Copier update (pre-commit bumps)

[ejfine]

Pull in upstream template changes

Summary by CodeRabbit

• Documentation

  • Clarified install instructions on where to source and place the setup script.

• Chores

  • Upgraded developer tooling versions (uv, pnpm, Pulumi, FastAPI, Uvicorn, and frontend utilities).
  • Hardened installer with timeouts and retry logic.
  • Added JSON Schema checks for GitHub workflows; broadened Prettier exclusions.
  • Updated lint settings to ignore docstrings for magic methods.
  • Disabled credential persistence in checkout steps across workflows and updated tagging action version.
  • Added optional debugging to display full GitHub context.
  • Adjusted security tooling to ignore a benign template-injection case.

[coderabbitai]

Warning

Rate limit exceeded

@ejfine has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 14 minutes and 3 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 1758951 and 4f10492.

📒 Files selected for processing (1)

• .copier-answers.yml (2 hunks)

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Template and tooling versions were bumped; curl install commands hardened; GitHub workflows changed to set persist-credentials: false and add a context-dump step; linting and pre-commit configs updated (including new check-jsonschema); ruff ignores expanded; minor README guidance tweak; template answers and security config adjusted.

Changes

Cohort / File(s)	Summary of Changes
• Template metadata .copier-answers.yml	Updated _commit to v0.0.72-15-g1ea5acb; added repo_org_name_for_copyright: "Lab Automation & Screening".
• Devcontainer and tooling .devcontainer/devcontainer.json, .devcontainer/install-ci-tooling.py, template/.devcontainer/install-ci-tooling.py.jinja	Bumped UV to 0.8.19 and PNPM to 10.17.1; hardened curl for uv install with timeouts/retries/HTTPS; updated devcontainer context hash comment.
• GitHub workflows (checkout behavior, context dump, tag action) .github/reusable_workflows/build-docker-image.yaml, .github/workflows/ci.yaml, .github/workflows/get-values.yaml, .github/workflows/pre-commit.yaml, .github/workflows/tag-on-merge.yaml, template/.github/workflows/get-values.yaml, template/.github/workflows/pre-commit.yaml	Set persist-credentials: false on checkout steps; added a step to print toJSON(github) in get-values workflows; updated github-tag-action to a pinned commit.
• Security scanning config .github/zizmor.yml	Ignored template-injection rule for get-values.yaml:28 with explanatory comment.
• Pre-commit and lint configs .pre-commit-config.yaml, template/.pre-commit-config.yaml, ruff.toml, template/ruff.toml	Switched Prettier mirror to rbubley/mirrors-prettier; expanded Prettier exclusions to include template/.*; added python-jsonschema/check-jsonschema (check-github-workflows); updated hadolint to v2.14.0 and ruff pre-commit to v0.13.1; added Ruff ignore D105.
• Context/version map<br extensions/context.py>	Updated versions: uv 0.8.19, pnpm 10.17.1, pulumi 3.197.0, fastapi 0.117.1, uvicorn 0.36.0; added uuid_utils_version 0.11.0; bumped types_node and added several frontend tooling keys.
• Documentation README.md	Clarified install script source and allowed placement at repo root.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as Developer
  participant GH as GitHub Actions
  participant W as Workflow Job
  participant CO as actions/checkout
  participant ST as Steps

  Dev->>GH: Push / PR / Dispatch
  GH->>W: Start job
  rect rgb(230,240,250)
    note right of W: New/modified
    W->>ST: Display full GitHub context (toJSON(github))
    ST-->>W: Context printed
  end
  rect rgb(240,235,250)
    note right of CO: Changed setting
    W->>CO: Checkout code with persist-credentials: false
    CO-->>W: Code checked out without stored credentials
  end
  W->>ST: Run remaining steps (build/test/tag)
  ST-->>W: Results
  W-->>GH: Job complete

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• Copier update (bump pytest-cov) #70 — Similar template/version bumps in .copier-answers.yml, devcontainer install script, and extensions/context.py.
• Copier update (misc version bumps) #52 — Concurrent updates to template files and context/version mappings.
• Copier update (biome) #51 — Broad template sync touching ruff, pre-commit, devcontainer, and context versions.

Poem

A nibble of versions, a hop through the CI,
Curl gets its mittens, retried ‘neath the sky.
Lints hush D105, Prettier’s fresh hue,
Secrets kept shy as checkouts pass through.
I thump with delight—templates in tune,
Carrots of context, shipping soon! 🥕🐇

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description Check	⚠️ Warning	The PR description "Pull in upstream template changes" is too brief and does not follow the repository's required template; it omits the required sections such as a link to an issue or discussion, why the change is necessary, how it addresses the issue, side effects, and testing details.	Please expand the PR description to follow the repository template by adding a link to the related issue or discussion, a concise rationale for the changes, a summary of how the changes address the issue, any expected side effects, and details of testing performed (including CI status or test commands), and include a brief file-level summary of the key changes (e.g., pre-commit hook bumps, workflow checkout updates, dependency version bumps) to help reviewers.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title "Copier update (pre-commit bumps)" is a concise, single-sentence summary that accurately highlights the primary change set—pulling upstream copier/template updates including pre-commit hook version bumps—so it communicates the main change to reviewers at a glance.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull Request Overview

This PR updates the upstream template by pulling in changes from the base template via Copier, including version bumps for various tools and dependencies, security improvements, and new features.

Key changes:

• Version updates for Python/JavaScript packages and tools (uv, pnpm, FastAPI, Pulumi, etc.)
• Security enhancements including persist-credentials: false for GitHub Actions checkout steps
• Addition of new pre-commit hooks and tooling (check-jsonschema, zizmor configuration)

Reviewed Changes

Copilot reviewed 18 out of 18 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
template/ruff.toml	Adds D105 ignore rule for magic method docstrings
template/.pre-commit-config.yaml	Updates prettier repo, adds check-jsonschema hook, version bumps for hadolint and ruff
template/.github/workflows/*.yaml	Adds persist-credentials: false and debugging output
template/.devcontainer/install-ci-tooling.py.jinja	Enhances curl command with security and reliability options
extensions/context.py	Updates multiple package versions and adds new dependencies
Various root files	Mirror changes from template files for consistency
.github/zizmor.yml	New configuration file for zizmor security tool

Comments suppressed due to low confidence (1)

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

Using a commit SHA for GitHub Actions is a good security practice, but the comment indicates this should be v6.2. Verify that the SHA a22cf08638b34d5badda920f9daf6e72c477b07b actually corresponds to the v6.2 release tag.

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (8)

.github/reusable_workflows/build-docker-image.yaml (1)

39-42: Scope permissions to the job and pin Actions by commit SHA

• Move contents: write from workflow to the job that actually needs it (least privilege).
• Consider pinning actions (checkout, buildx, build-push, upload-artifact) to commit SHAs for supply-chain hardening.

Can you confirm which steps truly require contents: write, and whether you’re open to pinning these actions to SHAs across workflows for consistency?

.github/workflows/tag-on-merge.yaml (1)

16-20: Also pin actions/checkout to a commit SHA

Minor hardening tweak to match the above pinning practice.

.github/workflows/ci.yaml (1)

13-15: Consider defaulting permissions to least privilege and pin actions by SHA

• Set a conservative top-level permissions (e.g., contents: read) and grant job-level elevations only where needed (mutex, statuses).
• Pin actions (checkout, cache, upload-artifact) to SHAs.

Would you like a follow-up PR to scope permissions per job and pin remaining Actions to SHAs?

.github/workflows/get-values.yaml (1)

27-29: Dumping full GitHub context: consider gating

Useful for debugging but noisy. Consider running only on pull_request or behind a debug flag.

Confirm this won’t bloat logs for frequent push events; okay to gate behind an input?

template/.devcontainer/install-ci-tooling.py.jinja (2)

68-68: Hardened curl flags — nice improvement. Consider adding --retry-all-errors and -S.

These improve resilience and error visibility.

Apply this diff:

-                f"curl -fsSL --connect-timeout 20 --max-time 40 --retry 3 --retry-delay 5 --retry-connrefused --proto '=https' https://astral.sh/uv/{UV_VERSION}/install.sh | sh",
+                f"curl -fsSL -S --connect-timeout 20 --max-time 40 --retry 3 --retry-all-errors --retry-delay 5 --retry-connrefused --proto '=https' https://astral.sh/uv/{UV_VERSION}/install.sh | sh",

---

106-120: Avoid passing a one‑element list to subprocess.run(..., shell=True) on POSIX.

With shell=True, pass a string (not ["npm -v"]), or drop shell=True and pass an arg list.

Apply this diff:

-            cmd = (
+            cmd = (
                 [
                     pwsh,  # type: ignore[reportPossiblyUnboundVariable] # this matches the conditional above that defines pwsh
                     "-NoProfile",
                     "-NonInteractive",
                     "-Command",
                     cmd,
                 ]
                 if is_windows
-                else [cmd]
+                else cmd
             )
             _ = subprocess.run(cmd, shell=True, check=True)

.devcontainer/install-ci-tooling.py (2)

68-68: Curl hardening — LGTM. Consider parity with template (--retry-all-errors, -S).

Apply this diff:

-                f"curl -fsSL --connect-timeout 20 --max-time 40 --retry 3 --retry-delay 5 --retry-connrefused --proto '=https' https://astral.sh/uv/{UV_VERSION}/install.sh | sh",
+                f"curl -fsSL -S --connect-timeout 20 --max-time 40 --retry 3 --retry-all-errors --retry-delay 5 --retry-connrefused --proto '=https' https://astral.sh/uv/{UV_VERSION}/install.sh | sh",

---

106-120: Use string (not [cmd]) with shell=True on POSIX to avoid execution issues.

This prevents the shell from treating the entire list element as a program name.

Apply this diff:

-            cmd = (
+            cmd = (
                 [
                     pwsh,  # type: ignore[reportPossiblyUnboundVariable] # this matches the conditional above that defines pwsh
                     "-NoProfile",
                     "-NonInteractive",
                     "-Command",
                     cmd,
                 ]
                 if is_windows
-                else [cmd]
+                else cmd
             )
             _ = subprocess.run(cmd, shell=True, check=True)

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 85d995b and 1758951.

📒 Files selected for processing (18)

• .copier-answers.yml (2 hunks)
• .devcontainer/devcontainer.json (1 hunks)
• .devcontainer/install-ci-tooling.py (2 hunks)
• .github/reusable_workflows/build-docker-image.yaml (1 hunks)
• .github/workflows/ci.yaml (1 hunks)
• .github/workflows/get-values.yaml (1 hunks)
• .github/workflows/pre-commit.yaml (1 hunks)
• .github/workflows/tag-on-merge.yaml (1 hunks)
• .github/zizmor.yml (1 hunks)
• .pre-commit-config.yaml (5 hunks)
• README.md (1 hunks)
• extensions/context.py (4 hunks)
• ruff.toml (1 hunks)
• template/.devcontainer/install-ci-tooling.py.jinja (1 hunks)
• template/.github/workflows/get-values.yaml (1 hunks)
• template/.github/workflows/pre-commit.yaml (1 hunks)
• template/.pre-commit-config.yaml (5 hunks)
• template/ruff.toml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: lint-matrix (ubuntu-24.04, 3.12.7, --data-file tests/copier_data/data3.yaml)
• GitHub Check: lint-matrix (ubuntu-24.04, 3.13.2, --data-file tests/copier_data/data2.yaml)

🔇 Additional comments (25)

ruff.toml (1)

48-49: Add D105 ignore looks good

Aligns with template; reduces noise on magic methods.

.github/reusable_workflows/build-docker-image.yaml (1)

69-70: Good hardening: disable persisted credentials

Using persist-credentials: false is a solid default.

.github/workflows/tag-on-merge.yaml (2)

20-20: Good: no credential persistence on checkout

Keeps git remotes tokenless; action uses GITHUB_TOKEN input anyway.

---

22-22: Action pinned to commit SHA

Nice supply‑chain hardening for github-tag-action.

template/.pre-commit-config.yaml (5)

105-129: Prettier mirror swap and exclusions LGTM

Switch to rbubley/mirrors-prettier and exclude template/.* make sense for templates.

---

182-186: Add check-jsonschema for workflows — good addition

Catches schema issues in GH workflows early.

---

214-218: Zizmor block left commented — keep as future opt‑in

No action needed now.

---

229-229: Hadolint bump

Version update looks fine.

---

237-237: Ruff pre-commit bump

Looks good and aligns with ruff config changes.

template/ruff.toml (1)

48-49: Template ruff ignore D105 — consistent with root

Keeps lint expectations aligned across template and repo.

.pre-commit-config.yaml (5)

105-129: Prettier mirror swap and exclusions LGTM

Matches template; avoids formatting template assets.

---

182-186: Add check-jsonschema for workflows — good

Improves CI reliability on workflow changes.

---

214-218: Commented zizmor hook — fine to defer

Optional security scanner can be enabled later.

---

229-229: Hadolint bump

No issues spotted.

---

237-237: Ruff pre-commit bump

Looks consistent with ruff.toml updates.

.github/workflows/ci.yaml (1)

57-59: Good: disable credential persistence in CI checkout

Prevents accidental pushes via embedded tokens.

.github/workflows/get-values.yaml (1)

32-34: Good: disable credential persistence

Consistent with other workflows.

.github/workflows/pre-commit.yaml (2)

33-39: Good hardening: disable persisted credentials on checkout (push path).

Looks correct for least‑privilege.

If any subsequent step needs to push (none apparent here), confirm it re‑authenticates Git explicitly since checkout won’t persist the token.

---

40-45: Mirror hardening for non‑push path looks good.

Consistent with above; no issues spotted.

Same note: verify no step implicitly relies on persisted git auth.

template/.github/workflows/get-values.yaml (1)

30-34: Checkout with persist-credentials: false: good; verify downstream push logic.

The job later may push a commit on Dependabot branches. Ensure the update-devcontainer-hash action (or a follow-up step) performs its own authenticated push, since checkout won’t persist the token.

template/.github/workflows/pre-commit.yaml (2)

33-39: Security hardening: persist-credentials disabled (push path).

Looks right and aligns with other workflows.

Confirm no steps assume persisted git auth.

---

40-45: Security hardening mirrored for non‑push path.

Consistent and OK.

Same verification note re: push/auth if ever added.

.devcontainer/devcontainer.json (1)

64-64: Context hash bump — LGTM.

Hash update only; no behavior change.

.devcontainer/install-ci-tooling.py (1)

10-11: Version bumps (uv, pnpm) — LGTM.

extensions/context.py (1)

13-15: Version/context updates — LGTM. Ensure downstream templates consume new keys.

Values align with the bumped tooling; verify child templates reference new keys (e.g., uuid_utils_version, iconify/nuxt test utils) before release.

Also applies to: 23-23, 35-38, 41-41, 60-71

[coderabbitai]

⚠️ Potential issue

Quote value containing an ampersand to avoid YAML parsing edge cases.

Safer to quote strings with “&” to prevent any anchor parsing quirks.

Apply this diff:

-repo_org_name_for_copyright: Lab Automation & Screening
+repo_org_name_for_copyright: "Lab Automation & Screening"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	repo_org_name_for_copyright: Lab Automation & Screening
	repo_org_name_for_copyright: "Lab Automation & Screening"

🤖 Prompt for AI Agents

In .copier-answers.yml around line 11, the value repo_org_name_for_copyright
contains an ampersand and must be quoted to avoid YAML interpreting it as an
anchor; update the line so the string is wrapped in quotes (single or double) —
e.g. change to repo_org_name_for_copyright: "Lab Automation & Screening" —
ensuring proper YAML quoting and saving the file.

[coderabbitai]

⚠️ Potential issue

Tighten ignore path to match the template file precisely.

The ignore entry references get-values.yaml:28; the changed file lives under template/.github/workflows. Use the full path to avoid a mis‑match.

Apply this diff:

-      - get-values.yaml:28
+      - template/.github/workflows/get-values.yaml:28

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	rules:
	template-injection:
	ignore:
	# this is just echo-ing out the github context to be visible for debugging, it's not executing commands
	- get-values.yaml:28
	rules:
	template-injection:
	ignore:
	# this is just echo-ing out the github context to be visible for debugging, it's not executing commands
	- template/.github/workflows/get-values.yaml:28

🤖 Prompt for AI Agents

.github/zizmor.yml lines 1-5: the ignore path "get-values.yaml:28" is too broad
and doesn't include the template directory; update the ignore entry to the full
path "template/.github/workflows/get-values.yaml:28" so it precisely matches the
template file location.

[coderabbitai]

⚠️ Potential issue

Clarify path if script is moved to repo root and tighten wording.

Apply this diff:

-1. Inside that devcontainer, run `python .devcontainer/install-ci-tooling.py` to install necessary tooling to instantiate the template (you can copy/paste the script from this repo...and you can paste it in the root of the repo if you want)
+1. Inside that devcontainer, run `python .devcontainer/install-ci-tooling.py` to install necessary tooling to instantiate the template. You can copy the script from this repo; if you place it at the repository root, run `python install-ci-tooling.py` instead.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	1. Inside that devcontainer, run `python .devcontainer/install-ci-tooling.py` to install necessary tooling to instantiate the template (you can copy/paste the script from this repo...and you can paste it in the root of the repo if you want)
	1. Inside that devcontainer, run `python .devcontainer/install-ci-tooling.py` to install necessary tooling to instantiate the template. You can copy the script from this repo; if you place it at the repository root, run `python install-ci-tooling.py` instead.

🤖 Prompt for AI Agents

In README.md around line 10, the instruction about running python
.devcontainer/install-ci-tooling.py is ambiguous if the script is copied to the
repo root and wording is loose; update the sentence to explicitly state both
paths and tighten phrasing: show the primary command using
.devcontainer/install-ci-tooling.py and add an alternative command for running
the script if placed in the repository root (./install-ci-tooling.py), clarify
that you can copy the script from this repository into either location, and
reword to a concise imperative (e.g., "Run ... to install the required tooling;
you may copy the script from this repository to .devcontainer/ or to the
repository root and run the appropriate path").

[coderabbitai]

⚠️ Potential issue

Gate the GitHub context dump to avoid noisy logs and potential metadata leakage.

Restrict to trusted events or an explicit debug flag.

Apply this diff to add a guard on the step:

-      - name: Display full GitHub context
-        run: echo '${{ toJSON(github) }}'
+      - name: Display full GitHub context
+        if: ${{ (github.event_name != 'pull_request' && github.event_name != 'pull_request_target') && (inputs.debug || env.ACTIONS_STEP_DEBUG == 'true') }}
+        run: echo '${{ toJSON(github) }}'

And add this input at the top (outside this hunk) so callers can enable when needed:

# under on.workflow_call.inputs
  debug:
    description: 'Enable verbose context logging'
    type: boolean
    default: false

🤖 Prompt for AI Agents

In template/.github/workflows/get-values.yaml around lines 27 to 29, the
workflow unconditionally echoes the entire GitHub context which can leak
metadata and create noisy logs; add a workflow_call input named debug (boolean,
default false) at the top under on.workflow_call.inputs and modify the Display
full GitHub context step to run only when either inputs.debug is true or the
event is a trusted event (e.g., github.event_name in a whitelist or specific
actor/permission checks); implement the condition using the workflow expression
(inputs.debug == 'true' || <trusted-event-check>) so the echo runs only when
explicitly enabled or for trusted events.