
Copier update (CI timeouts)#46

Merged
ejfine merged 13 commits into main from copier-timeouts on Nov 24, 2025

Conversation

@ejfine (Contributor) commented Nov 24, 2025

Pull in upstream template changes

Summary by CodeRabbit

Release Notes

  • New Features

    • Optional Claude CLI support now available in development containers.
  • Documentation

    • Corrected GitHub product terminology throughout documentation.
    • Enhanced setup and dependency installation guidance.
  • Chores

    • Updated development tooling and dependency versions.
    • Improved CI/CD security with enhanced credential handling.
    • Optimized workflow execution timeouts for better reliability.


@ejfine ejfine self-assigned this Nov 24, 2025
@ejfine ejfine requested a review from Copilot November 24, 2025 12:18
@coderabbitai bot commented Nov 24, 2025

Warning

Rate limit exceeded

@ejfine has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 9 minutes and 11 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 4b51747 and f2faf72.

📒 Files selected for processing (1)
  • .copier-answers.yml (1 hunks)

Walkthrough

This PR updates development infrastructure and CI/CD configurations across the repository. It bumps tool and dependency versions, introduces new CLI arguments for environment setup with Python version detection, adds CodeRabbit configuration, updates pre-commit hooks and GitHub workflows, adds VSCode extensions and settings, and includes conditional Claude CLI integration support in the template.

Changes

Cohort: CodeRabbit Configuration
Files: .coderabbit.yaml, template/.coderabbit.yaml
Summary: Introduces new CodeRabbit config files with assertive profile, vendor file read-only rules, disabled code quality tools (eslint, ruff, pylint, flake8), auto-review for drafts enabled, and finishing touches (docstrings, unit tests) disabled.

Cohort: Copier Configuration & Metadata
Files: copier.yml, .copier-answers.yml, tests/copier_data/data1.yaml, tests/copier_data/data2.yaml
Summary: Adds install_claude_cli boolean option to copier configuration; updates .copier-answers.yml with new fields (install_claude_cli, repo_org_name_for_copyright, template_uses_python), bumped commit hash, and SSH port change (54184→51184).

Cohort: DevContainer Scripts (Root)
Files: .devcontainer/manual-setup-deps.py, .devcontainer/install-ci-tooling.py
Summary: Adds new CLI flags (--only-create-lock, --skip-updating-devcontainer-hash, --allow-uv-to-install-python), Python version handling logic, environment-aware configuration, and enhanced curl resilience; tool versions bumped (UV, PNPM, Copier, Pre-Commit).

Cohort: DevContainer Configuration (Root)
Files: .devcontainer/devcontainer.json, .devcontainer/docker-compose.yml
Summary: Updates AWS CLI feature (1.1.1→1.1.2, 2.27.14→2.31.11), replaces GitLens with CodeRabbit extension, updates Copilot/Python/Ruff tooling, adds Copilot whitespace setting, updates port mapping (54184→51184).

Cohort: GitHub Actions & Workflows (Root)
Files: .github/actions/install_deps/action.yml, .github/reusable_workflows/build-docker-image.yaml, .github/workflows/ci.yaml, .github/workflows/get-values.yaml, .github/workflows/pre-commit.yaml, .github/workflows/tag-on-merge.yaml
Summary: Adds new action input skip-updating-devcontainer-hash, increases job timeouts (2–15 min), reduces mutex timeout (30→8 min), adds persist-credentials: false to checkout steps, updates external action versions (setup-node v5→v6, aws-configure v5.0→v5.1, docker-buildx v6.16→v6.18, upload-artifact v4.6→v5.0).

Cohort: GitHub Security & Linting
Files: .github/zizmor.yml
Summary: Adds template-injection ignore entry for get-values.yaml:28 with debug-output justification.

Cohort: Pre-commit & Code Quality (Root)
Files: .pre-commit-config.yaml, pyrightconfig.json, ruff.toml, ruff-test.toml
Summary: Bumps multiple pre-commit hook revisions, adds check-github-workflows from check-jsonschema, expands exclusion patterns for generated/open-api and graphql_codegen paths, removes reportShadowedImports from pyright, adds D105 and SIM117 ruff rules, reformats unfixable blocks.

Cohort: Python Dependencies & Context
Files: pyproject.toml, extensions/context.py
Summary: Bumps pytest (8.4→9.0), pytest-cov (6.3→7.0), pytest-randomly (3.16→4.0), pyright (1.1.405→1.1.407), copier (9.10→9.11); updates numerous context version keys and adds new ones (ariadne_codegen, pytest_mock, syrupy, structlog, httpx, python_kiota_bundle, GHA timeout presets).

Cohort: Documentation & Repository Files
Files: README.md, CONTRIBUTING.md, .gitignore, _typos.toml
Summary: Adds OpenIssues badge, updates lock-file generation command guidance, adds devcontainer rebuild step, capitalizes "GitHub", removes .pytest_cache/ and .mypy_cache/ from ignore lists, fixes typo (misPELL→misspell).

Cohort: Template: DevContainer Scripts & Config
Files: template/.devcontainer/manual-setup-deps.py, template/.devcontainer/install-ci-tooling.py.jinja, template/.devcontainer/devcontainer.json.jinja, template/.devcontainer/docker-compose.yml.jinja
Summary: Mirrors root devcontainer changes with template-aware conditionals for Claude CLI (install_claude_cli), updates tool versions, adds ANTHROPIC_API_KEY env var when applicable.

Cohort: Template: GitHub Workflows & Actions
Files: template/.github/workflows/ci.yaml.jinja, template/.github/workflows/get-values.yaml, template/.github/workflows/pre-commit.yaml, template/.github/workflows/pulumi-aws.yml, template/.github/actions/install_deps/action.yml, template/.github/actions/pulumi_ephemeral_deploy/action.yml
Summary: Adds timeout-minutes to jobs using GHA timeout presets, adds persist-credentials: false to checkout steps, reduces mutex timeout (30→8/15 min), adds new action input, updates external action versions.

Cohort: Template: Code Quality & Ignore
Files: template/.pre-commit-config.yaml, template/pyrightconfig.json, template/ruff.toml, template/ruff-test.toml, template/.gitignore, template/_typos.toml, template/CONTRIBUTING.md, template/.coveragerc
Summary: Mirrors root config changes (pre-commit hooks, pyright exclusions, ruff rules, capitalization fixes, removed cache dirs), adds coverage omit for generated/open_api.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

  • Areas requiring careful attention:
    • Environment-aware Python version detection logic in .devcontainer/manual-setup-deps.py and template variant—verify precedence rules (--python-version > .python-version file > root .python-version) and UV_PYTHON_ALREADY_CONFIGURED flag handling
    • Pre-commit hook configuration completeness—ensure all exclusion patterns for generated/open-api and graphql_codegen are consistent across all hooks and both root and template versions
    • GitHub workflow timeout values and their appropriateness—verify that new timeouts (2–15 min) are realistic for each job and won't cause spurious failures
    • Template conditional logic for install_claude_cli—ensure ANTHROPIC_API_KEY and Claude devcontainer feature are correctly added/omitted based on flag
    • Version compatibility of bumped tools (pytest, pyright, copier, pre-commit hooks)—spot-check for any known breaking changes

Pre-merge checks

❌ Failed checks (1 warning, 1 inconclusive)
Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: You can run @coderabbitai generate docstrings to improve docstring coverage.
Description check: ❓ Inconclusive. The pull request description 'Pull in upstream template changes' is vague and does not follow the required template structure with sections for Issue Link, Why, How, Side effects, Testing, and Other. Resolution: Expand the description to follow the provided template structure, explaining which upstream changes are being incorporated and their impact on the project.
✅ Passed checks (1 passed)
Title check: ✅ Passed. The title 'Copier update (CI timeouts)' accurately reflects the main change in the changeset, which primarily involves updating CI workflow timeouts across multiple files and dependency versions.


Copilot AI left a comment

Pull request overview

This PR pulls in upstream template changes from the Copier base template, primarily focused on addressing CI timeout issues and updating various dependencies and tooling. The changes include dependency version bumps, GitHub Actions workflow improvements with timeout configurations, devcontainer tooling enhancements, and the addition of CodeRabbit AI code review integration.

Key changes:

  • Updated multiple Python dependencies (copier 9.10.1→9.11.0, pytest 8.4.2→9.0.1, pytest-cov 6.3.0→7.0.0, coverage 7.6.10→7.12.0, pyright 1.1.405→1.1.407)
  • Added timeout-minutes to GitHub Actions workflows to prevent hanging jobs
  • Enhanced manual-setup-deps.py with new flags for lock file generation and Python installation control
  • Added CodeRabbit configuration and Claude CLI installation option
  • Improved security with persist-credentials: false in checkout actions

Reviewed changes

Copilot reviewed 44 out of 46 changed files in this pull request and generated no comments.

Summary per file:

  • uv.lock: Updated lock file with new dependency versions and upload-time metadata
  • pyproject.toml: Bumped minimum versions for testing and tooling dependencies
  • extensions/context.py: Updated version constants for Python packages, Node packages, and GitHub Actions
  • copier.yml: Added new install_claude_cli configuration option
  • tests/copier_data/*.yaml: Added install_claude_cli field to test data
  • .devcontainer/manual-setup-deps.py: Enhanced with new CLI flags and Python version detection logic
  • .devcontainer/install-ci-tooling.py: Updated version constants and curl command with additional safety flags
  • template/.github/workflows/*.yaml: Added timeout-minutes and persist-credentials: false for security
  • template/.devcontainer/devcontainer.json: Updated extension versions and added CodeRabbit extension
  • .coderabbit.yaml: New configuration file for CodeRabbit AI code review
  • ruff*.toml: Added D105 to ignored rules and reformatted unfixable list
  • pyrightconfig.json: Removed reportShadowedImports check and added generated code exclusions
  • .pre-commit-config.yaml: Updated hook versions and improved exclusion patterns


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.devcontainer/manual-setup-deps.py (1)

76-106: Consider clarifying the lock-checking variable names.

The interaction between check_lock_file, args.optionally_check_lock, and env_check_lock may be confusing:

  • Line 76: check_lock_file = not (...or args.optionally_check_lock...) sets it to False when optional checking is requested
  • Lines 104-105: env_check_lock = True when optional check is enabled AND the file exists

While functionally correct, the naming could be clearer. Consider renaming check_lock_file to require_lock_file or similar to better convey that it represents mandatory checking.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4850255 and 4b51747.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (45)
  • .coderabbit.yaml (1 hunks)
  • .copier-answers.yml (1 hunks)
  • .devcontainer/devcontainer.json (4 hunks)
  • .devcontainer/docker-compose.yml (1 hunks)
  • .devcontainer/install-ci-tooling.py (3 hunks)
  • .devcontainer/manual-setup-deps.py (5 hunks)
  • .github/actions/install_deps/action.yml (3 hunks)
  • .github/reusable_workflows/build-docker-image.yaml (5 hunks)
  • .github/workflows/ci.yaml (5 hunks)
  • .github/workflows/get-values.yaml (1 hunks)
  • .github/workflows/pre-commit.yaml (2 hunks)
  • .github/workflows/tag-on-merge.yaml (1 hunks)
  • .github/zizmor.yml (1 hunks)
  • .gitignore (0 hunks)
  • .pre-commit-config.yaml (10 hunks)
  • CONTRIBUTING.md (1 hunks)
  • README.md (1 hunks)
  • _typos.toml (1 hunks)
  • copier.yml (1 hunks)
  • extensions/context.py (1 hunks)
  • pyproject.toml (1 hunks)
  • pyrightconfig.json (1 hunks)
  • ruff-test.toml (1 hunks)
  • ruff.toml (3 hunks)
  • template/.coderabbit.yaml (1 hunks)
  • template/.coveragerc (1 hunks)
  • template/.devcontainer/devcontainer.json.jinja (2 hunks)
  • template/.devcontainer/docker-compose.yml.jinja (1 hunks)
  • template/.devcontainer/install-ci-tooling.py.jinja (2 hunks)
  • template/.devcontainer/manual-setup-deps.py (5 hunks)
  • template/.github/actions/install_deps/action.yml (3 hunks)
  • template/.github/actions/pulumi_ephemeral_deploy/action.yml (1 hunks)
  • template/.github/workflows/ci.yaml.jinja (1 hunks)
  • template/.github/workflows/get-values.yaml (1 hunks)
  • template/.github/workflows/pre-commit.yaml (2 hunks)
  • template/.github/workflows/pulumi-aws.yml (2 hunks)
  • template/.gitignore (0 hunks)
  • template/.pre-commit-config.yaml (10 hunks)
  • template/CONTRIBUTING.md (1 hunks)
  • template/_typos.toml (1 hunks)
  • template/pyrightconfig.json (1 hunks)
  • template/ruff-test.toml (1 hunks)
  • template/ruff.toml (3 hunks)
  • tests/copier_data/data1.yaml (1 hunks)
  • tests/copier_data/data2.yaml (1 hunks)
💤 Files with no reviewable changes (2)
  • .gitignore
  • template/.gitignore
🧰 Additional context used
🧬 Code graph analysis (2)
template/.devcontainer/manual-setup-deps.py (1)
.devcontainer/manual-setup-deps.py (1)
  • PackageManager (49-51)
.devcontainer/manual-setup-deps.py (1)
template/.devcontainer/manual-setup-deps.py (1)
  • PackageManager (49-51)
🪛 markdownlint-cli2 (0.18.1)
README.md

7-7: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

🪛 YAMLlint (1.37.1)
copier.yml

[warning] 17-17: truthy value should be one of [false, true]

(truthy)

.github/workflows/pre-commit.yaml

[warning] 38-38: too few spaces before comment: expected 2

(comments)


[warning] 59-59: too few spaces before comment: expected 2

(comments)

.github/workflows/ci.yaml

[warning] 110-110: too few spaces before comment: expected 2

(comments)

template/.github/workflows/pre-commit.yaml

[warning] 38-38: too few spaces before comment: expected 2

(comments)


[warning] 59-59: too few spaces before comment: expected 2

(comments)

🔇 Additional comments (78)
extensions/context.py (5)

98-101: CI timeout presets align with PR objectives.

The addition of timeout presets (short: 2m, medium: 8m, long: 15m, xlong: 45m) directly supports the PR title "CI timeouts" and provides sensible defaults for workflow stages.


105-105: Python 3.14.0 is confirmed stable and production-ready.

Python 3.14.0 was released as the final (stable) version on October 7, 2025. The addition of py314_version = "3.14.0" is appropriate.


13-45: Verification shows most sampled versions exist. I need to check the specific versions mentioned in the code snippet since the script returned newer "latest" versions for three packages. Let me verify the pinned versions actually exist:

Let me search for pulumi-github version history to verify the 6.8.0 release:

Verification confirms Python package versions exist with no critical security issues.

FastAPI 0.121.0 exists as a released version, and strawberry-graphql 0.284.1 was released on Oct 18, 2025. The initial sample verification using PyPI API confirmed fastapi 0.121.0, pytest 9.0.1, copier 9.11.0, and all tested Pulumi packages exist and are available. Strawberry-graphql was scanned for known vulnerabilities and no issues were found. Pydantic 2.12.4 is beyond the affected range of previously identified ReDoS vulnerabilities (v2.0-2.4.0). The version updates are valid and can proceed.


47-78: I need to verify the context and scope of impact for these version updates. Let me inspect the codebase:

I need to understand the context of this file—whether it's generating templates or setting production dependencies. Let me inspect the codebase:

All specified npm package versions exist and are compatible. No action required.

Nuxt UI v4 requires Nuxt 4 due to some dependencies, and your specified versions (Nuxt ^4.2.0, Vue ^3.5.22, Tailwind CSS ^4.1.11, Nuxt UI ^4.1.0) are correctly aligned. The npm registry verification confirms these versions are available with their semver ranges resolving to current releases.

Nuxt 4 is a stability-focused major release, and most of the breaking changes have been testable with a compatibility flag for over a year. Some modules might need further updates for full Nuxt 4 compatibility, but for most breaking changes, there are configuration options to revert to the old behavior. Nuxt 3 will continue to receive maintenance updates until the end of January 2026, providing ample runway for any downstream consumers still on v3.


80-97: I have the results for three of the five actions mentioned in the review comment. Let me search for the breaking changes in the remaining two actions:

Let me search for more specific breaking change information for the remaining two actions:

Verify GitHub Actions major version updates for breaking changes—focus on three actions with confirmed breaking changes.

Upload-artifact v5 requires Node.js v24 and bumps @actions/artifact to v4, which introduces immutable artifacts, a 500-artifact-per-job limit, and hidden-file exclusion by default. Download-artifact v6 also requires Node.js v24 and carries the same @actions/artifact v4 backend behavior, plus earlier versions had breaking path-extraction changes. Setup-node v6 limits automatic caching to npm only; other package managers (yarn, pnpm) require explicit cache enablement.

For docker/build-push-action@v6.18.0 and aws-actions/configure-aws-credentials@v5.1.0: no documented breaking changes were found in public release notes, but you should manually verify these against your workflows to ensure compatibility.

template/_typos.toml (1)

25-25: LGTM! Typo correction.

The comment correction from "mispell" to "misspell" improves documentation clarity.

pyrightconfig.json (1)

15-16: LGTM! Appropriate exclusions for generated code.

Adding exclusions for GraphQL and OpenAPI generated code aligns with best practices and reduces static analysis noise. This is consistent with similar exclusions in .coveragerc and pre-commit configuration.

template/.coveragerc (1)

6-7: LGTM! Appropriate coverage exclusion.

Excluding auto-generated OpenAPI client code from coverage analysis is a best practice. This aligns with the corresponding exclusions in pyrightconfig.json.

template/CONTRIBUTING.md (1)

30-30: LGTM! Branding correction.

Correcting "Github" to "GitHub" maintains proper branding consistency.

template/.github/workflows/pre-commit.yaml (2)

39-39: LGTM! Security improvement.

Adding persist-credentials: false to checkout actions is a security best practice that prevents credentials from persisting in the workspace.

Also applies to: 44-45


31-31: Verify timeout durations are sufficient with historical workflow data.

The job timeout and mutex acquisition timeout have both been set to 8 minutes (reduced from 30 minutes for mutex). Please verify that this duration is sufficient based on recent Pre-commit workflow run times. You can use the provided script to check historical runs:

gh run list --workflow="Pre-commit" --limit 20 --json startedAt,updatedAt,conclusion | \
  jq -r '.[] | "\(.conclusion)\t\((.updatedAt | fromdateiso8601) - (.startedAt | fromdateiso8601) | . / 60 | floor) minutes"'

Ensure the 8-minute timeout provides adequate buffer above your maximum observed run durations to prevent premature failures.

_typos.toml (1)

25-25: LGTM! Consistent typo correction.

The comment correction from "mispell" to "misspell" matches the identical fix in template/_typos.toml, maintaining consistency across the repository.

.devcontainer/docker-compose.yml (1)

16-16: Port consistency verified successfully.

The SSH port change from 54184 to 51184 is consistent across the repository:

  • .copier-answers.yml stores ssh_port_number: 51184
  • .devcontainer/docker-compose.yml maps "51184:2222"
  • No remaining references to the old port 54184 exist in the codebase

The changes are correctly aligned.

template/.github/actions/pulumi_ephemeral_deploy/action.yml (1)

71-71: Version v5.1.0 is valid and up-to-date.

v5.1.0 is the latest published release of aws-actions/configure-aws-credentials, and there are no published security advisories for this version. The version bump is appropriate.

.github/workflows/tag-on-merge.yaml (3)

13-13: LGTM! Good addition of timeout protection.

The 2-minute timeout for the tagging job is appropriate and helps prevent runaway jobs.


21-21: LGTM! Security best practice.

Setting persist-credentials: false prevents the GITHUB_TOKEN from persisting after checkout, which is a security best practice to prevent credential leakage in subsequent steps.


23-23: LGTM! Security best practice with commit pinning.

Using a commit SHA instead of a mutable tag reference prevents potential supply chain attacks where tags could be replaced. The inline comment preserving the version reference is helpful for tracking updates.

ruff.toml (2)

48-48: LGTM! Reasonable docstring exemption.

Exempting magic methods from requiring docstrings is reasonable, as they often have well-understood semantics from Python conventions.


72-75: LGTM! Improved formatting.

The reformatted unfixable list is more readable with consistent indentation and line breaks.

template/.devcontainer/docker-compose.yml.jinja (1)

19-20: LGTM! Conditional secret exposure.

The conditional ANTHROPIC_API_KEY environment variable is appropriately guarded by the install_claude_cli flag. This ensures the API key is only exposed when Claude CLI is actually installed, which is a good security practice.

ruff-test.toml (2)

15-15: LGTM! Grammar correction.

Fixed the typo from "dont" to "don't".


18-20: LGTM! Good testing practice.

Preventing automatic combination of pytest.raises with other context managers ensures more precise error location tracking in tests. This improves test clarity and debugging.

template/pyrightconfig.json (1)

13-14: LGTM! Appropriate exclusions for generated code.

Excluding generated GraphQL and OpenAPI code from Pyright analysis is standard practice, as these files are auto-generated and don't require type checking.

CONTRIBUTING.md (1)

30-30: LGTM! Proper brand capitalization.

Corrected the capitalization from "Github" to "GitHub" (proper brand name formatting).

template/ruff-test.toml (2)

15-15: LGTM! Grammar correction.

Fixed the typo from "dont" to "don't" (consistent with the root ruff-test.toml).


18-20: LGTM! Good testing practice.

Preventing automatic combination of pytest.raises with other context managers ensures more precise error location tracking in tests. This improves test clarity and debugging (consistent with the root ruff-test.toml).

.github/workflows/pre-commit.yaml (1)

31-31: LGTM! Security and timeout improvements look good.

The additions of persist-credentials: false follow security best practices by preventing credential leakage, and the timeout reductions from 30 to 8 minutes align with the PR's objective of addressing CI timeouts. The consistency across job-level and mutex timeouts is well-coordinated.

Note: The static analysis tool flagged lines 38 and 59 for having only one space before comments instead of two (YAML convention). This is a minor formatting nitpick that you may optionally address for style consistency.

Also applies to: 39-39, 44-45, 59-59

.github/zizmor.yml (1)

1-5: LGTM! Clear security-conscious configuration.

The ignore rule for the template-injection warning is well-documented with a clear explanation that the output is only for debugging and not command execution. This demonstrates proper risk assessment and documentation.

.coderabbit.yaml (1)

1-26: LGTM! Well-configured CodeRabbit settings.

The configuration follows the provided schema correctly and includes helpful inline comments explaining the rationale for each setting. Key highlights:

  • Assertive profile will provide more comprehensive feedback
  • Vendor files path instruction prevents noise from read-only code
  • Tool disabling avoids duplication with pre-commit hooks
  • Finishing touches appropriately disabled with clear reasoning

The configuration is consistent and well-thought-out.

template/.coderabbit.yaml (1)

1-26: LGTM! Template configuration mirrors root appropriately.

The template's CodeRabbit configuration is identical to the root configuration, which is the correct approach. This ensures that projects generated from this template inherit the same review behavior, tool settings, and policies.

.devcontainer/install-ci-tooling.py (3)

10-14: LGTM! Tool version updates look reasonable.

The version bumps for UV (0.8.15 → 0.9.11), PNPM (10.15.1 → 10.23.0), Copier (9.10.1 → 9.11.0), and pre-commit (4.3.0 → 4.5.0) are all minor or patch updates, which should be lower risk than major version changes.


68-68: LGTM! Enhanced curl resilience.

The curl command now includes robust network handling options:

  • --connect-timeout 20 and --max-time 40 prevent hanging
  • --retry 3 --retry-delay 5 --retry-connrefused improve reliability on transient failures

This significantly improves the installation robustness in CI environments.


45-45: No issues found — environment variable order does not matter.

uv reads both environment variables independently and applies their semantics (UV_PYTHON sets the requested Python version; UV_PYTHON_PREFERENCE controls whether system or managed Pythons are preferred) regardless of order. The code change is correct.

.github/reusable_workflows/build-docker-image.yaml (2)

46-46: LGTM! Build timeout and action version updates look good.

The changes improve the workflow:

  • Job timeout increased to 15 minutes (appropriate for Docker builds)
  • persist-credentials: false enhances security
  • AWS credentials action patch update (v5.0.0 → v5.1.0)
  • Mutex timeout aligned with other workflows (reduced to 8 minutes)
  • Docker build-push action patch update (v6.16.0 → v6.18.0)

Also applies to: 70-71, 75-75, 98-98, 132-132


159-159: Upgrade to upload-artifact@v5.0.0 is safe for this workflow.

Verification confirms the breaking changes from v5.0.0 and its underlying @actions/artifact v4.0.0 dependency do not impact this workflow. The v5.0.0 primary requirement is Node.js 24 runtime support. The v4.0.0 breaking changes—immutable artifacts, job-scoped storage, v3 incompatibility—do not apply to this single-upload pattern.

No workflows in the codebase consume this artifact; if external workflows download this artifact, ensure they use download-artifact v4+.

.github/actions/install_deps/action.yml (2)

42-46: LGTM! New input flag and AWS credentials update.

The additions are well-structured:

  • New skip-updating-devcontainer-hash input with sensible defaults (true to maintain existing behavior)
  • AWS credentials action patch update (v5.0.0 → v5.1.0)
  • Proper conditional flag passing to manual-setup-deps.py

Also applies to: 78-78, 86-86


67-67: Breaking change in setup-node v6.0.0 confirmed but does not impact this repository.

The v6.0.0 release includes a documented breaking change: "Limit automatic caching to npm, update workflows and documentation". However, this repository is not affected because:

  • The setup-node step in .github/actions/install_deps/action.yml does not specify a package-manager field and includes no explicit caching configuration
  • Node dependency installation is delegated to a Python script (.devcontainer/manual-setup-deps.py) rather than relying on setup-node's built-in caching behavior
  • No cache steps are configured in workflows

No action is required for this change.

pyproject.toml (1)

9-11: Based on verification of the changelog information, I found real breaking changes with these upgrades that warrant caution:

Verify test suite compatibility with major version upgrades.

pytest 9.x introduced breaking changes to pytest's collection phase with no deprecation period, and PytestRemovedIn9Warning deprecation warnings are now errors by default. Additionally, pytest-cov 7.0.0 dropped support for Python 3.7, and requires at least coverage 7.10.6.

These are test dependencies with legitimate breaking changes. Before merging, confirm:

  1. The test suite runs successfully with pytest 9.0.1, pytest-cov 7.0.0, and pytest-randomly 4.0.1
  2. No deprecated pytest features are in use (if targeting pytest 9.x, verify no PytestRemovedIn9Warning violations)
  3. Minimum Python version requirement is Python 3.8+ (incompatible with Python 3.7)

.pre-commit-config.yaml (2)

197-200: LGTM! Good addition for workflow validation.

Adding the check-github-workflows hook will help catch syntax and schema errors in GitHub Actions workflow files before they're pushed.


110-111: Verify that switching to a community fork is intentional.

rbubley/mirrors-prettier is a community fork used by some projects, not the official pre-commit/prettier mirror. The official mirror historically lived under pre-commit/mirrors-prettier (now archived). Before using this community fork, ensure that this choice is intentional and acceptable for your project, particularly regarding maintenance and security considerations.

.devcontainer/manual-setup-deps.py (2)

92-101: LGTM! Well-designed Python version precedence.

The UV_PYTHON configuration logic correctly respects the precedence: existing environment variable → CLI argument → local .python-version file → repo root .python-version file. This provides flexibility while preventing unintended overrides.


151-160: LGTM! Good separation of concerns for hash updates.

The conditional hash update logic is well-implemented:

  • Respects the --skip-updating-devcontainer-hash flag for flexibility in CI/CD
  • Uses --exit-zero to prevent failures on hash mismatches
  • Properly captures and displays output

.github/workflows/ci.yaml (3)

57-58: LGTM! Security improvement.

Adding persist-credentials: false prevents GitHub credentials from persisting in the workspace, reducing the attack surface if subsequent steps are compromised.


110-110: Verify the mutex timeout reduction.

The mutex acquisition timeout has been reduced from 30 to 8 minutes (a 73% reduction). While this can speed up failure detection, ensure that normal queuing scenarios won't trigger premature timeouts during high CI load.

Note: The static analysis warning about comment spacing is a minor style issue that can be safely ignored or fixed.


100-100: LGTM! Flags align with updated dependency script.

The new flags --skip-check-lock and --skip-updating-devcontainer-hash are appropriate for CI environments where lock files are assumed valid and hash updates aren't needed.

tests/copier_data/data1.yaml (1)

6-6: LGTM! Test data updated for new template option.

The addition of install_claude_cli: false ensures test coverage for the non-Claude-CLI installation path.

tests/copier_data/data2.yaml (1)

6-6: LGTM! Test data updated for new template option.

The addition of install_claude_cli: true ensures test coverage for the Claude-CLI installation path, complementing the false value in data1.yaml.

template/.github/workflows/get-values.yaml (2)

28-32: LGTM! Helpful debugging addition.

Displaying the full GitHub context at the start of the job will aid in debugging workflow issues and understanding the runtime environment.


36-37: LGTM! Security improvement.

Adding persist-credentials: false is a security best practice that prevents credentials from being available to subsequent steps.

template/.github/workflows/ci.yaml.jinja (1)

51-51: LGTM! Timeout configuration added.

Adding the timeout using the gha_short_timeout_minutes template variable ensures consistent timeout configuration across workflows.

.copier-answers.yml (1)

13-13: No issues found—the SSH port change is isolated to template configuration.

The file .copier-answers.yml is a Copier template answers file (auto-managed by Copier, as indicated by its header comment). The port number ssh_port_number: 51184 is a template configuration value, not a live connection setting. Verification found zero references to the old port (54184) anywhere in the codebase, confirming this change has no impact on existing connections, scripts, or documentation.

template/.github/workflows/pulumi-aws.yml (1)

96-96: LGTM! Timeout adjustments are well-balanced.

The job timeout increase to 45 minutes and mutex timeout reduction to 15 minutes provide better resource management—allowing sufficient time for Pulumi operations while preventing indefinite queue waits.

Also applies to: 114-114

.github/workflows/get-values.yaml (3)

22-22: LGTM! Appropriate timeout for the get-values job.

The 2-minute timeout is suitable for this lightweight job that extracts and computes values.


28-32: LGTM! GitHub context display aids debugging.

Outputting the full GitHub context as JSON is helpful for troubleshooting workflow issues without requiring re-runs.


36-37: LGTM! Security best practice applied.

Setting persist-credentials: false prevents credentials from persisting in the checked-out repository, reducing the risk of accidental credential exposure.

template/ruff.toml (2)

48-48: LGTM! Explicit documentation for magic methods.

Making the D105 ignore explicit ensures consistent treatment of magic method docstrings across the codebase.


72-75: LGTM! Unfixable rules reorganized for clarity.

The reformatting improves readability while preserving the same set of unfixable rules.

template/.devcontainer/install-ci-tooling.py.jinja (1)

68-68: LGTM! Robust curl invocation with timeouts and retries.

The enhanced curl command adds connection/total timeouts, retry logic with backoff, and HTTPS enforcement, significantly improving reliability and security of the UV installer fetch.

template/.github/actions/install_deps/action.yml (3)

42-46: LGTM! New input for devcontainer hash control.

The skip-updating-devcontainer-hash input provides flexibility in CI workflows to control when the devcontainer hash is updated, with a sensible default of true for most CI scenarios.


86-86: LGTM! Conditional flag propagation.

The conditional passing of --skip-updating-devcontainer-hash to the setup script follows the established pattern and correctly uses the GitHub Actions ternary syntax.


67-67: Review breaking change in actions/setup-node v6.0.0 before merging.

Both versions are valid, but actions/setup-node v6.0.0 introduces a breaking change: automatic caching is now limited to npm only. Verify whether your workflows rely on caching for other package managers (yarn, pnpm, etc.) and update workflows if needed.

The aws-actions/configure-aws-credentials v5.1.0 update is safe—it's a minor version bump with new features and a bug fix, with no breaking changes.

template/.devcontainer/devcontainer.json.jinja (5)

30-30: LGTM! CodeRabbit extension added.

The addition of the CodeRabbit VSCode extension aligns with the PR's broader integration of CodeRabbit tooling.


62-62: LGTM! Copilot setting prevents whitespace-only changes.

Disabling whitespace-only suggestions from Copilot's next edits reduces noise in code suggestions.


38-41: I'll verify the remaining extension versions.

Extension versions verified and valid.

Pylance version 2025.8.3 is published and confirmed available. Ruff version 2025.28.0 was released on October 7, 2025. Combined with the earlier verification that ms-python.python version 2025.17.2025100201 is a published release, all three extension versions in your devcontainer configuration are valid and available in the VSCode marketplace.


21-22: No issues found - Claude CLI devcontainer feature is publicly available.

The Claude CLI devcontainer feature exists at ghcr.io/anthropics/devcontainer-features/claude-code, and version 1.0.5 is publicly available. The conditional integration in the template is correct.


6-9: I need to verify the specific versions mentioned. Let me search for more targeted information about these releases.

Let me search for more specific information about breaking changes between these versions.

AWS CLI version 2.31.11 and devcontainer feature 1.1.2 are valid and available.

AWS CLI v2.31.11 is documented in the official changelog with API updates for various AWS services. The devcontainer feature version 1.1.2 was published 2 months ago and is available, representing a standard patch-level update from 1.1.1. The changes between 2.27.14 and 2.31.11 include API enhancements and service updates typical of AWS CLI releases. No breaking changes are introduced between minor versions within the v2.x series—breaking changes are limited to major version transitions (v1 to v2). Both versions can be safely updated in your devcontainer configuration.

.devcontainer/devcontainer.json (1)

6-9: LGTM! Devcontainer configuration synchronized with template.

The changes mirror the template updates:

  • AWS CLI and tooling version bumps
  • GitLens disabled, CodeRabbit extension added
  • Python tooling and Copilot updates
  • New Copilot whitespace setting
  • Context hash properly updated (229b607e)

These changes maintain consistency between the template and the actual repository configuration.

Also applies to: 23-24, 27-28, 31-34, 48-48, 66-66

README.md (1)

13-13: All new CLI flags are correctly implemented and documented.

The verification confirms that both --only-create-lock and --allow-uv-to-install-python flags are properly defined in .devcontainer/manual-setup-deps.py with appropriate help text and are correctly used in the script logic. The README.md documentation matches the implementation.

template/.devcontainer/manual-setup-deps.py (6)

14-14: LGTM: Clear precedence hierarchy established.

The constant and updated argument definition correctly establish the precedence: pre-existing UV_PYTHON environment variable takes highest priority, followed by the CLI argument, then .python-version files.

Also applies to: 19-20


26-28: LGTM: Well-designed CLI flags.

The new arguments provide granular control over the setup process:

  • --only-create-lock: enables lock file generation without installation (useful for CI)
  • --skip-updating-devcontainer-hash: allows skipping hash updates when not needed
  • --allow-uv-to-install-python: controls whether UV can auto-install Python versions

Also applies to: 38-46


73-76: LGTM: Correct UV configuration and lock checking logic.

The logic correctly:

  • Restricts UV to system Python when --allow-uv-to-install-python is not set
  • Distinguishes between lock generation (--only-create-lock) and lock validation modes
  • Ensures mutually exclusive operations are handled properly

103-129: LGTM: Correct lock file handling logic.

The implementation properly distinguishes between:

  • Lock generation mode (--only-create-lock): runs uv lock without --check, skips installation
  • Lock validation mode: runs uv lock --check, then installs with --frozen flag

The per-environment env_check_lock flag correctly handles the --optionally-check-lock case and maintains consistency between UV and PNPM flows.

Also applies to: 132-132


151-160: LGTM: Proper devcontainer hash update integration.

The conditional hash update correctly:

  • Respects the --skip-updating-devcontainer-hash flag
  • Runs the hash computation script from the repo root
  • Captures and displays output for visibility
  • Uses --exit-zero to avoid failing the setup when hash changes are detected

92-101: No issues found; code correctly implements fallback chain for UV_PYTHON configuration.

The fallback precedence (CLI arg → env .python-version → root .python-version) is sound. When no source provides a Python version, leaving UV_PYTHON unset is the correct behavior—uv will then search for a compatible system Python, which aligns with the UV_PYTHON_PREFERENCE="only-system" setting on line 74. If no suitable system Python exists, uv will report an appropriate error.

template/.pre-commit-config.yaml (4)

45-45: LGTM: Improved formatting for typos hook.

The revision update and conversion to block-style YAML for the exclude pattern improves readability while maintaining the same exclusions.

Also applies to: 48-53


197-201: LGTM: Valuable workflow validation additions.

The new hooks enhance GitHub Actions workflow quality:

  • check-github-workflows: validates workflow syntax and schema compliance
  • zizmor (commented out): security linter for workflows, tracked for future implementation in issue #95

These additions align with security and CI/CD best practices.

Also applies to: 229-233


58-63: LGTM: Consistent and comprehensive exclude pattern updates.

The exclude pattern updates are well-structured:

  • Generated code exclusions: generated/open[-_]api pattern correctly handles both naming conventions
  • Template exclusions: prevents formatting conflicts in Copier template files
  • Binary-like format exclusions: SVGs appropriately excluded from text-based formatters
  • Format improvements: conversion to block-style YAML enhances readability

The patterns are applied consistently across all relevant hooks (ruff, pylint, pyright, prettier, docformatter, etc.).

Also applies to: 66-81, 83-95, 102-108, 115-136, 143-149, 163-164, 186-192, 258-263, 268-273, 275-279, 287-292, 303-307


45-45: I'll verify the version compatibility by searching for release information and examining the repository configuration.

Now let me examine the pre-commit configuration file to understand what the actual setup is:

Verify compatibility of major version bumps and clarify scope of version updates.

pylint v4.0.2 removes the suggestion-mode option, which should be removed from your config if defined. Additionally, the version requirement for isort has been bumped to >=5.0.0, removing internal compatibility for older versions. However, ruff v0.14.2 released on 2025-10-07 contains no documented breaking changes — it's a minor/patch update, not a major version bump.

Verify that:

  1. No project config files define the now-removed suggestion-mode option for pylint
  2. Your project's isort dependency is >=5.0.0 if pylint is used
  3. Review the specific version changes in pre-commit-config.yaml to assess actual impact on the project
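The hardened curl invocation noted above for `template/.devcontainer/install-ci-tooling.py.jinja` (connect and total timeouts, retries with backoff, HTTPS enforcement) is worth spelling out as shell, together with the step a practitioner would add next: checking the downloaded installer against a pinned SHA-256 before it is executed. The block below is an added example for this page, not the template's code; the flag values, the helper names and the assumption that the uv installer is fetched from https://astral.sh/uv/install.sh are my own choices.

```shell
#!/bin/sh
# Added example (not the template's install-ci-tooling.py.jinja code):
# a hardened download helper with timeouts, retries and HTTPS-only transport,
# plus verification of a pinned SHA-256 before the file is used.
# Flag values are illustrative choices, not necessarily the template's.

# Pre-flight check that needs no curl: refuse anything but https://.
# curl's --proto '=https' enforces the same thing (including on redirects),
# but failing early gives a clearer error and is testable offline.
is_https_url() {
    case "$1" in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# sha256_of FILE -> hex digest on stdout (coreutils sha256sum or BSD shasum)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> 0 if the digest matches, 1 otherwise
verify_sha256() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# fetch_verified URL EXPECTED_SHA256 OUTFILE
# Downloads with a 10 s connect timeout, a 120 s total budget and up to
# three retries (curl's default retry delay doubles each attempt), then
# checks the digest. The file is deleted on any failure so a later
# "sh OUTFILE" can never run partial or tampered content.
fetch_verified() {
    url=$1; expected=$2; out=$3
    is_https_url "$url" || { echo "refusing non-https URL: $url" >&2; return 1; }
    curl --proto '=https' --tlsv1.2 \
         --fail --location --silent --show-error \
         --connect-timeout 10 --max-time 120 \
         --retry 3 --retry-all-errors \
         --output "$out" "$url" || { rm -f "$out"; return 1; }
    if ! verify_sha256 "$out" "$expected"; then
        echo "checksum mismatch for $url" >&2
        rm -f "$out"
        return 1
    fi
}

# Usage (network required; the digest must be the one you pinned when you
# last reviewed the installer, not one fetched from the same server):
#   fetch_verified https://astral.sh/uv/install.sh <pinned_sha256> /tmp/uv-install.sh \
#       && sh /tmp/uv-install.sh
```

Pinning a digest means the installer script stops auto-updating; that is the point, since an unpinned `curl | sh` trusts whatever the server serves on the day the CI job runs. Rotate the pin deliberately when you bump the tooling version.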

Comment on lines +229 to +232
# - repo: https://github.com/woodruffw/zizmor-pre-commit # TODO: implement this: https://github.com/LabAutomationAndScreening/copier-base-template/issues/95
# rev: b933184438555436e38621f46ceb0c417cbed400 # frozen: v1.13.0
# hooks:
# - id: zizmor
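Review bot: the commented-out block pins `rev` to a full commit SHA with a `# frozen: v1.13.0` annotation rather than to the tag; keep that shape when the TODO (issue #95) is resolved, since a third-party security linter is exactly the kind of hook whose tag you do not want to be movable. This PR already sets `persist-credentials: false` by hand in ci.yaml and get-values.yaml, and a workflow linter run in pre-commit is the natural way to keep that from regressing, so enabling the hook in the same change would make the fix self-checking.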

🧹 Nitpick | 🔵 Trivial

Consider enabling the zizmor security scanner.

The zizmor hook for GitHub Actions security auditing is commented out with a TODO. This tool can identify security issues in workflows.

Would you like me to open an issue to track enabling this security scanner, or help with the implementation?

🤖 Prompt for AI Agents
In .pre-commit-config.yaml around lines 229 to 232 the zizmor hook is commented
out; enable and configure it by uncommenting the repo block, pinning a stable
rev, and adding the zizmor hook entry so pre-commit runs the GitHub Actions
security scanner; ensure the chosen rev is a released tag or commit SHA,
validate the hook ID is "zizmor", and run pre-commit autoupdate/test to confirm
it executes correctly (or alternatively create an issue tracking this TODO if
you prefer to defer enabling).
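The `persist-credentials: false` changes approved in the file summaries above (ci.yaml, get-values.yaml and the template's get-values.yaml) are the class of issue a workflow scanner such as the one discussed in this thread is meant to catch, and what the setting prevents is easy to see by hand. The following is an added example written for this page, not code from the PR, the template or the linter: it shows the config entry actions/checkout writes when the default is left in place, a check a later step can run to prove it is absent, and a cleanup for an existing checkout. The sample `.git/config` and its token are constructed.

```shell
#!/bin/sh
# Added example, not code from the PR or the template.
#
# With persist-credentials left at its default (true), actions/checkout
# stores the job token in the repository's own .git/config as an HTTP
# extra header, so any later step that can read the workspace (a
# third-party action, a build script, a compromised test dependency)
# can read it back:
#
#   [http "https://github.com/"]
#       extraheader = AUTHORIZATION: basic <base64 of "x-access-token:<token>">
#
# The hardened checkout the review approves of simply never writes it:
#
#   - uses: actions/checkout@v4
#     with:
#       persist-credentials: false
#
# Steps that genuinely need to push can be handed a scoped token
# explicitly instead of inheriting this ambient one.

# Constructed sample of a leaked config; the token is a fake
# (base64 of "x-access-token:ghs_faketoken").
SAMPLE_CONFIG='[core]
    repositoryformatversion = 0
[remote "origin"]
    url = https://github.com/example/repo
[http "https://github.com/"]
    extraheader = AUTHORIZATION: basic eC1hY2Nlc3MtdG9rZW46Z2hzX2Zha2V0b2tlbg=='

# has_persisted_token CONFIG_FILE -> 0 if an AUTHORIZATION extraheader is present
has_persisted_token() {
    grep -qiE '^[[:space:]]*extraheader[[:space:]]*=[[:space:]]*AUTHORIZATION:' "$1"
}

# strip_persisted_token CONFIG_FILE -> removes that line; on a real checkout
# `git config --local --unset-all http.https://github.com/.extraheader`
# does the same thing.
strip_persisted_token() {
    tmp="$1.tmp.$$"
    grep -viE '^[[:space:]]*extraheader[[:space:]]*=[[:space:]]*AUTHORIZATION:' "$1" > "$tmp" || true
    mv "$tmp" "$1"
}

# audit_workspace REPO_DIR -> 0 if clean, 1 if a token is still persisted.
# Run as a step right after checkout to enforce the setting rather than
# trust that every workflow remembered it.
audit_workspace() {
    cfg="$1/.git/config"
    [ -f "$cfg" ] || return 0
    if has_persisted_token "$cfg"; then
        echo "job token persisted in $cfg; set persist-credentials: false" >&2
        return 1
    fi
}

# Stand-alone demo on a temporary fake checkout (call `demo` to run it).
demo() {
    dir=$(mktemp -d)
    mkdir -p "$dir/.git"
    printf '%s\n' "$SAMPLE_CONFIG" > "$dir/.git/config"
    audit_workspace "$dir" || echo "token detected, as expected"
    strip_persisted_token "$dir/.git/config"
    audit_workspace "$dir" && echo "clean after removal"
    rm -rf "$dir"
}
```

The audit step is the useful half: `persist-credentials: false` is a per-`uses: actions/checkout` setting, so one new workflow that forgets it reintroduces the token, and a check that fails the job is cheaper than re-reviewing every checkout by eye.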

Comment on lines +14 to +17
install_claude_cli:
type: bool
help: Should the Claude CLI be installed in the devcontainer?
default: no
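Review bot: `default: no` on the last line depends on the YAML loader's truthy handling: a YAML 1.1 loader reads `no` as boolean false, a YAML 1.2 loader reads it as the string "no". With `type: bool` declared the value should still be cast either way, but `default: false` states the intent without relying on that and clears the yamllint warning quoted in the comment below.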

🧹 Nitpick | 🔵 Trivial

Use explicit boolean values for better clarity.

The static analysis tool warns that default: no should be default: false for explicit boolean clarity. While YAML interprets both, using true/false is more explicit and prevents potential confusion.

Apply this diff:

 install_claude_cli:
     type: bool
     help: Should the Claude CLI be installed in the devcontainer?
-    default: no
+    default: false
🧰 Tools
🪛 YAMLlint (1.37.1)

[warning] 17-17: truthy value should be one of [false, true]

(truthy)

🤖 Prompt for AI Agents
In copier.yml around lines 14 to 17, the boolean default uses the string "no"
which should be an explicit YAML boolean; change the default value from no to
false so the key install_claude_cli reads as an actual boolean default: false,
ensuring the YAML uses true/false instead of yes/no strings for clarity and
static-analysis compatibility.


[![OpenIssues](http://isitmaintained.com/badge/open/LabAutomationAndScreening/copier-aws-organization.svg)](http://isitmaintained.com/project/LabAutomationAndScreening/copier-aws-organization)

# Usage
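Review bot: both isitmaintained.com URLs on the badge line use plain `http://`; the badge image and its link target are fetched unencrypted unless the site happens to redirect, so switch both to `https://`. The missing blank line before `# Usage` (MD022) flagged below is cosmetic by comparison.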

🧹 Nitpick | 🔵 Trivial

Add blank line before heading.

The static analysis tool flagged a missing blank line before the "Usage" heading.

Apply this diff:

+
 # Usage
🧰 Tools
🪛 markdownlint-cli2 (0.18.1)

7-7: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

🤖 Prompt for AI Agents
In README.md around line 7, there is no blank line immediately before the
"Usage" heading; insert a single blank line above the "# Usage" line so the
heading is separated from the preceding paragraph/content to satisfy the static
analysis rule.

Comment on lines +110 to +111
- repo: https://github.com/rbubley/mirrors-prettier
rev: 5ba47274f9b181bce26a5150a725577f3c336011 # frozen: v3.6.2
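Review bot: the file summary earlier on this page states that pre-commit/mirrors-prettier is archived, which the "revert to the official mirror" advice below does not account for. Whichever repository is chosen, the control that matters for a third-party hook is already present on the `rev` line: a full commit SHA with a `# frozen: v3.6.2` annotation, so a moved or re-pushed tag cannot change what gets installed. Confirm that SHA matches the fork's v3.6.2 tag before merging, and keep SHA pinning on any future `pre-commit autoupdate` rather than letting it fall back to a bare tag.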

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

Verify the prettier mirror repository change.

The prettier hook repository changed from mirrors-prettier to rbubley/mirrors-prettier. Please confirm:

  1. This is an official or trusted prettier pre-commit mirror
  2. The repository is actively maintained
  3. The version bump to v3.6.2 is compatible with the project

🌐 Web query:

Is rbubley/mirrors-prettier an official pre-commit mirror for prettier?

💡 Result:

No — the official pre-commit mirror for Prettier is pre-commit/mirrors-prettier. rbubley/mirrors-prettier is a separate third‑party fork/clone (projects sometimes reference it), not the official pre-commit organization mirror. [1][2]

Sources:

  • pre-commit/mirrors-prettier (official mirror repository). [1]
  • Example project using rbubley/mirrors-prettier (shows it is a separate fork). [2]

Use the official pre-commit mirror for prettier instead of a third-party fork.

The repository changed to rbubley/mirrors-prettier, which is a third-party fork rather than the official mirror. The official pre-commit mirror for Prettier is pre-commit/mirrors-prettier. Revert to the official mirror to ensure maintainability and avoid potential security risks from unauthorized forks.

🤖 Prompt for AI Agents
In template/.pre-commit-config.yaml around lines 110 to 111, the repo entry uses
a third-party fork (rbubley/mirrors-prettier) instead of the official mirror;
update the repo value to the official pre-commit/mirrors-prettier and keep or
update the rev to a corresponding official tag or commit (ensure the rev matches
the chosen official version), then run pre-commit autoupdate or validate the
config to confirm no other references need changing.

@ejfine ejfine merged commit 3f526bf into main Nov 24, 2025
7 checks passed
@ejfine ejfine deleted the copier-timeouts branch November 24, 2025 12:40