38 changes: 36 additions & 2 deletions .github/workflows/build-and-deploy.yml
Expand Up @@ -19,8 +19,40 @@
PORT: ${{ vars.PORT }}
RUN_LIVE_PIPELINE_TEST: ${{ vars.RUN_LIVE_PIPELINE_TEST }}
jobs:
validate:
runs-on: ubuntu-latest
env:
GOOGLE_DRIVE_FOLDER_ID: ${{ vars.PARENT_FOLDER_ID }}
GOOGLE_SETTINGS__PROJECT_ID: ${{ secrets.GOOGLE_SETTINGS__PROJECT_ID }}
GOOGLE_SETTINGS__PRIVATE_KEY: ${{ secrets.GOOGLE_SETTINGS__PRIVATE_KEY }}
GOOGLE_SETTINGS__CLIENT_EMAIL: ${{ secrets.GOOGLE_SETTINGS__CLIENT_EMAIL }}
GOOGLE_SETTINGS__PRIVATE_KEY_ID: ${{ secrets.GOOGLE_SETTINGS__PRIVATE_KEY_ID }}
GOOGLE_SETTINGS__CLIENT_ID: ${{ secrets.GOOGLE_SETTINGS__CLIENT_ID }}
GOOGLE_SETTINGS__CLIENT_X509_CERT_URL: ${{ secrets.GOOGLE_SETTINGS__CLIENT_X509_CERT_URL }}
steps:
- name: Checkout code
uses: actions/checkout@v6
- name: Install Python
uses: actions/setup-python@v5
with:
python-version: "3.13"
- name: Install uv
uses: astral-sh/setup-uv@v5
with:
enable-cache: true
- name: Install dependencies
run: uv sync --frozen --all-groups
- name: Check Ruff formatting
run: uv run ruff format --check .
- name: Run Ruff lint
run: uv run ruff check --output-format=github .
- name: Run ty
run: uv run ty check src tests
- name: Run tests
run: uv run pytest -vv
build:

Check warning (Code scanning / CodeQL, Medium): Workflow does not contain permissions. Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
runs-on: ubuntu-latest
needs: validate
steps:
- name: Checkout code
uses: actions/checkout@v6
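Review bot: the job-level `env:` of the new `validate` job hands the complete Google service-account credential set (`GOOGLE_SETTINGS__PRIVATE_KEY`, `GOOGLE_SETTINGS__CLIENT_EMAIL`, and the rest) to every step, including the third-party `actions/setup-python@v5` and `astral-sh/setup-uv@v5` actions, although only the `Run tests` step can need them; the format, lint and `ty` steps never touch Google APIs. Move the `env:` block onto the `Run tests` step, and if the live pipeline test is optional, gate that step on `RUN_LIVE_PIPELINE_TEST` so the credentials are only exposed when they are actually used. The CodeQL annotation attached to the `build:` line applies to this new job as well: the workflow still declares no `permissions:`, so add `permissions: contents: read` at workflow level and widen it per job only where a job genuinely needs more.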
Expand Down Expand Up @@ -50,6 +82,8 @@
${{ secrets.DOCKERHUB_USERNAME }}/purchase-request-site:main-${{ github.sha }}
${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Output image info
run: |
echo "Single deployment tag: ${{ secrets.DOCKERHUB_USERNAME }}/purchase-request-site:main-${{ github.sha }}"
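Review bot: `cache-to: type=gha,mode=max` exports every intermediate layer of the build, not only the final image, so anything copied into an intermediate stage ends up in the repository's Actions cache; confirm `.dockerignore` excludes `.env` files and other local secrets before relying on this. Neither `cache-from` nor `cache-to` sets a `scope`, so this build shares the default cache scope with `docker-build-check.yml`; that is safe, because a workflow run can only restore cache entries written by its own branch, its base branch or the default branch, but an explicit `scope=` on both lines would stop the two workflows from evicting each other's layers.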
Expand All @@ -58,7 +92,7 @@
deploy:
runs-on: ubuntu-latest
needs: build
if: github.event_name == 'pull_request' || (github.ref == 'refs/heads/main' && (github.event_name == 'push' || inputs.deploy == true))
if: github.ref == 'refs/heads/main' && (github.event_name == 'push' || inputs.deploy == true)
steps:
- name: Deploy to server
uses: appleboy/ssh-action@v1.0.3
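Review bot: removing `github.event_name == 'pull_request'` from the `if:` on the `deploy` job is the important fix in this file: before this change, any pull-request run that passed `build` would SSH into the production host and execute the deployment script for unreviewed code, and the remaining gate (`main` push or a manual `inputs.deploy == true`) is what should have been there from the start. Since this step receives `secrets.SSH_KEY` as an input, also pin `appleboy/ssh-action@v1.0.3` to a full commit SHA instead of a mutable tag.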
Expand All @@ -67,7 +101,7 @@
username: ${{ secrets.USERNAME }}
key: ${{ secrets.SSH_KEY }}
command_timeout: 20m
debug: true
debug: false
script: |
cd /home/raj/purchase-request-site
echo "Starting deployment for commit: ${{ github.sha }}"
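Review bot: `debug: false` is the right setting for a step that holds `secrets.SSH_KEY`: debug mode makes the action write verbose connection diagnostics into the job log, and while GitHub masks registered secret values, the host, user and remote path (`/home/raj/purchase-request-site`) are not masked. If earlier runs with `debug: true` are still retained, consider deleting those job logs.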
40 changes: 12 additions & 28 deletions .github/workflows/ci.yml
Expand Up @@ -6,7 +6,7 @@ on:
branches: [main, master]
workflow_dispatch:
permissions:
contents: write
contents: read
jobs:
build:
runs-on: ubuntu-latest
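Review bot: `contents: write` to `contents: read` is correct now that the auto-commit step is removed from this job (see the next hunk). With the write token, the `push`-triggered workflow ran `ruff format` and `yamlfmt` and committed whatever they produced back to the branch using `GITHUB_TOKEN`, so any tool or dependency that could influence those formatters' output could land a commit on `main` without review; the read-only token removes that path entirely.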
Expand Down Expand Up @@ -36,37 +36,21 @@ jobs:
uses: actions/setup-python@v5
with:
python-version: "3.13"
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install . ruff pytest "ty>=0.0.29"
- name: Format code with Ruff (push only)
if: github.event_name == 'push'
run: ruff format .
- name: Format YAML with yamlfmt (push only)
if: github.event_name == 'push'
run: |
docker run --rm \
-v "${{ github.workspace }}:/workspace" \
ghcr.io/google/yamlfmt:latest \
/workspace
- name: Commit formatting changes (push only)
if: github.event_name == 'push'
uses: stefanzweifel/git-auto-commit-action@v5
- name: Install uv
uses: astral-sh/setup-uv@v5
with:
commit_message: "style: format code with ruff and yamlfmt"
- name: Check Ruff formatting (pull request only)
if: github.event_name == 'pull_request'
run: ruff format --check .
enable-cache: true
- name: Install dependencies
run: uv sync --frozen --all-groups
- name: Check Ruff formatting
run: uv run ruff format --check .
- name: Run Ruff lint
run: ruff check --output-format=github .
run: uv run ruff check --output-format=github .
Comment on lines +43 to +48

Contributor

Action required

1. Ruff missing from lockfile 🐞 Bug ≡ Correctness

ci.yml and the new build-and-deploy.yml validation job run `uv run ruff ...` after `uv sync --frozen`, but ruff is not declared in pyproject.toml nor present in uv.lock, so these steps will fail and block CI and production builds.
Agent Prompt
## Issue description
GitHub Actions now installs Python tooling via `uv sync --frozen --all-groups`, but the workflow then runs `uv run ruff ...`. Since `ruff` is not declared as a dependency group entry (and therefore is not in `uv.lock`), `uv run ruff` will fail and block CI and the production validation gate.

## Issue Context
- `uv sync --frozen` will not resolve/install packages that are not already in the lockfile.
- `ruff` currently appears only as configuration (`[tool.ruff]`), not as an installable dependency.

## Fix Focus Areas
- pyproject.toml[21-26]
- uv.lock[650-673]
- .github/workflows/ci.yml[43-48]
- .github/workflows/build-and-deploy.yml[43-48]

## Expected fix
1. Add `ruff` to a dependency group used by CI (e.g., `[dependency-groups].dev`).
2. Regenerate the lockfile (e.g., `uv lock`) and commit the updated `uv.lock`.
3. Keep the workflows as-is (`uv sync --frozen --all-groups` + `uv run ruff ...`).


- name: Run ty
run: ty check src tests
run: uv run ty check src tests
- name: Run tests
run: pytest -vv
# Check YAML formatting (pull request only)
- name: Check YAML formatting (pull request only)
if: github.event_name == 'pull_request'
run: uv run pytest -vv
- name: Check YAML formatting
run: |
docker run --rm \
-v "${{ github.workspace }}:/workspace" \
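Review bot: the inline comment above flags `ruff`, but the removed line `pip install . ruff pytest "ty>=0.0.29"` shows that `pytest` and `ty` were installed the same ad hoc way, so after the switch to `uv sync --frozen --all-groups` all three must be present in a dependency group in `pyproject.toml` and resolved into `uv.lock`, otherwise `uv run ty check src tests` and `uv run pytest -vv` fail for the same reason. `--frozen` is the right flag here: it refuses to modify the lockfile, so CI fails loudly on drift between `pyproject.toml` and `uv.lock` instead of silently resolving new versions. The removed `push`-only step pulled `ghcr.io/google/yamlfmt:latest`; if the retained `Check YAML formatting` step still does (its image line is below the fold here), pin that image to a version tag or a digest so a new upstream release cannot change what CI enforces.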
10 changes: 9 additions & 1 deletion .github/workflows/docker-build-check.yml
Expand Up @@ -8,5 +8,13 @@ jobs:
steps:
- name: Checkout Repo in .venv
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build Docker image
run: docker build -t purchase-request-site:${{ github.sha }} .
uses: docker/build-push-action@v6
with:
context: .
push: false
tags: purchase-request-site:${{ github.sha }}
cache-from: type=gha
cache-to: type=gha,mode=max
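Review bot: this workflow still checks out with `actions/checkout@v4` while `build-and-deploy.yml` moved to `@v6`, and the step name `Checkout Repo in .venv` describes nothing the step does; align the version and rename the step to `Checkout code`. Switching to `docker/build-push-action@v6` with `push: false` is fine as a build gate, and the `type=gha` cache lines match the ones in the deploy workflow, so both builds draw on the same layers.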
5 changes: 2 additions & 3 deletions Dockerfile
Expand Up @@ -28,9 +28,8 @@ COPY pyproject.toml uv.lock ./
RUN uv sync --frozen --no-dev

# Copy Node.js dependencies and install
COPY package.json ./
COPY package-lock.json* ./
RUN npm install
COPY package.json package-lock.json ./
RUN npm ci

# Copy Files for Tailwind CSS Scan + Build
COPY src/templates/ ./src/templates/
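Review bot: `COPY package.json package-lock.json ./` followed by `npm ci` is the right reproducibility fix: the old `package-lock.json*` glob let the build succeed with no lockfile present at all, and `npm install` would then resolve whatever versions were current at build time, whereas `npm ci` requires the lockfile and aborts if it disagrees with `package.json`. If none of the Node dependencies need lifecycle hooks to produce the Tailwind CSS build, add `--ignore-scripts` so that install-time scripts shipped by dependencies cannot run during the image build.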