Prepare for CI #3
Conversation
tests: add testing
There was a problem hiding this comment.
Pull request overview
This PR modernizes the project infrastructure by converting from pip/requirements.txt to uv for dependency management and adds comprehensive test coverage. The changes include migrating to Pydantic v2 configuration style, updating deprecated datetime methods to timezone-aware alternatives, and modernizing SQLAlchemy imports.
Key changes:
- Converted project to use
uvpackage manager with pyproject.toml and uv.lock for reproducible builds - Added comprehensive test suite covering settings, security, mapping utilities, XML generation, and API endpoints
- Updated all Pydantic schemas from v1-style Config class to v2-style model_config with ConfigDict
- Replaced deprecated datetime.utcnow() with timezone-aware datetime.now(timezone.utc)
- Updated SQLAlchemy imports to use modern sqlalchemy.orm module
Reviewed changes
Copilot reviewed 21 out of 24 changed files in this pull request and generated 11 comments.
Show a summary per file
| File | Description |
|---|---|
| pyproject.toml | New project configuration defining dependencies, build system, and dev dependencies for uv-based workflow |
| requirements.txt | Removed in favor of pyproject.toml dependency specification |
| tests/test_xml_generator.py | Tests for XML generation utilities covering sample and experiment XML creation |
| tests/test_settings.py | Tests for settings configuration from environment variables |
| tests/test_security.py | Tests for JWT token creation, password hashing, and refresh token generation |
| tests/test_mapping.py | Tests for data mapping utilities including type coercion and model column mapping |
| tests/test_endpoints.py | Comprehensive API endpoint tests covering authentication, CRUD operations, and error handling |
| app/schemas/*.py | Updated 9 schema files to use Pydantic v2 model_config style |
| app/db/session.py | Updated declarative_base import to modern sqlalchemy.orm location |
| app/core/security.py | Replaced deprecated datetime.utcnow() with timezone-aware datetime.now(timezone.utc) |
| app/api/v1/endpoints/auth.py | Replaced deprecated datetime.utcnow() with timezone-aware datetime.now(timezone.utc) |
| Dockerfile | Updated to use uv Docker image and install dependencies via uv sync |
| README.md | Updated documentation to reflect uv-based workflow and GPL-3.0 license |
| .gitignore | Added uv and test-related directories to ignore list |
| .coveragerc | Added coverage configuration for test reporting |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Dockerfile
Outdated
| # Command to run the application | ||
| CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000"] | ||
| # Run the FastAPI app via uv (respects the lockfile) | ||
| CMD ["uv", "run", "--frozen", "uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000"] |
There was a problem hiding this comment.
The container runs the application as root by default (no USER specified), which is a security risk: if uvicorn or the app is compromised, the attacker gains root inside the container and can more easily escape or damage the host. Exploitation path: network-facing service on 0.0.0.0:8000 gets compromised → root privileges inside container. Fix by creating and switching to a non-privileged user and ensuring files have appropriate permissions, e.g.
RUN adduser --disabled-password --gecos "" appuser && chown -R appuser:appuser /app
USER appuser
refactor: convert into uv app
tests: add testing