Update deploy.yml : EC2 호스트 키 검증하도록 설정 #71
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Deploy to GCP | |
| on: | |
| push: | |
| branches: | |
| - Master | |
| workflow_dispatch: | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Set up JDK 21 | |
| uses: actions/setup-java@v3 | |
| with: | |
| java-version: '21' | |
| distribution: 'adopt' | |
| - name : Override APPLICATION PROPERTIES | |
| run : echo "${{ secrets.APPLICATION_PROPERTIES }}" > ./src/main/resources/application.properties | |
| - name: Configure Production Properties | |
| run: | | |
| touch ./src/main/resources/application-prod.properties | |
| echo "${{ secrets.APPLICATION_PROD_PROPERTIES }}" > ./src/main/resources/application-prod.properties | |
| - name: Configure GCS Properties | |
| run: | | |
| touch ./src/main/resources/application-gcs.properties | |
| echo "${{ secrets.APPLICATION_GCS_PROPERTIES }}" > ./src/main/resources/application-gcs.properties | |
| - name: Configure Test Properties | |
| run: | | |
| touch ./src/main/resources/application-test.properties | |
| echo "${{ secrets.APPLICATION_TEST_PROPERTIES }}" > ./src/main/resources/application-test.properties | |
| - name: gradlew에 실행 권한 부여 | |
| run: chmod +x ./gradlew | |
| - name: 배포 파일 생성 | |
| run: ./gradlew bootJar | |
| - name: Upload JAR file | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: team18-be-jar | |
| path: build/libs/team18-be-0.0.1-SNAPSHOT.jar | |
| deploy: | |
| runs-on: ubuntu-latest | |
| needs: build | |
| steps: | |
| - name: Download JAR file | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: team18-be-jar | |
| - name: Authenticate with GCP | |
| uses: google-github-actions/auth@v1 | |
| with: | |
| credentials_json: "${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}" | |
| - name: Set up Google Cloud SDK | |
| uses: google-github-actions/setup-gcloud@v1 | |
| with: | |
| project_id: ${{ secrets.GCP_PROJECT_ID }} | |
| - name: Get GitHub Actions Runner IP | |
| id: get_ip | |
| run: | | |
| echo $(curl -s https://api64.ipify.org) > RUNNER_IP.txt | |
| - name: Add GitHub Actions IP to GCP Firewall | |
| run: | | |
| RUNNER_IP=$(cat RUNNER_IP.txt) | |
| # 기존의 source-ranges 값 가져오기 | |
| EXCLUDE_IPS=$(gcloud compute firewall-rules describe default-allow-ssh --format="get(sourceRanges)" || echo "") | |
| # 세미콜론 제거 | |
| EXCLUDE_IPS=$(echo $EXCLUDE_IPS | sed 's/;/,/g') | |
| # GitHub Actions IP를 추가 | |
| gcloud compute firewall-rules update default-allow-ssh \ | |
| --allow tcp:22 \ | |
| --source-ranges="${EXCLUDE_IPS},${RUNNER_IP}/32" | |
| - name: Configure SSH private key | |
| run: | | |
| touch ./key-hirehigher | |
| echo "${{ secrets.HIREHIGHER_GCP_SSH_KEY }}" > ./key-hirehigher | |
| chmod 600 ./key-hirehigher | |
| - name: Add GCP VM to known_hosts | |
| run: | | |
| mkdir -p ~/.ssh | |
| ssh-keyscan -H "${{ secrets.GCP_VM_IP }}" >> ~/.ssh/known_hosts | |
| - name: Deploy to GCP | |
| run: | | |
| # scp로 VM에 jar 파일 전송 | |
| scp -i ./key-hirehigher ./team18-be-0.0.1-SNAPSHOT.jar hirehigher@${{ secrets.GCP_VM_IP }}:/home/hirehigher/repository | |
| - name: Remove GitHub Actions IP from GCP Firewall | |
| run: | | |
| RUNNER_IP=$(cat RUNNER_IP.txt) | |
| # 기존 firewall 규칙 가져오기 | |
| EXCLUDE_IPS=$(gcloud compute firewall-rules describe default-allow-ssh --format="get(sourceRanges)" || echo "") | |
| # GitHub Actions IP를 제외한 source ranges 설정 | |
| NEW_SOURCE_RANGES=$(echo $EXCLUDE_IPS | sed "s/$RUNNER_IP\/32//g" | sed 's/;/,/g') | |
| # 업데이트된 firewall 규칙 적용 | |
| gcloud compute firewall-rules update default-allow-ssh \ | |
| --source-ranges=$NEW_SOURCE_RANGES | |
| - name: Clean up SSH key | |
| run: rm ./key-hirehigher |