Skip to content

fix(ci): restore green main (workflow callers, type errors, coverage, hardening) #24

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
williaby wants to merge 10 commits into
base: main
Choose a base branch
from
Open

fix(ci): restore green main (workflow callers, type errors, coverage, hardening) #24

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
496524c
fix(ci): repair reusable-workflow callers, type errors, and coverage
williaby May 29, 2026
6c9b634
chore(security): harden workflows, pin actions, accurate README
claude May 15, 2026
bcdad33
fix(ci): drop setup-python pip cache from SonarCloud workflow
williaby May 26, 2026
63be743
fix(compliance): cover pre-existing files in REUSE.toml
williaby May 9, 2026
95585f5
fix(compliance): remove unused LICENSE files
williaby May 9, 2026
b76c478
fix(ci): set no-build:false for hatchling on org reusable workflows
williaby May 29, 2026
80dac4d
fix(deps): patch dependency CVEs, fix docs strict build and compat ma…
williaby May 29, 2026
a4ad68c
fix(docker): keep README.md in build context, silence DL3008
williaby May 29, 2026
1b22b47
fix(docker): place hadolint ignore directive immediately before RUN
williaby May 29, 2026
cd3be61
fix(docker)!: migrate to Chainguard Wolfi base for zero-CVE image
williaby May 29, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion .dockerignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -155,7 +155,9 @@ secrets*.json
# Project-Specific
# =============================================================================
# Add project-specific files to ignore
README.md
# NOTE: README.md is intentionally NOT ignored. pyproject.toml declares
# readme = "README.md", so the hatchling build backend requires it in the
# build context, otherwise `uv sync` fails with "Readme file does not exist".
LICENSE
CHANGELOG.md
CONTRIBUTING.md
Expand Down
13 changes: 6 additions & 7 deletions .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,27 +31,26 @@ jobs:
name: CI Pipeline
uses: ByronWilliamsCPA/.github/.github/workflows/python-ci.yml@main
with:
no-build: false # hatchling build backend: editable install must build
python-version: '3.12'
coverage-threshold: 80
source-directory: 'src'
test-directory: 'tests'
enable-sonarcloud: true
sonarcloud-organization: 'ByronWilliamsCPA'
sonarcloud-project-key: 'ByronWilliamsCPA_foundry_unify'
enable-codecov: true
run-integration-tests: true
run-security-tests: true
fail-on-llm-tags: false
secrets:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

ci-gate:
name: CI Gate
runs-on: ubuntu-latest
needs: [ci]
if: always()
steps:
- name: Harden the runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit

- name: Check CI results
run: |
if [ "${{ needs.ci.result }}" != "success" ]; then
Expand Down
5 changes: 5 additions & 0 deletions .github/workflows/codecov.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,11 @@ jobs:
runs-on: ubuntu-latest
if: ${{ github.event.workflow_run.conclusion == 'failure' }}
steps:
- name: Harden the runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit

- name: Report status
run: |
echo "## Coverage Upload Skipped" >> $GITHUB_STEP_SUMMARY
Expand Down
7 changes: 6 additions & 1 deletion .github/workflows/dependency-review.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,11 +24,16 @@ jobs:
name: Dependency Review
runs-on: ubuntu-latest
steps:
- name: Harden the runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
Comment on lines 32 to 33
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot May 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Set persist-credentials: false on checkout.

This job only reads the dependency diff and never pushes, so the GITHUB_TOKEN does not need to persist in .git/config. Disabling persistence reduces the credential-exfiltration surface for the subsequently invoked third-party action.

🛡️ Proposed hardening 
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false

As per coding guidelines for .github/workflows/**: review for "Security best practices (minimal permissions, pinned actions)" and "Proper secret handling".

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 32-33: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/dependency-review.yml around lines 32 - 33, Update the
checkout step that uses
"actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683" to explicitly set
persist-credentials: false so the GITHUB_TOKEN is not written into .git/config;
locate the checkout step (the line with uses: actions/checkout...) in the
workflow and add the persist-credentials: false key under that step to disable
credential persistence for this read-only job.


- name: Dependency Review
uses: actions/dependency-review-action@v4
uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
with:
fail-on-severity: high
# Deny copyleft and restrictive licenses (deny-list approach)
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/docs.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ jobs:
name: Build & Deploy Docs
uses: ByronWilliamsCPA/.github/.github/workflows/python-docs.yml@main
with:
no-build: false # hatchling build backend: editable install must build
python-version: '3.12'
deploy-to-pages: >-
${{
Expand Down
14 changes: 12 additions & 2 deletions .github/workflows/fips-compatibility.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,11 +54,16 @@ jobs:
runs-on: ubuntu-latest

steps:
- name: Harden the runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
Comment on lines 62 to 63
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot May 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Set persist-credentials: false on checkout (applies to both jobs).

Neither fips-check nor fips-runtime-test pushes to the repo, but both execute repository scripts and a github-script step after checkout. Persisting the GITHUB_TOKEN in .git/config is unnecessary and widens the exfiltration surface. The same applies to the checkout in fips-runtime-test at Line 213-214.

🛡️ Proposed hardening (apply to both checkout steps) 
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false

As per coding guidelines for .github/workflows/**: review for "Security best practices (minimal permissions, pinned actions)" and "Proper secret handling".

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 62-63: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/fips-compatibility.yml around lines 62 - 63, Update both
checkout steps that use the pinned actions/checkout invocation (the one shown
and the second at the checkout in the fips-runtime-test job) to disable
persisting the GITHUB_TOKEN by adding persist-credentials: false to the checkout
step inputs; specifically, in the fips-check and fips-runtime-test jobs modify
the checkout step that currently reads "uses:
actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683" to include the
persist-credentials: false key so the GITHUB_TOKEN is not written into
.git/config.


- name: Install uv
uses: astral-sh/setup-uv@v7
uses: astral-sh/setup-uv@2ddd2b9cb38ad8efd50337e8ab201519a34c9f24 # v7.1.1
with:
enable-cache: true

Expand Down Expand Up @@ -200,11 +205,16 @@ jobs:
needs: fips-check

steps:
- name: Harden the runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: Install uv
uses: astral-sh/setup-uv@v7
uses: astral-sh/setup-uv@2ddd2b9cb38ad8efd50337e8ab201519a34c9f24 # v7.1.1
with:
enable-cache: true

Expand Down
1 change: 1 addition & 0 deletions .github/workflows/mutation-testing.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,7 @@ jobs:
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
uses: ByronWilliamsCPA/.github/.github/workflows/python-mutation.yml@main
with:
no-build: false # hatchling build backend: editable install must build
python-version: '3.12'
source-directory: 'src'
test-directory: 'tests'
Expand Down
7 changes: 6 additions & 1 deletion .github/workflows/pr-validation.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,7 +60,7 @@ jobs:
python-version: "3.12"

- name: Install UV
uses: astral-sh/setup-uv@v7
uses: astral-sh/setup-uv@2ddd2b9cb38ad8efd50337e8ab201519a34c9f24 # v7.1.1
with:
enable-cache: true
cache-dependency-glob: "uv.lock"
Expand Down Expand Up @@ -123,6 +123,11 @@ jobs:
needs: [core-validation, dead-code, link-check]
if: always()
steps:
- name: Harden the runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit

- name: Check validation results
run: |
echo "## Dependency & Standards Validation" >> $GITHUB_STEP_SUMMARY
Expand Down
6 changes: 5 additions & 1 deletion .github/workflows/python-compatibility.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,12 +37,16 @@ jobs:
name: Python Compatibility Matrix
uses: ByronWilliamsCPA/.github/.github/workflows/python-compatibility.yml@main
with:
no-build: false # hatchling build backend: editable install must build
python-versions: '["3.10", "3.11", "3.12", "3.13"]'
operating-systems: '["ubuntu-latest"]'
include-macos: true
include-windows: true
source-directory: 'src'
test-command: 'pytest tests/ -v --tb=short -x --ignore=tests/integration --ignore=tests/load -m "not slow and not integration"'
# No -m marker expression: the embedded quotes do not survive the org
# workflow's shell expansion (pytest then reads "slow" as a path). The
# integration/load suites are excluded by path instead.
test-command: 'pytest tests/ -v --tb=short -x --ignore=tests/integration --ignore=tests/load'
Comment on lines +46 to +49
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot May 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find tests marked slow that are outside tests/integration and tests/load.
rg -nP '`@pytest`\.mark\.slow' -g 'tests/**/*.py' \
  -g '!tests/integration/**' -g '!tests/load/**'

Repository: ByronWilliamsCPA/Unify

Length of output: 48

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# 1) Show the workflow around the cited lines and also any prior `-m` usage in the file
echo "---- workflow snippet (.github/workflows/python-compatibility.yml) ----"
nl -ba .github/workflows/python-compatibility.yml | sed -n '1,120p'

# 2) Search for any `-m` expressions mentioning slow/integration in this workflow
echo "---- -m expressions in workflow ----"
rg -n "pytest.*-m|--ignore=tests/integration|--ignore=tests/load|slow|integration" .github/workflows/python-compatibility.yml

# 3) Find slow-marked tests anywhere
echo "---- `@pytest.mark.slow` anywhere under tests ----"
rg -nP '`@pytest`\.mark\.slow' tests/**/*.py || true

# 4) Re-run the original "outside integration/load" query (the earlier run returned exit 1)
echo "---- `@pytest.mark.slow` outside tests/integration and tests/load ----"
rg -nP '`@pytest`\.mark\.slow' -g 'tests/**/*.py' \
  -g '!tests/integration/**' -g '!tests/load/**' || true

Repository: ByronWilliamsCPA/Unify

Length of output: 199

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "---- workflow file head (with line numbers) ----"
cat -n .github/workflows/python-compatibility.yml | sed -n '1,120p'

echo "---- -m / slow / ignore usage in workflow ----"
rg -n "pytest.*-m|--ignore=tests/integration|--ignore=tests/load|slow|integration" .github/workflows/python-compatibility.yml || true

echo "---- `@pytest.mark.slow` anywhere under tests ----"
rg -nP '`@pytest`\.mark\.slow' tests/**/*.py || true

echo "---- `@pytest.mark.slow` outside integration/load dirs ----"
rg -nP '`@pytest`\.mark\.slow' -g 'tests/**/*.py' \
  -g '!tests/integration/**' -g '!tests/load/**' || true

Repository: ByronWilliamsCPA/Unify

Length of output: 2545

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "---- any pytest -m usage mentioning slow/integration in workflows ----"
rg -n "pytest .* -m|pytest.*--ignore=tests/integration|--ignore=tests/load|not slow|slow and not|integration and not" .github/workflows || true

echo "---- references to 'slow' in tests (broader than mark.slow) ----"
rg -n "slow" tests || true

echo "---- pytest marker declarations for slow (pytest.ini/pyproject/etc.) ----"
rg -n "markers:|@?pytest\.mark|slow" pyproject.toml tests . || true

Repository: ByronWilliamsCPA/Unify

Length of output: 26934

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "---- any pytest.mark.slow / mark.slow usage ----"
rg -nP 'pytest\.mark\.slow|mark\.slow' tests/**/*.py || true

echo "---- any -m selections referencing slow in workflows ----"
rg -n "pytest .* -m|pytest.*--ignore|not slow|not slow and|slow and" .github/workflows || true

echo "---- any 'slow' marker selection in repo docs/config (for context) ----"
rg -n "not slow|mark.slow|`@pytest`\.mark\.slow" pyproject.toml tests .github/workflows || true

Repository: ByronWilliamsCPA/Unify

Length of output: 563

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "---- `@pytest.mark.integration` anywhere ----"
rg -nP '`@pytest`\.mark\.integration|pytestmark\s*=\s*pytest\.mark\.integration' tests/**/*.py || true

echo "---- `@pytest.mark.integration` outside tests/integration dir ----"
rg -nP '`@pytest`\.mark\.integration|pytestmark\s*=\s*pytest\.mark\.integration' \
  -g 'tests/**/*.py' \
  -g '!tests/integration/**' \
  || true

Repository: ByronWilliamsCPA/Unify

Length of output: 386

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "---- tests/conftest.py (relevant range) ----"
cat -n tests/conftest.py | sed -n '1,140p'

echo "---- any code that programmatically applies the 'slow' mark ----"
rg -n "add_marker\\(['\"]slow['\"]\\)|mark\\.slow|pytest\\.mark\\.slow|\\bslow\\b.*mark|mark.*\\bslow\\b" tests/**/*.py tests/conftest.py pyproject.toml || true

Repository: ByronWilliamsCPA/Unify

Length of output: 5226

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "---- all occurrences of 'slow' in tests/conftest.py ----"
rg -n "slow" tests/conftest.py || true

echo "---- pytest collection hooks in tests/conftest.py ----"
rg -n "pytest_collection_|add_marker|collect|modifyitems" tests/conftest.py || true

Repository: ByronWilliamsCPA/Unify

Length of output: 296

🏁 Script executed:

#!/bin/bash
set -euo pipefail

cat -n tests/test_example.py | sed -n '150,240p'

Repository: ByronWilliamsCPA/Unify

Length of output: 2455

Fix test selection semantics: --ignore doesn’t replace marker deselection for integration

      # No -m marker expression: the embedded quotes do not survive the org
      # workflow's shell expansion (pytest then reads "slow" as a path). The
      # integration/load suites are excluded by path instead.
      test-command: 'pytest tests/ -v --tb=short -x --ignore=tests/integration --ignore=tests/load'

The workflow no longer uses -m marker filtering, but the repo contains no @pytest.mark.slow tests, so dropping the slow deselection isn’t a concern here. The real change is that integration-marked tests outside tests/integration will now run (e.g., tests/test_example.py), so align the desired selection by either moving those tests under tests/integration or excluding them by path as well.

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/python-compatibility.yml around lines 46 - 49, The
workflow currently runs pytest via the test-command string and only excludes
files by path (--ignore=tests/integration --ignore=tests/load), which lets tests
marked `@pytest.mark.integration` outside tests/integration still run; either move
all integration-marked tests into tests/integration (so the existing --ignore
covers them) or update the test-command to explicitly deselect the marker (e.g.,
invoke pytest with -m "not integration and not load") while ensuring the YAML
quoting preserves the -m argument (adjust the YAML string quoting or use a
multiline/pipe scalar so the embedded quotes survive); locate the test-command
string in the workflow and apply one of these two fixes.

coverage-report: false
fail-fast: false
timeout-minutes: 30
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,7 @@ jobs:
name: Release Pipeline
uses: ByronWilliamsCPA/.github/.github/workflows/python-release.yml@main
with:
no-build: false # hatchling build backend: editable install must build
python-version: '3.12'
coverage-threshold: 80
source-directory: 'src'
Expand Down
10 changes: 10 additions & 0 deletions .github/workflows/reuse.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,11 @@ jobs:
name: Check REUSE Compliance
runs-on: ubuntu-latest
steps:
- name: Harden the runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

Expand All @@ -48,6 +53,11 @@ jobs:
name: Validate License Files
runs-on: ubuntu-latest
steps:
- name: Harden the runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

Expand Down
1 change: 1 addition & 0 deletions .github/workflows/sbom.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@ jobs:
name: SBOM & Security
uses: ByronWilliamsCPA/.github/.github/workflows/python-sbom.yml@main
with:
no-build: false # hatchling build backend: editable install must build
python-version: '3.12'
fail-on-vulnerabilities: true
severity-threshold: 'CRITICAL,HIGH'
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/security-analysis.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,14 +34,14 @@ jobs:
name: Security Scan
uses: ByronWilliamsCPA/.github/.github/workflows/python-security-analysis.yml@main
with:
no-build: false # hatchling build backend: editable install must build
source-directory: 'src'
python-version: '3.12'
fail-on-high: true
fail-on-medium: false
run-codeql: true
run-dependency-review: true
run-bandit: true
run-safety: true
run-osv: true

security-gate-success:
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/slsa-provenance.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,7 @@ jobs:
python-version: "3.12"

- name: Install UV
uses: astral-sh/setup-uv@v7
uses: astral-sh/setup-uv@2ddd2b9cb38ad8efd50337e8ab201519a34c9f24 # v7.1.1
with:
enable-cache: true

Expand Down
13 changes: 11 additions & 2 deletions .github/workflows/sonarcloud.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,11 @@ jobs:
outputs:
has-token: ${{ steps.check.outputs.has-token }}
steps:
- name: Harden the runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit

- name: Check for SONAR_TOKEN
id: check
run: |
Expand All @@ -63,6 +68,11 @@ jobs:
timeout-minutes: 15

steps:
- name: Harden the runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
Expand All @@ -83,7 +93,6 @@ jobs:
uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with:
python-version: '3.12'
cache: 'pip'

- name: Install UV
if: steps.check-code.outputs.has-code == 'true'
Expand Down Expand Up @@ -133,7 +142,7 @@ jobs:
-Dsonar.python.version=3.12

- name: Check Quality Gate
uses: sonarsource/sonarqube-quality-gate-action@master
uses: sonarsource/sonarqube-quality-gate-action@cf038b0e0cdecfa9e56c198bbb7d21d751d62c3b # v1.2.0
timeout-minutes: 5
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
Expand Down
89 changes: 33 additions & 56 deletions Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,41 +1,43 @@
# Multi-stage Dockerfile for Foundry Unify
# Optimized for production with security best practices and minimal image size
# Optimized for production with security best practices and minimal image size.
#
# Both stages use Chainguard's Wolfi-based Python images, which are rebuilt
# continuously and ship with a near-zero CVE surface (no perl, curl, ncurses,
# or other base-OS packages that carry the CVEs debian-slim and distroless do).
# The -dev variant provides a shell and apk for building; the minimal runtime
# has neither. Both pin the same Python version, so the resolved virtual
# environment's interpreter symlink stays valid when copied across stages.

# =============================================================================
# Stage 1: Builder - Install dependencies
# =============================================================================
FROM python:3.12-slim AS builder
# Chainguard python:latest-dev (Wolfi). Digest-pinned for reproducibility and
# to satisfy DL3007; Renovate updates the digest as the image is rebuilt.
FROM cgr.dev/chainguard/python@sha256:ddd3811dcbef56aa9f3882ae16fdc2920174ac6028c12e76cfb64c1d37b7abe2 AS builder

# Set working directory
WORKDIR /app

# Install system dependencies for building Python packages
RUN apt-get update && apt-get install -y --no-install-recommends \
build-essential \
curl \
git \
&& rm -rf /var/lib/apt/lists/*
# Use the image's own Python; never let uv download a standalone interpreter,
# otherwise the venv would reference a path that does not exist in the runtime.
ENV UV_PYTHON=/usr/bin/python \
UV_PYTHON_DOWNLOADS=never \
UV_LINK_MODE=copy

# Install UV for fast dependency management
# Install UV (static binary) for fast dependency management
COPY --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/uv

# Copy dependency files
# Install dependencies first (cached layer), then the project itself
COPY pyproject.toml uv.lock ./

# Install dependencies to a virtual environment
# This creates .venv/ which we'll copy to the final stage
RUN uv sync --frozen --no-dev --no-install-project

# Copy application code
COPY . .

# Install the project itself
RUN uv sync --frozen --no-dev

# =============================================================================
# Stage 2: Runtime - Minimal production image
# Stage 2: Runtime - Minimal Wolfi production image
# =============================================================================
FROM python:3.12-slim
# Chainguard python:latest (Wolfi minimal runtime). Digest-pinned; Renovate
# updates the digest as the image is rebuilt.
FROM cgr.dev/chainguard/python@sha256:30ac20a34bae29023ae54b454e85fedb5cfb7de5f206dc73112bf8b0e3e3e190

# Metadata labels (OCI standard)
LABEL org.opencontainers.image.title="Foundry Unify"
Expand All @@ -46,50 +48,25 @@ LABEL org.opencontainers.image.url="https://github.com/ByronWilliamsCPA/Unify"
LABEL org.opencontainers.image.source="https://github.com/ByronWilliamsCPA/Unify"
LABEL org.opencontainers.image.licenses="MIT"

# Install runtime dependencies only
RUN apt-get update && apt-get install -y --no-install-recommends \
ca-certificates \
curl \
&& rm -rf /var/lib/apt/lists/*

# Security: Create non-root user
RUN groupadd -r appuser && useradd -r -g appuser -u 1000 appuser

# Set working directory
WORKDIR /app

# Copy virtual environment from builder
COPY --from=builder --chown=appuser:appuser /app/.venv /app/.venv

# Copy application code
COPY --chown=appuser:appuser . .
# Chainguard runtime already runs as the unprivileged "nonroot" user (uid 65532).
# Copy the resolved venv and the application source with that ownership.
COPY --from=builder --chown=65532:65532 /app/.venv /app/.venv
COPY --chown=65532:65532 src /app/src

# Set environment variables
ENV PYTHONUNBUFFERED=1 \
PYTHONDONTWRITEBYTECODE=1 \
PATH="/app/.venv/bin:$PATH" \
PYTHONPATH=/app/src

# Switch to non-root user
USER appuser

# Expose port (default for FastAPI/web apps)
EXPOSE 8000
# Health check - adjust endpoint based on your app
HEALTHCHECK --interval=30s --timeout=3s --start-period=40s --retries=3 \
CMD curl -f http://localhost:8000/health/live || exit 1

# Default command - run web server
CMD ["uvicorn", "foundry_unify.main:app", "--host", "0.0.0.0", "--port", "8000"]
# =============================================================================
# Build Arguments (optional, for build-time configuration)
# =============================================================================
# Example:
# ARG BUILD_ENV=production
# ENV ENVIRONMENT=${BUILD_ENV}
# Python-based health check (no curl/shell in the runtime image)
HEALTHCHECK --interval=30s --timeout=3s --start-period=40s --retries=3 \
CMD ["python", "-c", "import urllib.request,sys; sys.exit(0 if urllib.request.urlopen('http://localhost:8000/health/live').status == 200 else 1)"]

# =============================================================================
# Multi-architecture support
# =============================================================================
# Build for multiple platforms:
# docker buildx build --platform linux/amd64,linux/arm64 -t myimage:latest .
# Chainguard python sets ENTRYPOINT ["python"]; clear it so CMD is the full
# invocation, then run uvicorn from the venv.
ENTRYPOINT []
CMD ["python", "-m", "uvicorn", "foundry_unify.main:app", "--host", "0.0.0.0", "--port", "8000"]
Loading
Loading