アーキテクチャ刷新

.github/dependabot.yml

@@ -5,57 +5,27 @@ updates:
     schedule:
       interval: "daily"
     target-branch: "develop"
-    commit-message:
-      prefix: "(deps:github-actions)"
-    labels:
-      - "dependencies"
-      - "automated pr"
     assignees:
       - "ukwhatn"
     reviewers:
       - "ukwhatn"
 
-  - package-ecosystem: "pip"
+  - package-ecosystem: "uv"
     directory: "/"
     schedule:
       interval: "daily"
     target-branch: "develop"
     versioning-strategy: increase-if-necessary
-    commit-message:
-      prefix: "(deps:pip)"
-    labels:
-      - "dependencies"
-      - "automated pr"
     assignees:
       - "ukwhatn"
     reviewers:
       - "ukwhatn"
 
   - package-ecosystem: "docker"
-    directory: "/db"
+    directory: "/docker"
     schedule:
       interval: "daily"
     target-branch: "develop"
-    commit-message:
-      prefix: "(deps:dockerfile-db)"
-    labels:
-      - "dependencies"
-      - "automated pr"
-    assignees:
-      - "ukwhatn"
-    reviewers:
-      - "ukwhatn"
-
-  - package-ecosystem: "docker"
-    directory: "/discord"
-    schedule:
-      interval: "daily"
-    target-branch: "develop"
-    commit-message:
-      prefix: "(deps:dockerfile-bot)"
-    labels:
-      - "dependencies"
-      - "automated pr"
     assignees:
       - "ukwhatn"
     reviewers:

.github/workflows/ci.yml

@@ -0,0 +1,128 @@
+name: CI
+
+on:
+  pull_request_target:
+    branches:
+      - main
+      - develop
+  workflow_dispatch:
+
+jobs:
+  quality-checks:
+    runs-on: ubuntu-latest
+    if: |
+      (github.event_name == 'workflow_dispatch') ||
+      (github.event.pull_request.user.login == 'ukwhatn') ||
+      (github.event.pull_request.user.login == 'dependabot[bot]')
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.ref }}
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v6
+        with:
+          enable-cache: true
+          cache-dependency-glob: "uv.lock"
+
+      - name: Set up Python
+        run: |
+          uv python install
+
+      - name: Install dependencies
+        run: |
+          uv sync --group dev --group discord --group db
+
+      - name: Run Quality and Security Checks
+        run: |
+          echo "Running linting and security checks..."
+          make lint &
+          LINT_PID=$!
+
+          echo "Installing Trivy Scanner..."
+          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.46.1 &
+          TRIVY_INSTALL_PID=$!
+
+          echo "Running critical Bandit scan..."
+          uv run bandit -r app/ -x tests/,app/db/dump.py -ll &
+          BANDIT_PID=$!
+
+          echo "Running critical Semgrep scan..."
+          uv run semgrep scan --config=p/python --config=p/security-audit --config=p/owasp-top-ten --severity ERROR --error &
+          SEMGREP_PID=$!
+
+          wait $TRIVY_INSTALL_PID
+          echo "Scanning Dockerfiles..."
+          trivy config --exit-code 1 --severity CRITICAL ./docker/app.Dockerfile &
+          TRIVY_PID=$!
+
+          wait $LINT_PID || { echo "Linting failed"; exit 1; }
+          wait $BANDIT_PID || { echo "Bandit scan failed"; exit 1; }
+          wait $SEMGREP_PID || { echo "Semgrep scan failed"; exit 1; }
+          wait $TRIVY_PID || { echo "Trivy scan failed"; exit 1; }
+
+          echo "All quality and security checks passed!"
+
+  docker-tests:
+    runs-on: ubuntu-latest
+    if: |
+      (github.event_name == 'workflow_dispatch') ||
+      (github.event.pull_request.user.login == 'ukwhatn') ||
+      (github.event.pull_request.user.login == 'dependabot[bot]')
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.ref }}
+
+      - name: Setup environment
+        run: |
+          make envs:setup
+          sed -i 's/BOT_TOKEN=""/BOT_TOKEN="${{ secrets.CIBOT_TOKEN }}"/' envs/discord.env
+          sed -i 's/S3_ACCESS_KEY=""/S3_ACCESS_KEY="${{ secrets.S3_ACCESS_KEY }}"/' envs/aws-s3.env
+          sed -i 's/S3_SECRET_KEY=""/S3_SECRET_KEY="${{ secrets.S3_SECRET_KEY }}"/' envs/aws-s3.env
+
+      - name: Start services
+        run: make up ENV=test
+
+      - name: Health check with timeout
+        run: |
+          timeout=30
+          interval=5
+          elapsed=0
+
+          while [ $elapsed -lt $timeout ]; do
+            if ! make ps ENV=test | grep -qiE "(starting|restarting|unhealthy)"; then
+              echo "✅ すべてのサービスが正常に起動しました！"
+              break
+            fi
+
+            echo "🕒 サービス起動中... 経過時間: ${elapsed}秒/${timeout}秒"
+            make ps ENV=test
+            sleep $interval
+            elapsed=$((elapsed + interval))
+          done
+
+          if [ $elapsed -ge $timeout ]; then
+            echo "❌ タイムアウト: サービスが起動しませんでした"
+            make ps ENV=test
+            make logs:once ENV=test
+            exit 1
+          fi
+
+          if make ps ENV=test | grep -q "unhealthy"; then
+            echo "❌ 不健全なサービスがあります:"
+            make ps ENV=test
+            make logs:once ENV=test
+            exit 1
+          fi
+
+          make ps ENV=test
+
+      - name: Check Dumper service
+        run: |
+          make db:dump:test ENV=test
+
+      - name: Clean up
+        if: always()
+        run: make down ENV=test

.github/workflows/deploy.yml

@@ -1,8 +1,8 @@
 #file: noinspection YAMLSchemaValidation
-name: Deploy
+name: CD
 on:
   push:
-    branches: [ main ]
+    branches: [ change_this_value_to_main ]
 jobs:
   deploy:
     runs-on: ubuntu-latest

.gitignore

@@ -103,6 +103,10 @@ ipython_config.py
 #   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
 #poetry.lock
 
+# uv
+#   uv.lock should be committed to version control for reproducible builds.
+#   It contains resolved dependencies and their versions.
+
 # pdm
 #   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
 #pdm.lock

.tool-versions

@@ -0,0 +1 @@
+python 3.12.9