Copier update (GHA permissions) #40

Merged
ejfine merged 1 commit into main from gha-permissions on Sep 8, 2025

Conversation

@ejfine (Contributor) commented Sep 8, 2025

Pull in upstream template changes

Summary by CodeRabbit

  • New Features
    • Added option to skip installing the AWS SSM plugin in CI/dev tooling; Windows installation now supported.
    • Reusable Docker build workflow exposes artifact-name output for easier artifact retrieval.
    • Devcontainer now targets linux/amd64 for consistent cross-architecture behavior.
  • Chores
    • Upgraded numerous dependencies, developer tools, and VS Code extensions (Python, Ruff, Copilot, etc.).
    • Updated GitHub Actions versions and tightened permissions; improved mutex usage across workflows.
    • Expanded .gitignore (coverage.xml, rotated logs, macOS files) and refined pre-commit config and exclusions.

@ejfine ejfine requested a review from Copilot September 8, 2025 10:18
@ejfine ejfine self-assigned this Sep 8, 2025
@coderabbitai bot commented Sep 8, 2025

Caution: Review failed. The pull request is closed.

Walkthrough

Version bumps across tooling, devcontainer, and workflows; adjusted GitHub Actions permissions and action versions; added platform override to devcontainers; introduced a skip flag for AWS SSM plugin install with OS-specific installers; exposed artifact-name output in Docker build workflow; removed a manual setup script; expanded pre-commit excludes and .gitignore.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Devcontainer configs: /.devcontainer/devcontainer.json, /.devcontainer/docker-compose.yml, /template/.devcontainer/devcontainer.json.jinja, /template/.devcontainer/docker-compose.yml.jinja | Bumped VS Code extension versions; updated devcontainer context hash comment; added platform: linux/amd64 to devcontainer service (template and root). |
| CI tooling installer (SSM plugin flow): /.devcontainer/install-ci-tooling.py, /template/.devcontainer/install-ci-tooling.py.jinja | Switched flag from --install-ssm-plugin to --skip-installing-ssm-plugin; gated install on INSTALL_SSM_PLUGIN_BY_DEFAULT and skip flag; implemented Windows installer (EXE) and non-Windows DEB flow; bumped tool version constants; added version check output. |
| Composite GitHub Actions: /.github/actions/install_deps/action.yml, /template/.github/actions/install_deps/action.yml, /.github/actions/update-devcontainer-hash/action.yml, /template/.github/actions/update-devcontainer-hash/action.yml, /template/.github/actions/pulumi_ephemeral_deploy/action.yml | Added input skip-installing-ssm-plugin-manager and forwards --skip-installing-ssm-plugin; upgraded used actions (checkout/setup-python/setup-node/aws-credentials); no logic changes otherwise. |
| Reusable workflow (Docker image): /.github/reusable_workflows/build-docker-image.yaml | Added public output artifact-name (exposed at workflow_call and job); upgraded actions (checkout, configure-aws-credentials, setup-buildx) and Buildx version; added permissions: contents: write. |
| Workflow updates (permissions and deps): /.github/workflows/ci.yaml, /.github/workflows/get-values.yaml, /.github/workflows/pre-commit.yaml, /.github/workflows/tag-on-merge.yaml, /template/.github/workflows/ci.yaml.jinja, /template/.github/workflows/get-values.yaml, /template/.github/workflows/pre-commit.yaml, /template/.github/workflows/pulumi-aws.yml, /template/.github/workflows/refresh-stack.yaml.jinja | Scoped permissions per job (id-token/contents/statuses), reduced top-level permissions; upgraded checkout/cache actions; passed skip-install flag in pre-commit; standardized mutex usage; refactored refresh-stack lint job to reuse pre-commit workflow. |
| Pre-commit configs: /.pre-commit-config.yaml, /template/.pre-commit-config.yaml | Raised minimum_pre_commit_version; updated hook revs (typos, pre-commit-hooks, hadolint, ruff, pylint); added excludes for snapshots and generated files. |
| Project/tool versions and context: /extensions/context.py, /pyproject.toml | Bumped many versions (uv, pnpm, pre-commit, pyright, pytest, copier, Pulumi libs, frontend tooling); added multiple JS-related context keys and template_uses_javascript flag; updated Python deps in pyproject. |
| Copier metadata and prompts: /.copier-answers.yml, /copier.yml | Updated _commit from v0.0.60 to v0.0.69; adjusted when expressions to reference install_aws_ssm_port_forwarding_plugin (effective behavior unchanged due to or True). |
| Ignore files: /.gitignore, /template/.gitignore | Added coverage.xml, **/logs/*.log.*, and macOS .DS_Store entries. |
| Removed script: /.devcontainer/manual-setup-deps.sh | Deleted shell-based dependency setup script using uv (lock/sync/list flow). |

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor User as User
  participant GH as GitHub Action (install_deps)
  participant Script as install-ci-tooling.py
  participant AWS as AWS SSM Plugin Sources
  participant OS as Host OS

  User->>GH: inputs.skip-installing-ssm-plugin-manager (bool)
  GH->>Script: run with (--skip-installing-ssm-plugin if input true)
  Script->>Script: if INSTALL_SSM_PLUGIN_BY_DEFAULT and not skip
  alt Install SSM plugin
    Script->>OS: detect platform (Windows vs non-Windows)
    opt Windows
      Script->>AWS: download SessionManagerPluginSetup.exe
      Script->>OS: run installer (/quiet)
    end
    opt Non-Windows
      Script->>AWS: download session-manager-plugin.deb
      Script->>OS: dpkg -i .deb
    end
    Script->>OS: session-manager-plugin --version
  else Skip installation
    Script->>Script: proceed without SSM plugin install
  end
sequenceDiagram
  autonumber
  actor Caller as Reusing Workflow
  participant WF as build-docker-image (reusable)
  participant Job as build-image job
  participant Step as calc-hash step

  Caller->>WF: workflow_call (no changes)
  WF->>Job: start build-image
  Job->>Step: compute image_name_no_slashes
  Step-->>Job: output image_name_no_slashes
  Job-->>WF: set outputs.artifact-name = image_name_no_slashes
  WF-->>Caller: expose outputs.artifact-name

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~30 minutes

Poem

A rabbit taps keys in a burrow so snug,
Skips SSM installs with a confident shrug.
Devcontainers hum on amd64,
Actions gain outputs, permissions galore.
Pre-commit hops lightly past snapshots and logs—
Version bumps bloom like carrots in clogs. 🥕✨


📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a53895b and ddefd54.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (30)
  • .copier-answers.yml (1 hunks)
  • .devcontainer/devcontainer.json (2 hunks)
  • .devcontainer/docker-compose.yml (1 hunks)
  • .devcontainer/install-ci-tooling.py (3 hunks)
  • .devcontainer/manual-setup-deps.sh (0 hunks)
  • .github/actions/install_deps/action.yml (2 hunks)
  • .github/actions/update-devcontainer-hash/action.yml (1 hunks)
  • .github/reusable_workflows/build-docker-image.yaml (4 hunks)
  • .github/workflows/ci.yaml (4 hunks)
  • .github/workflows/get-values.yaml (2 hunks)
  • .github/workflows/pre-commit.yaml (3 hunks)
  • .github/workflows/tag-on-merge.yaml (1 hunks)
  • .gitignore (2 hunks)
  • .pre-commit-config.yaml (9 hunks)
  • copier.yml (1 hunks)
  • extensions/context.py (2 hunks)
  • pyproject.toml (1 hunks)
  • template/.devcontainer/devcontainer.json.jinja (1 hunks)
  • template/.devcontainer/docker-compose.yml.jinja (1 hunks)
  • template/.devcontainer/install-ci-tooling.py.jinja (2 hunks)
  • template/.github/actions/install_deps/action.yml (2 hunks)
  • template/.github/actions/pulumi_ephemeral_deploy/action.yml (1 hunks)
  • template/.github/actions/update-devcontainer-hash/action.yml (1 hunks)
  • template/.github/workflows/ci.yaml.jinja (2 hunks)
  • template/.github/workflows/get-values.yaml (2 hunks)
  • template/.github/workflows/pre-commit.yaml (3 hunks)
  • template/.github/workflows/pulumi-aws.yml (2 hunks)
  • template/.github/workflows/refresh-stack.yaml.jinja (2 hunks)
  • template/.gitignore (2 hunks)
  • template/.pre-commit-config.yaml (9 hunks)

@ejfine ejfine merged commit 4850255 into main Sep 8, 2025
7 of 8 checks passed

Copilot AI left a comment

Pull Request Overview

This PR pulls in upstream template changes focused on updating GitHub Actions permissions and various tool/dependency versions. The changes primarily enhance security by adding explicit permission comments and updating to newer versions of actions, tools, and dependencies.

  • Updates GitHub Actions permissions across workflows with explicit comments explaining their purpose
  • Updates various tool and dependency versions (GitHub Actions, pre-commit hooks, Python packages, Node packages, etc.)
  • Enhances the SSM plugin installation to support Windows and adds configuration options

Reviewed Changes

Copilot reviewed 29 out of 31 changed files in this pull request and generated 2 comments.

Summary per file

| File | Description |
|---|---|
| template/.pre-commit-config.yaml | Updates pre-commit version and hook versions with additional exclusions for test snapshots |
| template/.gitignore | Adds coverage.xml, additional log patterns, and macOS .DS_Store files |
| template/.github/workflows/refresh-stack.yaml.jinja | Refactors to use reusable workflow and adds explicit permissions |
| template/.github/workflows/pulumi-aws.yml | Updates checkout action and adds permission comments |
| template/.github/workflows/pre-commit.yaml | Updates actions versions and adds SSM plugin skip option |
| template/.github/workflows/get-values.yaml | Updates checkout action version |
| template/.github/workflows/ci.yaml.jinja | Restructures permissions and adds UV_PYTHON environment variable |
| template/.github/actions/update-devcontainer-hash/action.yml | Updates checkout action version |
| template/.github/actions/pulumi_ephemeral_deploy/action.yml | Updates AWS credentials action version |
| template/.github/actions/install_deps/action.yml | Updates actions versions and adds SSM plugin skip option |
| template/.devcontainer/install-ci-tooling.py.jinja | Adds Windows support for SSM plugin installation |
| template/.devcontainer/docker-compose.yml.jinja | Adds platform specification for linux/amd64 |
| template/.devcontainer/devcontainer.json.jinja | Updates VS Code extension versions |
| pyproject.toml | Updates Python dependency versions |
| extensions/context.py | Updates numerous tool and package versions |
| copier.yml | Updates conditional logic for AWS-related questions |
| .pre-commit-config.yaml | Updates pre-commit versions and hooks (same as template) |
| .github/workflows/tag-on-merge.yaml | Updates checkout action version |
| .github/workflows/pre-commit.yaml | Updates actions and adds permissions (same as template) |
| .github/workflows/get-values.yaml | Updates checkout action version (same as template) |
| .github/workflows/ci.yaml | Updates permissions structure and adds UV_PYTHON environment |
| .github/reusable_workflows/build-docker-image.yaml | Updates actions versions and adds artifact output |
| .github/actions/update-devcontainer-hash/action.yml | Updates checkout action version (same as template) |
| .github/actions/install_deps/action.yml | Updates actions and adds SSM plugin option (same as template) |
| .devcontainer/manual-setup-deps.sh | Removes entire file (script deletion) |
| .devcontainer/install-ci-tooling.py | Updates versions and adds Windows SSM plugin support (same as template) |
| .devcontainer/docker-compose.yml | Adds platform specification (same as template) |
| .devcontainer/devcontainer.json | Updates extension versions and devcontainer hash |
| .copier-answers.yml | Updates commit reference version |
Comments suppressed due to low confidence (2)

template/.github/workflows/ci.yaml.jinja:1
{% raw %}name: CI

  • The UV_PYTHON environment variable is set at the job level but the matrix.python-version is not defined in the visible context. Ensure this environment variable is only set for jobs that actually use a matrix strategy with python-version.

# Reformatting (should generally come before any file format or other checks, because reformatting can change things)
- repo: https://github.com/crate-ci/typos
rev: 392b78fe18a52790c53f42456e46124f77346842 # frozen: v1.34.0
rev: 65a25783d8705c6a72d9fead19c44d87b4ff03c3 # frozen: v1
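Review bot: the `# frozen:` comment on the new crate-ci/typos rev drops the exact tag (v1.34.0 on the removed line, bare `v1` on the added one), which is the only human-readable record of what the pinned SHA 65a25783d8705c6a72d9fead19c44d87b4ff03c3 corresponds to, so an upgrade or downgrade cannot be recognised from the diff. Record the exact tag that resolves to that SHA, taken from the upstream repository rather than guessed: the `v1.16.20` proposed in the suggestion below is lower than the previously pinned v1.34.0 and, if it were the real tag, would mean this hunk downgrades the hook.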
Copilot AI, Sep 8, 2025

The version comment appears incomplete. It should specify the full version tag like 'v1.x.x' rather than just 'v1'.

Suggested change
rev: 65a25783d8705c6a72d9fead19c44d87b4ff03c3 # frozen: v1
rev: 65a25783d8705c6a72d9fead19c44d87b4ff03c3 # frozen: v1.16.20

Comment on lines +126 to +134
_ = subprocess.run(
[
"curl",
"https://s3.amazonaws.com/session-manager-downloads/plugin/1.2.707.0/windows/SessionManagerPluginSetup.exe",
"-o",
f"{local_package_path}",
],
check=True,
)
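Review bot: `curl` is run here without `--fail`, so an HTTP 404 or 403 from the S3 URL still exits 0, the error body is written to `local_package_path`, `check=True` passes, and the following step (the `/quiet` installer run shown in the walkthrough) executes that file. Add `"--fail"` (with `"-sS"` to keep errors visible) to the argument list, and before executing the download compare it against a SHA-256 pinned alongside the 1.2.707.0 version string in this script, since HTTPS only protects the transfer and not the object served at the source. Minor: `f"{local_package_path}"` is clearer as `str(local_package_path)`.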
Copilot AI, Sep 8, 2025

Downloading and executing files from HTTP URLs without integrity verification poses a security risk. Consider adding checksum verification or using HTTPS URLs with certificate validation.

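The integrity check that the comment above asks for, as an added example that is not part of this PR or of the repository's install-ci-tooling.py: the PR's skip/default gate, a curl download that fails on HTTP errors, and a pinned SHA-256 check that must pass before the installer is handed back for execution. The function names, the injectable `downloader` parameter and the digest placeholder are assumptions; the version and URL are the ones in the reviewed hunk.

```python
"""Added example, not the repository's install-ci-tooling.py: the PR's install
gate plus a download that is verified against a pinned SHA-256 before use."""
import hashlib
import hmac
import subprocess
from pathlib import Path
from typing import Callable

# Version and URL come from the hunk under review; the digest is a PLACEHOLDER
# to be replaced with the value recorded for that exact release.
SSM_PLUGIN_VERSION = "1.2.707.0"
WINDOWS_INSTALLER_URL = (
    "https://s3.amazonaws.com/session-manager-downloads/plugin/"
    f"{SSM_PLUGIN_VERSION}/windows/SessionManagerPluginSetup.exe"
)
EXPECTED_SHA256_PLACEHOLDER = "<sha256 of SessionManagerPluginSetup.exe>"

def should_install_ssm_plugin(install_by_default: bool, skip_flag: bool) -> bool:
    """The PR's gate: INSTALL_SSM_PLUGIN_BY_DEFAULT and not --skip-installing-ssm-plugin."""
    return install_by_default and not skip_flag

def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_sha256(path: Path, expected_hex: str) -> bool:
    """Constant-time comparison of the file digest against the pinned value."""
    return hmac.compare_digest(sha256_of(path), expected_hex.strip().lower())

def curl_download(url: str, dest: Path) -> None:
    # --fail makes curl exit non-zero on an HTTP error instead of saving the
    # error page under dest, so check=True really does catch a 404 or 403.
    subprocess.run(["curl", "--fail", "--silent", "--show-error", url, "-o", str(dest)], check=True)

def fetch_installer(url: str, dest: Path, expected_sha256: str,
                    downloader: Callable[[str, Path], None] = curl_download) -> Path:
    """Download, then hand back the file only if its digest matches; never run it otherwise."""
    downloader(url, dest)
    if not verify_sha256(dest, expected_sha256):
        dest.unlink(missing_ok=True)  # do not leave an unverified installer behind
        raise RuntimeError(f"SHA-256 mismatch for {dest.name}; refusing to run it")
    return dest
```

The installer is executed (on Windows with `/quiet`, elsewhere via `dpkg -i`) only with the path `fetch_installer` returns, so a mismatch never reaches that step.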
@ejfine ejfine deleted the gha-permissions branch September 8, 2025 10:23