fix(network): Correct listener rule condition and add outputs

- Fix ElasticLoadBalancingV2ListenerRuleForgejo condition format
- Add ListenerRuleForgejoArn output export
- Update TargetGroupArn description to specify "blue" target group
- Update Skill.md documentation for commit message format guidelines

.github/skills/commit-message-generator/SKILL.md

@@ -6,6 +6,7 @@ description: Generate appropriate commit messages based on Git diffs
 ## Prerequisites
 - This Skill retrieves Git diffs and suggests meaningful commit messages
 - Message format should follow Conventional Commits
+- Commit messages should have a one-line Conventional Commits header, an optional blank second line, and from the third line onward include a bulleted list summarizing the changes
 - Commit messages should be in English
 - **Never perform Git commit or Git push**
 

ci/buildspec.yml

@@ -16,3 +16,6 @@ phases:
       - set -e
       - docker push ${REPOSITORY_URI}:${GIT_TAG}
       - docker push ${REPOSITORY_URI}:latest
+      - printf '[{"name":"forgejo","imageUri":"%s"}]' $REPOSITORY_URI:$GIT_TAG > imagedefinitions.json
+artifacts:
+    files: imagedefinitions.json

infra/cfn/forgejo-cl.yaml

@@ -10,6 +10,10 @@ Parameters:
     Type: String
     Default: forgejo-source.zip
 
+  ArtifactBucketName:
+    Type: String
+    Default: forgejo-artifact-bucket
+
   ForgejoRepositoryName:
     Type: String
     Default: forgejo-repository
@@ -29,12 +33,49 @@ Resources:
         EventBridgeConfiguration:
           EventBridgeEnabled: true
 
+  ArtifactBucket:
+    Type: AWS::S3::Bucket
+    Properties:
+      BucketName: !Sub "${AWS::Region}-${AWS::AccountId}-${ArtifactBucketName}"
+      Tags:
+        - Key: Project
+          Value: Git-server
+      VersioningConfiguration:
+        Status: Enabled
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: AES256
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: true
+        BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
+
   ForgejoRepository:
     Type: AWS::ECR::Repository
     Properties:
       RepositoryName: !Ref ForgejoRepositoryName
       ImageScanningConfiguration:
         ScanOnPush: true
+      LifecyclePolicy:
+        LifecyclePolicyText: |
+          {
+            "rules": [
+              {
+                "rulePriority": 1,
+                "description": "Expire images to keep maximum 5",
+                "selection": {
+                  "tagStatus": "any",
+                  "countType": "imageCountMoreThan",
+                  "countNumber": 5
+                },
+                "action": {
+                  "type": "expire"
+                }
+              }
+            ]
+          }
 
   CodeBuildRole:
     Type: AWS::IAM::Role
@@ -76,8 +117,8 @@ Resources:
                   - s3:PutObject
                   - s3:ListBucket
                 Resource:
-                  - !Sub "arn:aws:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket"
+                  - !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${ArtifactBucketName}"
-                  - !Sub "arn:aws:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket/*"
+                  - !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${ArtifactBucketName}/*"
                   - !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${SourceBucketName}"
                   - !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${SourceBucketName}/*"
 
@@ -127,8 +168,8 @@ Resources:
                   - s3:GetBucketLocation
                   - s3:GetBucketVersioning
                 Resource:
-                  - !Sub "arn:aws:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket"
+                  - !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${ArtifactBucketName}"
-                  - !Sub "arn:aws:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket/*"
+                  - !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${ArtifactBucketName}/*"
                   - !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${SourceBucketName}"
                   - !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${SourceBucketName}/*"
               - Effect: Allow
@@ -143,6 +184,41 @@ Resources:
                   - codepipeline:PutApprovalResult
                   - codepipeline:StartPipelineExecution
                 Resource: !Sub "arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:*"
+              - Sid: TaskDefinitionPermissions
+                Effect: Allow
+                Action:
+                  - ecs:DescribeTaskDefinition
+                  - ecs:RegisterTaskDefinition
+                Resource:
+                  - "*"
+              - Sid: ECSServicePermissions
+                Effect: Allow
+                Action:
+                  - ecs:DescribeServices
+                  - ecs:UpdateService
+                Resource:
+                  - !Sub "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:service/*/*"
+              - Sid: ECSTagResource
+                Effect: Allow
+                Action:
+                  - ecs:TagResource
+                Resource:
+                  - !Sub "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/*:*"
+                Condition:
+                  StringEquals:
+                    ecs:CreateAction:
+                      - RegisterTaskDefinition
+              - Sid: IamPassRolePermissions
+                Effect: Allow
+                Action:
+                  - iam:PassRole
+                Resource:
+                  - !Sub "arn:aws:iam::${AWS::AccountId}:role/*"
+                Condition:
+                  StringEquals:
+                    iam:PassedToService:
+                      - ecs.amazonaws.com
+                      - ecs-tasks.amazonaws.com
 
   ForgejoPipeline:
     Type: AWS::CodePipeline::Pipeline
@@ -151,7 +227,7 @@ Resources:
       RoleArn: !GetAtt CodePipelineRole.Arn
       ArtifactStore:
         Type: S3
-        Location: !Sub "codebuild-ap-northeast-1-${AWS::AccountId}-input-bucket"
+        Location: !Ref ArtifactBucket
       Stages:
         - Name: Source
           Actions:
@@ -177,8 +253,23 @@ Resources:
                 Version: "1"
               InputArtifacts:
                 - Name: SourceOutput
+              OutputArtifacts:
+                - Name: BuildOutput
               Configuration:
                 ProjectName: !Ref ForgejoBuildProject
+        - Name: Deploy
+          Actions:
+            - Name: DeployECS
+              ActionTypeId:
+                Category: Deploy
+                Owner: AWS
+                Provider: ECS
+                Version: "1"
+              InputArtifacts:
+                - Name: BuildOutput
+              Configuration:
+                ClusterName: my-forgejo-cluster
+                ServiceName: forgejo-service
 
   S3SourceChangeRule:
     Type: AWS::Events::Rule

infra/cfn/forgejo-ecs-service.yaml

@@ -35,6 +35,7 @@ Parameters:
 
 Resources:
 
+
   ECSService:
     Type: AWS::ECS::Service
     Properties:
@@ -56,13 +57,18 @@ Resources:
         - TargetGroupArn: !ImportValue forgejo-network-TargetGroupArn
           ContainerName: forgejo
           ContainerPort: 3000
-      HealthCheckGracePeriodSeconds: 0
+      HealthCheckGracePeriodSeconds: 300
+      DeploymentController:
+        Type: ECS
       DeploymentConfiguration:
+        Strategy: ROLLING
         MaximumPercent: 100
         MinimumHealthyPercent: 0
-        DeploymentCircuitBreaker:
+        Alarms:
-          Enable: true
+          AlarmNames:
+            - myAlarm
           Rollback: true
+          Enable: true
       SchedulingStrategy: REPLICA
       EnableECSManagedTags: true
       PropagateTags: TASK_DEFINITION

infra/cfn/forgejo-network.yaml

@@ -70,9 +70,7 @@ Resources:
             Weight: 1
       Priority: 1
       Conditions:
-      - Values:
+      - HostHeaderConfig:
-        - "git.n-daisuke897.com"
-        HostHeaderConfig:
           Values:
           - "git.n-daisuke897.com"
         Field: "host-header"
@@ -81,7 +79,13 @@ Resources:
 Outputs:
 
   TargetGroupArn:
-    Description: ARN of the Forgejo target group
+    Description: ARN of the Forgejo blue target group
     Value: !Ref ElasticLoadBalancingV2TargetGroupForgejo
     Export:
       Name: !Sub "${AWS::StackName}-TargetGroupArn"
+
+  ListenerRuleForgejoArn:
+    Description: ARN of the Forgejo listener rule
+    Value: !GetAtt ElasticLoadBalancingV2ListenerRuleForgejo.RuleArn
+    Export:
+      Name: !Sub "${AWS::StackName}-ListenerRuleForgejoArn"