fix(web): read git SHA from .git in the image instead of SOURCE_COMMIT

Coolify v4 doesn't inject SOURCE_COMMIT (only COOLIFY_BRANCH,
COOLIFY_FQDN, COOLIFY_RESOURCE_UUID, COOLIFY_URL and the container
name). The previous build-arg approach always resolved to "dev".

Switch the web build context to the repo root so the Dockerfile can
COPY .git into a scratch path, parse HEAD → SHA with a small sh
snippet (handles both detached-HEAD and packed-refs), and stamp the
image with a /git_commit file. settings.py now prefers env GIT_COMMIT
(for local dev overrides) and falls back to /git_commit → "dev".

The .git copy is the last content layer, so only this thin layer
invalidates per commit; pip install stays cached.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

docker-compose.yml

@@ -1,9 +1,10 @@
 services:
   web:
     build:
-      context: ./web
+      # Context is the repo root so the Dockerfile can read .git for the
-      args:
+      # SHA stamp — Coolify doesn't expose the commit as an env var.
-        SOURCE_COMMIT: ${SOURCE_COMMIT:-dev}
+      context: .
+      dockerfile: web/Dockerfile
     container_name: lazyflat-web
     restart: unless-stopped
     depends_on:

web/Dockerfile

@@ -3,17 +3,30 @@ FROM python:3.12-slim
 ENV PYTHONUNBUFFERED=1
 WORKDIR /app
 
-COPY requirements.txt .
+# Deps first so a code-only change doesn't bust the pip-install cache.
+COPY web/requirements.txt .
 RUN pip install --no-cache-dir -r requirements.txt
 
-COPY . .
+# App code.
+COPY web/ .
 
-# Stamp the image with the git SHA so the web footer can show which commit is
+# Stamp with the git SHA read from the build context's .git dir. Kept last so
-# live. Coolify passes SOURCE_COMMIT as a build arg on every deploy; outside
+# only this thin layer invalidates per commit. Coolify doesn't expose the SHA
-# Coolify the ARG defaults to "dev". Placed after COPY so only this thin layer
+# as an env/build-arg, but it does leave .git intact in the checkout — so we
-# rebuilds when the SHA changes — pip install stays cached.
+# parse HEAD ourselves. Build context must be the repo root for .git to be
-ARG SOURCE_COMMIT=dev
+# visible (see docker-compose.yml).
-ENV GIT_COMMIT=${SOURCE_COMMIT}
+COPY .git /tmp/.git
+RUN set -eu; \
+    HEAD=$(cat /tmp/.git/HEAD 2>/dev/null || echo ""); \
+    case "$HEAD" in \
+      "ref: "*) REF=$(printf '%s' "$HEAD" | awk '{print $2}'); \
+                SHA=$(cat "/tmp/.git/$REF" 2>/dev/null || \
+                      awk -v r="$REF" '$2==r {print $1}' /tmp/.git/packed-refs 2>/dev/null || \
+                      echo "");; \
+      *) SHA="$HEAD";; \
+    esac; \
+    printf '%s\n' "${SHA:-dev}" > /git_commit; \
+    rm -rf /tmp/.git
 
 EXPOSE 8000
 

web/settings.py

@@ -61,6 +61,19 @@ ANTHROPIC_API_KEY: str = getenv("ANTHROPIC_API_KEY", "")
 ANTHROPIC_MODEL: str = getenv("ANTHROPIC_MODEL", "claude-haiku-4-5-20251001")
 
 # --- Build info --------------------------------------------------------------
-# Baked into the image at docker build time via the Dockerfile ARG; rendered in
+# The Dockerfile writes /git_commit at build time by parsing the repo's .git
-# the site footer so the running commit is visible at a glance.
+# dir (Coolify doesn't expose the SHA as an env var). Env GIT_COMMIT overrides
-GIT_COMMIT: str = getenv("GIT_COMMIT", "dev")
+# the file so local dev can fake a value. Rendered in the site footer so the
+# running commit is visible at a glance.
+def _read_git_commit() -> str:
+    env_val = getenv("GIT_COMMIT", "").strip()
+    if env_val:
+        return env_val
+    try:
+        with open("/git_commit") as _f:
+            return _f.read().strip() or "dev"
+    except OSError:
+        return "dev"
+
+
+GIT_COMMIT: str = _read_git_commit()