From 81860d7df23ba8efc7776f514f3c30ad2b6853c9 Mon Sep 17 00:00:00 2001
From: Code With Me
Date: Wed, 11 Mar 2026 22:11:49 +0300
Subject: [PATCH] feat: DB optimization, improved container security and improved pipeline checks
---
 .github/workflows/ci.yaml | 5 ++-
 Dockerfile | 8 +++-
 app/services/inventory/models.py | 6 ++-
 docker-compose.yaml | 3 ++
 ...a_add_indexes_to_status_and_created_at_.py | 43 +++++++++++++++++++
 pyproject.toml | 1 +
 6 files changed, 62 insertions(+), 4 deletions(-)
 create mode 100644 migrations/versions/da065d87e52a_add_indexes_to_status_and_created_at_.py
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 8d6418c..32297e2 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -51,6 +51,9 @@ jobs: - name: Install dependencies run: uv sync --all-extras --dev + - name: Check lockfile + run: uv lock --check + - name: Check formatting run: uv run ruff format --check .
@@ -58,7 +61,7 @@ jobs: run: uv run ruff check . - name: Run tests - run: uv run pytest + run: uv run pytest --cov-fail-under=70 - name: Run mypy run: uv run mypy .
diff --git a/Dockerfile b/Dockerfile
index 75aa4a6..f5789b3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,6 +2,8 @@ FROM python:3.11-slim RUN apt-get update && apt-get install -y curl +RUN addgroup --system appuser && adduser --system --group appuser + WORKDIR /app ENV UV_PROJECT_ENVIRONMENT=/app/.venv
@@ -14,4 +16,8 @@ RUN uv sync --frozen COPY . . -CMD ["uv", "run", "uvicorn", "app.main:app", "--host", "0.0.0.0"] \ No newline at end of file +RUN chown -R appuser:appuser /app + +USER appuser + +CMD ["/app/.venv/bin/uvicorn", "app.main:app", "--host", "0.0.0.0"]
diff --git a/app/services/inventory/models.py b/app/services/inventory/models.py
index 00a9e04..fbdc36e 100644
--- a/app/services/inventory/models.py
+++ b/app/services/inventory/models.py
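Review bot: The new `uv lock --check` step in .github/workflows/ci.yaml (first hunk) runs after `uv sync --all-extras --dev`, and that sync is not told to treat the lockfile as read-only, so it can re-resolve and rewrite a stale `uv.lock` in the workspace before the check looks at it. In that order the check would pass on exactly the commits it is meant to reject. Either move the step ahead of the install, or make the install itself strict with `run: uv sync --locked --all-extras --dev`, which fails instead of updating the lock.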
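Review bot: The 70% floor in the second ci.yaml hunk exists only on the CI command line (`uv run pytest --cov-fail-under=70`), while the coverage options themselves go into `addopts` in pyproject.toml in the same commit, so a local `pytest` run reports coverage but never fails on it. Keeping the threshold with the rest of the configuration, for example `fail_under = 70` under `[tool.coverage.report]` in pyproject.toml, gives one place to change it and the same result locally and in CI.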
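Review bot: The account created in the first Dockerfile hunk by `adduser --system --group appuser` gets whatever UID and GID the base image hands out next, and the second hunk then selects it by name with `USER appuser`. A name-only user cannot be verified by orchestrators that enforce a non-root policy from image metadata (Kubernetes `runAsNonRoot` rejects a non-numeric USER), and an unpinned UID makes file ownership on mounted volumes depend on the base image. Consider pinning the ids and referring to them numerically, e.g. `RUN groupadd --system --gid 10001 appuser && useradd --system --uid 10001 --gid 10001 --no-create-home appuser` together with `USER 10001:10001` (10001 is an example value). The separate `addgroup --system appuser` also looks redundant, since `--group` already creates the matching group.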
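Review bot: `RUN chown -R appuser:appuser /app` in the second Dockerfile hunk hands the runtime account ownership of the application code and of `/app/.venv`, so a process running as appuser can rewrite the code and packages it executes; the `read_only: true` added in docker-compose.yaml only covers containers started from that compose file. Dropping to a non-root user protects more when the tree stays root-owned and merely readable (provided the copied files are world-readable): remove the recursive chown, and if the service needs a writable path, create and chown that one directory instead. A recursive chown in its own `RUN` also copies every file under /app into an extra image layer.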
@@ -45,7 +45,9 @@ class Reservation(Base):
 qty_reserved: Mapped[int] = mapped_column(Integer, nullable=False, default=1)
 user_id: Mapped[UUID] = mapped_column(ForeignKey('users.id'), nullable=False)
 product_id: Mapped[UUID] = mapped_column(ForeignKey('products.id'), nullable=False)
- status: Mapped[str] = mapped_column(String(), nullable=False, default='pending')
+ status: Mapped[str] = mapped_column(
+ String(), nullable=False, default='pending', index=True
+ )
 idempotency_key: Mapped[str] = mapped_column(String(), nullable=False, unique=True)
 order_id: Mapped[UUID | None] = mapped_column(
 ForeignKey('orders.id'), nullable=True
@@ -54,5 +56,5 @@ class Reservation(Base):
 DateTime(timezone=True), nullable=False
 )
 created_at: Mapped[datetime] = mapped_column(
- DateTime(timezone=True), server_default=func.now()
+ DateTime(timezone=True), server_default=func.now(), index=True
 )
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 3aba755..138b4b8 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -56,6 +56,9 @@ services: - fairdrop-s3:/data app: + read_only: true + tmpfs: + - /tmp build: . depends_on: postgres:
diff --git a/migrations/versions/da065d87e52a_add_indexes_to_status_and_created_at_.py b/migrations/versions/da065d87e52a_add_indexes_to_status_and_created_at_.py
new file mode 100644
index 0000000..5f42a28
--- /dev/null
+++ b/migrations/versions/da065d87e52a_add_indexes_to_status_and_created_at_.py
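Review bot: `index=True` on `status` in the first models.py hunk builds a single-column index over what looks like only a handful of distinct values (the default is 'pending'), and the second hunk adds another single-column index on `created_at`. Whether either is used depends on queries that are outside this diff; if the hot query filters on status and then orders or ranges on created_at, one composite index would serve it better than two separate ones and leave one index fewer to maintain on every insert and status change. That would be `__table_args__ = (Index('ix_reservations_status_created_at', 'status', 'created_at'),)` on the model, with the migration adjusted to match. The Reservation class body starts and ends outside both hunks.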
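Review bot: `read_only: true` with a tmpfs on /tmp in the docker-compose.yaml hunk locks the filesystem, but the `app` service still keeps Docker's default capability set and can still gain privileges through setuid binaries. Since the image now runs as a non-root user, the service can drop both with `cap_drop: [ALL]` and `security_opt: ['no-new-privileges:true']` next to `read_only`. It is also worth confirming that nothing the app does at runtime writes outside /tmp, because with a read-only root those writes now fail; the rest of the service definition is outside this hunk.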
@@ -0,0 +1,43 @@
+"""add indexes to status and created_at fields
+
+Revision ID: da065d87e52a
+Revises: 2e443a9c1a0a
+Create Date: 2026-03-11 19:12:37.293427
+
+"""
+
+from collections.abc import Sequence
+
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision: str = 'da065d87e52a'
+down_revision: str | Sequence[str] | None = '2e443a9c1a0a'
+branch_labels: str | Sequence[str] | None = None
+depends_on: str | Sequence[str] | None = None
+
+
+def upgrade() -> None:
+ """Upgrade schema."""
+ # ### commands auto generated by Alembic - please adjust! ###
+ op.create_index(
+ op.f('ix_reservations_created_at'),
+ 'reservations',
+ ['created_at'],
+ unique=False,
+ )
+ op.create_index(
+ op.f('ix_reservations_status'),
+ 'reservations',
+ ['status'],
+ unique=False,
+ )
+ # ### end Alembic commands ###
+
+
+def downgrade() -> None:
+ """Downgrade schema."""
+ # ### commands auto generated by Alembic - please adjust! ###
+ op.drop_index(op.f('ix_reservations_status'), table_name='reservations')
+ op.drop_index(op.f('ix_reservations_created_at'), table_name='reservations')
+ # ### end Alembic commands ###
diff --git a/pyproject.toml b/pyproject.toml
index c3d7309..528eb2f 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -51,6 +51,7 @@ quote-style = 'single' 'migrations/env.py' = ['F401'] [tool.pytest.ini_options] +addopts = '-v --asyncio-mode=auto --cov=app --cov-report=term-missing' testpaths = ['tests'] python_files = ['test_*.py'] python_classes = ['Test*']
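Review bot: Both `op.create_index` calls in `upgrade()` of the new migration build the index as a plain CREATE INDEX, which on PostgreSQL (the compose file has a postgres service) blocks writes to `reservations` until the build finishes. On a populated table that is a write outage for the length of the deploy. Alembic supports the online form: run the two calls inside `with op.get_context().autocommit_block():` and pass `postgresql_concurrently=True` to each, with the same argument on the `op.drop_index` calls in `downgrade()`. The generic `"""Upgrade schema."""` docstring and the "please adjust" markers could then give way to one line saying why the indexes are built concurrently.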