Skip to content

✅ [Deploy] v0.5.0 배포#135

Merged
rlawngjs0313 merged 18 commits into
mainfrom
develop
Jul 2, 2026
Merged

✅ [Deploy] v0.5.0 배포#135
rlawngjs0313 merged 18 commits into
mainfrom
develop

Conversation

@rlawngjs0313

@rlawngjs0313 rlawngjs0313 commented Jul 2, 2026

Copy link
Copy Markdown
Member

📍 PR 타입 (하나 이상 선택)

  • 기능 추가
  • 버그 수정
  • 의존성, 환경 변수, 빌드 관련 코드 업데이트
  • 기타 사소한 수정

❗️ 관련 이슈 링크

Close #

📌 개요

🔁 변경 사항

📸 스크린샷

👀 기타 더 이야기해볼 점

✅ 체크 리스트

  • PR 템플릿에 맞추어 작성했어요.
  • 변경 내용에 대한 테스트를 진행했어요.
  • 프로그램이 정상적으로 동작해요.
  • PR에 적절한 라벨을 선택했어요.
  • 불필요한 코드는 삭제했어요.

Summary by CodeRabbit

  • 새 기능
    • 운영 모니터링을 위한 Actuator 엔드포인트와 Prometheus 메트릭이 추가되었습니다.
    • Actuator 경로가 인증 없이 접근 가능하도록 설정되었습니다.
    • Docker 기반 실행/배포 구성이 추가되어 컨테이너 환경에서 더 일관되게 운영할 수 있습니다.
  • 버그 수정
    • API 문서(버전) 정보가 최신으로 갱신되었습니다.
  • 문서
    • 프로젝트 개요 및 PR 템플릿 표기가 정리되었습니다.
  • Chores
    • CI/CD 워크플로우와 배포 파이프라인이 재정비되었습니다.

@rlawngjs0313 rlawngjs0313 self-assigned this Jul 2, 2026
@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: af0c7afb-1c21-42fe-9a9a-f16b4c85bc9f

📥 Commits

Reviewing files that changed from the base of the PR and between bee2ea5 and f6deab7.

📒 Files selected for processing (1)
  • .coderabbit.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .coderabbit.yaml

📝 Walkthrough

Walkthrough

GitHub Actions 기반 CI/CD 워크플로우와 Docker 실행 구성이 추가되고, CodeRabbit 설정이 도입되었습니다. Actuator/Prometheus 의존성과 공개 경로가 추가되었고, PR 템플릿·README·Swagger 버전 문구가 조정되었습니다.

Changes

CI/CD 파이프라인 구축

Layer / File(s) Summary
CI 워크플로우 신설
.github/workflows/ci.yml
main/develop 대상 push/pull_request에서 MySQL·Redis 서비스 컨테이너와 함께 JDK 21 설정, 시크릿 기반 설정 파일 주입 후 ./gradlew build를 수행하는 CI 워크플로우를 추가.
CD 워크플로우 및 배포 스크립트
.github/workflows/cd.yml
develop 브랜치 push 시 Docker 이미지를 빌드/푸시하고 EC2에 SSH로 접속해 docker-compose로 재실행하는 신규 CD 워크플로우를 추가.
Docker 이미지 및 컴포즈 구성
Dockerfile, docker-compose.yml, .gitignore
JDK 21 Alpine 기반 Dockerfile과 backend/redis 서비스를 정의하는 docker-compose.yml을 추가하고, .gitignore의 워크플로우 예외 범위를 디렉터리 전체로 확장.

Actuator 모니터링 노출

Layer / File(s) Summary
Actuator 의존성 및 보안 예외 추가
build.gradle, src/main/java/com/example/scoi/global/config/SecurityConfig.java
Spring Boot Actuator 및 Prometheus용 Micrometer 레지스트리 의존성을 추가하고, /actuator/**를 공개 엔드포인트 목록에 포함.

CodeRabbit 리뷰 자동화 설정

Layer / File(s) Summary
리뷰 및 자동화 옵션 구성
.coderabbit.yaml
리뷰 언어(ko-KR), 프로필, 자동 승인 비활성, 요약 표시, 자동 라벨/리뷰어 비활성, 자동 리뷰, 채팅 자동 응답, 지식 베이스 옵션을 설정.

문서 문구 수정

Layer / File(s) Summary
템플릿, README, Swagger 버전 변경
.github/pull_request_template.md, README.md, src/main/java/com/example/scoi/global/config/SwaggerConfig.java
PR 템플릿의 "Close #"를 "Closed #"로 변경, README 문단 서식을 조정, Swagger API 버전을 0.4.0에서 0.5.0으로 업데이트.

Estimated code review effort: 3 (Moderate) | ~25 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning 템플릿 섹션은 있으나 대부분 비어 있어 개요, 변경 사항, 이슈 링크, 체크리스트를 확인할 수 없습니다. 관련 이슈, 개요, 변경 사항, 테스트 결과, 체크리스트를 실제 내용으로 채워 PR 템플릿을 완성하세요.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed 제목이 v0.5.0 배포라는 핵심 변경을 직접 요약하고 있어 PR 내용과 잘 맞습니다.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch develop

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 9

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
src/main/java/com/example/scoi/global/config/SecurityConfig.java (1)

34-41: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Actuator 허용 범위를 더 좁혀주세요.

/actuator/**를 공개하면, 현재/미래에 활성화되는 모든 actuator 엔드포인트가 인증 없이 열립니다. health, prometheus처럼 필요한 경로만 명시적으로 허용하는 쪽이 안전합니다.

🔧 제안
-            "/actuator/**",           // 모니터링
+            "/actuator/health",
+            "/actuator/prometheus",
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/main/java/com/example/scoi/global/config/SecurityConfig.java` around
lines 34 - 41, The PUBLIC_ENDPOINTS list in SecurityConfig is too broad because
it exposes every current and future actuator endpoint through "/actuator/**";
tighten this by replacing the wildcard with only the specific actuator paths
that must remain public, such as health or prometheus. Update the endpoint
whitelist in SecurityConfig so the security rules only permit the intended
actuator endpoints and keep all others protected.
🧹 Nitpick comments (2)
.github/workflows/cd.yml (1)

53-58: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

이미지 태그가 :latest만 존재하여 롤백/추적이 어려움

빌드된 이미지에 커밋 SHA 등 불변 태그를 함께 부여하지 않으면, 배포 이력 추적 및 특정 버전으로의 롤백이 어렵습니다.

🔧 제안 수정
       - name: Docker 이미지 빌드 및 푸시
         uses: docker/build-push-action@v5
         with:
           context: .
           push: true
-          tags: ${{ env.DOCKER_IMAGE_NAME }}:latest
+          tags: |
+            ${{ env.DOCKER_IMAGE_NAME }}:latest
+            ${{ env.DOCKER_IMAGE_NAME }}:${{ github.sha }}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/cd.yml around lines 53 - 58, The Docker publish step in
the workflow only tags images as latest, which makes rollout tracking and
rollback hard. Update the docker/build-push-action@v5 configuration in the
build-and-push job to add an immutable tag alongside latest, such as the commit
SHA from the workflow context, so each build can be uniquely identified and
referenced later. Use the existing Docker image tag setup in the workflow and
extend the tags field rather than replacing latest.
docker-compose.yml (1)

13-14: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Redis 준비 상태를 기다리지 않고 백엔드가 시작될 수 있음

depends_on은 컨테이너 시작 순서만 보장할 뿐 Redis가 실제로 요청을 처리할 준비가 되었는지는 보장하지 않습니다. 콜드 스타트 시 백엔드가 Redis 연결에 실패할 수 있습니다.

🔧 제안 수정
     depends_on:
-      - redis
+      redis:
+        condition: service_healthy

그리고 redis 서비스에 healthcheck를 추가해야 합니다:

   redis:
     image: redis:7-alpine
     container_name: scoi-redis
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 10s
+      timeout: 5s
+      retries: 3
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docker-compose.yml` around lines 13 - 14, The backend can start before Redis
is actually ready because depends_on only enforces startup order, so update the
docker-compose configuration to wait for Redis health instead of just container
start. Add a healthcheck to the redis service and then reference that readiness
from the backend service’s depends_on so the backend only starts after Redis is
healthy.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.coderabbit.yaml:
- Around line 25-27: 주석의 의도와 `related_issues`/`related_prs` 설정이 맞지 않습니다;
`.coderabbit.yaml`의 관련 링크 설정을 검토해 주석처럼 둘 다 비활성화하려면 `related_prs`도 꺼지도록 맞추고, 반대로
PR 링크를 유지하려는 의도라면 주석 문구를 `related_prs` 활성화에 맞게 수정하세요. `related_issues`와
`related_prs` 항목의 의미가 일치하도록 정리해 설정과 주석이 서로 모순되지 않게 해주세요.

In @.github/workflows/cd.yml:
- Around line 1-13: The workflow in cd.yml is missing an explicit permissions
block, so it relies on the default GITHUB_TOKEN scope; add a minimal permissions
declaration at the workflow or build-and-push job level, using the GitHub
Actions workflow syntax, and keep it restricted to the symbols already present
in this file such as on, env, and build-and-push so the token only has the
needed read access.
- Around line 18-23: The Gradle cache usage in the JDK setup step is too broadly
shared for a trusted deployment job and may allow cache-poisoning from less
trusted workflows. Update the workflow around the actions/setup-java step in
this CD job to avoid sharing the same Gradle cache key with untrusted triggers,
either by disabling cache here or by scoping the cache key so only trusted
workflows can reuse it; verify the job remains safe for Docker Hub push and EC2
deployment.
- Around line 15-16: The checkout step in the CD workflow is leaving Git
credentials persisted, which increases the risk of exposing sensitive secrets
used later in deployment. Update the actions/checkout@v4 step to explicitly
disable credential persistence by setting persist-credentials to false, and keep
the change localized to the checkout job so the rest of the workflow can
continue using the existing deploy-related secrets safely.

In @.github/workflows/ci.yml:
- Around line 9-11: The CI workflow’s build job currently relies on the default
broad GITHUB_TOKEN scope because there is no explicit permissions block. Add a
workflow-level permissions section in the ci workflow and restrict it to the
minimum needed, using symbols like the build job and jobs block as the anchor
point, so the token is explicitly limited to read-only access such as contents:
read.
- Around line 24-28: The Redis service in the CI workflow is using an unpinned
image tag, which can change across runs; update the redis service definition to
use a fixed Redis version instead of redis:latest. Make the change in the
workflow’s redis service block so the image is deterministic and avoids
unpinned-images issues.
- Around line 31-32: The checkout step currently uses actions/checkout@v4
without disabling credential persistence, which can leave GITHUB_TOKEN in the
runner’s git config. Update the checkout configuration to set
persist-credentials to false in the checkout job step so the token is not
retained for later steps; use the checkout action block in the workflow as the
location to make this change.

In `@docker-compose.yml`:
- Around line 21-28: Redis is being exposed to the host without authentication
and with an unpinned image tag. Update the redis service in docker-compose.yml
to remove the host port mapping unless it is strictly required, keep access
internal to scoi-network, and replace redis:latest with a fixed version tag. If
external access is still needed, add Redis authentication via requirepass and
ensure the relevant service configuration handles it.

In `@Dockerfile`:
- Around line 1-7: The Dockerfile currently runs the container as root because
there is no USER switch. Update the image setup to create or use a non-root
account and add a USER directive before the ENTRYPOINT so the app runs with
least privilege. Use the existing Dockerfile instructions around WORKDIR, COPY,
and ENTRYPOINT to place the user change in the right spot.

---

Outside diff comments:
In `@src/main/java/com/example/scoi/global/config/SecurityConfig.java`:
- Around line 34-41: The PUBLIC_ENDPOINTS list in SecurityConfig is too broad
because it exposes every current and future actuator endpoint through
"/actuator/**"; tighten this by replacing the wildcard with only the specific
actuator paths that must remain public, such as health or prometheus. Update the
endpoint whitelist in SecurityConfig so the security rules only permit the
intended actuator endpoints and keep all others protected.

---

Nitpick comments:
In @.github/workflows/cd.yml:
- Around line 53-58: The Docker publish step in the workflow only tags images as
latest, which makes rollout tracking and rollback hard. Update the
docker/build-push-action@v5 configuration in the build-and-push job to add an
immutable tag alongside latest, such as the commit SHA from the workflow
context, so each build can be uniquely identified and referenced later. Use the
existing Docker image tag setup in the workflow and extend the tags field rather
than replacing latest.

In `@docker-compose.yml`:
- Around line 13-14: The backend can start before Redis is actually ready
because depends_on only enforces startup order, so update the docker-compose
configuration to wait for Redis health instead of just container start. Add a
healthcheck to the redis service and then reference that readiness from the
backend service’s depends_on so the backend only starts after Redis is healthy.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 970e400d-4564-44d3-a8ae-adfc0b711d6a

📥 Commits

Reviewing files that changed from the base of the PR and between b8f03a7 and bee2ea5.

📒 Files selected for processing (12)
  • .coderabbit.yaml
  • .github/pull_request_template.md
  • .github/workflows/cd.yml
  • .github/workflows/ci.yml
  • .github/workflows/deploy.yml
  • .gitignore
  • Dockerfile
  • README.md
  • build.gradle
  • docker-compose.yml
  • src/main/java/com/example/scoi/global/config/SecurityConfig.java
  • src/main/java/com/example/scoi/global/config/SwaggerConfig.java
💤 Files with no reviewable changes (1)
  • .github/workflows/deploy.yml

Comment thread .coderabbit.yaml Outdated
Comment thread .github/workflows/cd.yml
Comment thread .github/workflows/cd.yml
Comment thread .github/workflows/cd.yml
Comment thread .github/workflows/ci.yml
Comment thread .github/workflows/ci.yml
Comment thread .github/workflows/ci.yml
Comment thread docker-compose.yml
Comment thread Dockerfile
@rlawngjs0313 rlawngjs0313 merged commit 5c6949c into main Jul 2, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants