Chore/comment cleanup

.github/workflows/cd.yml

@@ -0,0 +1,47 @@
+name: VidCast CD — Deploy to EKS
+
+on:
+  workflow_run:
+    workflows: ["VidCast CI — Lint, Scan, Build, Push"]
+    types: [completed]
+    branches: [main]
+
+permissions:
+  id-token: write   # required to request the OIDC token
+  contents: read
+
+jobs:
+  deploy:
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Configure AWS credentials (OIDC)
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_DEPLOY_ROLE_ARN }}
+          aws-region: ${{ secrets.AWS_REGION }}
+
+      - name: Update kubeconfig for EKS
+        run: |
+          aws eks update-kubeconfig \
+            --name ${{ secrets.EKS_CLUSTER_NAME }} \
+            --region ${{ secrets.AWS_REGION }}
+
+      - name: Set short SHA from triggering workflow
+        run: |
+          echo "SHORT_SHA=$(echo ${{ github.event.workflow_run.head_sha }} | cut -c1-7)" >> $GITHUB_ENV
+
+      - name: Deploy services to EKS
+        run: |
+          for svc in auth-service gateway-service converter-service notification-service; do
+            deploy_name="${svc%-service}"
+            kubectl set image deployment/${deploy_name} \
+              ${deploy_name}=${{ secrets.DOCKERHUB_USERNAME }}/${svc}:${{ env.SHORT_SHA }} || true
+            kubectl rollout status deployment/${deploy_name} --timeout=120s || true
+          done
+
+      - name: Verify all pods running
+        run: kubectl get pods -o wide

.github/workflows/ci.yml

@@ -0,0 +1,65 @@
+name: VidCast CI — Lint, Scan, Build, Push
+
+on:
+  push:
+    branches: [main]
+    paths: ['src/**']
+  pull_request:
+    branches: [main]
+    paths: ['src/**']
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.10'
+
+      - name: Install ruff
+        run: pip install ruff
+
+      - name: Lint Python services
+        run: ruff check src/ --exclude src/frontend
+
+  build-and-scan:
+    needs: lint
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        service: [auth-service, gateway-service, converter-service, notification-service, outbox-relay]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set short SHA
+        run: echo "SHORT_SHA=${GITHUB_SHA::7}" >> $GITHUB_ENV
+
+      - name: Build Docker image
+        run: |
+          docker build \
+            -t ${{ secrets.DOCKERHUB_USERNAME }}/${{ matrix.service }}:${{ env.SHORT_SHA }} \
+            src/${{ matrix.service }}/
+
+      - name: Trivy vulnerability scan
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ secrets.DOCKERHUB_USERNAME }}/${{ matrix.service }}:${{ env.SHORT_SHA }}
+          severity: CRITICAL,HIGH
+          exit-code: '1'
+          ignore-unfixed: true
+          format: table
+
+      - name: Login to Docker Hub
+        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Push image to Docker Hub
+        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+        run: docker push ${{ secrets.DOCKERHUB_USERNAME }}/${{ matrix.service }}:${{ env.SHORT_SHA }}

.gitignore

@@ -0,0 +1,75 @@
+# Terraform
+terraform.tfvars
+terraform.tfvars.json
+*.tfstate
+*.tfstate.*
+.terraform/
+.terraform.lock.hcl
+tfplan
+*.tfplan
+crash.log
+
+# Kubernetes secrets
+**/secret.yaml
+# ...except Helm chart secret *templates*, which hold no literal credentials
+# (they reference values.yaml via {{ .Values.secret.* }}) and must be tracked
+# so a clean `helm install` can render the Secret resource.
+!Helm_charts/MongoDB/templates/secret.yaml
+!Helm_charts/RabbitMQ/templates/secret.yaml
+!Helm_charts/Postgres/templates/secret.yaml
+
+# Deployment-specific files
+DEPLOYMENT_CONFIG.md
+# DEPLOYMENT_GUIDE.md is now a tracked runbook + newcomer guide (no secrets;
+# secrets live in DEPLOYMENT_CONFIG.md / Parameter Store).
+DEPLOYMENT_REPORT.md
+SESSION_SUMMARY.md
+DEPLOYMENT_PROBLEMS.md
+deployment-ids.txt
+# customise.sh is now tracked: it auto-detects identity and reads new values from
+# env vars, so it contains no secrets or personal data (it just repoints the repo
+# to your Docker Hub / AWS / GitHub for a fork).
+
+# Local session artifacts / working notes (may contain account IDs, IPs, secrets).
+# Keep on disk, never commit.
+[0-9][0-9]_[0-9][0-9]_[0-9][0-9]_*.md
+FRONTEND_IMPROVEMENTS.md
+VIDCAST_PLAIN_ENGLISH_GUIDE.md
+CLAUDE.md
+PR_DESCRIPTION.md
+
+# Build artifacts
+*.mp3
+!assets/video.mp4
+output.*
+
+# Python
+__pycache__/
+*.pyc
+*.pyo
+.env
+venv/
+*.egg-info/
+
+# Node
+node_modules/
+dist/
+build/
+.cache/
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Logs
+*.log
+
+# Explanation files (study material, not production)
+*_EXPLAINED.md