AdvancedBeacon · Project 9 of 12 · ~10h · 6 milestones

Enforce quality gates as code

Continues from the last build: Canary deploys are safe, but your standards (coverage, allowed base images, manifest rules, versioning) live in people's heads and slip past review.

Last rung you shipped it behind a canary so a bad notifications build can no longer take down the whole fleet at once.

  • Policy-as-code with OPA and conftest
  • Coverage threshold gating with pytest-cov
  • Dependency vulnerability scanning with pip-audit
  • License compliance gating with pip-licenses
  • Automated semantic versioning and changelog generation
  • Designing required status checks and branch protection
  • Conventional Commits for release automation

What you'll build

You will have converted the service's delivery standards into executable, version-controlled policy that runs automatically on every pull request and release. Conftest enforces manifest rules over deploy/, a coverage gate fails any PR that lets api/ or worker/ slip below threshold, dependency and license scanning blocks risky packages before merge, and semantic-release derives the next version, tags the image, and writes the changelog from commit history. Required status checks make every one of these a hard gate, so a change cannot reach production unless it provably meets the bar.

See how we teach, before you sign up

You don't just get code dumped on you. Every starter file and every solution is explained line-by-line, in plain English. Here's one real file from this project:

policy/deployment.rego
package main

import rego.v1

# Only these base image registries are allowed for the service images.
allowed_registries := {"ghcr.io/beacon", "registry.internal/beacon"}

deny contains msg if {
	input.kind == "Deployment"
	some container in input.spec.template.spec.containers
	not registry_allowed(container.image)
	msg := sprintf("container %q uses disallowed image %q", [container.name, container.image])
}

registry_allowed(image) if {
	some prefix in allowed_registries
	startswith(image, prefix)
}

deny contains msg if {
	input.kind == "Deployment"
	some container in input.spec.template.spec.containers
	endswith(container.image, ":latest")
	msg := sprintf("container %q must not use the :latest tag", [container.name])
}

deny contains msg if {
	input.kind == "Deployment"
	some container in input.spec.template.spec.containers
	not container.resources.limits.memory
	msg := sprintf("container %q must set resources.limits.memory", [container.name])
}

Reading this file

  • package main: conftest looks in package main by default, so policies live here unless you pass --namespace.
  • deny contains msg if { ... }: the Rego v1 syntax for a partial set rule; each matching case adds one message to the deny set.
  • endswith(container.image, ":latest"): the rule that would have caught the python:latest base image that slipped through review.
  • not container.resources.limits.memory: negation over a missing field; if the limit is absent the body holds and the deny fires.

The conftest policy package. deny rules return human-readable messages; conftest fails the run when any deny fires. These rules encode the standards that used to live in the wiki.
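An added example of the deployment_test.rego file the milestone list mentions (not a file from the project), assuming it sits in policy/ beside deployment.rego so that the deny set above is in scope; the fixture values are constructed:

```rego
package main

import rego.v1

# Constructed fixture: a container that satisfies every rule in deployment.rego.
good_container := {
	"name": "notifications",
	"image": "ghcr.io/beacon/notifications:1.4.2",
	"resources": {"limits": {"memory": "256Mi"}},
}

# Wrap one container in the minimal Deployment shape the policy inspects.
deployment_with(container) := {
	"kind": "Deployment",
	"spec": {"template": {"spec": {"containers": [container]}}},
}

# True when evaluating deny against doc yields a message containing text.
denied_with(doc, text) if {
	msgs := deny with input as doc
	some msg in msgs
	contains(msg, text)
}

test_compliant_deployment_passes if {
	doc := deployment_with(good_container)
	count(deny) == 0 with input as doc
}

test_disallowed_registry_denied if {
	c := object.union(good_container, {"image": "docker.io/library/python:3.12"})
	denied_with(deployment_with(c), "uses disallowed image")
}

test_latest_tag_denied if {
	# Allowed registry but a floating tag: the python:latest class of bug.
	c := object.union(good_container, {"image": "ghcr.io/beacon/notifications:latest"})
	denied_with(deployment_with(c), "must not use the :latest tag")
}

test_missing_memory_limit_denied if {
	c := object.remove(good_container, ["resources"])
	denied_with(deployment_with(c), "must set resources.limits.memory")
}

test_other_kinds_ignored if {
	doc := {"kind": "Service", "spec": {"ports": [{"port": 80}]}}
	count(deny) == 0 with input as doc
}
```

Run it with conftest verify -p policy/; every test_ rule must evaluate to true, and a test that fails is a policy bug caught before the policy ever judges a real manifest.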

That's 1 of 9 explained code blocks in this single project.

The build, milestone by milestone

  1. Encode manifest standards as conftest policy

    4 guided steps

    The python:latest incident happened because a manifest rule lived only in a human's memory. A policy file is reviewable, diffable, and runs the same way every time, so the standard cannot quietly erode.

  2. Make coverage a hard merge gate

    4 guided steps

    The 61 percent coverage regression reached production because coverage was advisory. fail_under makes the test command itself fail, so the gate cannot be ignored and the untested retry branch can never ship silently again.

  3. Block vulnerable dependencies before they merge

    4 guided steps

    A vulnerable transitive dependency can reach production through an innocuous PR. Scanning at PR time, against the locked set the image uses, catches it while the change is still cheap to fix instead of after it is deployed.

  4. Gate licenses so nothing unapproved ships

    4 guided steps

    License risk is invisible at runtime but expensive in legal review. Encoding the approved license set as a CI check moves that judgment out of one person's head and applies it uniformly to every dependency on every PR.

  5. Automate versioning and changelog with semantic-release

    4 guided steps

    v1.4.0, v1.4.0-final, and v1.5 happened because humans typed tags. Deriving the version from commit history makes tags deterministic and meaningful, gives the canary a reliable ordering, and produces release notes for free.

  6. Make every gate a required status check

    4 guided steps

    Without branch protection, a reviewer can merge a red PR. Required checks make the gates load-bearing: GitHub itself refuses the merge until every named check is green, so the standards apply to everyone including the rushed and the senior.

What's inside when you start

3 starter files, ready to clone
6 guided milestones
6 full reference solutions
9 code blocks explained line-by-line
6 "is it working?" checks
3 interview questions it prepares you for

You'll walk away with

A policy/ directory with conftest Rego policies over the service's deploy/ manifests, split into deployment.rego and deployment_test.rego, where the unit tests prove the policies themselves work
Coverage configured as a hard gate in api/ and worker/ pyproject.toml with fail_under, and added tests so the worker retry branch clears the bar
A supply-chain CI job running pip-audit for dependency vulnerabilities and pip-licenses against a recorded license allowlist, both blocking on violation
A .releaserc.json and a Node-enabled release job that derive the version, tag, and CHANGELOG.md from Conventional Commits with no hand-typed tags
Branch protection on main requiring the policy, coverage, and supply-chain checks to pass before any merge
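One way to express the recorded license allowlist as policy-as-code, given as an added example rather than the project's own supply-chain job: it assumes the CI step feeds pip-licenses --format=json output to conftest under its own namespace (hypothetical file policy/licenses.rego), and the allowlist and sample packages below are constructed:

```rego
package licenses

import rego.v1

# Constructed allowlist; the real one is recorded in the repo and reviewed like code.
allowed_licenses := {
	"MIT License",
	"BSD License",
	"Apache Software License",
	"Python Software Foundation License",
}

# pip-licenses joins several classifiers with "; "; every part must be approved.
licenses_of(pkg) := {l | some l in split(pkg.License, "; ")}

deny contains msg if {
	some pkg in input
	some license in licenses_of(pkg)
	not allowed_licenses[license]
	msg := sprintf("%s %s ships under unapproved license %q", [pkg.Name, pkg.Version, license])
}

# Constructed sample of pip-licenses --format=json output.
sample := [
	{"Name": "examplehttp", "Version": "2.0.1", "License": "Apache Software License"},
	{"Name": "dualcrypto", "Version": "4.3.0", "License": "Apache Software License; BSD License"},
	{"Name": "somecopyleft", "Version": "0.1.0", "License": "GNU General Public License v3 (GPLv3)"},
	{"Name": "mysterylib", "Version": "1.0.0", "License": "UNKNOWN"},
]

test_dual_licensed_package_allowed if {
	doc := [sample[1]]
	msgs := deny with input as doc
	count(msgs) == 0
}

test_copyleft_and_unknown_denied if {
	msgs := deny with input as sample
	count(msgs) == 2
	some m in msgs
	contains(m, "somecopyleft")
}
```

In CI this runs as pip-licenses --format=json > licenses.json followed by conftest test licenses.json -p policy/licenses.rego --namespace licenses, so an "UNKNOWN" license fails the job rather than silently passing.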
