f-lab-edu · chan99k · Dec 9, 2025 · Dec 8, 2025 · Dec 8, 2025 · Dec 8, 2025
diff --git a/.github/auto-assign.yml b/.github/auto-assign.yml
@@ -0,0 +1,21 @@
+# Auto Assign Configuration
+# https://github.com/kentaro-m/auto-assign-action
+
+# 리뷰어 자동 할당
+addReviewers: true
+reviewers:
+# 리뷰어 목록 (GitHub username)
+# - reviewer1
+# - reviewer2
+
+# 랜덤으로 선택할 리뷰어 수 (0 = 모두 할당)
+numberOfReviewers: 0
+
+# PR 작성자를 리뷰어에서 제외
+skipKeywords:
+  - wip
+  - WIP
+  - draft
+
+# Assignee 자동 할당
+addAssignees: author
diff --git a/.github/workflows/_build.yml b/.github/workflows/_build.yml
@@ -0,0 +1,156 @@
+# Reusable Build Workflow
+# 다른 워크플로우에서 workflow_call로 호출하여 재사용
+
+name: Reusable Build
+
+on:
+  # workflow_call: 다른 워크플로우에서 "uses: ./.github/workflows/_build.yml"로 호출 가능하게 함
+  workflow_call:
+    # inputs: 호출하는 워크플로우에서 전달할 수 있는 매개변수 정의
+    inputs:
+      java-version:
+        description: 'Java version to use'
+        required: false
+        default: '17'
+        type: string
+      run-tests:
+        description: 'Run tests'
+        required: false
+        default: true
+        type: boolean
+      generate-coverage:
+        description: 'Generate Jacoco coverage report'
+        required: false
+        default: true
+        type: boolean
+      publish-build-scan:
+        description: 'Publish Gradle Build Scan'
+        required: false
+        default: true
+        type: boolean
+    # secrets: 호출하는 워크플로우에서 전달할 시크릿 정의
+    secrets:
+      SLACK_WEBHOOK_URL:
+        description: 'Slack Incoming Webhook URL for notifications'
+        required: false
+    # outputs: 이 워크플로우의 결과를 호출한 워크플로우에 반환
+    outputs:
+      build-outcome:
+        description: 'Build outcome (success/failure)'
+        # jobs.build.outputs.outcome 값을 외부로 노출
+        value: ${{ jobs.build.outputs.outcome }}
+      build-scan-url:
+        description: 'Gradle Build Scan URL'
+        value: ${{ jobs.build.outputs.build-scan-url }}
+
+jobs:
+  build:
+    name: Build & Test
+    runs-on: ubuntu-latest
+    # outputs: 이 job의 결과를 다른 job이나 워크플로우에서 참조 가능하게 함
+    outputs:
+      outcome: ${{ steps.build.outcome }}
+      build-scan-url: ${{ steps.gradle-build.outputs.build-scan-url }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          # fetch-depth: 0 = 전체 히스토리 가져옴 (SonarCloud 분석에 필요)
+          fetch-depth: 0
+
+      - name: Set up JDK ${{ inputs.java-version }}
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: ${{ inputs.java-version }}
+          # cache: gradle = ~/.gradle/caches 디렉토리를 자동으로 캐싱하여 빌드 속도 향상
+          cache: gradle
+
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@v4
+        with:
+          # build-scan-publish: true = Gradle Build Scan을 scans.gradle.com에 발행
+          # Build Scan은 빌드 성능, 의존성, 테스트 결과 등 상세 정보를 웹에서 확인 가능
+          build-scan-publish: ${{ inputs.publish-build-scan }}
+          build-scan-terms-of-use-url: "https://gradle.com/help/legal-terms-of-use"
+          build-scan-terms-of-use-agree: "yes"
+
+      - name: Grant execute permission
+        run: chmod +x gradlew
+
+      - name: Build
+        # id: gradle-build = Build Scan URL을 outputs로 가져오기 위해 필요
+        id: gradle-build
+        # generate-coverage가 true면 'jacocoAggregatedReport' 추가, false면 빈 문자열
+        run: ./gradlew clean build --parallel ${{ inputs.generate-coverage && 'jacocoAggregatedReport' || '' }}
+
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: build-artifacts
+          # path: | = 여러 경로를 멀티라인으로 지정
+          # **/build/classes/ = 모든 하위 디렉토리의 build/classes 폴더
+          path: |
+            **/build/classes/
+            **/build/resources/
+            **/build/libs/
+          # retention-days: 1 = 아티팩트 보관 기간 (1일 후 자동 삭제)
+          retention-days: 1
+
+      - name: Upload Jacoco report
+        # if: 조건부 실행 - generate-coverage가 true일 때만 실행
+        if: inputs.generate-coverage
+        uses: actions/upload-artifact@v4
+        with:
+          name: jacoco-report
+          path: |
+            build/reports/jacoco/aggregated/
+            **/build/reports/jacoco/test/
+          retention-days: 14
+
+      - name: Upload test results
+        # always(): 이전 step이 실패해도 항상 실행 (테스트 실패 시에도 결과 업로드)
+        # inputs.run-tests && always(): 테스트 실행했을 때만 + 항상 실행
+        if: inputs.run-tests && always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: test-results
+          path: '**/build/test-results/'
+          retention-days: 7
+
+      # Slack 알림 (빌드 실패 시 또는 Build Scan URL 공유)
+      - name: Notify Slack on failure
+        # secrets.SLACK_WEBHOOK_URL이 설정되어 있고 빌드 실패 시에만 실행
+        if: failure() && secrets.SLACK_WEBHOOK_URL != ''
+        uses: slackapi/[email protected]
+        with:
+          # webhook: Slack Incoming Webhook URL
+          webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
+          webhook-type: incoming-webhook
+          # payload: Slack 메시지 JSON 형식
+          payload: |
+            {
+              "text": "빌드 실패",
+              "blocks": [
+                {
+                  "type": "section",
+                  "text": {
+                    "type": "mrkdwn",
+                    "text": "*빌드 실패*\n*Repository:* ${{ github.repository }}\n*Branch:* ${{ github.ref_name }}\n*Commit:* `${{ github.sha }}`"
+                  }
+                },
+                {
+                  "type": "section",
+                  "fields": [
+                    {
+                      "type": "mrkdwn",
+                      "text": "*Build Scan:*\n${{ steps.gradle-build.outputs.build-scan-url || 'N/A' }}"
+                    },
+                    {
+                      "type": "mrkdwn",
+                      "text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View Run>"
+                    }
+                  ]
+                }
+              ]
+            }
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,73 @@
+# CI Pipeline
+# 브랜치 푸시 시 빠른 검증 (빌드, 테스트, 보안 스캔)
+# 목표: 5분 이내 피드백
+name: CI
+
+on:
+  push:
+    branches:
+      - develop
+      - main
+    # 태그는 release.yml에서 처리
+    tags-ignore:
+      - '**'
+
+jobs:
+  # 1. 빌드 및 테스트
+  build:
+    name: Build & Test
+    uses: ./.github/workflows/_build.yml
+    with:
+      java-version: '17'
+      run-tests: true
+      generate-coverage: true
+      publish-build-scan: true
+    secrets:
+      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+
+  # 2. 의존성 그래프 및 보안 스캔
+  security-scan:
+    name: Security Scan
+    needs: [ build ]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      security-events: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up JDK 17
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: 17
+          cache: gradle
+
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@v4
+
+      # GitHub Dependency Graph에 의존성 정보 제출
+      # Security > Dependabot alerts에서 취약점 확인 가능
+      - name: Submit Dependency Graph
+        uses: gradle/actions/dependency-submission@v4
+        with:
+          build-scan-publish: true
+          build-scan-terms-of-use-url: "https://gradle.com/help/legal-terms-of-use"
+          build-scan-terms-of-use-agree: "yes"
+
+      # 소스 코드 취약점 스캔 (develop 브랜치에서만)
+      - name: Code Vulnerability Scan
+        if: github.ref_name == 'develop'
+        uses: anchore/scan-action@v3
+        id: scan
+        with:
+          path: "${{ github.workspace }}"
+          fail-build: false
+          severity-cutoff: high
+
+      - name: Upload Vulnerability Report
+        if: github.ref_name == 'develop' && failure()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
diff --git a/.github/workflows/commit-stage.yml b/.github/workflows/commit-stage.yml