fix(network): Correct listener rule condition and add outputs

- Fix ElasticLoadBalancingV2ListenerRuleForgejo condition format - Add ListenerRuleForgejoArn output export - Update TargetGroupArn description to specify "blue" target group - Update Skill.md documentation for commit message format guidelines
fix(ecs): Improve health check and deployment configuration
2026-01-10 19:40:42 +09:00 · 2026-01-10 19:40:06 +09:00 · 2026-01-10 19:39:15 +09:00
5 changed files with 117 additions and 12 deletions
--- a/.github/skills/commit-message-generator/SKILL.md
+++ b/.github/skills/commit-message-generator/SKILL.md
@ -6,6 +6,7 @@ description: Generate appropriate commit messages based on Git diffs
 ## Prerequisites
 - This Skill retrieves Git diffs and suggests meaningful commit messages
 - Message format should follow Conventional Commits
+- Commit messages should have a one-line Conventional Commits header, an optional blank second line, and from the third line onward include a bulleted list summarizing the changes
 - Commit messages should be in English
 - **Never perform Git commit or Git push**

--- a/ci/buildspec.yml
+++ b/ci/buildspec.yml
@ -16,3 +16,6 @@ phases:
      - set -e
      - docker push ${REPOSITORY_URI}:${GIT_TAG}
      - docker push ${REPOSITORY_URI}:latest
+      - printf '[{"name":"forgejo","imageUri":"%s"}]' $REPOSITORY_URI:$GIT_TAG > imagedefinitions.json
+artifacts:
+    files: imagedefinitions.json
--- a/infra/cfn/forgejo-cl.yaml
+++ b/infra/cfn/forgejo-cl.yaml
@ -10,6 +10,10 @@ Parameters:
    Type: String
    Default: forgejo-source.zip

+  ArtifactBucketName:
+    Type: String
+    Default: forgejo-artifact-bucket
+
  ForgejoRepositoryName:
    Type: String
    Default: forgejo-repository
@ -29,12 +33,49 @@ Resources:
        EventBridgeConfiguration:
          EventBridgeEnabled: true

+  ArtifactBucket:
+    Type: AWS::S3::Bucket
+    Properties:
+      BucketName: !Sub "${AWS::Region}-${AWS::AccountId}-${ArtifactBucketName}"
+      Tags:
+        - Key: Project
+          Value: Git-server
+      VersioningConfiguration:
+        Status: Enabled
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: AES256
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: true
+        BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
+
  ForgejoRepository:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: !Ref ForgejoRepositoryName
      ImageScanningConfiguration:
        ScanOnPush: true
+      LifecyclePolicy:
+        LifecyclePolicyText: |
+          {
+            "rules": [
+              {
+                "rulePriority": 1,
+                "description": "Expire images to keep maximum 5",
+                "selection": {
+                  "tagStatus": "any",
+                  "countType": "imageCountMoreThan",
+                  "countNumber": 5
+                },
+                "action": {
+                  "type": "expire"
+                }
+              }
+            ]
+          }

  CodeBuildRole:
    Type: AWS::IAM::Role
@ -76,8 +117,8 @@ Resources:
                  - s3:PutObject
                  - s3:ListBucket
                Resource:
-                  - !Sub "arn:aws:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket"
-                  - !Sub "arn:aws:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket/*"
+                  - !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${ArtifactBucketName}"
+                  - !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${ArtifactBucketName}/*"
                  - !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${SourceBucketName}"
                  - !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${SourceBucketName}/*"

@ -127,8 +168,8 @@ Resources:
                  - s3:GetBucketLocation
                  - s3:GetBucketVersioning
                Resource:
-                  - !Sub "arn:aws:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket"
-                  - !Sub "arn:aws:s3:::codebuild-${AWS::Region}-${AWS::AccountId}-input-bucket/*"
+                  - !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${ArtifactBucketName}"
+                  - !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${ArtifactBucketName}/*"
                  - !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${SourceBucketName}"
                  - !Sub "arn:aws:s3:::${AWS::Region}-${AWS::AccountId}-${SourceBucketName}/*"
              - Effect: Allow
@ -143,6 +184,41 @@ Resources:
                  - codepipeline:PutApprovalResult
                  - codepipeline:StartPipelineExecution
                Resource: !Sub "arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:*"
+              - Sid: TaskDefinitionPermissions
+                Effect: Allow
+                Action:
+                  - ecs:DescribeTaskDefinition
+                  - ecs:RegisterTaskDefinition
+                Resource:
+                  - "*"
+              - Sid: ECSServicePermissions
+                Effect: Allow
+                Action:
+                  - ecs:DescribeServices
+                  - ecs:UpdateService
+                Resource:
+                  - !Sub "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:service/*/*"
+              - Sid: ECSTagResource
+                Effect: Allow
+                Action:
+                  - ecs:TagResource
+                Resource:
+                  - !Sub "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/*:*"
+                Condition:
+                  StringEquals:
+                    ecs:CreateAction:
+                      - RegisterTaskDefinition
+              - Sid: IamPassRolePermissions
+                Effect: Allow
+                Action:
+                  - iam:PassRole
+                Resource:
+                  - !Sub "arn:aws:iam::${AWS::AccountId}:role/*"
+                Condition:
+                  StringEquals:
+                    iam:PassedToService:
+                      - ecs.amazonaws.com
+                      - ecs-tasks.amazonaws.com

  ForgejoPipeline:
    Type: AWS::CodePipeline::Pipeline
@ -151,7 +227,7 @@ Resources:
      RoleArn: !GetAtt CodePipelineRole.Arn
      ArtifactStore:
        Type: S3
-        Location: !Sub "codebuild-ap-northeast-1-${AWS::AccountId}-input-bucket"
+        Location: !Ref ArtifactBucket
      Stages:
        - Name: Source
          Actions:
@ -177,8 +253,23 @@ Resources:
                Version: "1"
              InputArtifacts:
                - Name: SourceOutput
+              OutputArtifacts:
+                - Name: BuildOutput
              Configuration:
                ProjectName: !Ref ForgejoBuildProject
+        - Name: Deploy
+          Actions:
+            - Name: DeployECS
+              ActionTypeId:
+                Category: Deploy
+                Owner: AWS
+                Provider: ECS
+                Version: "1"
+              InputArtifacts:
+                - Name: BuildOutput
+              Configuration:
+                ClusterName: my-forgejo-cluster
+                ServiceName: forgejo-service

  S3SourceChangeRule:
    Type: AWS::Events::Rule
--- a/infra/cfn/forgejo-ecs-service.yaml
+++ b/infra/cfn/forgejo-ecs-service.yaml
@ -35,6 +35,7 @@ Parameters:

 Resources:

+
  ECSService:
    Type: AWS::ECS::Service
    Properties:
@ -56,13 +57,18 @@ Resources:
        - TargetGroupArn: !ImportValue forgejo-network-TargetGroupArn
          ContainerName: forgejo
          ContainerPort: 3000
-      HealthCheckGracePeriodSeconds: 0
+      HealthCheckGracePeriodSeconds: 300
+      DeploymentController:
+        Type: ECS
      DeploymentConfiguration:
+        Strategy: ROLLING
        MaximumPercent: 100
        MinimumHealthyPercent: 0
-        DeploymentCircuitBreaker:
-          Enable: true
+        Alarms:
+          AlarmNames:
+            - myAlarm
          Rollback: true
+          Enable: true
      SchedulingStrategy: REPLICA
      EnableECSManagedTags: true
      PropagateTags: TASK_DEFINITION
--- a/infra/cfn/forgejo-network.yaml
+++ b/infra/cfn/forgejo-network.yaml
@ -70,9 +70,7 @@ Resources:
            Weight: 1
      Priority: 1
      Conditions:
-      - Values:
-        - "git.n-daisuke897.com"
-        HostHeaderConfig:
+      - HostHeaderConfig:
          Values:
          - "git.n-daisuke897.com"
        Field: "host-header"
@ -81,7 +79,13 @@ Resources:
 Outputs:

  TargetGroupArn:
-    Description: ARN of the Forgejo target group
+    Description: ARN of the Forgejo blue target group
    Value: !Ref ElasticLoadBalancingV2TargetGroupForgejo
    Export:
      Name: !Sub "${AWS::StackName}-TargetGroupArn"
+
+  ListenerRuleForgejoArn:
+    Description: ARN of the Forgejo listener rule
+    Value: !GetAtt ElasticLoadBalancingV2ListenerRuleForgejo.RuleArn
+    Export:
+      Name: !Sub "${AWS::StackName}-ListenerRuleForgejoArn"