feat(course): build out all 27 modules, capstone, scaffold, and conventions
Scaffold the course repo and author the full curriculum in dependency-chain order, following the settled build decisions in handoff.md. - Scaffold: course README, vendor-neutral AGENTS.md (dogfoods Module 5), _TEMPLATE.md (the fixed 9-section module shape), root .gitignore, ship config. - Modules 1-2: reference exemplars (locked for tone/depth/lab style). - Modules 3-27: full lessons + runnable labs, each following the template, respecting the chain, vendor/model-agnostic, with "feel the pain" labs. - Module 8 hosting comparison web-researched and date-stamped (as of 2026-06-22), not written from memory; expansion-zone modules carry Verify-before-publish. - Capstone: the full loop end to end on the running tasks-app example. Lab code syntax-checked (Python/shell/YAML); every module has the 7 core template sections. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01TfzV5QvtPDz8LJS3Pu5VLT
This commit is contained in:
@@ -0,0 +1,24 @@
|
||||
# The Module 16 container image for the tasks-app, set to run the HTTP service from serve.py.
|
||||
#
|
||||
# This is *what you ship* (Module 16). Continuous delivery/deployment (this module) builds this
|
||||
# once, tags it with the commit SHA, and runs that exact artifact everywhere.
|
||||
#
|
||||
# Note what is NOT here: no secrets, no environment-specific config. Those are injected at run time
|
||||
# (Module 17), which is why the same image can run in staging and prod unchanged.
|
||||
|
||||
FROM python:3.12-slim
|
||||
|
||||
WORKDIR /app
|
||||
|
||||
# The app is dependency-free (stdlib only), so there is nothing to pip install. Copy the source.
|
||||
COPY tasks.py cli.py serve.py ./
|
||||
|
||||
# Document the port the service listens on.
|
||||
EXPOSE 8000
|
||||
|
||||
# A built-in container health check. The deploy step also checks /health from outside, but this
|
||||
# lets the runtime itself know whether the container is healthy.
|
||||
HEALTHCHECK --interval=5s --timeout=3s --retries=3 \
|
||||
CMD python -c "import urllib.request,sys; sys.exit(0 if urllib.request.urlopen('http://localhost:8000/health').status==200 else 1)"
|
||||
|
||||
CMD ["python", "serve.py"]
|
||||
@@ -0,0 +1,87 @@
|
||||
# Starter CD pipeline for the tasks-app — GitHub Actions flavor, extending the Module 14 CI file.
|
||||
#
|
||||
# The whole idea: CD is not a new system. It is MORE STAGES on the SAME pipeline, after the checks
|
||||
# pass. The lint/test gates below are the Module 14 pipeline, unchanged. Everything from the
|
||||
# `build-and-publish` job down is new in this module.
|
||||
#
|
||||
# Where this file goes: .github/workflows/cd.yml (or fold it into your existing ci.yml). On GitLab,
|
||||
# the same shape is stages in .gitlab-ci.yml with `needs:`/`rules:`; Forgejo/Gitea use Actions-
|
||||
# compatible YAML. The concept — gated stages from merge to running — is identical everywhere.
|
||||
#
|
||||
# VERIFY BEFORE PUBLISH: action versions, the registry login/build-push action names, and the
|
||||
# manual-approval mechanism all drift. Check current forge docs at build time (see README checklist).
|
||||
|
||||
name: CD
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [main] # only a MERGE to main triggers a deploy
|
||||
pull_request: # PRs still run the gates, but never deploy
|
||||
|
||||
jobs:
|
||||
# ---- The Module 14 gates: nothing ships without passing these first. ----------------------------
|
||||
check:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/setup-python@v5
|
||||
with:
|
||||
python-version: "3.12"
|
||||
- run: pip install pytest ruff
|
||||
- run: ruff check . # lint
|
||||
- run: pytest -q # test
|
||||
# In a real pipeline a security-scan job (Module 15) would also gate here.
|
||||
|
||||
# ---- Build the artifact ONCE and publish it. The unit of deploy is an immutable, SHA-tagged image.
|
||||
build-and-publish:
|
||||
needs: check # only runs if the gates passed
|
||||
if: github.ref == 'refs/heads/main'
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
# Log in to your container registry (Module 16's images need a durable home, like a Git remote
|
||||
# is for commits). Registry/credentials are provider-specific — supply them as secrets,
|
||||
# never inline (Module 17).
|
||||
# - uses: docker/login-action@v3
|
||||
# with:
|
||||
# registry: ${{ vars.REGISTRY }}
|
||||
# username: ${{ secrets.REGISTRY_USER }}
|
||||
# password: ${{ secrets.REGISTRY_TOKEN }}
|
||||
|
||||
# Build and push, tagging with the commit SHA (immutable + traceable) and :staging (moving).
|
||||
# - uses: docker/build-push-action@v6
|
||||
# with:
|
||||
# push: true
|
||||
# tags: |
|
||||
# ${{ vars.REGISTRY }}/tasks-app:${{ github.sha }}
|
||||
# ${{ vars.REGISTRY }}/tasks-app:staging
|
||||
- run: echo "build + push tasks-app:${{ github.sha }} (wire up the registry steps above)"
|
||||
|
||||
# ---- Deploy to a NON-prod environment automatically. Safe to do on every merge. ----------------
|
||||
deploy-staging:
|
||||
needs: build-and-publish
|
||||
if: github.ref == 'refs/heads/main'
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# The five deploy steps live in deploy.sh in this folder. On a real target this would run the
|
||||
# platform's deploy (kubectl / platform CLI / compose) against the SHA-tagged image, inject
|
||||
# runtime config + secrets (Module 17), health-check, and roll back on failure.
|
||||
- run: echo "deploy tasks-app:${{ github.sha }} to STAGING, health-check, roll back if red"
|
||||
|
||||
# ---- THIS JOB IS THE DELIVERY-vs-DEPLOYMENT SWITCH. ---------------------------------------------
|
||||
#
|
||||
# As written, `environment: production` requires a human to approve before this job runs (set a
|
||||
# required reviewer on the 'production' environment in the forge). That is CONTINUOUS DELIVERY:
|
||||
# the artifact is auto-built and staged; a person clicks to ship to prod.
|
||||
#
|
||||
# Delete the `environment:` block and this becomes CONTINUOUS DEPLOYMENT: merge -> prod, no human.
|
||||
# Only remove it once you trust your review + CI + security gates (Modules 10/14/15) more than you
|
||||
# trust the click. On GitLab the equivalent switch is `when: manual` vs. automatic.
|
||||
deploy-prod:
|
||||
needs: deploy-staging
|
||||
if: github.ref == 'refs/heads/main'
|
||||
runs-on: ubuntu-latest
|
||||
environment: production # <-- required-reviewer gate = delivery. Remove = deployment.
|
||||
steps:
|
||||
- run: echo "deploy tasks-app:${{ github.sha }} to PRODUCTION (gated on human approval)"
|
||||
@@ -0,0 +1,95 @@
|
||||
#!/usr/bin/env bash
|
||||
#
|
||||
# deploy.sh — the deploy step of CD, simulated with a local container run.
|
||||
#
|
||||
# The five steps of any deploy, provider-neutral (see the module README):
|
||||
# 1. build/pull the specific image tag 4. health-check before trusting it
|
||||
# 2. inject runtime config + secrets 5. cut over if healthy, ROLL BACK if not
|
||||
# 3. start the new version
|
||||
#
|
||||
# The *target* here is your own machine instead of a server, but the logic is the real thing.
|
||||
#
|
||||
# Usage:
|
||||
# ./deploy.sh <tag> # e.g. ./deploy.sh $(git rev-parse --short HEAD)
|
||||
# BREAK=1 ./deploy.sh <tag># force the new version's health check to fail, to demo rollback
|
||||
#
|
||||
# Requires: docker (or `alias docker=podman`), curl.
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
IMAGE="tasks-app"
|
||||
CONTAINER="tasks-app"
|
||||
PORT="8000"
|
||||
STATE_FILE=".deploy-state" # records the last good tag, for rollback
|
||||
TAG="${1:-$(git rev-parse --short HEAD)}"
|
||||
|
||||
say() { printf '\n=== %s\n' "$*"; }
|
||||
|
||||
# --- Step 1: build the artifact for this tag (in real CD this was already built+pushed by CI) -----
|
||||
say "Building ${IMAGE}:${TAG}"
|
||||
docker build -t "${IMAGE}:${TAG}" .
|
||||
|
||||
# Remember what is currently running so we can roll back to it.
|
||||
PREVIOUS=""
|
||||
if [ -f "${STATE_FILE}" ]; then
|
||||
PREVIOUS="$(cat "${STATE_FILE}")"
|
||||
fi
|
||||
|
||||
# --- Steps 2 + 3: start the new version with runtime config/secrets injected (Module 17) ----------
|
||||
# Note: APP_VERSION is config supplied at run time, NOT baked into the image. A real deploy would
|
||||
# also pass secrets here (e.g. --env-file, a mounted secret, or a secrets-manager lookup) — never
|
||||
# committed, never in the image.
|
||||
start_version() {
|
||||
local tag="$1"
|
||||
docker rm -f "${CONTAINER}" >/dev/null 2>&1 || true
|
||||
docker run -d --name "${CONTAINER}" \
|
||||
-p "${PORT}:8000" \
|
||||
-e "APP_VERSION=${tag}" \
|
||||
${BREAK:+-e "BREAK=${BREAK}"} \
|
||||
"${IMAGE}:${tag}" >/dev/null
|
||||
}
|
||||
|
||||
say "Starting ${IMAGE}:${TAG}"
|
||||
start_version "${TAG}"
|
||||
|
||||
# --- Step 4: health-check the new version before trusting it --------------------------------------
|
||||
healthy() {
|
||||
for _ in $(seq 1 10); do
|
||||
if curl -fs "http://localhost:${PORT}/health" >/dev/null 2>&1; then
|
||||
return 0
|
||||
fi
|
||||
sleep 1
|
||||
done
|
||||
return 1
|
||||
}
|
||||
|
||||
say "Health-checking http://localhost:${PORT}/health"
|
||||
if healthy; then
|
||||
# --- Step 5a: cut over. Record this as the new known-good for the next deploy's rollback target.
|
||||
echo "${TAG}" > "${STATE_FILE}"
|
||||
say "DEPLOY OK — ${IMAGE}:${TAG} is live and healthy"
|
||||
curl -s "http://localhost:${PORT}/health"; echo
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# --- Step 5b: ROLLBACK. The new version failed its health check. ----------------------------------
|
||||
say "HEALTH CHECK FAILED for ${IMAGE}:${TAG} — rolling back"
|
||||
docker rm -f "${CONTAINER}" >/dev/null 2>&1 || true
|
||||
|
||||
if [ -z "${PREVIOUS}" ]; then
|
||||
echo "No previous known-good version to roll back to. Service is DOWN." >&2
|
||||
echo "(Deploy a healthy version first, then re-run the BREAK=1 deploy to see rollback work.)" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Rollback is trivial because we deploy immutable tags: just run the old one again. No rebuild.
|
||||
say "Restoring previous good version ${IMAGE}:${PREVIOUS}"
|
||||
BREAK="" start_version "${PREVIOUS}" # clear BREAK so the good version comes up clean
|
||||
if healthy; then
|
||||
say "ROLLED BACK — ${IMAGE}:${PREVIOUS} is live and healthy. The bad deploy reverted itself."
|
||||
curl -s "http://localhost:${PORT}/health"; echo
|
||||
exit 1 # exit non-zero: the deploy you asked for did NOT ship, even though service recovered
|
||||
else
|
||||
echo "Rollback FAILED — service is DOWN. Investigate ${IMAGE}:${PREVIOUS}." >&2
|
||||
exit 2
|
||||
fi
|
||||
@@ -0,0 +1,67 @@
|
||||
"""Minimal HTTP face for the tasks-app, so there is something long-running to *deploy*.
|
||||
|
||||
Standard library only — no pip install, so the container image stays tiny and the lab has no
|
||||
dependencies to drift. It reuses the TaskList from tasks.py (Modules 1-2) unchanged.
|
||||
|
||||
Run it:
|
||||
python serve.py # serves on http://localhost:8000
|
||||
|
||||
Endpoints:
|
||||
GET /health -> {"status": "ok", "version": <APP_VERSION>} (200)
|
||||
GET /tasks -> the current tasks as JSON
|
||||
|
||||
Two environment knobs make this realistic for the CD lab (config injected at run time, Module 17):
|
||||
APP_VERSION what /health reports as the running version (set by deploy.sh to the commit SHA)
|
||||
BREAK=1 force /health to return 500 — a stand-in for "this build starts but is broken",
|
||||
used in Part D to trigger an automatic rollback.
|
||||
"""
|
||||
|
||||
import json
|
||||
import os
|
||||
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
|
||||
from pathlib import Path
|
||||
|
||||
from tasks import Task, TaskList
|
||||
|
||||
STATE = Path(__file__).parent / "tasks.json"
|
||||
PORT = int(os.environ.get("PORT", "8000"))
|
||||
APP_VERSION = os.environ.get("APP_VERSION", "dev")
|
||||
BREAK = os.environ.get("BREAK") == "1"
|
||||
|
||||
|
||||
def load() -> TaskList:
|
||||
if not STATE.exists():
|
||||
return TaskList()
|
||||
raw = json.loads(STATE.read_text())
|
||||
return TaskList(tasks=[Task(**t) for t in raw])
|
||||
|
||||
|
||||
class Handler(BaseHTTPRequestHandler):
|
||||
def _send(self, code: int, payload: dict) -> None:
|
||||
body = json.dumps(payload).encode()
|
||||
self.send_response(code)
|
||||
self.send_header("Content-Type", "application/json")
|
||||
self.send_header("Content-Length", str(len(body)))
|
||||
self.end_headers()
|
||||
self.wfile.write(body)
|
||||
|
||||
def do_GET(self) -> None:
|
||||
if self.path == "/health":
|
||||
# A real health check would also confirm dependencies (db, etc.) are reachable.
|
||||
if BREAK:
|
||||
self._send(500, {"status": "unhealthy", "version": APP_VERSION})
|
||||
else:
|
||||
self._send(200, {"status": "ok", "version": APP_VERSION})
|
||||
elif self.path == "/tasks":
|
||||
tlist = load()
|
||||
self._send(200, {"tasks": [t.__dict__ for t in tlist.tasks]})
|
||||
else:
|
||||
self._send(404, {"error": "not found"})
|
||||
|
||||
def log_message(self, *args) -> None: # keep the lab output clean
|
||||
pass
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
print(f"serving tasks-app version={APP_VERSION} on http://localhost:{PORT}")
|
||||
ThreadingHTTPServer(("0.0.0.0", PORT), Handler).serve_forever()
|
||||
Reference in New Issue
Block a user