forked from baron/baron-sso
116 lines
6.3 KiB
YAML
116 lines
6.3 KiB
YAML
name: Deploy Baron SSO Production Images
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
image_tag:
|
|
description: "배포할 공용 저장소 이미지 태그 (예: v1.2606.ab12)"
|
|
required: true
|
|
type: string
|
|
|
|
jobs:
|
|
deploy-production-images:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout deployment scripts and templates
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Setup SSH
|
|
uses: webfactory/ssh-agent@v0.9.0
|
|
with:
|
|
ssh-private-key: ${{ secrets.PROD_SSH_PRIVATE_KEY }}
|
|
|
|
- name: Build production deployment bundle
|
|
env:
|
|
IMAGE_TAG: ${{ github.event.inputs.image_tag }}
|
|
IMAGE_DEPLOY_ENV: production
|
|
IMAGE_DEPLOY_INSTANCE_NAME: ${{ vars.PROD_INSTANCE_NAME }}
|
|
IMAGE_DEPLOY_PORT_PREFIX: ${{ vars.PROD_PORT_PREFIX }}
|
|
IMAGE_DEPLOY_PUBLIC_URL: ${{ vars.PROD_FRONTEND_URL }}
|
|
IMAGE_DEPLOY_COMPOSE_TEMPLATE: deploy/templates/docker-compose.images.yaml
|
|
IMAGE_DEPLOY_BUNDLE_FILE: prod-image-deploy-bundle.tgz
|
|
ADMINFRONT_URL: ${{ vars.PROD_ADMINFRONT_URL }}
|
|
DEVFRONT_URL: ${{ vars.PROD_DEVFRONT_URL }}
|
|
ORGFRONT_URL: ${{ vars.PROD_ORGFRONT_URL }}
|
|
VITE_OIDC_AUTHORITY: ${{ vars.PROD_VITE_OIDC_AUTHORITY }}
|
|
IMAGE_DEPLOY_BACKEND_LOG_LEVEL: ${{ vars.PROD_BACKEND_LOG_LEVEL }}
|
|
IMAGE_DEPLOY_CLIENT_LOG_DEBUG: ${{ vars.PROD_CLIENT_LOG_DEBUG }}
|
|
IMAGE_DEPLOY_BACKEND_PUBLIC_URL: ${{ vars.PROD_BACKEND_URL || vars.PROD_FRONTEND_URL }}
|
|
IMAGE_DEPLOY_BACKEND_URL: ${{ vars.PROD_BACKEND_URL || vars.PROD_FRONTEND_URL }}
|
|
WORKS_ADMIN_API_BASE_URL: ${{ vars.PROD_WORKS_ADMIN_API_BASE_URL }}
|
|
WORKS_ADMIN_OAUTH_TOKEN_URL: ${{ vars.PROD_WORKS_ADMIN_OAUTH_TOKEN_URL }}
|
|
PROFILE_CACHE_TTL: ${{ vars.PROD_PROFILE_CACHE_TTL }}
|
|
NAVER_CLOUD_ACCESS_KEY: ${{ secrets.PROD_NAVER_CLOUD_ACCESS_KEY }}
|
|
NAVER_CLOUD_SECRET_KEY: ${{ secrets.PROD_NAVER_CLOUD_SECRET_KEY }}
|
|
NAVER_CLOUD_SERVICE_ID: ${{ vars.PROD_NAVER_CLOUD_SERVICE_ID }}
|
|
NAVER_SENDER_PHONE_NUMBER: ${{ vars.PROD_NAVER_SENDER_PHONE_NUMBER }}
|
|
AWS_REGION: ${{ vars.PROD_AWS_REGION }}
|
|
AWS_ACCESS_KEY_ID: ${{ vars.PROD_AWS_ACCESS_KEY_ID }}
|
|
AWS_SECRET_ACCESS_KEY: ${{ secrets.PROD_AWS_SECRET_ACCESS_KEY }}
|
|
AWS_SES_SENDER: ${{ vars.PROD_AWS_SES_SENDER }}
|
|
CORS_ALLOWED_ORIGINS: ${{ vars.PROD_CORS_ALLOWED_ORIGINS }}
|
|
OATHKEEPER_API_URL: ${{ vars.PROD_OATHKEEPER_API_URL }}
|
|
CLICKHOUSE_HOST: ${{ vars.PROD_CLICKHOUSE_HOST }}
|
|
CLICKHOUSE_USER: ${{ vars.PROD_CLICKHOUSE_USER }}
|
|
IMAGE_DEPLOY_DB_PORT: ${{ vars.PROD_DB_PORT }}
|
|
IMAGE_DEPLOY_REDIS_PORT: ${{ vars.PROD_REDIS_PORT }}
|
|
IMAGE_DEPLOY_CLICKHOUSE_PORT_HTTP: ${{ vars.PROD_CLICKHOUSE_PORT_HTTP }}
|
|
IMAGE_DEPLOY_CLICKHOUSE_PORT_NATIVE: ${{ vars.PROD_CLICKHOUSE_PORT_NATIVE }}
|
|
IMAGE_DEPLOY_BACKEND_PORT: ${{ vars.PROD_BACKEND_PORT }}
|
|
IMAGE_DEPLOY_FRONTEND_PORT: ${{ vars.PROD_FRONTEND_PORT }}
|
|
ADMINFRONT_PORT: ${{ vars.PROD_ADMINFRONT_PORT }}
|
|
DEVFRONT_PORT: ${{ vars.PROD_DEVFRONT_PORT }}
|
|
ORGFRONT_PORT: ${{ vars.PROD_ORGFRONT_PORT }}
|
|
IMAGE_DEPLOY_OATHKEEPER_PROXY_PORT: ${{ vars.PROD_OATHKEEPER_PROXY_PORT }}
|
|
IMAGE_DEPLOY_DOMAIN_SUFFIX: ${{ vars.PROD_DOMAIN_SUFFIX }}
|
|
ADMINFRONT_CALLBACK_URLS: ${{ vars.PROD_ADMINFRONT_CALLBACK_URLS }}
|
|
DEVFRONT_CALLBACK_URLS: ${{ vars.PROD_DEVFRONT_CALLBACK_URLS }}
|
|
ORGFRONT_CALLBACK_URLS: ${{ vars.PROD_ORGFRONT_CALLBACK_URLS }}
|
|
HYDRA_REFRESH_TOKEN_TTL: ${{ vars.PROD_HYDRA_REFRESH_TOKEN_TTL }}
|
|
ORY_POSTGRES_USER: ${{ vars.PROD_ORY_POSTGRES_USER }}
|
|
ORY_POSTGRES_DB: ${{ vars.PROD_ORY_POSTGRES_DB }}
|
|
KRATOS_DB: ${{ vars.PROD_KRATOS_DB }}
|
|
HYDRA_DB: ${{ vars.PROD_HYDRA_DB }}
|
|
KETO_DB: ${{ vars.PROD_KETO_DB }}
|
|
KRATOS_VERSION: ${{ vars.PROD_KRATOS_VERSION }}
|
|
HYDRA_VERSION: ${{ vars.PROD_HYDRA_VERSION }}
|
|
KETO_VERSION: ${{ vars.PROD_KETO_VERSION }}
|
|
OATHKEEPER_VERSION: ${{ vars.PROD_OATHKEEPER_VERSION }}
|
|
ORY_POSTGRES_TAG: ${{ vars.PROD_ORY_POSTGRES_TAG }}
|
|
OATHKEEPER_UID: ${{ vars.PROD_OATHKEEPER_UID }}
|
|
OATHKEEPER_GID: ${{ vars.PROD_OATHKEEPER_GID }}
|
|
OATHKEEPER_INTROSPECT_CLIENT_ID: ${{ vars.PROD_OATHKEEPER_INTROSPECT_CLIENT_ID }}
|
|
ADMIN_EMAIL: ${{ vars.PROD_ADMIN_EMAIL }}
|
|
HARBOR_HOSTNAME: ${{ vars.HARBOR_HOSTNAME }}
|
|
BACKEND_IMAGE_NAME: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/backend
|
|
USERFRONT_IMAGE_NAME: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/userfront
|
|
ADMINFRONT_IMAGE_NAME: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/adminfront
|
|
DEVFRONT_IMAGE_NAME: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/devfront
|
|
ORGFRONT_IMAGE_NAME: ${{ vars.HARBOR_HOSTNAME }}/baron_sso/orgfront
|
|
IMAGE_DEPLOY_DB_PASSWORD: ${{ secrets.PROD_DB_PASSWORD }}
|
|
IMAGE_DEPLOY_ORY_POSTGRES_PASSWORD: ${{ secrets.PROD_ORY_POSTGRES_PASSWORD }}
|
|
IMAGE_DEPLOY_OATHKEEPER_INTROSPECT_CLIENT_SECRET: ${{ secrets.PROD_OATHKEEPER_INTROSPECT_CLIENT_SECRET }}
|
|
IMAGE_DEPLOY_CLICKHOUSE_PASSWORD: ${{ secrets.PROD_CLICKHOUSE_PASSWORD }}
|
|
IMAGE_DEPLOY_COOKIE_SECRET: ${{ secrets.PROD_COOKIE_SECRET }}
|
|
IMAGE_DEPLOY_JWT_SECRET: ${{ secrets.PROD_JWT_SECRET }}
|
|
IMAGE_DEPLOY_CSRF_COOKIE_SECRET: ${{ secrets.PROD_CSRF_COOKIE_SECRET }}
|
|
IMAGE_DEPLOY_ADMIN_PASSWORD: ${{ secrets.PROD_ADMIN_PASSWORD }}
|
|
run: |
|
|
set -euo pipefail
|
|
# Same image tag contract as staging: production must consume the
|
|
# immutable image tag that already passed staging verification.
|
|
scripts/deploy/build_image_deploy_bundle.sh
|
|
|
|
- name: Upload bundle and run requested production image tag
|
|
env:
|
|
IMAGE_DEPLOY_BUNDLE_FILE: prod-image-deploy-bundle.tgz
|
|
DEPLOY_HOST: ${{ vars.PROD_HOST }}
|
|
DEPLOY_USER: ${{ vars.PROD_USER }}
|
|
DEPLOY_PATH: ${{ vars.PROD_DEPLOY_PATH }}
|
|
HARBOR_ENDPOINT: ${{ vars.HARBOR_ENDPOINT }}
|
|
HARBOR_ROBOT_ACCOUNT: ${{ vars.HARBOR_ROBOT_ACCOUNT }}
|
|
HARBOR_ROBOT_KEY: ${{ secrets.HARBOR_ROBOT_KEY }}
|
|
run: |
|
|
set -euo pipefail
|
|
scripts/deploy/upload_and_run_image_deploy.sh
|