fastapi · amostt · Feb 26, 2026 · Feb 26, 2026 · Feb 27, 2026 · Feb 27, 2026
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,29 @@
+# Secrets
+.env
+.env.*
+!.env.example
+
+# Version control
+.git
+.github
+
+# IDE
+.vscode
+.idea
+
+# Dependencies (installed in container)
+node_modules
+frontend/node_modules
+
+# Caches and build artifacts
+**/__pycache__
+**/.mypy_cache
+**/.pytest_cache
+**/htmlcov
+**/.coverage
+**/.ruff_cache
+
+# Documentation and config
+docs/
+*.md
+!backend/README.md
diff --git a/.env b/.env
diff --git a/.env.example b/.env.example
@@ -0,0 +1,42 @@
+# ─── Domain & Routing ────────────────────────────────────────────────────────
+# Domain used by Traefik for routing and TLS certificates
+DOMAIN=localhost
+# STACK_NAME=app              # Docker stack name prefix
+
+# ─── Environment ─────────────────────────────────────────────────────────────
+# Options: local | staging | production
+ENVIRONMENT=local
+
+# ─── Supabase (required) ──────────────────────────────────────────────────────
+SUPABASE_URL=https://your-project.supabase.co
+SUPABASE_SERVICE_KEY=your-supabase-service-key
+
+# ─── Clerk Authentication (required) ─────────────────────────────────────────
+CLERK_SECRET_KEY=sk_test_your-clerk-secret-key
+# CLERK_JWKS_URL=              # Optional: override the Clerk JWKS endpoint URL
+# CLERK_AUTHORIZED_PARTIES=    # Optional: comma-separated authorized parties
+
+# ─── Backend ──────────────────────────────────────────────────────────────────
+SERVICE_NAME=my-service
+SERVICE_VERSION=0.1.0
+BACKEND_CORS_ORIGINS=http://localhost,http://localhost:5173
+# API_V1_STR=/api/v1           # Default: /api/v1
+# HTTP_CLIENT_TIMEOUT=30       # HTTP client timeout in seconds
+# HTTP_CLIENT_MAX_RETRIES=3    # HTTP client retry count
+
+# ─── Logging ──────────────────────────────────────────────────────────────────
+# LOG_LEVEL options: DEBUG | INFO | WARNING | ERROR
+LOG_LEVEL=INFO
+# LOG_FORMAT options: json | console
+LOG_FORMAT=json
+
+# ─── Frontend ─────────────────────────────────────────────────────────────────
+# WITH_UI=false                # Set to true to enable frontend services
+DOCKER_IMAGE_BACKEND=backend
+DOCKER_IMAGE_FRONTEND=frontend
+# TAG=latest                   # Docker image tag
+
+# ─── Observability ────────────────────────────────────────────────────────────
+SENTRY_DSN=
+# GIT_COMMIT=                  # Set automatically by CI (git commit SHA)
+# BUILD_TIME=                  # Set automatically by CI (build timestamp)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,115 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    types:
+      - opened
+      - synchronize
+
+jobs:
+  backend-lint:
+    name: Backend Lint & Type Check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: "3.10"
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
+      - name: Install dependencies
+        run: uv sync
+        working-directory: backend
+      - name: Ruff check
+        run: uv run ruff check app/
+        working-directory: backend
+      - name: Ruff format check
+        run: uv run ruff format --check app/
+        working-directory: backend
+      - name: Mypy
+        run: uv run mypy app
+        working-directory: backend
+
+  backend-test:
+    name: Backend Tests
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: "3.10"
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
+      - name: Install dependencies
+        run: uv sync
+        working-directory: backend
+      - name: Run tests
+        run: uv run coverage run -m pytest tests/unit/ tests/integration/ -v
+        working-directory: backend
+        env:
+          SUPABASE_URL: "http://localhost:54321"
+          SUPABASE_SERVICE_KEY: "test-service-key"
+          CLERK_SECRET_KEY: "test-clerk-key"
+          ENVIRONMENT: "local"
+      - name: Coverage report
+        run: uv run coverage report --fail-under=90
+        working-directory: backend
+      - name: Coverage HTML
+        run: uv run coverage html
+        working-directory: backend
+      - name: Store coverage files
+        uses: actions/upload-artifact@v6
+        with:
+          name: coverage-html
+          path: backend/htmlcov
+          include-hidden-files: true
+
+  frontend-ci:
+    name: Frontend Lint & Build
+    runs-on: ubuntu-latest
+    # Only run if frontend/ directory exists
+    if: hashFiles('frontend/package.json') != ''
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+        working-directory: frontend
+      - name: Lint
+        run: bun run lint
+        working-directory: frontend
+      - name: Build
+        run: bun run build
+        working-directory: frontend
+
+  docker-build:
+    name: Docker Build
+    runs-on: ubuntu-latest
+    needs: [backend-lint, backend-test]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+      - name: Build backend image
+        run: docker build -t test-backend . -f backend/Dockerfile
+
+  # Branch protection gate
+  alls-green:
+    name: CI Complete
+    runs-on: ubuntu-latest
+    needs: [backend-lint, backend-test, docker-build, frontend-ci]
+    if: always()
+    steps:
+      - name: Check all jobs
+        uses: re-actors/alls-green@release/v1
+        with:
+          jobs: ${{ toJSON(needs) }}
+          allowed-skips: frontend-ci
diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml
@@ -7,7 +7,6 @@ on:
 
 jobs:
   deploy:
-    # Do not deploy in the main repository, only in user projects
     if: github.repository_owner != 'fastapi'
     runs-on:
       - self-hosted
@@ -16,15 +15,14 @@ jobs:
       ENVIRONMENT: production
       DOMAIN: ${{ secrets.DOMAIN_PRODUCTION }}
       STACK_NAME: ${{ secrets.STACK_NAME_PRODUCTION }}
-      SECRET_KEY: ${{ secrets.SECRET_KEY }}
-      FIRST_SUPERUSER: ${{ secrets.FIRST_SUPERUSER }}
-      FIRST_SUPERUSER_PASSWORD: ${{ secrets.FIRST_SUPERUSER_PASSWORD }}
-      SMTP_HOST: ${{ secrets.SMTP_HOST }}
-      SMTP_USER: ${{ secrets.SMTP_USER }}
-      SMTP_PASSWORD: ${{ secrets.SMTP_PASSWORD }}
-      EMAILS_FROM_EMAIL: ${{ secrets.EMAILS_FROM_EMAIL }}
-      POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }}
+      SUPABASE_URL: ${{ secrets.SUPABASE_URL }}
+      SUPABASE_SERVICE_KEY: ${{ secrets.SUPABASE_SERVICE_KEY }}
+      CLERK_SECRET_KEY: ${{ secrets.CLERK_SECRET_KEY }}
+      BACKEND_CORS_ORIGINS: ${{ secrets.BACKEND_CORS_ORIGINS }}
       SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
+      SERVICE_NAME: ${{ secrets.SERVICE_NAME }}
+      DOCKER_IMAGE_BACKEND: ${{ secrets.DOCKER_IMAGE_BACKEND }}
+      DOCKER_IMAGE_FRONTEND: ${{ secrets.DOCKER_IMAGE_FRONTEND }}
     steps:
       - name: Checkout
         uses: actions/checkout@v6

diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml
@@ -3,11 +3,10 @@ name: Deploy to Staging
 on:
   push:
     branches:
-      - master
+      - main
 
 jobs:
   deploy:
-    # Do not deploy in the main repository, only in user projects
     if: github.repository_owner != 'fastapi'
     runs-on:
       - self-hosted
@@ -16,15 +15,14 @@ jobs:
       ENVIRONMENT: staging
       DOMAIN: ${{ secrets.DOMAIN_STAGING }}
       STACK_NAME: ${{ secrets.STACK_NAME_STAGING }}
-      SECRET_KEY: ${{ secrets.SECRET_KEY }}
-      FIRST_SUPERUSER: ${{ secrets.FIRST_SUPERUSER }}
-      FIRST_SUPERUSER_PASSWORD: ${{ secrets.FIRST_SUPERUSER_PASSWORD }}
-      SMTP_HOST: ${{ secrets.SMTP_HOST }}
-      SMTP_USER: ${{ secrets.SMTP_USER }}
-      SMTP_PASSWORD: ${{ secrets.SMTP_PASSWORD }}
-      EMAILS_FROM_EMAIL: ${{ secrets.EMAILS_FROM_EMAIL }}
-      POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }}
+      SUPABASE_URL: ${{ secrets.SUPABASE_URL }}
+      SUPABASE_SERVICE_KEY: ${{ secrets.SUPABASE_SERVICE_KEY }}
+      CLERK_SECRET_KEY: ${{ secrets.CLERK_SECRET_KEY }}
+      BACKEND_CORS_ORIGINS: ${{ secrets.BACKEND_CORS_ORIGINS }}
       SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
+      SERVICE_NAME: ${{ secrets.SERVICE_NAME }}
+      DOCKER_IMAGE_BACKEND: ${{ secrets.DOCKER_IMAGE_BACKEND }}
+      DOCKER_IMAGE_FRONTEND: ${{ secrets.DOCKER_IMAGE_FRONTEND }}
     steps:
       - name: Checkout
         uses: actions/checkout@v6

diff --git a/.github/workflows/latest-changes.yml b/.github/workflows/latest-changes.yml
@@ -3,7 +3,7 @@ name: Latest Changes
 on:
   pull_request_target:
     branches:
-      - master
+      - main
     types:
       - closed
   workflow_dispatch:

diff --git a/.github/workflows/playwright.yml b/.github/workflows/playwright.yml
@@ -3,7 +3,7 @@ name: Playwright Tests
 on:
   push:
     branches:
-    - master
+    - main
   pull_request:
     types:
     - opened

diff --git a/.github/workflows/smokeshow.yml b/.github/workflows/smokeshow.yml
@@ -2,7 +2,7 @@ name: Smokeshow
 
 on:
   workflow_run:
-    workflows: [Test Backend]
+    workflows: [CI]
     types: [completed]
 
 jobs:

diff --git a/.github/workflows/test-backend.yml b/.github/workflows/test-backend.yml
diff --git a/.github/workflows/test-docker-compose.yml b/.github/workflows/test-docker-compose.yml
-Original file line number
+Diff line change
@@ Expand Up / @@ -3,7 +3,7 @@ name: Latest Changes @@
     on:
       pull_request_target:
         branches:
-          - master
+          - main
         types:
           - closed
       workflow_dispatch:
@@ Expand Down @@