Copier update (pre-commit bumps) (#71)

Pull in upstream template changes

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Documentation**
* Clarified install instructions on where to source and place the setup
script.

* **Chores**
* Upgraded developer tooling versions (uv, pnpm, Pulumi, FastAPI,
Uvicorn, and frontend utilities).
  * Hardened installer with timeouts and retry logic.
* Added JSON Schema checks for GitHub workflows; broadened Prettier
exclusions.
  * Updated lint settings to ignore docstrings for magic methods.
* Disabled credential persistence in checkout steps across workflows and
updated tagging action version.
  * Added optional debugging to display full GitHub context.
* Adjusted security tooling to ignore a benign template-injection case.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Author: ejfine

.copier-answers.yml

@@ -1,5 +1,5 @@
 # Changes here will be overwritten by Copier
-_commit: v0.0.71
+_commit: v0.0.73
 _src_path: gh:LabAutomationAndScreening/copier-base-template.git
 description: Copier template for creating Python libraries and executables
 python_ci_versions:
@@ -8,6 +8,7 @@ python_ci_versions:
 python_version: 3.12.7
 repo_name: copier-python-package-template
 repo_org_name: LabAutomationAndScreening
+repo_org_name_for_copyright: Lab Automation & Screening
 ssh_port_number: 55874
 template_might_want_to_install_aws_ssm_port_forwarding_plugin: true
 template_uses_javascript: false

.devcontainer/devcontainer.json

@@ -61,5 +61,5 @@
   "initializeCommand": "sh .devcontainer/initialize-command.sh",
   "onCreateCommand": "sh .devcontainer/on-create-command.sh",
   "postStartCommand": "sh .devcontainer/post-start-command.sh"
-  // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): 86b774f4 # spellchecker:disable-line
+  // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): a57008fa # spellchecker:disable-line
 }

.devcontainer/install-ci-tooling.py

@@ -7,8 +7,8 @@
 import tempfile
 from pathlib import Path
 
-UV_VERSION = "0.8.17"
-PNPM_VERSION = "10.16.1"
+UV_VERSION = "0.8.19"
+PNPM_VERSION = "10.17.1"
 COPIER_VERSION = "9.10.2"
 COPIER_TEMPLATE_EXTENSIONS_VERSION = "0.3.3"
 PRE_COMMIT_VERSION = "4.3.0"
@@ -65,7 +65,7 @@ def main():
             )
         else:
             _ = subprocess.run(
-                f"curl -fsSL https://astral.sh/uv/{UV_VERSION}/install.sh | sh",
+                f"curl -fsSL --connect-timeout 20 --max-time 40 --retry 3 --retry-delay 5 --retry-connrefused --proto '=https' https://astral.sh/uv/{UV_VERSION}/install.sh | sh",
                 check=True,
                 shell=True,
                 env=uv_env,

.github/reusable_workflows/build-docker-image.yaml

@@ -66,6 +66,8 @@ jobs:
 
       - name: Checkout code
         uses: actions/[email protected]
+        with:
+          persist-credentials: false
 
       - name: OIDC Auth for ECR
         if: ${{ inputs.push-role-name != 'no-push' }}

.github/workflows/ci.yaml

@@ -54,6 +54,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/[email protected]
+        with:
+          persist-credentials: false
 
       - name: Move python script that replaces private package registry information to temp folder so it doesn't get deleted
         run: |

.github/workflows/get-values.yaml

@@ -24,8 +24,13 @@ jobs:
       dependabot-commit-created: ${{ steps.update-hash.outputs.commit-created }}
       pr-short-num: ${{ steps.find-pr-num.outputs.number }}
     steps:
+      - name: Display full GitHub context
+        run: echo '${{ toJSON(github) }}'
+
       - name: Checkout code
         uses: actions/[email protected]
+        with:
+          persist-credentials: false
 
       - name: Update Devcontainer Hash
         if: ${{ github.actor == 'dependabot[bot]' && github.event_name == 'push' }}

.github/workflows/pre-commit.yaml

@@ -35,10 +35,13 @@ jobs:
         uses: actions/[email protected]
         with:
           ref: ${{ github.ref_name }} # explicitly get the head of the branch, which will include any new commits pushed if this is a dependabot branch
+          persist-credentials: false
 
       - name: Checkout code not during push
         if: ${{ github.event_name != 'push' }}
         uses: actions/[email protected]
+        with:
+          persist-credentials: false
 
       - name: Install latest versions of packages
         uses: ./.github/actions/install_deps

.github/workflows/tag-on-merge.yaml

@@ -17,7 +17,8 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.merge_commit_sha }}
           fetch-depth: '0'
+          persist-credentials: false
       - name: Bump version and push tag
-        uses: mathieudutour/[email protected]
+        uses: mathieudutour/github-tag-action@a22cf08638b34d5badda920f9daf6e72c477b07b # v6.2
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}

.github/zizmor.yml

@@ -0,0 +1,5 @@
+rules:
+  template-injection:
+    ignore:
+      # this is just echo-ing out the github context to be visible for debugging, it's not executing commands
+      - get-values.yaml:28

.pre-commit-config.yaml

@@ -102,8 +102,8 @@ repos:
               .*pyrightconfig\.json|
           )$
 
-  - repo: https://github.com/pre-commit/mirrors-prettier # TODO: switch to a different approach...this was archived in 2024
-    rev: f12edd9c7be1c20cfa42420fd0e6df71e42b51ea # frozen: v4.0.0-alpha.8
+  - repo: https://github.com/rbubley/mirrors-prettier
+    rev: 5ba47274f9b181bce26a5150a725577f3c336011  # frozen: v3.6.2
     hooks:
       - id: prettier
         # TODO: get template YAML and MD files more in line with prettier expectations so we can start using prettier on those too
@@ -125,6 +125,7 @@ repos:
               .*/vendor_files/.*|
               .*/schema.graphql|
               .*generated/graphql.ts|
+              template/.*|
           )$
         files: (.*.json)|(.*.ts)|(.*.jsx)|(.*.tsx)|(.*.yaml)|(.*.yml)|(.*.md)|(.*.html)|(.*.css)|(.*.scss)|(.*.less)|(.*.vue)|(.*.graphql)|(.*.gql)
 
@@ -178,6 +179,11 @@ repos:
       - id: check-merge-conflict
       - id: check-case-conflict
 
+  - repo: https://github.com/python-jsonschema/check-jsonschema
+    rev: 83987cd6ad8943c7f029b500b14aaf82c00a01fa  # frozen: 0.34.0
+    hooks:
+      - id: check-github-workflows
+
   - repo: https://github.com/maresb/check-json5
     rev: 893a2b5a0a27c3540bd8fcafe2968ccc05237179 # 1.0
     hooks:
@@ -205,6 +211,11 @@ repos:
     hooks:
       - id: detect-private-key
 
+  # - repo: https://github.com/woodruffw/zizmor-pre-commit # TODO: implement this: https://github.com/LabAutomationAndScreening/copier-base-template/issues/95
+  #   rev: b933184438555436e38621f46ceb0c417cbed400  # frozen: v1.13.0
+  #   hooks:
+  #     - id: zizmor
+
   # Linting
 
   - repo: https://github.com/Lucas-C/pre-commit-hooks-markup
@@ -215,15 +226,15 @@ repos:
         exclude: docs/.*\.rst$
 
   - repo: https://github.com/hadolint/hadolint
-    rev: 87de847754330ad47ae16bdfe2d1a757ccb4b4d4  # frozen: v2.13.1
+    rev: 4e697ba704fd23b2409b947a319c19c3ee54d24f  # frozen: v2.14.0
     hooks:
       - id: hadolint-docker
         name: Lint Dockerfiles
         exclude: .*\.jinja$
         description: Runs hadolint to lint Dockerfiles
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: 13a6bda8ea7612b3aec844ded16569d424b9a1ab  # frozen: v0.13.0
+    rev: a113f03edeabb71305f025e6e14bd2cd68660e29  # frozen: v0.13.1
     hooks:
       - id: ruff
         name: ruff-src