ci: add GitHub Actions pipeline and fix legacy python linting errors #302

Open
Lokesh-Madiri wants to merge 2 commits into Kuldeeep18:main from Lokesh-Madiri:feat/add-ci-pipeline

@Lokesh-Madiri Lokesh-Madiri commented Jun 17, 2026

Fixes Issue

Closes #295

Description

This PR introduces an enterprise-grade Continuous Integration (CI) pipeline using GitHub Actions to automate linting, testing, and merge conflict checks. To ensure the new pipeline is strictly enforced without relying on legacy ignore rules, I also took the initiative to clean up all existing Python linting violations across the backend.

What was done

  • Added GitHub Actions Pipeline (.github/workflows/ci.yml)
    • Configured to trigger on pushes and PRs targeting main.
    • Explicitly uses Python 3.11.9 to match the runtime.txt production environment.
    • Implemented pip caching, action concurrency limits, and strict read-only permissions for performance and security.
  • Added Fast-Fail Merge Conflict Detection
    • Added a quality-checks job that runs before linting and testing. It scans the codebase for leftover merge conflict markers (<<<<<<<, =======, >>>>>>>) to prevent broken code from being merged.
  • Integrated Ruff Linting & Cleaned up Tech Debt
    • Added ruff check . to the CI pipeline to enforce strict Python linting.
    • Created ruff.toml to configure the target Python version.
    • Fixed 30 legacy linting errors across the backend so the CI pipeline can run strictly. This involved:
      • Auto-fixing unused imports (F401, F811).
      • Manually hoisting 13 late module imports to the top of settings.py, urls.py, and campaigns/views.py (E402).
      • Renaming ambiguous single-letter variables in the leads test suite (E741).
  • Integrated Django Backend Testing
    • Added a test-backend job that safely installs dependencies and executes python manage.py test, ensuring all 71 backend tests pass automatically.

Verification

  • Tested CI commands locally (All ruff and manage.py test checks passed).
  • Verified git grep successfully detects merge conflict markers and fails the pipeline if found.

Screenshots

  • Linting is Clean :
  • Tests are passing :

Note: The current working repo contains merge conflicts; merge the necessary PR that fixes that issue, else the CI created would show an error.

Summary by CodeRabbit

  • Chores
    • Established automated CI pipeline to enforce code quality checks and run backend tests on push and pull requests
    • Updated development tooling to target Python 3.11
    • Cleaned up and reorganized internal code structure

coderabbitai Bot commented Jun 17, 2026

Walkthrough

Adds a GitHub Actions CI workflow (.github/workflows/ci.yml) with three jobs: conflict-marker detection, Ruff linting, and Django backend tests. Sets ruff.toml target to Python 3.11. Cleans up unused imports across several backend modules and renames a loop variable in leads/tests.py to make the codebase pass the new lint checks.

Changes

CI Pipeline and Linting Cleanup

| Layer | File(s) | Summary |
|---|---|---|
| CI workflow and Ruff configuration | ruff.toml, .github/workflows/ci.yml | New ci.yml defines three jobs (conflict-marker check, Ruff lint, Django test) gated sequentially; ruff.toml sets target-version = "py311". |
| Backend unused-import and import-organization cleanup | backend/backend/settings.py, backend/backend/urls.py, backend/campaigns/gmail_service.py, backend/campaigns/notifications.py, backend/campaigns/views.py, backend/leads/tests.py, backend/tenants/admin.py, backend/tenants/tests.py, backend/tenants/views.py, backend/users/views.py | Removes unused imports (timezone, credentials, User, render, TestCase, admin, SimpleUploadedFile, Q, SequenceStepViewSet), consolidates duplicate import blocks in campaigns/views.py, and renames the l loop variable to lead_data in LeadFilterTests set comprehensions. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 Hoppity-hop, the pipeline is here,
No broken merges shall ever appear!
Conflict markers begone, ruff says "clean code!"
Tests run on every PR down the road.
The imports are tidy, the variables named right —
A fluffy CI rabbit, guarding the night. 🌙

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title directly and concisely describes the main changes: adding a GitHub Actions CI pipeline and fixing Python linting errors related to legacy code. |
| Linked Issues check | ✅ Passed | The PR fully addresses all core requirements from issue #295: GitHub Actions workflow on main branch, Python environment setup, backend tests, linting via ruff, merge conflict detection, and failing on validation errors. |
| Out of Scope Changes check | ✅ Passed | All changes align with PR objectives: CI pipeline setup, linting configuration, unused import removals, variable naming improvements, and import reorganization are directly related to enabling strict pipeline enforcement. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Line 28: The conflict-marker detection regex in the grep command uses
`^=======` which matches any line starting with 7 or more equals signs, causing
false positives when valid content contains multiple equals signs (like markdown
headers). Modify the pattern from `^=======` to `^=======$` to only match
exactly 7 equals signs on a line by themselves, which is the actual merge
conflict separator format.
- Around line 23-24: Replace all GitHub Actions version tags with full commit
SHAs instead of mutable tags like `@v4` or `@v5` to strengthen supply-chain
security. Specifically, update the actions/checkout references and any other
actions in the workflow file to use their commit SHA hashes. Additionally, add
`persist-credentials: false` to each checkout step to disable credential
persistence. Apply these changes across all affected locations where actions are
referenced in the CI workflow file.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: fb1fb9c6-7a33-4602-8b84-99acb98197a6

📥 Commits

Reviewing files that changed from the base of the PR and between 90052f9 and 7ffedab.

📒 Files selected for processing (12)
  • .github/workflows/ci.yml
  • backend/backend/settings.py
  • backend/backend/urls.py
  • backend/campaigns/gmail_service.py
  • backend/campaigns/notifications.py
  • backend/campaigns/views.py
  • backend/leads/tests.py
  • backend/tenants/admin.py
  • backend/tenants/tests.py
  • backend/tenants/views.py
  • backend/users/views.py
  • ruff.toml
💤 Files with no reviewable changes (6)
  • backend/tenants/views.py
  • backend/users/views.py
  • backend/campaigns/gmail_service.py
  • backend/tenants/tests.py
  • backend/campaigns/notifications.py
  • backend/tenants/admin.py

Comment thread .github/workflows/ci.yml Outdated
Comment on lines +23 to +24
- name: Checkout Code
uses: actions/checkout@v4


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify mutable action refs still present (should be none after fix)
rg -n 'uses:\s*[^ ]+@v[0-9]+' .github/workflows/ci.yml

# Verify checkout steps explicitly disable credential persistence
rg -n -C2 'uses:\s*actions/checkout@' .github/workflows/ci.yml
rg -n 'persist-credentials:\s*false' .github/workflows/ci.yml

Repository: Kuldeeep18/LeadOrbit

Length of output: 655


Pin all GitHub Actions to commit SHAs and disable persisted checkout credentials.

Using mutable tags (@v4, @v5) instead of commit SHAs and leaving checkout credential persistence enabled weakens CI supply-chain hardening. Pin all actions to full commit SHAs and set persist-credentials: false on each checkout step.

Affected locations: lines 24, 39, 42, 61, 64.

Suggested hardening diff
-      - name: Checkout Code
-        uses: actions/checkout@v4
+      - name: Checkout Code
+        uses: actions/checkout@<FULL_LENGTH_COMMIT_SHA>
+        with:
+          persist-credentials: false

-      - name: Checkout Code
-        uses: actions/checkout@v4
+      - name: Checkout Code
+        uses: actions/checkout@<FULL_LENGTH_COMMIT_SHA>
+        with:
+          persist-credentials: false

-      - name: Set up Python
-        uses: actions/setup-python@v5
+      - name: Set up Python
+        uses: actions/setup-python@<FULL_LENGTH_COMMIT_SHA>

-      - name: Checkout Code
-        uses: actions/checkout@v4
+      - name: Checkout Code
+        uses: actions/checkout@<FULL_LENGTH_COMMIT_SHA>
+        with:
+          persist-credentials: false

-      - name: Set up Python
-        uses: actions/setup-python@v5
+      - name: Set up Python
+        uses: actions/setup-python@<FULL_LENGTH_COMMIT_SHA>
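Review bot: The `+` lines that replace `actions/checkout@v4` and `actions/setup-python@v5` with `@<FULL_LENGTH_COMMIT_SHA>` drop the only record of which release is in use. Keep the tag as a trailing comment after each SHA (for example `# v4`) so reviewers and update tooling can tell which release a SHA corresponds to, and make sure every placeholder is replaced with a SHA taken from the action's own repository before this is committed.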
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 23-24: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 24-24: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 23 - 24, Replace all GitHub Actions
version tags with full commit SHAs instead of mutable tags like `@v4` or `@v5` to
strengthen supply-chain security. Specifically, update the actions/checkout
references and any other actions in the workflow file to use their commit SHA
hashes. Additionally, add `persist-credentials: false` to each checkout step to
disable credential persistence. Apply these changes across all affected
locations where actions are referenced in the CI workflow file.

Source: Linters/SAST tools
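
The finding above asks for two properties on every step: a full-length commit SHA after `@`, and `persist-credentials: false` on each checkout. The script below is an added example, not part of the PR or of the bot's review; it checks both per step rather than per file, and `sample_workflow`, `audit_workflow` and the SHA in the sample are constructed for illustration.

```shell
# Added example: per-step audit of a workflow for the two findings above.
# The workflow text and the 40-character SHA in it are constructed placeholders.

sample_workflow() {
  cat <<'EOF'
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder
        with:
          persist-credentials: false
EOF
}

# Print one finding per line as "<line>: <rule>: <detail>".
audit_workflow() {
  awk '
    # Report a checkout step that ended without persist-credentials: false.
    function close_step() {
      if (checkout_line && !persist_off)
        printf "%d: artipacked: checkout keeps credentials\n", checkout_line
      checkout_line = 0; persist_off = 0
    }
    /^[ \t]*-[ \t]/ { close_step() }            # a list item starts a new step
    /uses:[ \t]*[^ \t]+@/ {
      ref = $0; sub(/.*@/, "", ref); sub(/[ \t].*/, "", ref)
      # Anything other than a 40-character lowercase hex ref is mutable.
      if (ref !~ /^[0-9a-f]+$/ || length(ref) != 40)
        printf "%d: unpinned-uses: @%s\n", NR, ref
      if ($0 ~ /uses:[ \t]*actions\/checkout@/) checkout_line = NR
    }
    /persist-credentials:[ \t]*false/ { persist_off = 1 }
    END { close_step() }
  ' "$1"
}

tmp=$(mktemp)
sample_workflow > "$tmp"
audit_workflow "$tmp"
rm -f "$tmp"
```

Tracking state per step matters because a file-wide search for `persist-credentials: false` is satisfied by a single hardened checkout even when other checkout steps in the same file still persist the token.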

Comment thread .github/workflows/ci.yml Outdated

- name: Check for merge conflict markers
run: |
if grep -rn --exclude-dir=.git -E "^<<<<<<< |^=======|^>>>>>>> " .; then


⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Tighten conflict-marker regex to avoid false positives.

^======= matches any line that starts with 7 =, not only merge separators. Restrict it to ^=======$ so valid content doesn’t fail CI.

Suggested diff
-          if grep -rn --exclude-dir=.git -E "^<<<<<<< |^=======|^>>>>>>> " .; then
+          if grep -rn --exclude-dir=.git -E "^<<<<<<< .*$|^=======$|^>>>>>>> .*$" .; then
             echo "Unresolved merge conflict markers found!"
             exit 1
           fi
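Review bot: On the `+` line, `^=======$` no longer matches a separator in a file with CRLF line endings, because the carriage return sits between the last `=` and the end of the line, so a conflict left in such a file would pass the check. Allow an optional trailing carriage return on that alternative. The `.*$` added after `^<<<<<<< ` and `^>>>>>>> ` matches the same lines as the original prefixes and can be dropped.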
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if grep -rn --exclude-dir=.git -E "^<<<<<<< |^=======|^>>>>>>> " .; then
if grep -rn --exclude-dir=.git -E "^<<<<<<< .*$|^=======$|^>>>>>>> .*$" .; then
echo "Unresolved merge conflict markers found!"
exit 1
fi
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 28, The conflict-marker detection regex in
the grep command uses `^=======` which matches any line starting with 7 or more
equals signs, causing false positives when valid content contains multiple
equals signs (like markdown headers). Modify the pattern from `^=======` to
`^=======$` to only match exactly 7 equals signs on a line by themselves, which
is the actual merge conflict separator format.
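
To see what the regex change in the comment above does in practice, the script below runs the original and the tightened pattern over the same file and reports which line numbers each one flags. It is an added example, not part of the PR or of the bot's review: the sample lines are constructed, `make_sample` and `flagged_lines` are hypothetical names, and `CRLF_TOLERANT` is an extra variant assumed here to cover files with CRLF line endings.

```shell
# Added example: which lines each conflict-marker pattern flags.
# Every line of the sample file is constructed for this demonstration.

CR=$(printf '\r')
ORIGINAL='^<<<<<<< |^=======|^>>>>>>> '
TIGHTENED='^<<<<<<< .*$|^=======$|^>>>>>>> .*$'
# Assumption, not from the PR: also accept one trailing carriage return.
CRLF_TOLERANT="^<<<<<<< |^=======${CR}?\$|^>>>>>>> "

make_sample() {
  printf '%s\n' \
    'Release notes' \
    '=============' \
    '<<<<<<< HEAD' \
    'DEBUG = False' \
    '=======' \
    'DEBUG = True' \
    '>>>>>>> feature-branch' \
    '======= build log =======' > "$1"
  # A second separator as it appears in a file saved with CRLF line endings.
  printf '=======\r\n' >> "$1"
}

# Print the line numbers a pattern flags in a file, space separated.
flagged_lines() {
  grep -nE "$1" "$2" | cut -d: -f1 | tr '\n' ' ' | sed 's/ $//'
}

tmp=$(mktemp)
make_sample "$tmp"
echo "original:      $(flagged_lines "$ORIGINAL" "$tmp")"
echo "tightened:     $(flagged_lines "$TIGHTENED" "$tmp")"
echo "crlf-tolerant: $(flagged_lines "$CRLF_TOLERANT" "$tmp")"
rm -f "$tmp"
```

Lines 2 and 8 of the sample are the false positives the review describes; line 9 is the CRLF separator that the tightened pattern stops catching.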

@Lokesh-Madiri

Author

Starred the repo, and NOTE that Issue #301 should be cleared (merged) to face no issues while merging this PR.

Development

Successfully merging this pull request may close these issues.

LO-066 [Medium - DevOps]: Add GitHub Actions CI Pipeline (Lint + Test)

1 participant