ci: harden workflows with safe proxy secret test and improved docker metadata

.github/workflows/ci.yml

@@ -6,70 +6,70 @@ on:
   pull_request:
 
 concurrency:
-  group: ci-${{ github.ref }}
+  group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 jobs:
   build-test:
+    name: 🧪 Build & Test
     runs-on: ubuntu-latest
     permissions:
       contents: read
     env:
-      # App env (if your tests need them)
       PROXY_API_KEY: ${{ secrets.PROXY_API_KEY }}
       PROXY_BASE_URL: ${{ secrets.PROXY_BASE_URL }}
-      # Ensure imports work when running `pytest` via Makefile
       PYTHONPATH: ${{ github.workspace }}
 
     steps:
-      - name: Checkout
+      - name: 🧾 Checkout
         uses: actions/checkout@v4
 
-      - name: Set up Python
+      - name: 🐍 Set up Python
         uses: actions/setup-python@v5
         with:
           python-version: "3.12"
           cache: pip
-          cache-dependency-path: |
-            requirements.txt
+          cache-dependency-path: requirements.txt
 
-      - name: Install dependencies
+      - name: 📦 Install dependencies
         run: |
-            python -m pip install -U pip wheel
-            pip install -r requirements.txt
-            pip install ruff mypy pytest pytest-cov
+          python -m pip install -U pip wheel
+          pip install -r requirements.txt
+          pip install ruff mypy pytest pytest-cov
 
-      # Optional caches for tool state (speed up CI on subsequent runs)
-      - name: Cache Ruff
+      # ---------- Cache tool states ----------
+      - name: ⚙️ Cache Ruff
         uses: actions/cache@v4
         with:
           path: .ruff_cache
-          key: ruff-${{ runner.os }}-${{ hashFiles('**/*.py', 'pyproject.toml', 'ruff.toml', '.pre-commit-config.yaml') }}
+          key: ruff-${{ runner.os }}-${{ hashFiles('pyproject.toml', 'ruff.toml', '.pre-commit-config.yaml', '**/*.py') }}
 
-      - name: Cache Mypy
+      - name: ⚙️ Cache Mypy
         uses: actions/cache@v4
         with:
           path: .mypy_cache
-          key: mypy-${{ runner.os }}-${{ hashFiles('**/*.py', 'mypy.ini', 'pyproject.toml') }}
+          key: mypy-${{ runner.os }}-${{ hashFiles('mypy.ini', 'pyproject.toml', '**/*.py') }}
 
-      - name: Cache Pytest
+      - name: ⚙️ Cache Pytest
         uses: actions/cache@v4
         with:
           path: .pytest_cache
-          key: pytest-${{ runner.os }}-${{ hashFiles('**/*.py', 'pyproject.toml') }}
+          key: pytest-${{ runner.os }}-${{ hashFiles('pyproject.toml', '**/*.py') }}
 
-      - name: Quality gate (format check, lint, typecheck, tests)
+      # ---------- Quality Gate ----------
+      - name: 🧹 Quality gate (format, lint, typecheck, tests)
         run: make check
 
-      - name: Upload coverage (optional)
+      - name: 📊 Upload coverage report
         if: always()
         uses: actions/upload-artifact@v4
         with:
-          name: coverage-report
-          path: ./.coverage
+          name: coverage-xml
+          path: coverage.xml
           if-no-files-found: ignore
 
   docker-build:
+    name: 🐳 Build & Push Docker
     needs: build-test
     runs-on: ubuntu-latest
     if: ${{ github.ref == 'refs/heads/main' }}
@@ -84,32 +84,39 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: Set up QEMU
+      - name: ⚙️ Set up QEMU
         uses: docker/setup-qemu-action@v3
 
-      - name: Set up Docker Buildx
+      - name: ⚙️ Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Login to GHCR
+      - name: 🔐 Login to GHCR
         uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Compute image refs
-        run: |
-          OWNER_LC=$(echo "${{ github.repository_owner }}" | tr '[:upper:]' '[:lower:]')
-          echo "OWNER_LC=$OWNER_LC" >> $GITHUB_ENV
-          echo "IMAGE=${{ env.REGISTRY }}/${OWNER_LC}/${{ env.IMAGE_NAME }}:${{ github.sha }}" >> $GITHUB_ENV
-          echo "LATEST=${{ env.REGISTRY }}/${OWNER_LC}/${{ env.IMAGE_NAME }}:latest" >> $GITHUB_ENV
-
-      - name: Build and push (with cache)
+      - name: 🧾 Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.REGISTRY }}/${{ github.repository_owner }}/nl2sql-copilot
+          tags: |
+            type=raw,value=latest
+            type=sha
+          labels: |
+            org.opencontainers.image.source=${{ github.repository }}
+            org.opencontainers.image.revision=${{ github.sha }}
+            org.opencontainers.image.created=${{ github.run_id }}
+
+      - name: 🏗️ Build and push image
         uses: docker/build-push-action@v6
         with:
           push: true
-          tags: |
-            ${{ env.IMAGE }}
-            ${{ env.LATEST }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
+          platforms: linux/amd64

.github/workflows/test-proxy-secrets.yml

@@ -9,6 +9,7 @@ jobs:
     env:
       PROXY_API_KEY: ${{ secrets.PROXY_API_KEY }}
       PROXY_BASE_URL: ${{ secrets.PROXY_BASE_URL }}
+
     steps:
       - name: 🧾 Check runner environment
         run: |
@@ -29,11 +30,8 @@ jobs:
           fi
           echo "✅ Both secrets are present."
 
-      - name: 🧪 Safe test with masking
+      - name: 🧪 Validate secrets accessibility (Python)
         run: |
-          echo "PROXY_API_KEY (masked) = ${PROXY_API_KEY}"
-          echo "Length of PROXY_API_KEY = ${#PROXY_API_KEY}"
-          echo "PROXY_BASE_URL = ${PROXY_BASE_URL}"
           python3 - << 'PY'
           import os
           key = os.getenv("PROXY_API_KEY")