
Streamline CI/CD pipeline #261

Open
rajpandya737 wants to merge 1 commit into main from fix/streamline-cicd-pipeline

@rajpandya737

Member

Summary

  • add a validation gate before production image build/deploy
  • switch CI from auto-format commits to read-only format/lint/test checks
  • run Python tooling through uv with frozen dependencies
  • add GitHub Actions cache settings for Docker Buildx builds
  • turn off SSH deploy debug logging
  • use npm ci for deterministic frontend dependency installs in the Docker build

Verification

  • uv run ruff format --check .
  • uv run ruff check
  • uv run ty check src tests
  • uv run pytest
  • git diff --check

@qodo-code-review

qodo-code-review Bot commented Jun 8, 2026

Contributor

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0)


Action required

1. Ruff missing from lockfile 🐞 Bug ≡ Correctness
Description
`ci.yml` and the new `build-and-deploy.yml` validation job run `uv run ruff ...` after `uv sync --frozen`, but `ruff` is not declared in `pyproject.toml` nor present in `uv.lock`, so these steps will fail and block CI and production builds.
Code

.github/workflows/ci.yml[R43-48]

+      - name: Install dependencies
+        run: uv sync --frozen --all-groups
+      - name: Check Ruff formatting
+        run: uv run ruff format --check .
      - name: Run Ruff lint
-        run: ruff check --output-format=github .
+        run: uv run ruff check --output-format=github .
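Review bot: Both `uv run ruff ...` steps in this hunk omit `--frozen` or `--locked`, so unlike the `uv sync --frozen --all-groups` step above them they allow uv to re-resolve and update `uv.lock` on the runner when it is stale. For a read-only check, pass `--locked` on the `uv run` lines (or set `UV_FROZEN=1` for the job) so a stale or incomplete lockfile fails the step instead of being changed during the run.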
Evidence
The workflows execute uv run ruff ..., but the project lock/dependency metadata does not include
ruff, so the executable will not exist in the synced environment.

.github/workflows/ci.yml[39-52]
.github/workflows/build-and-deploy.yml[39-52]
pyproject.toml[1-26]
uv.lock[650-673]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
GitHub Actions now installs Python tooling via `uv sync --frozen --all-groups`, but the workflow then runs `uv run ruff ...`. Since `ruff` is not declared as a dependency group entry (and therefore is not in `uv.lock`), `uv run ruff` will fail and block CI and the production validation gate.

## Issue Context
- `uv sync --frozen` will not resolve/install packages that are not already in the lockfile.
- `ruff` currently appears only as configuration (`[tool.ruff]`), not as an installable dependency.

## Fix Focus Areas
- pyproject.toml[21-26]
- uv.lock[650-673]
- .github/workflows/ci.yml[43-48]
- .github/workflows/build-and-deploy.yml[43-48]

## Expected fix
1. Add `ruff` to a dependency group used by CI (e.g., `[dependency-groups].dev`).
2. Regenerate the lockfile (e.g., `uv lock`) and commit the updated `uv.lock`.
3. Keep the workflows as-is (`uv sync --frozen --all-groups` + `uv run ruff ...`).


@qodo-code-review

Contributor

Review Summary by Qodo

Streamline CI/CD pipeline with validation gates and uv tooling

✨ Enhancement


Walkthroughs

Description
• Add validation gate job before production image build/deploy
• Switch CI from auto-format commits to read-only format/lint/test checks
• Run Python tooling through uv with frozen dependencies
• Add GitHub Actions cache settings for Docker Buildx builds
• Turn off SSH deploy debug logging and restrict deploy to main branch
• Use npm ci for deterministic frontend dependency installs
Diagram
flowchart LR
  A["Code Push/PR"] --> B["Validate Job"]
  B --> C["Format & Lint Checks"]
  C --> D["Type Check & Tests"]
  D --> E["Build Job"]
  E --> F["Docker Build with Cache"]
  F --> G["Deploy Job"]
  G --> H["SSH Deploy to Main"]

File Changes

1. .github/workflows/build-and-deploy.yml ✨ Enhancement +36/-2

Add validation gate and Docker cache settings

• Add new validate job that runs format, lint, type, and test checks before build
• Make build job depend on validate job completion
• Add GitHub Actions cache configuration for Docker Buildx (cache-from and cache-to)
• Restrict deploy job to main branch only, removing pull request condition
• Disable SSH debug logging by setting debug: false

.github/workflows/build-and-deploy.yml


2. .github/workflows/ci.yml ✨ Enhancement +12/-28

Switch to read-only CI with uv tooling

• Change permissions from contents: write to contents: read for read-only mode
• Remove auto-format commits on push (ruff format, yamlfmt, git-auto-commit)
• Replace pip with uv for dependency management using frozen lockfile
• Consolidate format checks to run on all events instead of conditional logic
• Remove conditional YAML formatting check for pull requests only

.github/workflows/ci.yml


3. .github/workflows/docker-build-check.yml ✨ Enhancement +9/-1

Upgrade Docker build with Buildx and caching

• Add Docker Buildx setup action for improved build capabilities
• Replace basic docker build command with docker/build-push-action@v6
• Add GitHub Actions cache configuration for Docker builds
• Set push: false to prevent image push in check workflow

.github/workflows/docker-build-check.yml


4. Dockerfile ✨ Enhancement +2/-3

Use npm ci for deterministic installs

• Combine COPY package.json package-lock.json ./ into single line
• Replace npm install with npm ci for deterministic dependency installation

Dockerfile



@qodo-code-review

Contributor

CI Feedback 🧐

A test triggered by this PR failed. Here is an AI-generated analysis of the failure:

Action: build

Failed stage: Check Ruff formatting [❌]

Failed test name: ""

Failure summary:

The action failed during a linting/formatting step because the workflow tried to execute ruff, but the ruff executable was not available on the runner.
- Error shown at log lines 380-381: Failed to spawn: `ruff` caused by No such file or directory (os error 2)
- The job exited with code 2 (line 382), indicating the command could not be started (likely ruff was not installed, not added to PATH, or the step assumed an existing tool installation).

Relevant error logs:
1:  ##[group]Runner Image Provisioner
2:  Hosted Compute Agent
...

365:  GOOGLE_SETTINGS__PRIVATE_KEY: ***
366:  
367:  GOOGLE_SETTINGS__CLIENT_EMAIL: ***
368:  GOOGLE_SETTINGS__PRIVATE_KEY_ID: ***
369:  GOOGLE_SETTINGS__CLIENT_ID: ***
370:  GOOGLE_SETTINGS__CLIENT_X509_CERT_URL: ***
371:  
372:  pythonLocation: /opt/hostedtoolcache/Python/3.13.13/x64
373:  PKG_CONFIG_PATH: /opt/hostedtoolcache/Python/3.13.13/x64/lib/pkgconfig
374:  Python_ROOT_DIR: /opt/hostedtoolcache/Python/3.13.13/x64
375:  Python2_ROOT_DIR: /opt/hostedtoolcache/Python/3.13.13/x64
376:  Python3_ROOT_DIR: /opt/hostedtoolcache/Python/3.13.13/x64
377:  LD_LIBRARY_PATH: /opt/hostedtoolcache/Python/3.13.13/x64/lib
378:  UV_CACHE_DIR: /home/runner/work/_temp/setup-uv-cache
379:  ##[endgroup]
380:  error: Failed to spawn: `ruff`
381:  Caused by: No such file or directory (os error 2)
382:  ##[error]Process completed with exit code 2.
383:  Post job cleanup.

Comment thread .github/workflows/ci.yml
Comment on lines +43 to +48
- name: Install dependencies
run: uv sync --frozen --all-groups
- name: Check Ruff formatting
run: uv run ruff format --check .
- name: Run Ruff lint
run: ruff check --output-format=github .
run: uv run ruff check --output-format=github .
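Review bot: `--all-groups` on the `uv sync --frozen` line installs every dependency group onto the runner, while the steps shown here only invoke `ruff`. Naming the group that carries the CI tooling with `--group <name>` keeps the third-party packages installed in this job to what the checks use; if later steps need more, list those groups explicitly.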


Action required

1. Ruff missing from lockfile 🐞 Bug ≡ Correctness

`ci.yml` and the new `build-and-deploy.yml` validation job run `uv run ruff ...` after `uv sync --frozen`, but `ruff` is not declared in `pyproject.toml` nor present in `uv.lock`, so these steps will fail and block CI and production builds.
Agent Prompt
## Issue description
GitHub Actions now installs Python tooling via `uv sync --frozen --all-groups`, but the workflow then runs `uv run ruff ...`. Since `ruff` is not declared as a dependency group entry (and therefore is not in `uv.lock`), `uv run ruff` will fail and block CI and the production validation gate.

## Issue Context
- `uv sync --frozen` will not resolve/install packages that are not already in the lockfile.
- `ruff` currently appears only as configuration (`[tool.ruff]`), not as an installable dependency.

## Fix Focus Areas
- pyproject.toml[21-26]
- uv.lock[650-673]
- .github/workflows/ci.yml[43-48]
- .github/workflows/build-and-deploy.yml[43-48]

## Expected fix
1. Add `ruff` to a dependency group used by CI (e.g., `[dependency-groups].dev`).
2. Regenerate the lockfile (e.g., `uv lock`) and commit the updated `uv.lock`.
3. Keep the workflows as-is (`uv sync --frozen --all-groups` + `uv run ruff ...`).
