOINT: ${{ vars.HARBOR_ENDPOINT }}
          HARBOR_ROBOT_ACCOUNT: ${{ vars.HARBOR_ROBOT_ACCOUNT }}
          HARBOR_ROBOT_KEY: ${{ secrets.HARBOR_ROBOT_KEY }}
        run: |
          set -euo pipefail
          scripts/deploy/upload_and_run_image_deploy.sh