Chore/ci consolidation

.github/workflows/ci.yml

@@ -1,62 +1,47 @@
-name: CI - Quality Checks
+name: CI – Quality Gate
 
 on:
   pull_request:
-    branches: [main]
+    branches: [ main ]
   push:
-    branches:
-      - "feature/**"
+    branches: [ "feature/**" ]
 
 jobs:
-  quality-checks:
+  quality:
     runs-on: ubuntu-latest
     strategy:
-      fail-fast: false
       matrix:
-        python-version: ["3.11", "3.12"]
+        python-version: ["3.11"]
 
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
+      - uses: actions/checkout@v4
 
-      - name: Setup Python
-        uses: actions/setup-python@v5
+      - uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
 
-      - name: Get pip cache dir
-        id: pip-cache
-        run: |
-          echo "dir=$(pip cache dir)" >> $GITHUB_OUTPUT
-
-      - name: Cache dependencies
-        uses: actions/cache@v4
-        with:
-          path: ${{ steps.pip-cache.outputs.dir }}
-          key: ${{ runner.os }}-pip-${{ matrix.python-version }}-${{ hashFiles('**/requirements.txt') }}
-          restore-keys: |
-            ${{ runner.os }}-pip-${{ matrix.python-version }}-
-            ${{ runner.os }}-pip-
-
-      - name: Install dependencies and tools
+      - name: Install dependencies
         run: |
           pip install --upgrade pip
           pip install -r requirements.txt
-          pip install black isort autoflake bandit safety pytest pytest-asyncio pytest-cov
+          pip install black isort bandit safety pytest pytest-asyncio pytest-cov
 
-      - name: Run linters
+      - name: Lint
         run: |
-          echo "--- Running Black ---"
           black --check app
-          echo "--- Running isort ---"
           isort --check-only app
 
-      - name: Run security scans
+      - name: Security scan
         run: |
-          echo "--- Running Bandit ---"
           bandit -r app -ll
-          echo "--- Running Safety ---"
           safety check -r requirements.txt || true
 
-      - name: Run unit tests
-        run: pytest -q --disable-warnings --maxfail=1
+      - name: Run tests
+        env:
+          API_KEY: test-api-key-12345678
+          SECRET_KEY: test-secret-key-87654321
+          CORS_ORIGINS: '["*"]'
+          ENVIRONMENT: testing
+          DEBUG: false
+          LOG_LEVEL: INFO
+        run: pytest -q --disable-warnings --maxfail=1

.github/workflows/deploy.yml

@@ -1,97 +1,38 @@
-name: CD - NeuroBank Deployment (Karpathy Edition)
+name: CD – NeuroBank Deployment
 
 on:
   push:
-    branches: [main]
+    branches: [ main ]
 
 jobs:
   deploy:
-    name: Build & Deploy
     runs-on: ubuntu-latest
     permissions:
       contents: read
       packages: write
 
     env:
       IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/neurobank:${{ github.sha }}
-      SERVICE_ID: "REPLACE_ME"     # <- luego pones el tuyo
       RAILWAY_API: https://backboard.railway.app/graphql
 
     steps:
+      - uses: actions/checkout@v4
 
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
-      # ============================================================
-      # A — BUILD DOCKER IMAGE
-      # ============================================================
-      - name: Log in to GHCR
+      - name: Login to GHCR
         run: |
-          echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io \
-          echo "${{ secrets.GHCR_PAT }}" | docker login ghcr.io \
-            -u "${{ github.actor }}" --password-stdin
+          echo "${{ secrets.GHCR_PAT }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
 
       - name: Build Docker image
-        run: |
-          echo "➜ Building Docker image: $IMAGE_NAME"
-          docker build -t $IMAGE_NAME .
+        run: docker build -t $IMAGE_NAME .
 
-      - name: Push Docker image to GHCR
-        run: |
-          echo "➜ Pushing image to GHCR..."
-          docker push $IMAGE_NAME
+      - name: Push Docker image
+        run: docker push $IMAGE_NAME
 
-      # ============================================================
-      # B — TRY RAILWAY CLI (NON-BLOCKING)
-      # ============================================================
-      - name: Try installing Railway CLI
-        id: cli_install
+      # Railway CLI (best-effort)
+      - name: Try Railway CLI
         continue-on-error: true
-        run: |
-          echo "➜ Attempting Railway CLI install…"
-          curl -fsSL https://railway.app/install.sh | sh
-          if command -v railway > /dev/null; then
-            echo "cli=true" >> $GITHUB_OUTPUT
-          else
-            echo "cli=false" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Deploy using Railway CLI
-        if: steps.cli_install.outputs.cli == 'true'
         env:
           RAILWAY_TOKEN: ${{ secrets.RAILWAY_TOKEN }}
-        continue-on-error: true
         run: |
-          echo "➜ Railway CLI OK → Trying deploy…"
-          railway up --ci || echo "⚠️ CLI deploy failed, continuing with API fallback"
-
-      # ============================================================
-      # C — API FALLBACK DEPLOY (INFALIBLE)
-      # ============================================================
-      - name: Trigger Railway deployment via API (fallback)
-        if: steps.cli_install.outputs.cli == 'false'
-        env:
-          RAILWAY_TOKEN: ${{ secrets.RAILWAY_TOKEN }}
-        run: |
-          echo "⚠️ CLI unavailable → Using API fallback mode."
-          echo "➜ Deploying image: $IMAGE_NAME"
-
-          curl -X POST "$RAILWAY_API" \
-            -H "Content-Type: application/json" \
-            -H "Authorization: Bearer $RAILWAY_TOKEN" \
-            -d "{
-              \"query\": \"mutation { deployService(input: { serviceId: \\\"$SERVICE_ID\\\", image: \\\"$IMAGE_NAME\\\" }) { id } }\"
-            }"
-
-          echo "✔ Deployment requested successfully via Railway API."
-
-      - name: Final status
-        run: |
-          echo ""
-          echo "-------------------------------------------"
-          echo "   KARPATHY DEPLOY PIPELINE COMPLETED"
-          echo "-------------------------------------------"
-          echo "Image: $IMAGE_NAME"
-          echo "Service: $SERVICE_ID"
-          echo "If Railway falla → tú no fallas."
-          echo "-------------------------------------------"
+          curl -fsSL https://railway.app/install.sh | sh
+          railway up || true

.github/workflows/docker-security.yml

@@ -1,34 +1,27 @@
-name: docker-security
+name: Docker Security (Trivy)
 
 on:
   pull_request:
     branches: [ main ]
-  push:
-    branches: [ main ]
   workflow_dispatch:
 
 jobs:
   trivy:
-    name: Trivy Security
     runs-on: ubuntu-latest
-
     permissions:
       contents: read
       security-events: write
 
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
+      - uses: actions/checkout@v4
 
-      - name: Run Trivy vulnerability scanner (fs)
-        uses: aquasecurity/[email protected]
+      - uses: aquasecurity/[email protected]
         with:
-          scan-type: "fs"
-          format: "sarif"
-          output: "trivy-results.sarif"
-          severity: "CRITICAL,HIGH"
+          scan-type: fs
+          format: sarif
+          output: trivy-results.sarif
+          severity: CRITICAL,HIGH
 
-      - name: Upload SARIF results to GitHub Security
-        uses: github/codeql-action/upload-sarif@v4
+      - uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: trivy-results.sarif

.github/workflows/security.yml

@@ -1,29 +1,18 @@
-name: CI - Security Scan
+name: CI – Security Scan
 
 on:
   pull_request:
-    branches: [main]
-  push:
-    branches:
-      - "feature/**"
+    branches: [ main ]
 
 jobs:
   security:
     runs-on: ubuntu-latest
-
     steps:
       - uses: actions/checkout@v4
-
-      - name: Setup Python
-        uses: actions/setup-python@v5
+      - uses: actions/setup-python@v5
         with:
           python-version: "3.11"
 
-      - name: Install security tooling
-        run: pip install bandit safety
-
-      - name: Run Bandit
-        run: bandit -r app -ll
-
-      - name: Dependency vulnerability scan
-        run: safety check -r requirements.txt || true
+      - run: pip install bandit safety
+      - run: bandit -r app -ll
+      - run: safety check -r requirements.txt || true

.python-version

@@ -1 +1 @@
-3.11.8
+3.12.3