Add Render deployment configuration

[willbnu]

Configure Render Blueprint for one-click deployment:

• Rails web service (Docker runtime)
• Sidekiq background worker
• PostgreSQL 16 database
• External Redis (Redis Cloud free tier)

Cost: $0/month using all free tiers

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Added production deployment configuration for containerized environments
  • Configured infrastructure with database and background job processing capabilities
  • Enabled automatic preview environment generation with 7-day expiration

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

A new render.yaml configuration file is introduced that defines infrastructure-as-code for a Rails application deployment, specifying a web service, Sidekiq background worker, PostgreSQL database (version 16), and preview environment settings, all deployed via Docker in the Oregon region.

Changes

Cohort / File(s)	Summary
Infrastructure Configuration render.yaml	New file defining Rails web service with environment variables (RAILS_ENV, SECRET_KEY_BASE, DATABASE_URL, REDIS_URL), Sidekiq worker with shared SECRET_KEY_BASE reference, PostgreSQL 16 database (sure-db), and previews with 7-day expiration. All resources configured with starter plans.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A yaml file hops to life,
with services, queues, no strife,
Rails and Sidekiq dancing together,
Postgres standing tall and tether,
Infrastructure code, light and clear! 🚀

Pre-merge checks

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title accurately and concisely describes the main change: adding a Render deployment configuration file (render.yaml). It is specific, clear, and directly reflects the primary focus of the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

render.yaml (1)

9-22: Consider adding additional production environment variables.

For a production Rails deployment, consider configuring:

• RAILS_MASTER_KEY or Rails credentials for encrypted secrets
• RAILS_LOG_LEVEL (info/warn for production)
• WEB_CONCURRENCY (number of Puma workers)
• RAILS_MAX_THREADS (threads per worker)
• SMTP/email configuration if sending emails
• Action Cable adapter configuration if using WebSockets

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b3330a3 and 3973931.

📒 Files selected for processing (1)

• render.yaml

🧰 Additional context used

🧠 Learnings (1)

📓 Common learnings

Learnt from: CR
Repo: we-promise/sure PR: 0
File: .cursor/rules/project-design.mdc:0-0
Timestamp: 2025-11-24T16:56:30.669Z
Learning: Application behavior is controlled by `Rails.application.config.app_mode` which can be set to either 'managed' (team-operated servers) or 'self_hosted' (user-hosted infrastructure via Docker Compose)

🪛 Checkov (3.2.334)

render.yaml

[medium] 22-23: Basic Auth Credentials

(CKV_SECRET_4)

🔇 Additional comments (3)

render.yaml (3)

49-57: LGTM!

Database configuration is appropriate:

• PostgreSQL 16 is current and well-supported
• Preview environment settings with 7-day expiration are reasonable for testing PRs

---

12-13: No action needed—SELF_HOSTED environment variable correctly maps to app_mode.

The configuration is correct. In config/application.rb, SELF_HOSTED=true is properly mapped to Rails.application.config.app_mode = "self_hosted" via the line:

config.app_mode = (ENV["SELF_HOSTED"] == "true" || ENV["SELF_HOSTING_ENABLED"] == "true" ? "self_hosted" : "managed").inquiry

---

5-8: Configuration is correctly set up.

The Dockerfile exists in the repository root, and the Rails 7.2.2 application has the /up health check endpoint properly configured via the built-in Rails health check at rails/health#show (line 360 of config/routes.rb). The render.yaml configuration is compatible with this setup.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Region mismatch will cause significant latency.

The web service and worker are deployed in Oregon (US West), but Redis is hosted in europe-west2-1 (Europe). This geographic distance will introduce substantial latency (150-200ms+) for every Redis operation, negatively impacting:

• Page load times (session/cache reads)
• Background job processing (Sidekiq queue operations)
• Overall application responsiveness

Consider using Render's managed Redis in the same region or relocating the Redis Cloud instance to a US region closer to Oregon.

Also applies to: 20-22

🤖 Prompt for AI Agents

In render.yaml around line 6 (and also apply the same change to lines 20-22),
the region is set to "oregon" while your Redis Cloud instance is in
europe-west2-1 causing high cross-region latency; fix by aligning regions:
either change the region field(s) to the same US region where your Redis
instance is hosted or move the Redis instance to a US region (preferably
Render-managed Redis in the Oregon region) so all services and Redis share the
same region; update render.yaml service and Redis entries accordingly to the
chosen region and redeploy.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

CRITICAL: Remove hardcoded Redis credentials from version control.

The Redis URL contains plaintext credentials that will be committed to the repository and exposed publicly. This is a critical security vulnerability.

🔎 Recommended fix

       - key: REDIS_URL
         sync: false
-        value: "redis://default:wEEMRqyNSyzgCJ39277MKni75wJxizXZ@redis-13179.c335.europe-west2-1.gce.cloud.redislabs.com:13179"

Remove the hardcoded value and add the Redis URL through Render's dashboard as a secret environment variable after deployment. Alternatively, use Render's managed Redis service which handles credentials securely.

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents

In render.yaml around lines 20 to 22, the REDIS_URL is hardcoded with plaintext
credentials which must be removed; replace the value entry with no secret in
source control and configure REDIS_URL as a secret environment variable in
Render's dashboard (or switch to Render's managed Redis) so credentials are
injected at runtime rather than stored in the repo. Ensure you also rotate the
exposed credentials immediately and remove them from history if necessary (e.g.,
revoke and recreate the Redis password and purge from git history or force a
commit without the secret).

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

CRITICAL: Remove hardcoded Redis credentials from version control.

The Redis URL contains the same plaintext credentials as the web service. This duplicates the security vulnerability and will be committed to the repository.

🔎 Recommended fix

       - key: REDIS_URL
         sync: false
-        value: "redis://default:wEEMRqyNSyzgCJ39277MKni75wJxizXZ@redis-13179.c335.europe-west2-1.gce.cloud.redislabs.com:13179"

Remove the hardcoded value and add the Redis URL through Render's dashboard as a secret environment variable, or use Render's managed Redis service.

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents

In render.yaml around lines 45-47, the Redis URL is hardcoded with plaintext
credentials which must be removed; delete the value field from the file and
replace it with a reference to an environment variable (set the actual REDIS_URL
via Render's dashboard as a secret or use Render's managed Redis service),
ensure the repository only contains the variable name (no secret), and rotate
those exposed Redis credentials immediately to prevent continued compromise.