Note
This file is maintained by the foundry-python template and will be updated when you run mise run update_from_template.
This getting started guide covers everything needed to get this project fully operational.
This project was scaffolded using foundry-python:
| Category | Tools |
|---|---|
| Code Quality | Ruff (linting), PyRight (type checking) |
| Git Hooks | pre-commit, detect-secrets, pygrep, Commitizen |
| Testing | pytest (parallel execution), Nox (matrix testing), Codecov (coverage) |
| CI/CD | GitHub Actions (workflows), act (local testing) |
| Security | SonarQube, pip-audit, trivy, Dependabot |
| Dependencies | Renovate (updates), pip-licenses (compliance) |
| Observability | Sentry (errors, tracing, profiling), BetterStack (uptime monitoring) |
| Documentation | SBOM generation (CycloneDX, SPDX), auto-generated attributions, dynamic badges |
| AI Assistance | GitHub Copilot (custom instructions), Claude Code (PR reviews) |
Before configuring services, confirm the local environment is working:
mise run install
mise run testAll tests should pass. If not, run mise run install first.
| Service | Purpose | Status |
|---|---|---|
| GitHub Repository Settings | Security alerts, Dependabot | |
| Google Artifact Registry | Package publishing | |
| SonarCloud | Code quality analysis | |
| Renovate | Dependency updates | |
| CodeCov Badge | Coverage badge | |
| Sentry | Error monitoring | |
| Repository Polish | Discoverability | |
| Slack Release Notifications | Release notifications | |
| Background Worker | Chancy job queue |
Why: Ensures dependency vulnerability scanning is active.
- Go to https://github.com/aignostics/foundry-python-core/settings/security_analysis
- Verify Dependabot alerts is enabled (on by default via enterprise policy)
- Verify Dependabot security updates is enabled (on by default via enterprise policy)
- Do NOT enable Dependabot version updates — Renovate handles this
- (Public repos only) Enable Private vulnerability reporting
Why: Allows CI to access our private Python registry.
- Add your repository to the
github_repositorieslist in this file; follow the usual process to apply the Terragrunt changes- Example PR here
- Go to https://github.com/aignostics/foundry-python-core/settings/secrets/actions/new and create a new repository secret called
GCP_WORKLOAD_IDENTITY_PROVIDERwith valueprojects/359433074524/locations/global/workloadIdentityPools/github-python-library-repos/providers/github-provider
Verify: the Setup Dev Environment action succeeds in lint, test or audit workflow
Note: Requires SonarCloud admin access. Your team lead should have admin access; if not, ask in #topic-foundry.
- Go to https://sonarcloud.io/projects/create, select your new repo and click "Set Up"
- Select Previous Code when prompted
- Go to https://sonarcloud.io/project/settings?id=aignostics_foundry-python-core → Administration > Analysis Method → disable Automatic Analysis
- For private repositories — update the quality badge in
README.md:- Go to https://sonarcloud.io/project/information?id=aignostics_foundry-python-core, scroll to Badges, copy the token from the URL, replace
SONAR_BADGE_TOKENin yourREADME.md
- Go to https://sonarcloud.io/project/information?id=aignostics_foundry-python-core, scroll to Badges, copy the token from the URL, replace
For private repositories, the badge URL requires a token:
- Go to https://app.codecov.io/gh/aignostics/foundry-python-core/config/badge
- Under "Embed via API", copy the token value from the URL
- In your
README.md, replaceCODECOV_BADGE_TOKENwith the copied token
The following do not block this PR. Complete them after merge to finish the project setup.
These services are active automatically at the organisation level:
| Service | Purpose | Notes |
|---|---|---|
| SonarCloud | Code quality & security analysis | SONAR_TOKEN is org-wide; quality gate runs on every PR |
| Sentry | Error monitoring | Org-level integration; scans PRs automatically |
| Ox Security | Supply chain security | Org-level integration; scans PRs automatically |
| CodeQL | Static security analysis | Runs weekly (Tuesdays 3:22 AM UTC) via included workflow |
| CodeCov | Coverage tracking & PR comments | Org-level; coverage uploads automatic |
| Dependabot | Dependency vulnerability alerts | Enabled by default via enterprise policy |
| Claude Code | AI-powered PR reviews (claude label) |
ANTHROPIC_API_KEY is org-wide; no setup required |
Why: Automated dependency updates with smart grouping and scheduling (complements Dependabot which handles security patches).
- Go to https://developer.mend.io and sign in with your GitHub account
- Go to https://developer.mend.io/github/aignostics/foundry-python-core and click Action > Run Renovate scan
- Renovate creates a Dependency Dashboard issue in your repository
Verify: Dependency Dashboard issue appears in your repository
For error tracking, performance profiling, and release tracking, configure the Sentry DSN in your application code. Basic PR scanning is already active at the org level.
- Go to https://github.com/aignostics/foundry-python-core
- Click the cogs icon next to "About"
- Copy the description from
pyproject.tomlinto the description field - Copy up to 20 tags from
pyproject.tomlinto the topics field - Go to https://github.com/aignostics/foundry-python-core/settings and upload a social preview image (e.g.
logo.png)
Why: Notifies #announce-foundry when a new version is published.
No secrets needed — the Slack webhook is configured at the org level. No action required; verify by publishing a release.
This project includes a Chancy background worker powered by PostgreSQL.
src/foundry_python_core/scheduler/— the scheduler module (service, CLI, API, settings)src/foundry_python_core/hello_world/_jobs.pyandsrc/foundry_python_core/system/_jobs.py— example job definitionsmigrations/versions/0002_add_scheduler_heartbeats.py— database migration for the heartbeat tabledeployment/cloudrun/service-worker.template.yaml— Cloud Run worker service definition
Start everything with Docker Compose (the worker service starts alongside the API and PostgreSQL):
docker compose upOr run the worker directly:
# Apply the scheduler database migration first
uv run foundry-python-core scheduler db migrate
# Register job definitions
uv run foundry-python-core scheduler joblets register
# Start the worker
uv run foundry-python-core scheduler executeThe Chancy web UI is available at http://127.0.0.1:8001 by default (configurable via FOUNDRY_PYTHON_CORE_SCHEDULER_API_HOST and FOUNDRY_PYTHON_CORE_SCHEDULER_API_PORT).
The scheduler requires its own migration to create the heartbeat table. This runs automatically at startup in production (see deployment/cloudrun/service.template.yaml). Locally, run:
uv run foundry-python-core scheduler db migrate- docs/foundry/testing.md - Test markers, running tests, coverage
- docs/foundry/ci-cd.md - CI/CD workflows, releases, versioning
- docs/foundry/code-quality.md - Linting, pre-commit hooks, task reference
- docs/foundry/troubleshooting.md - Common issues and solutions