fix: harden deploy pipeline, k8s manifests, and CI tooling

- Deploy workflow now uses immutable sha-<commit> image tags instead of :latest
- K8s deployments updated from placeholder ghcr.io/example/ to ghcr.io/evalops/keep/
- Fixed authz probe YAML indentation (scheme was sibling of httpGet, not child)
- Added Service resources for authz, inventory, and app
- Expanded .gitignore (sarif, .env, certs, pem/key) and removed committed gosec.sarif
- Aligned OTEL exporter packages to v1.42.0 (was v1.38.0 vs core v1.42.0)
- Switched CI and Makefile from pip to uv for Python package management

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: haasonsaas

.github/workflows/ci.yml

@@ -28,10 +28,11 @@ jobs:
         with:
           python-version: ${{ env.PYTHON_VERSION }}
 
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+
       - name: Install toolchains
-        run: |
-          python -m pip install --upgrade pip
-          make install-tools
+        run: make install-tools
 
       - name: Format check
         run: make ci-format-check
@@ -80,10 +81,12 @@ jobs:
         with:
           python-version: ${{ env.PYTHON_VERSION }}
 
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+
       - name: Install Python dependencies
         run: |
-          pip install --upgrade pip
-          pip install -r app/requirements.txt
+          uv pip install --system -r app/requirements.txt
           make install-tools
 
       - name: Wait for database
@@ -118,10 +121,11 @@ jobs:
           go-version-file: go.mod
           check-latest: true
 
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+
       - name: Prepare tooling
-        run: |
-          python -m pip install --upgrade pip
-          make install-tools
+        run: make install-tools
 
       - name: Run security checks
         run: make security

.github/workflows/deploy.yml

@@ -35,25 +35,30 @@ jobs:
           context: .
           file: services/authz/Dockerfile
           push: true
-          tags: ghcr.io/${{ github.repository }}/authz:latest
+          tags: |
+            ghcr.io/${{ github.repository }}/authz:sha-${{ github.sha }}
 
       - name: Build and push inventory image
         uses: docker/build-push-action@v6
         with:
           context: .
           file: services/inventory/Dockerfile
           push: true
-          tags: ghcr.io/${{ github.repository }}/inventory:latest
+          tags: |
+            ghcr.io/${{ github.repository }}/inventory:sha-${{ github.sha }}
 
       - name: Build and push app image
         uses: docker/build-push-action@v6
         with:
           context: .
           file: app/Dockerfile
           push: true
-          tags: ghcr.io/${{ github.repository }}/app:latest
+          tags: |
+            ghcr.io/${{ github.repository }}/app:sha-${{ github.sha }}
 
-      - name: Deploy manifests
+      - name: Update Kubernetes manifests with new image tags
         run: |
-          echo "Kubeconfig secret missing, running in dry-run mode"
-          kubectl apply --dry-run=client -k deploy/kubernetes
+          cd deploy/kubernetes
+          sed -i "s|image: ghcr.io/evalops/keep/authz:.*|image: ghcr.io/${{ github.repository }}/authz:sha-${{ github.sha }}|" authz-deployment.yaml
+          sed -i "s|image: ghcr.io/evalops/keep/inventory:.*|image: ghcr.io/${{ github.repository }}/inventory:sha-${{ github.sha }}|" inventory-deployment.yaml
+          sed -i "s|image: ghcr.io/evalops/keep/app:.*|image: ghcr.io/${{ github.repository }}/app:sha-${{ github.sha }}|" app-deployment.yaml

.gitignore

@@ -5,5 +5,16 @@ __pycache__/
 .venv/
 venv/
 app/venv/
+
+# Go build artifacts
 agent/attestor-agent
 
+# Security scan artifacts
+*.sarif
+
+# Secrets and certificates
+.env
+certs/
+test-certs/
+*.pem
+*.key

Makefile

@@ -126,12 +126,11 @@ install-tools:
 		mv $(GOBIN)/opa.tmp $(GOBIN)/opa; \
 	fi
 	@echo "Installing Python tools..."
-	$(PIP_BIN) install black flake8 isort mypy
+	uv pip install --system black flake8 isort mypy
 
 setup-venv:
-	python3 -m venv $(VENV)
-	$(VENV_BIN)/python3 -m pip install --upgrade pip
-	$(VENV_BIN)/pip install -r app/requirements.txt
+	uv venv $(VENV)
+	uv pip install -r app/requirements.txt
 dev-bootstrap:
 	./scripts/dev-bootstrap.sh
 

deploy/kubernetes/app-deployment.yaml

@@ -14,7 +14,7 @@ spec:
     spec:
       containers:
         - name: keep-app
-          image: ghcr.io/example/app:latest
+          image: ghcr.io/evalops/keep/app:latest
           env:
             - name: APP_ENV
               valueFrom:

deploy/kubernetes/app-service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: keep-app
+spec:
+  selector:
+    app: keep-app
+  ports:
+    - name: http
+      port: 5000
+      targetPort: 5000
+      protocol: TCP

deploy/kubernetes/authz-deployment.yaml

@@ -14,7 +14,7 @@ spec:
     spec:
       containers:
         - name: authz
-          image: ghcr.io/example/authz:latest
+          image: ghcr.io/evalops/keep/authz:latest
           env:
             - name: OPA_URL
               valueFrom:
@@ -37,14 +37,14 @@ spec:
             httpGet:
               path: /health
               port: 8443
-            scheme: HTTPS
+              scheme: HTTPS
             initialDelaySeconds: 5
             periodSeconds: 10
           livenessProbe:
             httpGet:
               path: /health
               port: 8443
-            scheme: HTTPS
+              scheme: HTTPS
             initialDelaySeconds: 15
             periodSeconds: 20
           resources:

deploy/kubernetes/authz-service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: authz
+spec:
+  selector:
+    app: authz
+  ports:
+    - name: https
+      port: 8443
+      targetPort: 8443
+      protocol: TCP

deploy/kubernetes/inventory-deployment.yaml

@@ -14,7 +14,7 @@ spec:
     spec:
       containers:
         - name: inventory
-          image: ghcr.io/example/inventory:latest
+          image: ghcr.io/evalops/keep/inventory:latest
           env:
             - name: INVENTORY_ADDR
               value: ":8080"

deploy/kubernetes/inventory-service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: inventory
+spec:
+  selector:
+    app: inventory
+  ports:
+    - name: http
+      port: 8080
+      targetPort: 8080
+      protocol: TCP