Open Source · Azure · AI-Powered

CI/CD pipelines generated
automatically from your diffs

DMD Cloud listens to your GitHub pushes, analyzes the code diff with DeepSeek AI, and writes an optimized GitHub Actions workflow — no manual configuration needed.

  • < 100ms webhook response time
  • 3 microservices
  • 128 diff cache slots
  • 90% spot-node cost saving

How it works

Four clear steps from GitHub webhook to generated workflow.

  1. 🎣 GitHub webhook event
  2. 🌐 webhook-service validates + ACKs
  3. 🤖 ai-service analyzes diff + calls DeepSeek
  4. 📄 ci-cd.yml is generated and saved

DMD Cloud Architecture (structured view)

Azure AKS · namespace: dmd-production

  1. GitHub webhook event: POST /webhook/github, signed with HMAC-SHA256.
  2. webhook-service (port 8001): validates signature, deduplicates commit SHA, and returns 200 in <100ms.
  3. ai-service (port 8000): processes diff, checks SHA-256 cache, then calls DeepSeek API over HTTPS.
  4. Workflow output: generated YAML is saved to .github/workflows/ci-cd.yml.

webhook-service (FastAPI · Python 3.11)
  • Port: 8001
  • Autoscaling: 3 -> 10 pods (HPA)
  • HMAC signature verification
  • Deduplication cache: TTL 5 minutes

ai-service (FastAPI · Python 3.11)
  • Port: 8000
  • Autoscaling: 2 -> 8 pods (HPA)
  • httpx keep-alive connection pool
  • SHA-256 diff cache: 128 slots

orchestrator (Go 1.22)
  • Port: 8080
  • Graceful shutdown support
  • Health endpoint: /health
  • Metrics endpoint: /metrics

Features

Built for reliability, efficiency, and security.

Sub-100ms webhook response

The webhook service acknowledges GitHub immediately and processes the diff in the background, well within GitHub's 30-second timeout window.

🧠 SHA-256 diff caching

Identical diffs never trigger a second DeepSeek API call. An in-memory LRU cache returns the cached pipeline instantly, saving cost and energy.

🔒 HMAC-SHA256 webhook signatures

Every incoming webhook is validated against the GitHub secret using constant-time comparison, preventing spoofed requests.

🔁 Exponential-backoff retries

Transient AI service failures are handled with up to 3 retries (1 s → 2 s → 4 s). A built-in fallback pipeline ensures continuity at all times.

♻️ Deduplication gate

The same commit SHA is never processed twice within a 5-minute window, preventing cascading webhook retries from causing redundant AI calls.
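
The signature check and deduplication gate described above, as an added example (not DMD Cloud's own code). It assumes GitHub's X-Hub-Signature-256 header and the push payload's `after` field as the commit SHA; `DedupGate`, `handle_webhook` and the 401 response are hypothetical.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

DEDUP_TTL_SECONDS = 300  # the 5-minute window described above


def verify_signature(secret: bytes, raw_body: bytes, header: Optional[str]) -> bool:
    """Check an X-Hub-Signature-256 value against the raw, unparsed body."""
    if not header or not header.startswith("sha256="):
        return False  # missing header or unexpected scheme
    expected = "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    # compare_digest does not stop at the first differing byte
    return hmac.compare_digest(expected.encode(), header.encode())


class DedupGate:
    """Remembers commit SHAs for a fixed TTL (hypothetical helper)."""

    def __init__(self, ttl: float = DEDUP_TTL_SECONDS, clock=time.monotonic):
        self._ttl, self._clock = ttl, clock
        self._expiry = {}  # commit SHA -> expiry time

    def first_seen(self, commit_sha: str) -> bool:
        now = self._clock()
        self._expiry = {s: t for s, t in self._expiry.items() if t > now}
        if commit_sha in self._expiry:
            return False
        self._expiry[commit_sha] = now + self._ttl
        return True


def handle_webhook(secret, raw_body, header, gate):
    """Return (status, action); the 401 and the action names are assumptions."""
    # Verify before touching the gate, so unsigned requests can neither
    # reach the JSON parser nor mark a commit SHA as already processed.
    if not verify_signature(secret, raw_body, header):
        return 401, "rejected"
    commit_sha = json.loads(raw_body).get("after", "")  # push payload head SHA
    return (200, "queued") if gate.first_seen(commit_sha) else (200, "duplicate")


# Constructed sample data, not taken from the project.
SAMPLE_SECRET = b"constructed-test-secret"
SAMPLE_BODY = json.dumps({"ref": "refs/heads/main", "after": "a" * 40}).encode()
SAMPLE_SIG = "sha256=" + hmac.new(SAMPLE_SECRET, SAMPLE_BODY, hashlib.sha256).hexdigest()
```

The HMAC is computed over the exact bytes received; re-serializing parsed JSON before hashing would change the digest.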

📊 Live health & metrics

Every service exposes /health. The orchestrator also serves /metrics with goroutine count, heap usage, and GC cycles.

🏗️ Horizontal Pod Autoscaling

AI service scales 2 → 8 pods on CPU/memory pressure. Webhook service scales 3 → 10. Both scale down automatically during quiet periods.

🛡️ Zero-privilege containers

All containers run as UID 1000, drop ALL Linux capabilities, and forbid privilege escalation — enforced by Kubernetes security contexts.
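
One way to check a manifest against the three settings named above, as an added example (not part of the DMD Cloud repository). It takes a pod spec already parsed into a dict; `audit_pod_spec` and the sample spec are hypothetical, while the field names are the standard Kubernetes securityContext fields.

```python
REQUIRED_UID = 1000  # UID stated above


def audit_pod_spec(pod_spec: dict) -> list:
    """Return one finding per container setting that misses the hardening."""
    findings = []
    pod_ctx = pod_spec.get("securityContext") or {}
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for c in containers:
        name = c.get("name", "<unnamed>")
        ctx = c.get("securityContext") or {}
        # runAsUser may be inherited from the pod-level securityContext;
        # a container-level value overrides it.
        uid = ctx.get("runAsUser", pod_ctx.get("runAsUser"))
        if uid != REQUIRED_UID:
            findings.append(f"{name}: runAsUser is {uid!r}, expected {REQUIRED_UID}")
        # Container-level only; leaving it unset does not forbid escalation.
        if ctx.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        caps = ctx.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            findings.append(f"{name}: capabilities.drop lacks ALL")
    return findings


# Constructed sample pod spec, not the project's manifest.
SAMPLE_POD_SPEC = {
    "securityContext": {"runAsUser": 1000},
    "containers": [
        {"name": "ai-service",
         "securityContext": {"allowPrivilegeEscalation": False,
                             "capabilities": {"drop": ["ALL"]}}},
        {"name": "log-sidecar",  # hypothetical container with gaps
         "securityContext": {"runAsUser": 0,
                             "capabilities": {"drop": ["NET_RAW"]}}},
    ],
}

if __name__ == "__main__":
    for finding in audit_pod_spec(SAMPLE_POD_SPEC):
        print(finding)
```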

🌍 Green IT by design

ARM64 nodes, spot instance pools, scale-to-zero capability, short log retention in dev, and automated weekly carbon-footprint audits.

Green IT & FinOps

🌱 Sustainable

Every architectural decision balances performance with environmental responsibility.

  • 🌍 Sweden Central region: Azure Sweden Central runs on ~100% renewable energy — the lowest-carbon Azure region in Europe.
  • 💻 ARM64 nodes (Dpsv5): ARM-based VMs deliver ~50% better performance-per-watt compared to equivalent x86 SKUs.
  • 💰 Spot node pool (scale-to-zero): Background workloads run on spot instances at up to 90% discount. Min replicas = 0 outside business hours.
  • 🔋 Diff caching reduces API calls: An LRU cache prevents redundant DeepSeek requests for duplicate diffs, cutting AI inference energy by up to 40% on high-frequency repos.
  • 🎯 Path-filtered CI (only build what changed): GitHub Actions only builds the services with code changes, eliminating unnecessary container builds and runner minutes.
  • 🗓️ Weekly Green Policy workflow: Automated audit scans for image CVEs, stale branches, and large tracked files — keeping the repo lean and secure.
  • 📢 Budget alerts (FinOps): Azure Consumption Budget alerts fire at 80% and 100% of the monthly spend threshold, preventing bill shock.

📈 FinOps impact estimates

  • Spot node savings: up to 90%
  • ARM64 energy reduction: ~50%
  • ACR SKU saving (dev): ~60%
  • Redundant AI calls avoided: up to 40%
  • CI minutes saved (path filter): ~70%
  • Region carbon intensity: Sweden Central ≈ 13 gCO₂eq/kWh

Quick start

Deploy DMD Cloud on your AKS cluster in minutes.

terminal · bash
# 1. Clone the repository
git clone https://github.com/taoufikmohamed/diff-dmd.git
cd diff-dmd

# 2. Provision infrastructure (Azure AKS, ACR, Key Vault)
cd terraform
terraform init && terraform apply

# 3. Create the DEEPSEEK_API_KEY secret in the cluster
kubectl create secret generic ai-service-secrets \
  --from-literal=DEEPSEEK_API_KEY="your-key" \
  -n dmd-production

# 4. Deploy all services
kubectl apply -f k8s/production/

# 5. Get the public webhook URL
kubectl get svc webhook-service -n dmd-production

# 6. Register the webhook in GitHub
#    Payload URL: https://<your-ip>:8001/webhook/github
#    Content-Type: application/json
#    Secret: same value as GITHUB_WEBHOOK_SECRET env var
#    Events: push

Tech stack

Modern, lean, and cloud-native from top to bottom.

🐍 Python 3.11
FastAPI
🦄 uvicorn + uvloop
🌐 httpx (async)
🐹 Go 1.22
🐳 Docker (multi-stage)
☸️ Kubernetes / AKS
🏗️ Terraform 1.5+
🤖 DeepSeek Coder AI
🔵 Azure (Sweden Central)
📦 GitHub Actions
🔑 Azure Key Vault
🛡️ OIDC (keyless auth)
🌱 ARM64 nodes
💸 Azure Spot instances