✅ [Deploy] v0.5.0 배포#135
Conversation
Feat/#128 CICD 설정 추가
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthroughGitHub Actions 기반 CI/CD 워크플로우와 Docker 실행 구성이 추가되고, CodeRabbit 설정이 도입되었습니다. Actuator/Prometheus 의존성과 공개 경로가 추가되었고, PR 템플릿·README·Swagger 버전 문구가 조정되었습니다. ChangesCI/CD 파이프라인 구축
Actuator 모니터링 노출
CodeRabbit 리뷰 자동화 설정
문서 문구 수정
Estimated code review effort: 3 (Moderate) | ~25 minutes 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 9
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
src/main/java/com/example/scoi/global/config/SecurityConfig.java (1)
34-41: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick winActuator 허용 범위를 더 좁혀주세요.
/actuator/**를 공개하면, 현재/미래에 활성화되는 모든 actuator 엔드포인트가 인증 없이 열립니다.health,prometheus처럼 필요한 경로만 명시적으로 허용하는 쪽이 안전합니다.🔧 제안
- "/actuator/**", // 모니터링 + "/actuator/health", + "/actuator/prometheus",🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/main/java/com/example/scoi/global/config/SecurityConfig.java` around lines 34 - 41, The PUBLIC_ENDPOINTS list in SecurityConfig is too broad because it exposes every current and future actuator endpoint through "/actuator/**"; tighten this by replacing the wildcard with only the specific actuator paths that must remain public, such as health or prometheus. Update the endpoint whitelist in SecurityConfig so the security rules only permit the intended actuator endpoints and keep all others protected.
🧹 Nitpick comments (2)
.github/workflows/cd.yml (1)
53-58: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win이미지 태그가
:latest만 존재하여 롤백/추적이 어려움빌드된 이미지에 커밋 SHA 등 불변 태그를 함께 부여하지 않으면, 배포 이력 추적 및 특정 버전으로의 롤백이 어렵습니다.
🔧 제안 수정
- name: Docker 이미지 빌드 및 푸시 uses: docker/build-push-action@v5 with: context: . push: true - tags: ${{ env.DOCKER_IMAGE_NAME }}:latest + tags: | + ${{ env.DOCKER_IMAGE_NAME }}:latest + ${{ env.DOCKER_IMAGE_NAME }}:${{ github.sha }}🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/cd.yml around lines 53 - 58, The Docker publish step in the workflow only tags images as latest, which makes rollout tracking and rollback hard. Update the docker/build-push-action@v5 configuration in the build-and-push job to add an immutable tag alongside latest, such as the commit SHA from the workflow context, so each build can be uniquely identified and referenced later. Use the existing Docker image tag setup in the workflow and extend the tags field rather than replacing latest.docker-compose.yml (1)
13-14: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick winRedis 준비 상태를 기다리지 않고 백엔드가 시작될 수 있음
depends_on은 컨테이너 시작 순서만 보장할 뿐 Redis가 실제로 요청을 처리할 준비가 되었는지는 보장하지 않습니다. 콜드 스타트 시 백엔드가 Redis 연결에 실패할 수 있습니다.🔧 제안 수정
depends_on: - - redis + redis: + condition: service_healthy그리고
redis서비스에 healthcheck를 추가해야 합니다:redis: image: redis:7-alpine container_name: scoi-redis + healthcheck: + test: ["CMD", "redis-cli", "ping"] + interval: 10s + timeout: 5s + retries: 3🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docker-compose.yml` around lines 13 - 14, The backend can start before Redis is actually ready because depends_on only enforces startup order, so update the docker-compose configuration to wait for Redis health instead of just container start. Add a healthcheck to the redis service and then reference that readiness from the backend service’s depends_on so the backend only starts after Redis is healthy.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.coderabbit.yaml:
- Around line 25-27: 주석의 의도와 `related_issues`/`related_prs` 설정이 맞지 않습니다;
`.coderabbit.yaml`의 관련 링크 설정을 검토해 주석처럼 둘 다 비활성화하려면 `related_prs`도 꺼지도록 맞추고, 반대로
PR 링크를 유지하려는 의도라면 주석 문구를 `related_prs` 활성화에 맞게 수정하세요. `related_issues`와
`related_prs` 항목의 의미가 일치하도록 정리해 설정과 주석이 서로 모순되지 않게 해주세요.
In @.github/workflows/cd.yml:
- Around line 1-13: The workflow in cd.yml is missing an explicit permissions
block, so it relies on the default GITHUB_TOKEN scope; add a minimal permissions
declaration at the workflow or build-and-push job level, using the GitHub
Actions workflow syntax, and keep it restricted to the symbols already present
in this file such as on, env, and build-and-push so the token only has the
needed read access.
- Around line 18-23: The Gradle cache usage in the JDK setup step is too broadly
shared for a trusted deployment job and may allow cache-poisoning from less
trusted workflows. Update the workflow around the actions/setup-java step in
this CD job to avoid sharing the same Gradle cache key with untrusted triggers,
either by disabling cache here or by scoping the cache key so only trusted
workflows can reuse it; verify the job remains safe for Docker Hub push and EC2
deployment.
- Around line 15-16: The checkout step in the CD workflow is leaving Git
credentials persisted, which increases the risk of exposing sensitive secrets
used later in deployment. Update the actions/checkout@v4 step to explicitly
disable credential persistence by setting persist-credentials to false, and keep
the change localized to the checkout job so the rest of the workflow can
continue using the existing deploy-related secrets safely.
In @.github/workflows/ci.yml:
- Around line 9-11: The CI workflow’s build job currently relies on the default
broad GITHUB_TOKEN scope because there is no explicit permissions block. Add a
workflow-level permissions section in the ci workflow and restrict it to the
minimum needed, using symbols like the build job and jobs block as the anchor
point, so the token is explicitly limited to read-only access such as contents:
read.
- Around line 24-28: The Redis service in the CI workflow is using an unpinned
image tag, which can change across runs; update the redis service definition to
use a fixed Redis version instead of redis:latest. Make the change in the
workflow’s redis service block so the image is deterministic and avoids
unpinned-images issues.
- Around line 31-32: The checkout step currently uses actions/checkout@v4
without disabling credential persistence, which can leave GITHUB_TOKEN in the
runner’s git config. Update the checkout configuration to set
persist-credentials to false in the checkout job step so the token is not
retained for later steps; use the checkout action block in the workflow as the
location to make this change.
In `@docker-compose.yml`:
- Around line 21-28: Redis is being exposed to the host without authentication
and with an unpinned image tag. Update the redis service in docker-compose.yml
to remove the host port mapping unless it is strictly required, keep access
internal to scoi-network, and replace redis:latest with a fixed version tag. If
external access is still needed, add Redis authentication via requirepass and
ensure the relevant service configuration handles it.
In `@Dockerfile`:
- Around line 1-7: The Dockerfile currently runs the container as root because
there is no USER switch. Update the image setup to create or use a non-root
account and add a USER directive before the ENTRYPOINT so the app runs with
least privilege. Use the existing Dockerfile instructions around WORKDIR, COPY,
and ENTRYPOINT to place the user change in the right spot.
---
Outside diff comments:
In `@src/main/java/com/example/scoi/global/config/SecurityConfig.java`:
- Around line 34-41: The PUBLIC_ENDPOINTS list in SecurityConfig is too broad
because it exposes every current and future actuator endpoint through
"/actuator/**"; tighten this by replacing the wildcard with only the specific
actuator paths that must remain public, such as health or prometheus. Update the
endpoint whitelist in SecurityConfig so the security rules only permit the
intended actuator endpoints and keep all others protected.
---
Nitpick comments:
In @.github/workflows/cd.yml:
- Around line 53-58: The Docker publish step in the workflow only tags images as
latest, which makes rollout tracking and rollback hard. Update the
docker/build-push-action@v5 configuration in the build-and-push job to add an
immutable tag alongside latest, such as the commit SHA from the workflow
context, so each build can be uniquely identified and referenced later. Use the
existing Docker image tag setup in the workflow and extend the tags field rather
than replacing latest.
In `@docker-compose.yml`:
- Around line 13-14: The backend can start before Redis is actually ready
because depends_on only enforces startup order, so update the docker-compose
configuration to wait for Redis health instead of just container start. Add a
healthcheck to the redis service and then reference that readiness from the
backend service’s depends_on so the backend only starts after Redis is healthy.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro Plus
Run ID: 970e400d-4564-44d3-a8ae-adfc0b711d6a
📒 Files selected for processing (12)
.coderabbit.yaml.github/pull_request_template.md.github/workflows/cd.yml.github/workflows/ci.yml.github/workflows/deploy.yml.gitignoreDockerfileREADME.mdbuild.gradledocker-compose.ymlsrc/main/java/com/example/scoi/global/config/SecurityConfig.javasrc/main/java/com/example/scoi/global/config/SwaggerConfig.java
💤 Files with no reviewable changes (1)
- .github/workflows/deploy.yml
📍 PR 타입 (하나 이상 선택)
❗️ 관련 이슈 링크
Close #
📌 개요
🔁 변경 사항
📸 스크린샷
👀 기타 더 이야기해볼 점
✅ 체크 리스트
Summary by CodeRabbit