UMC-PRODUCT · kyeoungwoon · Jan 9, 2026 · Jan 8, 2026 · Jan 8, 2026 · Jan 8, 2026
diff --git a/.dockerignore b/.dockerignore
@@ -20,4 +20,7 @@ logs
 **/application-prod.yml
 **/application-dev.yml
 **/application-local.yml
-**/application-*.yml
+**/application-*.yml
+
+!build/libs
+!build/libs/*.jar
diff --git a/.github/workflows/cd-dev.yml b/.github/workflows/cd-dev.yml
@@ -0,0 +1,73 @@
+name: CD [Development]
+
+on:
+  push:
+    branches:
+      - develop
+    paths:
+      - 'src/**'
+      - 'build.gradle.kts'
+      - 'docker/**'
+      - 'cd.yml'
+
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: 'Deploy environment'
+        required: true
+        type: choice
+        options:
+          - dev
+          - prod
+
+jobs:
+  # 1. 공통 빌드/테스트 워크플로우 호출 (ci.yml 재사용)
+  ci-and-build:
+    uses: ./.github/workflows/ci.yml
+    with:
+      environment: ${{ inputs.environment }}
+    secrets: inherit
+
+  # 2. Deploy Job
+  deploy:
+    needs: ci-and-build
+    runs-on: ubuntu-latest
+    # 빌드 단계에서 결정된 환경 사용
+    environment: ${{ needs.ci-and-build.outputs.environment }}
+
+    env:
+      ENVIRONMENT: ${{ needs.ci-and-build.outputs.environment }}
+      REPO_OWNER: ${{ needs.ci-and-build.outputs.repo_owner }}
+      IMAGE_TAG: ${{ needs.ci-and-build.outputs.image_tag }}
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: SSH 접속 및 스크립트 실행
+        uses: appleboy/ssh-action@v1
+        env:
+          APPLICATION_PROD: ${{ secrets.APPLICATION_PROD }}
+          APPLICATION_DEV: ${{ secrets.APPLICATION_DEV }}
+          APPLICATION_SECRET: ${{ secrets.APPLICATION_SECRET }}
+          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+        with:
+          host: ${{ secrets.SERVER_SSH_HOST }}
+          username: ${{ secrets.SERVER_SSH_USERNAME }}
+          key: ${{ secrets.SERVER_SSH_PRIVATE_KEY }}
+          port: ${{ secrets.SERVER_SSH_PORT }}
+          envs: APPLICATION_PROD,APPLICATION_DEV,APPLICATION_SECRET,ENVIRONMENT,IMAGE_TAG,REPO_OWNER,DOCKER_IMAGE_NAME,DOCKERHUB_TOKEN,DOCKERHUB_USERNAME
+          script_path: scripts/cd-dev.sh
+
-      - name: SSH 접속 및 스크립트 실행
-        uses: appleboy/ssh-action@v1
-        env:
-          APPLICATION_PROD: ${{ secrets.APPLICATION_PROD }}
-          APPLICATION_DEV: ${{ secrets.APPLICATION_DEV }}
-          APPLICATION_SECRET: ${{ secrets.APPLICATION_SECRET }}
-          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
-          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
-        with:
-          host: ${{ secrets.SERVER_SSH_HOST }}
-          username: ${{ secrets.SERVER_SSH_USERNAME }}
-          key: ${{ secrets.SERVER_SSH_PRIVATE_KEY }}
-          port: ${{ secrets.SERVER_SSH_PORT }}
-          envs: APPLICATION_PROD,APPLICATION_DEV,APPLICATION_SECRET,ENVIRONMENT,IMAGE_TAG,REPO_OWNER,DOCKER_IMAGE_NAME,DOCKERHUB_TOKEN,DOCKERHUB_USERNAME
-          script_path: scripts/cd-dev.sh
+      - name: SSH 접속 및 스크립트 실행
+        uses: appleboy/ssh-action@v1
+        env:
+          APPLICATION_PROD: ${{ secrets.APPLICATION_PROD }}
+          APPLICATION_DEV: ${{ secrets.APPLICATION_DEV }}
+          APPLICATION_SECRET: ${{ secrets.APPLICATION_SECRET }}
+          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+          DOCKER_IMAGE_NAME: ${{ secrets.DOCKER_IMAGE_NAME }}
+          APP_DIR_PRODUCTION: ${{ secrets.APP_DIR_PRODUCTION }}
+          APP_DIR_DEVELOPMENT: ${{ secrets.APP_DIR_DEVELOPMENT }}
+        with:
+          host: ${{ secrets.SERVER_SSH_HOST }}
+          username: ${{ secrets.SERVER_SSH_USERNAME }}
+          key: ${{ secrets.SERVER_SSH_PRIVATE_KEY }}
+          port: ${{ secrets.SERVER_SSH_PORT }}
+          envs: APPLICATION_PROD,APPLICATION_DEV,APPLICATION_SECRET,ENVIRONMENT,IMAGE_TAG,REPO_OWNER,DOCKER_IMAGE_NAME,DOCKERHUB_TOKEN,DOCKERHUB_USERNAME,APP_DIR_PRODUCTION,APP_DIR_DEVELOPMENT
+          script_path: scripts/cd-dev.sh
-          script_path: scripts/cd-dev.sh
+          script: |
+            bash << 'EOF'
+            # scripts/cd-dev.sh의 내용을 여기에 그대로 붙여넣습니다.
+            # 예: 기존 scripts/cd-dev.sh 파일의 모든 쉘 명령들
+            EOF
-      - name: SSH 접속 및 스크립트 실행
-        uses: appleboy/ssh-action@v1
-        env:
-          APPLICATION_PROD: ${{ secrets.APPLICATION_PROD }}
-          APPLICATION_DEV: ${{ secrets.APPLICATION_DEV }}
-          APPLICATION_SECRET: ${{ secrets.APPLICATION_SECRET }}
-          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
-          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
-        with:
-          host: ${{ secrets.SERVER_SSH_HOST }}
-          username: ${{ secrets.SERVER_SSH_USERNAME }}
-          key: ${{ secrets.SERVER_SSH_PRIVATE_KEY }}
-          port: ${{ secrets.SERVER_SSH_PORT }}
-          envs: APPLICATION_PROD,APPLICATION_DEV,APPLICATION_SECRET,ENVIRONMENT,IMAGE_TAG,REPO_OWNER,DOCKER_IMAGE_NAME,DOCKERHUB_TOKEN,DOCKERHUB_USERNAME
-          script_path: scripts/cd-dev.sh
+      - name: SSH 접속 및 스크립트 실행
+        uses: appleboy/ssh-action@v1
+        env:
+          APPLICATION_PROD: ${{ secrets.APPLICATION_PROD }}
+          APPLICATION_DEV: ${{ secrets.APPLICATION_DEV }}
+          APPLICATION_SECRET: ${{ secrets.APPLICATION_SECRET }}
+          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+          DOCKER_IMAGE_NAME: ${{ secrets.DOCKER_IMAGE_NAME }}
+          APP_DIR_PRODUCTION: ${{ secrets.APP_DIR_PRODUCTION }}
+          APP_DIR_DEVELOPMENT: ${{ secrets.APP_DIR_DEVELOPMENT }}
+        with:
+          host: ${{ secrets.SERVER_SSH_HOST }}
+          username: ${{ secrets.SERVER_SSH_USERNAME }}
+          key: ${{ secrets.SERVER_SSH_PRIVATE_KEY }}
+          port: ${{ secrets.SERVER_SSH_PORT }}
+          envs: APPLICATION_PROD,APPLICATION_DEV,APPLICATION_SECRET,ENVIRONMENT,IMAGE_TAG,REPO_OWNER,DOCKER_IMAGE_NAME,DOCKERHUB_TOKEN,DOCKERHUB_USERNAME,APP_DIR_PRODUCTION,APP_DIR_DEVELOPMENT
+          script_path: scripts/cd-dev.sh
-          script_path: scripts/cd-dev.sh
+          script: |
+            bash << 'EOF'
+            # scripts/cd-dev.sh의 내용을 여기에 그대로 붙여넣습니다.
+            # 예: 기존 scripts/cd-dev.sh 파일의 모든 쉘 명령들
+            EOF
+      - name: Deployment Summary
+        if: always()
+        run: |
+          echo "### Deployment Summary :rocket:" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "- **Environment:** ${{ env.ENVIRONMENT }}" >> $GITHUB_STEP_SUMMARY
+          echo "- **Branch:** ${{ github.ref_name }}" >> $GITHUB_STEP_SUMMARY
+          echo "- **Commit:** ${{ github.sha }}" >> $GITHUB_STEP_SUMMARY
+          echo "- **Image:** ${{ secrets.DOCKER_IMAGE_NAME }}:${{ env.ENVIRONMENT }}-latest" >> $GITHUB_STEP_SUMMARY
+          echo "- **Server:** ${{ secrets.SERVER_SSH_HOST }}" >> $GITHUB_STEP_SUMMARY
+          echo "- **Status:** ${{ job.status }}" >> $GITHUB_STEP_SUMMARY
@@ -0,0 +1,190 @@
+name: CI
+
+on:
+  pull_request:
+    branches:
+      - develop
+      - main
+
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: 'Deploy environment'
+        required: true
+        type: choice
+        options:
+          - dev
+          - prod
+
+  workflow_call:
+    inputs:
+      environment:
+        description: 'Deploy environment (optional)'
+        required: false
+        type: string
+    outputs:
+      environment:
+        description: "Determined environment"
+        value: ${{ jobs.build-and-test.outputs.environment }}
+      repo_owner:
+        description: "Repository owner"
+        value: ${{ jobs.build-and-test.outputs.repo_owner }}
+      image_tag:
+        description: "Docker image tag"
+        value: ${{ jobs.build-and-test.outputs.image_tag }}
+
+concurrency:
+  group: ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true  # 이전 실행 취소
+
+jobs:
+  # Job 1: 빌드 및 테스트 (한 번만 실행)
+  build-and-test:
+    runs-on: self-hosted
+
+    permissions:
+      contents: read
+      checks: write
+      pull-requests: write
+
+    outputs:
+      environment: ${{ steps.set-env.outputs.environment }}
+      repo_owner: ${{ steps.set-env.outputs.repo_owner }}
+      image_tag: ${{ steps.set-env.outputs.image_tag }}
+
+    #    strategy:
+    #      matrix:
+    #        platform: [ linux/amd64, linux/arm64 ]
+    #        include:
+    #          - platform: linux/amd64
+    #            tag-suffix: amd64
+    #          - platform: linux/arm64
+    #            tag-suffix: arm64
-    #    strategy:
-    #      matrix:
-    #        platform: [ linux/amd64, linux/arm64 ]
-    #        include:
-    #          - platform: linux/amd64
-    #            tag-suffix: amd64
-    #          - platform: linux/arm64
-    #            tag-suffix: arm64
+     steps:
-    #    strategy:
-    #      matrix:
-    #        platform: [ linux/amd64, linux/arm64 ]
-    #        include:
-    #          - platform: linux/amd64
-    #            tag-suffix: amd64
-    #          - platform: linux/arm64
-    #            tag-suffix: arm64
+     steps:
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set deployment environment
+        id: set-env
+        run: |
+          INPUT_ENV="${{ inputs.environment }}"
+
+          # PR일 때는 'test' 환경으로 설정
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+            echo "Running in PR mode - Setting test environment for build"
+            ENVIRONMENT="test"
+          elif [[ -n "$INPUT_ENV" ]]; then
+            ENVIRONMENT="$INPUT_ENV"
+          
+          # CD에서 호출한 경우 branch에 따라서 환경 결정
+          elif [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
+            ENVIRONMENT="prod"
+          elif [[ "${{ github.ref }}" == "refs/heads/develop" ]]; then
+            ENVIRONMENT="dev"
+          else
+            ENVIRONMENT="test"
+          fi
+
+          echo "environment=${ENVIRONMENT}" >> $GITHUB_OUTPUT
+
+          REPO_OWNER=$(echo "${{ github.repository_owner }}" | tr '[:upper:]' '[:lower:]')
+          echo "repo_owner=${REPO_OWNER}" >> $GITHUB_OUTPUT
+
+          SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
+          IMAGE_TAG="${ENVIRONMENT}-${SHORT_SHA}"
+          echo "image_tag=${IMAGE_TAG}" >> $GITHUB_OUTPUT
+
+      - name: Setup JDK 21
+        uses: actions/setup-java@v4
+        with:
+          java-version: '21'
+          distribution: 'corretto'
+          cache: gradle
+
+      - name: Grant execute permission for gradlew
+        run: chmod +x gradlew
+
+      - name: Compile Check
+        run: ./gradlew compileJava compileTestJava
+
+      - name: Run Tests
+        run: ./gradlew test
+
+      - name: Publish Test Results
+        uses: EnricoMi/publish-unit-test-result-action@v2
+        if: always()
+        with:
+          files: build/test-results/test/*.xml
+          check_name: "Backend Test Results"
+
+      - name: Build JAR
+        run: ./gradlew bootJar
+
+      - name: Check build artifacts
+        run: |
+          ls -la build/libs/
+          echo "Current directory: $(pwd)"
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
-          context: .
+          context: .
+          # CI용 이미지 빌드를 위해 eclipse-temurin 기반 Dockerfile 사용
+          # (amazoncorretto 기반 docker/app/dockerfile은 런타임/기타 용도로 별도 관리)
-          context: .
+          context: .
+          # CI용 이미지 빌드를 위해 eclipse-temurin 기반 Dockerfile 사용
+          # (amazoncorretto 기반 docker/app/dockerfile은 런타임/기타 용도로 별도 관리)
+          file: docker/app/dockerfile
+          push: true
+          tags: |
+            ${{ secrets.DOCKER_IMAGE_NAME }}:${{ steps.set-env.outputs.image_tag }}
+            ${{ secrets.DOCKER_IMAGE_NAME }}:${{ steps.set-env.outputs.environment }}-latest
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+  # Job 3: Multi-arch manifest 생성
+  create-manifest:
+    needs: [ build-and-test ]
+    runs-on: self-hosted
+    steps:
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Create and push manifest
+        run: |
+          IMAGE_TAG="${{ needs.build-and-test.outputs.image_tag }}"
+          ENVIRONMENT="${{ needs.build-and-test.outputs.environment }}"
+          
+          # 특정 커밋용 manifest 생성
+          docker buildx imagetools create -t ${{ secrets.DOCKER_IMAGE_NAME }}:${IMAGE_TAG} \
+            ${{ secrets.DOCKER_IMAGE_NAME }}:${IMAGE_TAG}-amd64 \
+            ${{ secrets.DOCKER_IMAGE_NAME }}:${IMAGE_TAG}-arm64
+          
+          # 환경별 latest manifest 생성
+          docker buildx imagetools create -t ${{ secrets.DOCKER_IMAGE_NAME }}:${ENVIRONMENT}-latest \
+            ${{ secrets.DOCKER_IMAGE_NAME }}:${IMAGE_TAG}-amd64 \
+            ${{ secrets.DOCKER_IMAGE_NAME }}:${IMAGE_TAG}-arm64
+          
+          echo "✅ Created manifests:"
+          echo "  - ${{ secrets.DOCKER_IMAGE_NAME }}:${IMAGE_TAG}"
+          echo "  - ${{ secrets.DOCKER_IMAGE_NAME }}:${ENVIRONMENT}-latest"
+
+      - name: Build Summary
+        if: always()
+        run: |
+          echo "### Build Summary :package:" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "- **Environment:** ${{ steps.set-env.outputs.environment }}" >> $GITHUB_STEP_SUMMARY
+          echo "- **Image Tag:** ${{ steps.set-env.outputs.image_tag }}" >> $GITHUB_STEP_SUMMARY
-          echo "- **Environment:** ${{ steps.set-env.outputs.environment }}" >> $GITHUB_STEP_SUMMARY
-          echo "- **Image Tag:** ${{ steps.set-env.outputs.image_tag }}" >> $GITHUB_STEP_SUMMARY
+          echo "- **Environment:** ${{ needs.build-and-test.outputs.environment }}" >> $GITHUB_STEP_SUMMARY
+          echo "- **Image Tag:** ${{ needs.build-and-test.outputs.image_tag }}" >> $GITHUB_STEP_SUMMARY
-          echo "- **Environment:** ${{ steps.set-env.outputs.environment }}" >> $GITHUB_STEP_SUMMARY
-          echo "- **Image Tag:** ${{ steps.set-env.outputs.image_tag }}" >> $GITHUB_STEP_SUMMARY
+          echo "- **Environment:** ${{ needs.build-and-test.outputs.environment }}" >> $GITHUB_STEP_SUMMARY
+          echo "- **Image Tag:** ${{ needs.build-and-test.outputs.image_tag }}" >> $GITHUB_STEP_SUMMARY
+          echo "- **Platforms:** linux/amd64, linux/arm64" >> $GITHUB_STEP_SUMMARY
-      - name: Build Summary
-        if: always()
-        run: |
-          echo "### Build Summary :package:" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "- **Environment:** ${{ steps.set-env.outputs.environment }}" >> $GITHUB_STEP_SUMMARY
-          echo "- **Image Tag:** ${{ steps.set-env.outputs.image_tag }}" >> $GITHUB_STEP_SUMMARY
-          echo "- **Platforms:** linux/amd64, linux/arm64" >> $GITHUB_STEP_SUMMARY
+      - name: Build Summary
+        if: always()
+        run: |
+          echo "### Build Summary :package:" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "- **Environment:** ${{ needs.build-and-test.outputs.environment }}" >> $GITHUB_STEP_SUMMARY
+          echo "- **Image Tag:** ${{ needs.build-and-test.outputs.image_tag }}" >> $GITHUB_STEP_SUMMARY
+          echo "- **Platforms:** linux/amd64, linux/arm64" >> $GITHUB_STEP_SUMMARY
-      - name: Build Summary
-        if: always()
-        run: |
-          echo "### Build Summary :package:" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "- **Environment:** ${{ steps.set-env.outputs.environment }}" >> $GITHUB_STEP_SUMMARY
-          echo "- **Image Tag:** ${{ steps.set-env.outputs.image_tag }}" >> $GITHUB_STEP_SUMMARY
-          echo "- **Platforms:** linux/amd64, linux/arm64" >> $GITHUB_STEP_SUMMARY
+      - name: Build Summary
+        if: always()
+        run: |
+          echo "### Build Summary :package:" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "- **Environment:** ${{ needs.build-and-test.outputs.environment }}" >> $GITHUB_STEP_SUMMARY
+          echo "- **Image Tag:** ${{ needs.build-and-test.outputs.image_tag }}" >> $GITHUB_STEP_SUMMARY
+          echo "- **Platforms:** linux/amd64, linux/arm64" >> $GITHUB_STEP_SUMMARY
@@ -11,9 +11,6 @@ application-*.yml
 
 .gradle
 build/
-!gradle/wrapper/gradle-wrapper.jar
-!**/src/main/**/build/
-!**/src/test/**/build/
 
 ### STS ###
 .apt_generated
@@ -33,10 +30,8 @@ bin/
 *.iml
 *.ipr
 
-!**/src/main/**/out/
-!**/src/test/**/out/
 # 빌드 결과물인 out은 무시해야 하나, 소스코드 내에 있는건 지켜야 함
-/out/
+out/
 
 ### NetBeans ###
 /nbproject/private/
@@ -237,3 +232,9 @@ $RECYCLE.BIN/
 *.lnk
 
 # End of https://www.toptal.com/developers/gitignore/api/java,intellij+all,macos,windows,linux
+
+!gradle/wrapper/gradle-wrapper.jar
+!**/src/main/**/build/
+!**/src/test/**/build/
+!**/src/main/**/out/
+!**/src/test/**/out/
@@ -0,0 +1,41 @@
+FROM amazoncorretto:21-alpine
+WORKDIR /app
+
+LABEL maintainer="UMC PRODUCT SERVER TEAM"
+LABEL description="UMC PRODUCT Official SpringBoot Backend Server"
+
+# curl 설치 (헬스체크용) + non-root 유저 생성
+RUN apk add --no-cache curl && \
+    addgroup -S spring && \
+    adduser -S spring -G spring && \
+    mkdir -p /app/logs && \
+    chown -R spring:spring /app
-RUN apk add --no-cache curl && \
-    addgroup -S spring && \
-    adduser -S spring -G spring && \
-    mkdir -p /app/logs && \
-    chown -R spring:spring /app
+RUN apk add --no-cache curl=8.5.0-r0 && \
+    addgroup -S spring && \
+    adduser -S spring -G spring && \
+    mkdir -p /app/logs && \
+    chown -R spring:spring /app
-# curl 설치 (헬스체크용) + non-root 유저 생성
-RUN apk add --no-cache curl && \
-    addgroup -S spring && \
-    adduser -S spring -G spring && \
-    mkdir -p /app/logs && \
-    chown -R spring:spring /app
+# curl 설치 (헬스체크용) + non-root 유저 생성
+RUN apk add --no-cache curl=8.5.0-r0 && \
+    addgroup -S spring && \
+    adduser -S spring -G spring && \
+    mkdir -p /app/logs && \
+    chown -R spring:spring /app
-RUN apk add --no-cache curl && \
-    addgroup -S spring && \
-    adduser -S spring -G spring && \
-    mkdir -p /app/logs && \
-    chown -R spring:spring /app
+RUN apk add --no-cache curl=8.5.0-r0 && \
+    addgroup -S spring && \
+    adduser -S spring -G spring && \
+    mkdir -p /app/logs && \
+    chown -R spring:spring /app
-# curl 설치 (헬스체크용) + non-root 유저 생성
-RUN apk add --no-cache curl && \
-    addgroup -S spring && \
-    adduser -S spring -G spring && \
-    mkdir -p /app/logs && \
-    chown -R spring:spring /app
+# curl 설치 (헬스체크용) + non-root 유저 생성
+RUN apk add --no-cache curl=8.5.0-r0 && \
+    addgroup -S spring && \
+    adduser -S spring -G spring && \
+    mkdir -p /app/logs && \
+    chown -R spring:spring /app
+
+# 이미 build된 jar 파일을 docker 안으로 복사
+COPY --chown=spring:spring build/libs/*.jar app.jar
+RUN chmod 444 app.jar
+
+# 로그 디렉토리 생성 및 권한 설정
+RUN mkdir -p /app/logs && chown -R spring:spring /app/logs
+
+# Switch to non-root user
+USER spring:spring
+
+# Expose application port
+EXPOSE 8080
+
+# JVM options
+ENV JAVA_OPTS="-XX:+UseContainerSupport \
+               -XX:MaxRAMPercentage=75.0 \
+               -XX:+UseG1GC \
+               -XX:+ExitOnOutOfMemoryError \
+               -XX:+HeapDumpOnOutOfMemoryError \
+               -XX:HeapDumpPath=/tmp/heapdump.hprof \
+               -Duser.timezone=Asia/Seoul \
+               -Djava.security.egd=file:/dev/./urandom"
+
+# Use exec form with sh -c so JAVA_OPTS is expanded and signals forwarded
+ENTRYPOINT ["sh", "-c", "exec java $JAVA_OPTS -jar app.jar"]
+
+# Optional healthcheck (uncomment if actuator/health endpoint exists)
+# HEALTHCHECK --interval=30s --timeout=5s CMD curl -f http://localhost:8080/actuator/health || exit 1
-# Optional healthcheck (uncomment if actuator/health endpoint exists)
-# HEALTHCHECK --interval=30s --timeout=5s CMD curl -f http://localhost:8080/actuator/health || exit 1
+HEALTHCHECK --interval=30s --timeout=5s CMD curl -f http://localhost:8080/actuator/health || exit 1
-# Optional healthcheck (uncomment if actuator/health endpoint exists)
-# HEALTHCHECK --interval=30s --timeout=5s CMD curl -f http://localhost:8080/actuator/health || exit 1
+HEALTHCHECK --interval=30s --timeout=5s CMD curl -f http://localhost:8080/actuator/health || exit 1
diff --git a/gradle/wrapper/gradle-wrapper.jar b/gradle/wrapper/gradle-wrapper.jar