Coolify v4 doesn't inject SOURCE_COMMIT (only COOLIFY_BRANCH,
COOLIFY_FQDN, COOLIFY_RESOURCE_UUID, COOLIFY_URL and the container
name). The previous build-arg approach always resolved to "dev".
Switch the web build context to the repo root so the Dockerfile can
COPY .git into a scratch path, parse HEAD → SHA with a small sh
snippet (handles both detached-HEAD and packed-refs), and stamp the
image with a /git_commit file. settings.py now prefers env GIT_COMMIT
(for local dev overrides) and falls back to /git_commit → "dev".
The .git copy is the last content layer, so only this thin layer
invalidates per commit; pip install stays cached.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Dockerfile takes SOURCE_COMMIT as a build arg and bakes it into the
image as GIT_COMMIT. Coolify sets SOURCE_COMMIT on every deploy, so
the value in the footer changes with each successful push → build.
ARG is placed after COPY . so only a thin final layer rebuilds when
the SHA changes; pip install stays cached. Outside Coolify the
default is "dev" and the footer renders "build dev".
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Three isolated services (alert scraper, apply HTTP worker, web UI+DB)
with argon2 auth, signed cookies, CSRF, rate-limited login, kill switch,
apply circuit breaker, audit log, and strict CSP.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
