Copier update (misc version bumps) #37

Merged
ejfine merged 2 commits into main from cop-up
Aug 2, 2025

@ejfine ejfine commented Aug 2, 2025

Pull in upstream template changes

Summary by CodeRabbit

  • New Features

    • Added optional installation of the AWS SSM plugin in development environments, with platform checks and command-line control.
    • Introduced new workflow input and secret for more granular Pulumi AWS mutex locking.
  • Bug Fixes

    • Corrected typos and package/module names in configuration and scripts.
    • Fixed formatting issue in GitHub Actions workflow step name.
  • Chores

    • Updated dependency versions and pre-commit hook versions.
    • Refined pre-commit and linting configuration exclusions to avoid processing generated or minified files.
    • Updated setup and lock file generation instructions in documentation.
    • Changed dependency version pinning to minimum version requirements for improved flexibility.
  • Refactor

    • Improved logic for handling lock file checks in setup scripts.
    • Migrated and updated formatter/linter configuration files, disabling them globally and refining file inclusion/exclusion patterns.

@ejfine ejfine requested a review from Copilot August 2, 2025 16:16
@ejfine ejfine self-assigned this Aug 2, 2025

coderabbitai bot commented Aug 2, 2025

Caution

Review failed

The pull request is closed.

Walkthrough

This update revises dependency versions, corrects package names, and improves configuration for formatting, linting, and CI tooling across multiple files and templates. It introduces new options for AWS SSM plugin installation, updates pre-commit and Dependabot rules, and refines workflow and documentation steps. Several configuration files are replaced or updated for accuracy and maintainability.

Changes

| Cohort / File(s) | Change Summary |
|---|---|
| Dependency Version Updates and Corrections: .devcontainer/install-ci-tooling.py, extensions/context.py, pyproject.toml, copier.yml, template/.devcontainer/install-ci-tooling.py.jinja, template/pyproject.toml.jinja | Updated version constants and dependency requirements for multiple tools and packages; corrected package/module names from "copier-templates-extensions" to "copier-template-extensions"; switched "pyright" dependency from exact to minimum version. |
| Pre-commit and Linting Configuration: .pre-commit-config.yaml, ruff.toml, biome.json, biome.jsonc, template/.pre-commit-config.yaml, template/ruff.toml, template/biome.json, template/biome.jsonc | Upgraded hook versions, expanded exclusion patterns, added new linting ignores, replaced or added biome configuration files to disable formatter and linter and refine file inclusion/exclusion. |
| Manual Dependency Setup Logic: .devcontainer/manual-setup-deps.py, template/.devcontainer/manual-setup-deps.py | Adjusted logic for skip_check_lock to use logical OR with optionally_check_lock and improved error condition for mutually exclusive flags. |
| AWS SSM Plugin Installation: .devcontainer/install-ci-tooling.py, template/.devcontainer/install-ci-tooling.py.jinja | Added --install-ssm-plugin argument; implemented logic to install AWS SSM plugin on non-Windows platforms. |
| CI/CD and Automation Workflow Tweaks: .github/workflows/pre-commit.yaml, template/.github/workflows/pre-commit.yaml, .devcontainer/devcontainer.json | Fixed minor formatting in workflow step names; updated devcontainer context hash comment. |
| Dependabot Configuration: .github/dependabot.yml, template/.github/dependabot.yml.jinja | Restricted updates to minor only for dependencies, globally ignored patch updates except for security, and removed specific ignores. |
| Pulumi Workflow Enhancements: template/.github/workflows/pulumi-aws.yml | Added ADDITIONAL_MUTEX_SUFFIX input and iac-github-api-tokens secret; updated mutex branch logic. |
| Documentation Updates: README.md | Changed lock file generation instructions to use a Python script and added a step to stage all files after generation. |
| Copier Metadata: .copier-answers.yml | Updated _commit value from v0.0.50 to v0.0.60. |

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant SetupScript
    participant OS
    participant AWS_SSM_Plugin

    User->>SetupScript: Run install-ci-tooling.py [--install-ssm-plugin]
    SetupScript->>OS: Check platform
    alt If not Windows and --install-ssm-plugin set
        SetupScript->>OS: Create temp dir
        SetupScript->>OS: Download SSM plugin .deb
        SetupScript->>OS: Install via dpkg
        SetupScript->>AWS_SSM_Plugin: Verify installation
    else If Windows and --install-ssm-plugin set
        SetupScript->>User: Raise NotImplementedError
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

A bunny hopped through configs and code,
Upgrading versions on its winding road.
It fixed the names, made linting neat,
And let Dependabot skip patch-repeat.
Now SSM plugins install with a breeze—
This rabbit’s work will surely please!
🐇✨


📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9801e22 and 17c4652.

📒 Files selected for processing (1)
  • template/.github/dependabot.yml.jinja (2 hunks)

Copilot AI left a comment


Pull Request Overview

This PR updates various dependencies and configurations across the project template, moving from older package versions to newer ones and fixing some package naming inconsistencies. It also introduces new configuration files and enhances CI functionality.

  • Updates multiple tool versions including UV, PNPM, Copier, Pyright, Pytest, and various other dependencies
  • Fixes package name from copier-templates-extensions to copier-template-extensions
  • Adds new SSM plugin installation capability and enhanced pre-commit exclusions

Reviewed Changes

Copilot reviewed 22 out of 25 changed files in this pull request and generated no comments.

| File | Description |
|---|---|
| template/ruff.toml | Adds new ignore rules for TC006 and SIM114 |
| template/pyproject.toml.jinja | Changes pyright from pinned to range version |
| template/biome.jsonc | New configuration file replacing biome.json |
| template/biome.json | Removed old configuration file |
| template/.pre-commit-config.yaml | Updates tool versions and adds exclusions |
| template/.github/workflows/pulumi-aws.yml | Adds mutex suffix configuration |
| template/.github/dependabot.yml.jinja | Removes patch-level updates |
| template/.devcontainer/manual-setup-deps.py | Fixes logical expression for skip_check_lock |
| template/.devcontainer/install-ci-tooling.py.jinja | Adds SSM plugin installation and updates versions |
| extensions/context.py | Updates package name and version numbers |
| copier.yml | Updates package reference |
| Multiple other files | Version bumps and configuration updates |
Comments suppressed due to low confidence (1)


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (3)
.github/dependabot.yml (1)

15-17: Consider removing redundant boto3 patch ignore rule.

The specific boto3 patch ignore rule is now redundant since the global ignore rule on lines 12-14 already covers patch updates for all dependencies, including boto3.

Consider removing this specific rule to simplify the configuration:

-      - dependency-name: "boto3" # boto3 gets patch updates way too frequently and they're usually not important
-        update-types:
-          - "version-update:semver-patch"
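
Review bot: the deleted `dependency-name: "boto3"` line carries the only inline explanation of why patch updates are ignored for that package. If the rule is dropped, move that rationale next to the global ignore on lines 12-14 so the policy stays documented, and confirm that the global rule's `update-types` also lists `version-update:semver-patch` before removing this one.
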
biome.jsonc (1)

1-16: Disabling the Biome formatter / linter globally may hide real issues

Both "formatter.enabled": false and "linter.enabled": false switch Biome off for the whole repo. Given the large reliance on pre-commit quality gates elsewhere, this could let defects or inconsistent styling slip through unnoticed.

Consider one of:

-  "formatter": { "enabled": false },
-  "linter":   { "enabled": false },
+  // Keep Biome on, but restrict to folders that are currently noise-free
+  "formatter": { "enabled": true },
+  "linter":   { "enabled": true },
+  "files": {
+    "includes": ["src/**", "scripts/**"],
+    "excludes": ["**/*.css", "template/**"]
+  },
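
Review bot: the `includes` list in the added `files` block names `src/**` and `scripts/**`, neither of which appears among the paths this PR touches, so turning Biome on with these globs may match nothing and leave the hook passing without checking any file. Confirm the globs against the repository layout, and check the `includes` / `excludes` key names against the schema of the Biome version the pre-commit hook pins, before applying this.
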

or remove the Biome pre-commit hook entirely if you do not intend to use it.

At minimum, document in README.md why Biome is disabled to avoid confusion for future contributors.

extensions/context.py (1)

12-80: Consider refactoring the hook method to reduce complexity.

The hook method contains 61 statements, exceeding the recommended limit of 50. Consider extracting version assignments into separate methods or using a data structure to improve maintainability.

 @override
 def hook(self, context: dict[Any, Any]) -> dict[Any, Any]:
+    self._update_python_versions(context)
+    self._update_javascript_versions(context)
+    self._update_github_actions_versions(context)
+    self._update_docker_versions(context)
+    return context
+
+def _update_python_versions(self, context: dict[Any, Any]) -> None:
     context["uv_version"] = "0.8.3"
-    context["pnpm_version"] = "10.14.0"
-    context["pre_commit_version"] = "4.2.0"
     # ... other python-related versions
+
+def _update_javascript_versions(self, context: dict[Any, Any]) -> None:
+    context["pnpm_version"] = "10.14.0"
     # ... other javascript-related versions
-    return context
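
Review bot: the new `hook` body calls `self._update_github_actions_versions` and `self._update_docker_versions`, but the suggestion defines only the Python and JavaScript helpers, so applying it as written would fail at the third call. The `context["pre_commit_version"] = "4.2.0"` assignment is also removed without being re-added in either helper shown; state which helper it moves to, or that key disappears from the template context.
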
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2bbbe35 and 9801e22.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (24)
  • .copier-answers.yml (1 hunks)
  • .devcontainer/devcontainer.json (1 hunks)
  • .devcontainer/install-ci-tooling.py (4 hunks)
  • .devcontainer/manual-setup-deps.py (1 hunks)
  • .github/dependabot.yml (1 hunks)
  • .github/workflows/pre-commit.yaml (1 hunks)
  • .pre-commit-config.yaml (4 hunks)
  • README.md (1 hunks)
  • biome.json (0 hunks)
  • biome.jsonc (1 hunks)
  • copier.yml (1 hunks)
  • extensions/context.py (2 hunks)
  • pyproject.toml (1 hunks)
  • ruff.toml (1 hunks)
  • template/.devcontainer/install-ci-tooling.py.jinja (4 hunks)
  • template/.devcontainer/manual-setup-deps.py (1 hunks)
  • template/.github/dependabot.yml.jinja (1 hunks)
  • template/.github/workflows/pre-commit.yaml (1 hunks)
  • template/.github/workflows/pulumi-aws.yml (3 hunks)
  • template/.pre-commit-config.yaml (4 hunks)
  • template/biome.json (0 hunks)
  • template/biome.jsonc (1 hunks)
  • template/pyproject.toml.jinja (1 hunks)
  • template/ruff.toml (1 hunks)
💤 Files with no reviewable changes (2)
  • biome.json
  • template/biome.json
🧰 Additional context used
🪛 Ruff (0.12.2)
.devcontainer/install-ci-tooling.py

127-127: subprocess call: check for execution of untrusted input

(S603)


128-133: Starting a process with a partial executable path

(S607)


136-136: subprocess call: check for execution of untrusted input

(S603)


137-137: Starting a process with a partial executable path

(S607)


141-141: Starting a process with a partial executable path

(S607)

extensions/context.py

1-1: File extensions/context.py is part of an implicit namespace package. Add an __init__.py.

(INP001)


12-12: Too many statements (61 > 50)

(PLR0915)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: lint-matrix (ubuntu-24.04, 3.13.2, --data-file tests/copier_data/data2.yaml)
  • GitHub Check: lint-matrix (ubuntu-24.04, 3.12.7, --data-file tests/copier_data/data1.yaml)
  • GitHub Check: lint-matrix (ubuntu-24.04, 3.13.2, --data-file tests/copier_data/data1.yaml)
  • GitHub Check: lint-matrix (ubuntu-24.04, 3.12.7, --data-file tests/copier_data/data2.yaml)
🔇 Additional comments (35)
template/.github/dependabot.yml.jinja (1)

27-28: LGTM! Dependency policy tightened to reduce update noise.

The removal of "patch" updates from the dev-dependencies group aligns with the overall policy shift to focus on minor version updates and security patches only. This should reduce the frequency of automated dependency updates while maintaining security coverage.

.github/dependabot.yml (2)

12-14: LGTM! Global patch update ignore policy implemented.

The new global ignore rule effectively prevents patch-level updates for all dependencies except security updates, which aligns with the goal of reducing update noise while maintaining security coverage.


27-31: LGTM! Dependency groups restricted to minor updates only.

Both production and development dependency groups are now limited to minor updates, which is consistent with the template configuration and the overall policy to reduce patch update noise.

template/.github/workflows/pre-commit.yaml (1)

42-42: Step-name typo fixed – looks good

Only the redundant space in the step title was removed. No functional impact, thanks for the tidy-up.

.copier-answers.yml (1)

2-2: Confirm tag v0.0.60 exists in the upstream template

The _commit pin guards against future breaking changes. Please double-check that v0.0.60 is published and not a draft / pre-release to avoid clone failures in fresh copier runs.

.devcontainer/devcontainer.json (1)

64-64: Hash update acknowledged

The context hash is auto-managed; nothing else changed. ✅

.github/workflows/pre-commit.yaml (1)

42-42: Consistent step naming – good catch

Same one-space cleanup as in the template file; keeps parity between template & actual workflow.

template/ruff.toml (1)

64-65: LGTM! Well-documented linting rule suppressions.

The additions of TC006 and SIM114 to the ignore list are justified with clear explanations. TC006 prevents IDE confusion during refactoring, and SIM114 maintains better coverage checking accuracy.

README.md (1)

13-14: Improved setup process with better dependency management.

The change from uv lock to using the manual setup script with --optionally-check-lock provides more sophisticated dependency handling. Adding the explicit git add . step ensures all generated files are properly staged for commit.

ruff.toml (1)

64-65: LGTM! Consistent with template configuration.

The addition of TC006 and SIM114 rules mirrors the template changes, maintaining consistency between base and template configurations. The documented rationale for these suppressions is sound.

template/.devcontainer/manual-setup-deps.py (1)

61-64: Enhanced flag logic for flexible lock file handling.

The updated logic properly implements mutual exclusivity between --skip-check-lock and --optionally-check-lock flags while allowing the derived skip_check_lock variable to be set by either option. This provides more flexible dependency management during setup.

.devcontainer/manual-setup-deps.py (1)

61-64: LGTM! Consistent flag handling improvements.

The changes mirror those in the template version, implementing the same enhanced mutual exclusivity logic between --skip-check-lock and --optionally-check-lock flags. This consistency ensures reliable behavior across template instantiations.

template/pyproject.toml.jinja (1)

14-14: LGTM! Improved dependency flexibility.

Changing from exact version pinning (==) to minimum version (>=) for pyright is a good improvement. This allows the template to benefit from future patch updates while maintaining the minimum version requirement, and removes the previous strict pin that was in place due to a bug in version 1.1.401.

template/biome.jsonc (1)

1-16: LGTM! Well-structured biome configuration.

The configuration properly disables both formatter and linter while setting up sensible file inclusion patterns. The exclusions are practical:

  • Self-excluding biome.jsonc files prevents circular processing
  • Excluding CSS files due to excessive false positives is a reasonable workaround

The JSONC format with comments improves maintainability by documenting the reasoning behind exclusions.

pyproject.toml (3)

9-11: LGTM! Routine version updates.

The version bumps for pytest (8.3.5→8.4.1) and pytest-cov (6.1.1→6.2.1) are incremental updates that should provide bug fixes and improvements.


12-12: Good improvement to pyright versioning.

Changing from fixed version 1.1.400 to minimum version 1.1.403 provides better flexibility while ensuring the minimum required version is met. This aligns with the similar change in the template file.


13-14: LGTM! Version updates and package name correction.

The copier version bump (9.7.1→9.8.0) and the correction of the package name from copier-templates-extensions to copier-template-extensions (with version update to 0.3.2) fixes what appears to have been a naming inconsistency across the project.

copier.yml (1)

141-143: LGTM! Package name consistency fix.

The corrections from copier-templates-extensions to copier-template-extensions in both the URL comment and Python module reference ensure consistency with the corrected package name used throughout the project. This aligns with the fixes in pyproject.toml and other configuration files.

.devcontainer/install-ci-tooling.py (5)

7-8: LGTM! New imports for enhanced functionality.

The addition of tempfile and pathlib.Path imports supports the new SSM plugin installation feature with proper temporary directory management.


10-16: LGTM! Version updates and new feature flag.

The version bumps for UV (0.8.3), PNPM (10.14.0), COPIER (9.8.0), and COPIER_TEMPLATE_EXTENSIONS (0.3.2) are consistent with updates across the project. The new INSTALL_SSM_PLUGIN_BY_DEFAULT flag provides a sensible default for the new feature.


33-38: LGTM! Well-designed command line argument.

The new --install-ssm-plugin argument is properly structured with a clear help message and uses the configurable default value.


81-81: LGTM! Package name correction.

The fix from copier-templates-extensions to copier-template-extensions maintains consistency with the corrected package name used throughout the project.


120-143: SSM plugin version (1.2.707.0) availability confirmed

The HTTP HEAD request to the pinned URL returned “HTTP/1.1 200 OK,” so the specified version is still accessible and can safely remain pinned.

template/.github/workflows/pulumi-aws.yml (3)

74-78: LGTM! Enhanced mutex control granularity.

The addition of ADDITIONAL_MUTEX_SUFFIX parameter provides finer control over concurrency in Pulumi deployments, allowing more specific locking beyond just the stack name.


80-82: LGTM! Flexible secret management for non-enterprise environments.

The iac-github-api-tokens secret and corresponding environment variable provide a good fallback for environments that don't use AWS Secrets Manager, enhancing deployment flexibility.

Also applies to: 96-97


112-112: LGTM! Mutex key properly incorporates the additional suffix.

The mutex branch name correctly includes the new ADDITIONAL_MUTEX_SUFFIX parameter, maintaining consistency with the enhanced locking mechanism.

extensions/context.py (2)

5-5: LGTM! Import package name corrected.

The import statement has been correctly updated from copier_templates_extensions to copier_template_extensions, aligning with the proper package name used throughout the codebase.


13-47: LGTM! Version updates appear consistent.

The dependency version updates look reasonable and align with the PR's objective of pulling in upstream template changes. The addition of new version keys (dot_env_cli_version, playwright_version, nginx_image_version) and the Alpine image bump to 3.21 are appropriate.

Also applies to: 74-75

.pre-commit-config.yaml (2)

45-45: LGTM! Hook versions updated appropriately.

The version updates for typos (v1.34.0), biome-check (v2.1.1), and ruff (v0.12.3) are reasonable maintenance updates that should provide bug fixes and improvements.

Also applies to: 93-93, 225-225


48-54: LGTM! Exclusion patterns refined for generated and minified files.

The expanded exclusion patterns appropriately skip processing of:

  • Minified files (.min.js, .min.css, .umd.js)
  • Generated files (schema.graphql, pyrightconfig.json)
  • Snapshot directories and biome.jsonc configuration

This prevents unnecessary processing of files that shouldn't be modified by these hooks.

Also applies to: 87-87, 100-101, 116-126

template/.pre-commit-config.yaml (1)

45-54: LGTM! Template pre-commit configuration updated consistently.

The changes mirror those in the main .pre-commit-config.yaml, ensuring consistency between the template and the base repository. The version updates and refined exclusion patterns are appropriate.

Also applies to: 87-87, 93-102, 116-127, 225-225

template/.devcontainer/install-ci-tooling.py.jinja (4)

10-15: LGTM! Jinja templating improves version management.

Using Jinja templating for version variables allows centralized version management through the context system, improving maintainability.


16-16: LGTM! Conditional SSM plugin installation with user control.

The conditional default behavior based on template context and the explicit command-line flag provide good flexibility for users who need AWS SSM port forwarding capabilities.

Also applies to: 33-38


81-81: LGTM! Package name corrected.

The package name has been correctly updated from copier-templates-extensions to copier-template-extensions, aligning with the proper package name.


120-143: LGTM! SSM plugin installation implemented securely.

The SSM plugin installation follows AWS documentation best practices:

  • Downloads from official AWS S3 URL
  • Uses a pinned version (1.2.707.0) for reproducibility
  • Uses temporary directory for cleanup
  • Appropriately raises NotImplementedError for Windows
  • Verifies installation with version check

The implementation is secure and follows good practices.
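
As an added example (not code from this PR or from the template project): a version pinned in a URL fixes which file is requested, not which bytes arrive, so this sketch checks the downloaded package against a pinned SHA-256 before dpkg runs, and it calls tools by resolved absolute path with list arguments, which is what the Ruff S607 and S603 findings above are about. The URL and digest are placeholders, and the function names, the `session-manager-plugin` binary name and its `--version` flag are assumptions.

```python
import hashlib
import os.path
import shutil
import subprocess
import tempfile
import urllib.request
from pathlib import Path

# Placeholders (assumptions): the page shows neither the download URL nor a digest.
PLUGIN_URL = "https://example.invalid/PLACEHOLDER/session-manager-plugin.deb"
PINNED_SHA256 = "PLACEHOLDER_SHA256_OF_THE_REVIEWED_PACKAGE"


def sha256_file(path):
    """Hash the file in chunks so a large package is never held in memory whole."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def resolve_tool(name, which=shutil.which):
    """Turn a bare command name into an absolute path (the concern behind Ruff S607)."""
    found = which(name)
    if found is None:
        raise FileNotFoundError(f"{name} not found on PATH")
    if not os.path.isabs(found):
        # A relative PATH entry such as "." would make the result depend on the cwd.
        raise ValueError(f"{name} resolved to a relative path: {found}")
    return found


def download(url, dest):
    """Fetch the package over HTTPS only; integrity is checked separately."""
    if not url.startswith("https://"):
        raise ValueError("refusing non-HTTPS download")
    with urllib.request.urlopen(url, timeout=30) as resp, Path(dest).open("wb") as out:
        shutil.copyfileobj(resp, out)


def install_verified_deb(deb, expected_sha256, verify_tool="session-manager-plugin",
                         run=subprocess.run, which=shutil.which):
    """Install deb only if its SHA-256 matches; return the argv lists that were run.

    verify_tool and its --version flag are assumptions about the installed binary.
    """
    actual = sha256_file(deb)
    if actual != expected_sha256.strip().lower():
        raise ValueError(f"SHA-256 mismatch for {Path(deb).name}: got {actual}")
    executed = []
    for tool, args in (("dpkg", ["--install", str(deb)]), (verify_tool, ["--version"])):
        # Resolve just before use: the verify tool does not exist until dpkg has run.
        argv = [resolve_tool(tool, which), *args]
        run(argv, check=True)  # argv list, no shell: arguments are never re-parsed
        executed.append(argv)
    return executed


def main():
    with tempfile.TemporaryDirectory() as tmp:  # removed even if a step raises
        deb = Path(tmp) / "session-manager-plugin.deb"
        download(PLUGIN_URL, deb)
        install_verified_deb(deb, PINNED_SHA256)


if __name__ == "__main__":
    main()
```

The `run` and `which` parameters exist so the install path can be exercised without touching the system; the digest itself should be recorded when the package version is reviewed and updated together with the version bump.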

@ejfine ejfine merged commit a53895b into main Aug 2, 2025
6 of 7 checks passed
@ejfine ejfine deleted the cop-up branch August 2, 2025 16:23