jaalten · jaalten · Mar 7, 2026 · Mar 7, 2026 · Mar 7, 2026 · Mar 7, 2026
diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
@@ -19,6 +19,17 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Install Ruff
+        run: pip install ruff==0.8.4
+
+      - name: Run Ruff
+        run: ruff check app/ tests/
+
   test:
     name: Run Tests
     runs-on: ubuntu-latest
@@ -28,15 +39,42 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Install dependencies
+        run: pip install -r requirements.txt
+
+      - name: Run tests with coverage
+        run: pytest --cov=app --cov-report=term-missing --cov-fail-under=80
+
   build:
     name: Build Docker Image
     runs-on: ubuntu-latest
     needs: [lint, test]
-    if: github.event_name == 'push' || github.event_name == 'release'
     permissions:
       contents: read
-      actions: read
       packages: write
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push Docker image
+        run: |
+          IMAGE=ghcr.io/${GITHUB_REPOSITORY,,}
+          docker build -f docker/Dockerfile -t $IMAGE:latest .
+          docker push $IMAGE:latest
+          if [ "${{ github.event_name }}" == "release" ]; then
+            VERSION=${{ github.event.release.tag_name }}
+            docker tag $IMAGE:latest $IMAGE:$VERSION
+            docker push $IMAGE:$VERSION
+          fi
diff --git a/.github/workflows/markdown2pdf.yml b/.github/workflows/markdown2pdf.yml
@@ -19,7 +19,7 @@ jobs:
 
       - name: Replace links
         run: |
-          cp README.md README_WITH_LINKS.md 
+          cp README.md README_WITH_LINKS.md
           sed -i -e "s#\(^\!\[[^]]\+\](\)\(images/\)#\1$URL/\2#g" README_WITH_LINKS.md
           for file in sources/*; do sed -i -e "s#($file)#($URL/$file)#g" README_WITH_LINKS.md ; done
 
@@ -55,4 +55,4 @@ jobs:
         id: upload-readme-file
         with:
           name: 'README_WITH_LINKS.md'
-          path: README_WITH_LINKS.md
+          path: README_WITH_LINKS.md
diff --git a/.github/workflows/tests_md-urls.yml b/.github/workflows/tests_md-urls.yml
@@ -16,4 +16,4 @@ jobs:
         with:
           file_types: .md,yaml,json
           retry_count: 3
-          exclude_patterns: http://IP:NODE_PORT,http://localhost,http://xxxxxxxxx.compute-1.amazonaws.com,http://IP,http://minikube.test,http://prometheus.monitoring:9090
+          exclude_patterns: http://IP:NODE_PORT,http://localhost,http://xxxxxxxxx.compute-1.amazonaws.com,http://IP,http://minikube.test,http://prometheus.monitoring:9090
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -3,3 +3,31 @@ repos:
     rev: v5.0.0
     hooks:
       - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-added-large-files
+      - id: check-yaml
+        exclude: ^helm/
+
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.8.4
+    hooks:
+      - id: ruff
+        args: [--fix]
+
+  - repo: https://github.com/psf/black-pre-commit-mirror
+    rev: 24.10.0
+    hooks:
+      - id: black
+
+  - repo: https://github.com/PyCQA/bandit
+    rev: 1.9.3
+    hooks:
+      - id: bandit
+        args: ["-c", "pyproject.toml"]
+        exclude: ^tests/
+
+  - repo: https://github.com/Yelp/detect-secrets
+    rev: v1.5.0
+    hooks:
+      - id: detect-secrets
+        args: ["--baseline", ".secrets.baseline"]
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -0,0 +1,210 @@
+{
+  "version": "1.5.0",
+  "plugins_used": [
+    {
+      "name": "ArtifactoryDetector"
+    },
+    {
+      "name": "AWSKeyDetector"
+    },
+    {
+      "name": "AzureStorageKeyDetector"
+    },
+    {
+      "name": "Base64HighEntropyString",
+      "limit": 4.5
+    },
+    {
+      "name": "BasicAuthDetector"
+    },
+    {
+      "name": "CloudantDetector"
+    },
+    {
+      "name": "DiscordBotTokenDetector"
+    },
+    {
+      "name": "GitHubTokenDetector"
+    },
+    {
+      "name": "GitLabTokenDetector"
+    },
+    {
+      "name": "HexHighEntropyString",
+      "limit": 3.0
+    },
+    {
+      "name": "IbmCloudIamDetector"
+    },
+    {
+      "name": "IbmCosHmacDetector"
+    },
+    {
+      "name": "IPPublicDetector"
+    },
+    {
+      "name": "JwtTokenDetector"
+    },
+    {
+      "name": "KeywordDetector",
+      "keyword_exclude": ""
+    },
+    {
+      "name": "MailchimpDetector"
+    },
+    {
+      "name": "NpmDetector"
+    },
+    {
+      "name": "OpenAIDetector"
+    },
+    {
+      "name": "PrivateKeyDetector"
+    },
+    {
+      "name": "PypiTokenDetector"
+    },
+    {
+      "name": "SendGridDetector"
+    },
+    {
+      "name": "SlackDetector"
+    },
+    {
+      "name": "SoftlayerDetector"
+    },
+    {
+      "name": "SquareOAuthDetector"
+    },
+    {
+      "name": "StripeDetector"
+    },
+    {
+      "name": "TelegramBotTokenDetector"
+    },
+    {
+      "name": "TwilioKeyDetector"
+    }
+  ],
+  "filters_used": [
+    {
+      "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
+    },
+    {
+      "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
+      "min_level": 2
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_indirect_reference"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_likely_id_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_lock_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_potential_uuid"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_sequential_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_swagger_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_templated_secret"
+    }
+  ],
+  "results": {
+    "external-services-values/argo-cd-values.yaml": [
+      {
+        "type": "Secret Keyword",
+        "filename": "external-services-values/argo-cd-values.yaml",
+        "hashed_secret": "9f7be9612bc530ef15cfc6ff8e07dad0a3278ea3",
+        "is_verified": false,
+        "line_number": 7
+      }
+    ],
+    "external-services-values/monitoring-values.yaml": [
+      {
+        "type": "Secret Keyword",
+        "filename": "external-services-values/monitoring-values.yaml",
+        "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
+        "is_verified": false,
+        "line_number": 5
+      }
+    ],
+    "helm/fastapi-gitops-starter/example-canary-with-analysis-values.yaml": [
+      {
+        "type": "Secret Keyword",
+        "filename": "helm/fastapi-gitops-starter/example-canary-with-analysis-values.yaml",
+        "hashed_secret": "962e01ff6a135d92494aac7d57464e637cd88249",
+        "is_verified": false,
+        "line_number": 16
+      }
+    ],
+    "helm/fastapi-gitops-starter/secret-example-canary-values.yaml": [
+      {
+        "type": "Secret Keyword",
+        "filename": "helm/fastapi-gitops-starter/secret-example-canary-values.yaml",
+        "hashed_secret": "962e01ff6a135d92494aac7d57464e637cd88249",
+        "is_verified": false,
+        "line_number": 16
+      },
+      {
+        "type": "Base64 High Entropy String",
+        "filename": "helm/fastapi-gitops-starter/secret-example-canary-values.yaml",
+        "hashed_secret": "6e01f523d5b539497b7dd212e79e7182fa9a4cab",
+        "is_verified": false,
+        "line_number": 18
+      },
+      {
+        "type": "GitHub Token",
+        "filename": "helm/fastapi-gitops-starter/secret-example-canary-values.yaml",
+        "hashed_secret": "e175c6f5f2a92e8623bd9a4820edb4e8c1b0fd10",
+        "is_verified": false,
+        "line_number": 18
+      }
+    ],
+    "helm/fastapi-gitops-starter/secret-example-values.yaml": [
+      {
+        "type": "Secret Keyword",
+        "filename": "helm/fastapi-gitops-starter/secret-example-values.yaml",
+        "hashed_secret": "962e01ff6a135d92494aac7d57464e637cd88249",
+        "is_verified": false,
+        "line_number": 12
+      },
+      {
+        "type": "Base64 High Entropy String",
+        "filename": "helm/fastapi-gitops-starter/secret-example-values.yaml",
+        "hashed_secret": "6e01f523d5b539497b7dd212e79e7182fa9a4cab",
+        "is_verified": false,
+        "line_number": 14
+      },
+      {
+        "type": "GitHub Token",
+        "filename": "helm/fastapi-gitops-starter/secret-example-values.yaml",
+        "hashed_secret": "e175c6f5f2a92e8623bd9a4820edb4e8c1b0fd10",
+        "is_verified": false,
+        "line_number": 14
+      }
+    ],
+    "helm/fastapi-gitops-starter/values.yaml": [
+      {
+        "type": "Secret Keyword",
+        "filename": "helm/fastapi-gitops-starter/values.yaml",
+        "hashed_secret": "962e01ff6a135d92494aac7d57464e637cd88249",
+        "is_verified": false,
+        "line_number": 15
+      }
+    ]
+  },
+  "generated_at": "2026-03-07T15:20:08Z"
+}