
GitHub Actions CI/CD

This document describes the GitHub Actions workflows for the tradai-uv platform.

Overview

The platform supports dual CI/CD - both GitHub Actions and Bitbucket Pipelines run in parallel. This allows flexibility during migration and redundancy.

| Platform | Primary Use | Status |
|----------|-------------|--------|
| GitHub Actions | New development | Active |
| Bitbucket Pipelines | Legacy/backup | Active |

Workflows

1. CI (ci.yml)

Triggers: Push to main, tags v*, pull requests

Runs code quality checks on every change:

install → lint ─────────┐
        → typecheck ────┼→ (PR only) performance-test
        → test ─────────┤
        → security-scan─┘

| Job | Description | Duration |
|-----|-------------|----------|
| install | Install UV and sync packages | ~2 min |
| lint | Ruff linter + formatter check | ~30 sec |
| typecheck | MyPy type checking | ~1 min |
| test | Pytest with 80% coverage threshold | ~3 min |
| security-scan | pip-audit vulnerability scan | ~30 sec |
| performance-test | Benchmark tests (PR only) | ~2 min |

2. Docker Build (docker-build.yml)

Triggers: Tags v*

Builds and pushes Docker images for all services to ECR:

| Service | Image Name | Dockerfile |
|---------|------------|------------|
| backend | tradai-backend | services/backend/Dockerfile |
| data-collection | tradai-data-collection | services/data-collection/Dockerfile |
| strategy-service | tradai-strategy-service | services/strategy-service/Dockerfile |

Images are tagged with both the version (e.g., v1.2.3) and latest.

3. Publish Libraries (publish-libs.yml)

Triggers: Tags v*

Publishes the tradai-strategy library to AWS CodeArtifact for use by the strategies repository.

# The strategies repo consumes this via:
pip install tradai-strategy --index-url https://...codeartifact.../pypi/tradai/simple/

4. Deploy Lambdas (deploy-lambdas.yml)

Triggers: Tags v*, manual dispatch

Dynamically discovers and deploys all Lambda functions:

version ──→ build-wheel ──→ build-base ──→ discover ──→ build-lambdas ──→ update-functions
   │                            │              │              │
   │                            │              │              └─ Matrix: all lambdas
   │                            │              └─ Finds lambdas/*/Dockerfile
   │                            └─ Base image with tradai-common
   └─ Calculates version ONCE (prevents race condition)

Lambda Discovery: Automatically finds all directories in lambdas/ with a Dockerfile (excluding base/).

Manual Dispatch: Allows deploying to specific environments:

  - dev - Development
  - staging - Staging
  - prod - Production (default for tags)

5. Deploy Infrastructure (deploy-infra.yml)

Triggers: Manual dispatch only

Runs Pulumi infrastructure operations:

| Input | Options | Description |
|-------|---------|-------------|
| stack | dev, staging, prod | Target environment |
| command | preview, up | Pulumi command |

Usage:

  1. Go to Actions → Deploy Infrastructure
  2. Click "Run workflow"
  3. Select stack and command
  4. Review output before running up

Required Secrets

Configure these in GitHub Settings → Secrets → Actions:

| Secret | Description | Example |
|--------|-------------|---------|
| AWS_ACCESS_KEY_ID | AWS access key | AKIA... |
| AWS_SECRET_ACCESS_KEY | AWS secret key | ... |
| AWS_REGION | AWS region | eu-west-1 |
| AWS_ECR_REGISTRY | ECR registry URL | 123456789.dkr.ecr.eu-west-1.amazonaws.com |
| AWS_ACCOUNT_ID | AWS account ID | 123456789012 |
| PULUMI_CONFIG_PASSPHRASE | Pulumi encryption passphrase | ... |
| S3_PULUMI_BACKEND_URL | Pulumi state backend | s3://tradai-pulumi-state |

Dual-Platform Setup

Git Remotes

# View remotes
git remote -v

# Expected output:
# origin    git@bitbucket.org:tradai/tradai-uv.git (fetch)
# origin    git@bitbucket.org:tradai/tradai-uv.git (push)
# origin    git@github.com:tradai-bot/tradai-uv.git (push)
# github    git@github.com:tradai-bot/tradai-uv.git (fetch)
# github    git@github.com:tradai-bot/tradai-uv.git (push)

Push to Both Platforms

# Single push goes to both (if configured with --add --push)
git push origin main

# Or push explicitly to each
git push origin main && git push github main

# Push tags
git push origin --tags && git push github --tags

Initial Setup

# Add GitHub remote
git remote add github git@github.com:tradai-bot/tradai-uv.git

# Configure origin to push to both
git remote set-url --add --push origin git@github.com:tradai-bot/tradai-uv.git
git remote set-url --add --push origin git@bitbucket.org:tradai/tradai-uv.git

# Initial push
git push github main --tags
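
The first `git remote set-url --add --push` replaces the implicit push URL instead of extending it, so running only one of the two commands above leaves `origin` pushing to a single platform and tag-triggered workflows firing on only one side. The check below is an added example, not part of the repository; the function name `missing_push_targets` is hypothetical and the URLs are the ones shown on this page.

```shell
#!/bin/sh
# Added example: verify that one `git push origin` reaches both platforms.
# The URLs are taken from this page; the function name is hypothetical.

BITBUCKET_URL=git@bitbucket.org:tradai/tradai-uv.git
GITHUB_URL=git@github.com:tradai-bot/tradai-uv.git

# missing_push_targets [REPO_DIR]
# Prints every expected URL that `origin` does NOT push to.
# Returns 0 if both are configured, 1 if any is missing, 2 on git errors.
missing_push_targets() {
    repo=${1:-.}
    # --push --all lists every effective push URL; when no pushurl is set,
    # git reports the fetch URL, which is what a plain push would use.
    urls=$(git -C "$repo" remote get-url --push --all origin) || return 2
    rc=0
    for want in "$BITBUCKET_URL" "$GITHUB_URL"; do
        # -x: whole-line match, -F: literal string (no regex metacharacters)
        if ! printf '%s\n' "$urls" | grep -qxF -- "$want"; then
            printf '%s\n' "$want"
            rc=1
        fi
    done
    return $rc
}
```

Run `missing_push_targets .` from the repository root before pushing a release tag; any URL it prints is a platform that would not receive the tag.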

Workflow Comparison

| Feature | GitHub Actions | Bitbucket Pipelines |
|---------|----------------|---------------------|
| Config file | .github/workflows/*.yml | bitbucket-pipelines.yml |
| Parallel jobs | Native (needs) | Steps within step |
| Matrix builds | strategy.matrix | Manual duplication |
| Caching | actions/cache | Bitbucket caches |
| Secrets | Repository secrets | Repository variables |
| Manual trigger | workflow_dispatch | Custom pipelines |

Troubleshooting

Cache Issues

# GitHub Actions uses UV cache at ~/.cache/uv
# If dependencies seem stale, the cache key includes uv.lock hash
# Changing uv.lock will automatically invalidate cache

Failed Lambda Discovery

# Check lambdas directory structure
ls -la lambdas/

# Each lambda needs:
# lambdas/<name>/Dockerfile
# lambdas/<name>/handler.py (or similar)
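
To see what the discovery rule described under Deploy Lambdas would select, it can be reproduced locally. The script below is an added example, not the workflow's own code: it assumes the result is handed to the job matrix as a JSON array, and the strict name filter is an added safeguard (directory names end up in image and function names), not something the page states the workflow does.

```shell
#!/bin/sh
# Added example: local reproduction of the documented discovery rule
# (every lambdas/<name>/ with a Dockerfile, excluding base/).
# Assumption: the workflow consumes the result as a JSON array for a matrix.

LC_ALL=C; export LC_ALL   # byte-wise character ranges and stable glob order

# discover_lambdas [ROOT] -> prints a JSON array of lambda names.
discover_lambdas() {
    root=${1:-lambdas}
    names=""
    for dockerfile in "$root"/*/Dockerfile; do
        [ -f "$dockerfile" ] || continue      # glob matched nothing
        dir=${dockerfile%/Dockerfile}
        name=${dir##*/}
        if [ "$name" = "base" ]; then         # base image is not a lambda
            continue
        fi
        # Accept only a strict character set, so a directory name can never
        # carry shell, YAML or JSON syntax into later build steps.
        case $name in
            *[!a-z0-9_-]*)
                echo "skipping invalid lambda name: $name" >&2
                continue ;;
        esac
        names="$names $name"
    done
    json=""
    for name in $names; do
        json="$json${json:+,}\"$name\""
    done
    printf '[%s]\n' "$json"
}

# Stand-alone use: sh discover.sh [ROOT]
discover_lambdas "${1:-lambdas}"
```

An empty array means no directory matched; a name reported on stderr exists but was rejected by the filter.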

ECR Push Failures

  1. Verify AWS credentials are configured
  2. Check ECR repository exists: aws ecr describe-repositories
  3. Ensure IAM permissions include ecr:GetAuthorizationToken, ecr:BatchCheckLayerAvailability, ecr:PutImage

Pulumi State Lock

# If Pulumi reports state lock:
pulumi cancel  # Cancel stuck operation
# Or manually unlock in S3

Adding New Services

  1. Create service directory: services/<name>/
  2. Add Dockerfile: services/<name>/Dockerfile
  3. Update docker-build.yml matrix:
matrix:
  include:
    # ... existing services
    - service: new-service
      dockerfile: services/new-service/Dockerfile
      image_name: tradai-new-service

Adding New Lambdas

Lambdas are auto-discovered. Just create:

lambdas/
└── new-lambda/
    ├── Dockerfile
    └── handler.py

The next tag release will automatically build and deploy it.