
Bump Fast API and Uvicorn #96

Merged
ejfine merged 15 commits into main from fastapi
Sep 23, 2025

Conversation

Contributor

@ejfine ejfine commented Sep 23, 2025

Why is this change necessary?

Newer versions

How does this change address the issue?

Bumps them

What side effects does this change have?

None

How is this change tested?

Downstream repos

Other

Made some modifications to GitHub workflows based on zizmor recommendations. But disabled zizmor for now and created an issue to fully implement it later.

Created a question around copyright holder name in the template.

Fixed typo in README.

Summary by CodeRabbit

  • New Features

    • Added a template option to set a human-readable organization name for copyright.
  • Chores

    • Hardened CI by disabling credential persistence in several checkouts and pinning a tagging action.
    • Added GitHub workflow JSON schema validation; updated pre-commit tooling and hooks.
    • Bumped several tool and dependency versions and refreshed devcontainer metadata.
    • Adjusted lint rules to ignore magic-method docstrings (D105).
  • Documentation

    • Clarified README instructions for copying the install script.
  • Tests

    • Updated copier test data to cover the new organization-name option.

@ejfine ejfine requested a review from Copilot September 23, 2025 18:23
@ejfine ejfine self-assigned this Sep 23, 2025

coderabbitai bot commented Sep 23, 2025

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Bumps several tooling/context versions, disables credential persistence on multiple GitHub checkout steps and pins one tag action, updates pre-commit hooks (adds JSON-schema check and revisions), adds a new Copier field with test fixtures, and adds a Ruff ignore rule and minor template/docs tweaks.

Changes

Cohort / File(s) / Summary

Devcontainer metadata
  .devcontainer/devcontainer.json
  Update context hash comment (d461f957 → d1386cd9).
CI tooling installer
  .devcontainer/install-ci-tooling.py
  Bump UV_VERSION from "0.8.17" to "0.8.19".
Context version map
  extensions/context.py
  Update context versions: uv_version 0.8.17 → 0.8.19, pnpm_version 10.17.0 → 10.17.1, pulumi_version 3.196.0 → 3.197.0, fastapi_version 0.116.1 → 0.117.1, uvicorn_version 0.35.0 → 0.36.0.
GitHub workflows (root & templates)
  .github/workflows/ci.yaml, .github/workflows/tag-on-merge.yaml, template/.../ci.yaml.jinja-base, template/.../pre-commit.yaml.jinja-base, template/.../get-values.yaml.jinja-base, template/.github/reusable_workflows/build-docker-image.yaml.jinja-base
  Add persist-credentials: false to multiple checkout steps; add permissions: {} to two jobs; pin github-tag-action usage to commit a22cf086... in the tag-on-merge workflow.
Pre-commit config & checks
  .pre-commit-config.yaml
  Switch Prettier mirror and revision, expand exclude patterns, add python-jsonschema/check-jsonschema hook (check-github-workflows), bump hadolint and ruff hook revisions, keep the zizmor block as a comment.
Copier schema + tests
  copier.yaml, tests/copier_data/data1.yaml, tests/copier_data/data2.yaml
  Add repo_org_name_for_copyright field to schema (default {{ repo_org_name }}) and add test values ("The Greatest Org", "Initech Corporation").
Ruff config
  ruff.toml
  Add D105 to docstring ignore rules.
Template security config
  template/.github/zizmor.yml
  Add ignore rule for template-injection at get-values.yaml:28.
Template README
  template/README.md.jinja-base
  Clarify wording about copying install-ci-tooling.py from this repo into the target repo.

Sequence Diagram(s)

sequenceDiagram
  participant Dev as Developer / Repo
  participant CI as GitHub Actions
  participant Checkout as actions/checkout
  participant TagAction as github-tag-action

  rect #f0f9ff
    Note over CI,Checkout: Checkout steps now run with\npersist-credentials: false
  end

  Dev->>CI: Push / Merge
  CI->>Checkout: actions/checkout (persist-credentials: false)
  Checkout-->>CI: Repository checked out (no persisted creds)
  CI->>CI: run pre-commit / linters / build
  alt Tag-on-merge job
    CI->>Checkout: actions/checkout (persist-credentials: false)
    CI->>TagAction: github-tag-action @ a22cf086...
    TagAction-->>CI: create/push tag
  end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • Bump nuxt and other deps #86 — Edits the same files and updates UV version constants in both .devcontainer/install-ci-tooling.py and extensions/context.py.
  • Bump pytest-cov #92 — Also bumps UV/tooling versions across installer and context mappings.
  • Readme update #72 — Similar combined changes: devcontainer hash, tooling version bumps, and context updates.

Poem

I’m a rabbit with a tiny key,
Nudging versions up with gentle glee.
Checkouts forget their creds tonight,
Schemas sing and linters bite.
Hoppity-hop — templates polished bright! 🐇✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name / Status / Explanation
Title Check: ✅ Passed. The title "Bump Fast API and Uvicorn" concisely captures the primary intent of the PR — updating FastAPI and Uvicorn versions present in the changeset — and is relevant to the main changes. It is readable and specific enough for a teammate scanning history to understand the primary change.
Description Check: ✅ Passed. The PR description fills most sections of the repository template (Why, How, Side effects, How is this change tested, Other) with brief answers and notes, matching the expected structure, but it omits the "Link to Issue or Message thread" section and several entries are terse. Overall the description is mostly complete but would benefit from a linked discussion/issue and more detailed testing and impact information.
Docstring Coverage: ✅ Passed. No functions found in the changes. Docstring coverage check skipped.

Copilot AI left a comment

Pull Request Overview

This PR bumps FastAPI and Uvicorn to newer versions and implements security improvements to GitHub workflows based on zizmor recommendations.

  • Updates FastAPI from 0.116.1 to 0.117.1 and Uvicorn from 0.35.0 to 0.36.0
  • Adds security configurations to GitHub Actions workflows including persist-credentials: false and permissions restrictions
  • Introduces a new copyright holder field for templates and fixes documentation typos

Reviewed Changes

Copilot reviewed 16 out of 16 changed files in this pull request and generated 1 comment.

Summary per file

File / Description
extensions/context.py: Updates FastAPI, Uvicorn, and other package versions
template/.github/workflows/*.yaml.jinja-base: Adds security configurations to workflow templates
copier.yaml: Adds new copyright holder field configuration
tests/copier_data/*.yaml: Updates test data with copyright holder examples
.pre-commit-config.yaml: Updates pre-commit hooks and adds GitHub workflow validation
.github/workflows/*.yaml: Applies security improvements to repository workflows
template/README.md.jinja-base: Fixes incomplete sentence in documentation



- name: Update Devcontainer Hash
if: ${{ github.actor == 'dependabot[bot]' && github.event_name == 'push' }}
if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' && github.event_name == 'push' }}
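Review bot: the new condition can never hold on the push events it is gated to, because github.event.pull_request exists only in pull_request payloads; on a push payload the property is absent, the expression evaluates to null, the comparison is false, and the step is silently skipped rather than erroring, so the hash update stops happening without any CI failure to flag it. Keep `github.actor == 'dependabot[bot]'` for the push trigger as the previous line had, or, if the intent is to react to Dependabot pull requests, change the event-name check at the same time.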
Copilot AI Sep 23, 2025

The condition github.event.pull_request.user.login == 'dependabot[bot]' will fail because github.event.pull_request is not available in push events. This should use github.actor == 'dependabot[bot]' as in the original code, or check the event type first.

Suggested change
if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' && github.event_name == 'push' }}
if: ${{ github.actor == 'dependabot[bot]' && github.event_name == 'push' }}


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (7)
template/.github/zizmor.yml (1)

1-5: Avoid brittle line-number-specific ignores.

Prefer ignoring the file path (or a more targeted pattern) to prevent breakage when lines shift.

Apply:

-      - get-values.yaml:28
+      - get-values.yaml

Confirm this scope is acceptable for your use case.

template/README.md.jinja-base (1)

10-11: Clarify the script source link.

“this repo” can be ambiguous when rendered downstream; consider linking directly to the script in the base template.

Example: https://github.com/LabAutomationAndScreening/copier-base-template/blob/main/.devcontainer/install-ci-tooling.py

.pre-commit-config.yaml (1)

182-186: Added GitHub workflows schema check is a solid addition.

Optionally add a second hook to validate template/.github/workflows as well.

+  - repo: https://github.com/python-jsonschema/check-jsonschema
+    rev: 83987cd6ad8943c7f029b500b14aaf82c00a01fa  # frozen: 0.34.0
+    hooks:
+      - id: check-jsonschema
+        name: check-template-github-workflows
+        args: ["--builtin-schema", "github-workflows"]
+        files: ^template/.github/workflows/.*\.ya?ml$
copier.yaml (1)

12-12: Microcopy: clarify help text

Consider lowercase “copyright” and being explicit about the notice to reduce ambiguity.

Apply:

-    help: What's the human-readable organization or username that should be set for the Copyright?
+    help: What's the human-readable organization or username to use in the copyright notice?
.github/workflows/tag-on-merge.yaml (1)

16-21: Consider pinning actions/checkout to a commit SHA.

You pinned the tag action to a SHA; applying the same to actions/checkout@v5.0.0 would align supply‑chain hardening across steps.

.github/workflows/ci.yaml (2)

27-30: Pin actions/checkout to a commit SHA for supply‑chain hardening.

Same recommendation as elsewhere; pinning reduces risk from mutable tags.


85-87: Repeat: pin this checkout to a commit SHA as well.

Keeps consistency and hardens the workflow.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8f2ecc6 and 5f7edca.

📒 Files selected for processing (16)
  • .devcontainer/devcontainer.json (1 hunks)
  • .devcontainer/install-ci-tooling.py (1 hunks)
  • .github/workflows/ci.yaml (3 hunks)
  • .github/workflows/tag-on-merge.yaml (1 hunks)
  • .pre-commit-config.yaml (5 hunks)
  • copier.yaml (1 hunks)
  • extensions/context.py (2 hunks)
  • ruff.toml (1 hunks)
  • template/.github/reusable_workflows/build-docker-image.yaml.jinja-base (1 hunks)
  • template/.github/workflows/ci.yaml.jinja-base (1 hunks)
  • template/.github/workflows/get-values.yaml.jinja-base (1 hunks)
  • template/.github/workflows/pre-commit.yaml.jinja-base (1 hunks)
  • template/.github/zizmor.yml (1 hunks)
  • template/README.md.jinja-base (1 hunks)
  • tests/copier_data/data1.yaml (1 hunks)
  • tests/copier_data/data2.yaml (1 hunks)
🔇 Additional comments (17)
.devcontainer/devcontainer.json (1)

62-62: Devcontainer context hash bump looks good.

Confirm the pre-commit hook computed this value (compute-devcontainer-context-hash) so CI prebuild triggers are accurate.

If needed, run locally: pre-commit run -a compute-devcontainer-context-hash

ruff.toml (1)

48-49: OK to ignore D105.

Matches your docstring policy; aligns with existing D10x ignores.

.pre-commit-config.yaml (4)

105-129: Prettier mirror switch and expanded exclude look good.

rbubley/mirrors-prettier at v3.6.2 is fine; excluding template/.* avoids unintended formatting churn.


214-218: Zizmor hook intentionally disabled.

Matches PR note; ensure the tracking issue stays open until re-enabled.

Add the issue link in a comment here for traceability, if you like.


229-229: Hadolint bump to v2.14.0 approved.


237-237: Ruff pre-commit bump to v0.13.1 approved.

.devcontainer/install-ci-tooling.py (1)

8-8: UV version bump verified — matches in both files.
Both .devcontainer/install-ci-tooling.py and extensions/context.py set UV version to "0.8.19".

tests/copier_data/data1.yaml (1)

9-9: New copier field added — defined but not wired through

copier.yaml defines repo_org_name_for_copyright (default: "{{ repo_org_name }}"); tests set it in tests/copier_data/data1.yaml and tests/copier_data/data2.yaml (data1: "The Greatest Org", data2: "Initech Corporation"). No usages found in templates/ or README — either wire this field into the templates/README where intended or confirm it's intentionally unused, and make test fixtures consistent.

extensions/context.py (1)

14-15: Version bumps look aligned — external compatibility OK; run a local dependency scan

  • FastAPI 0.117.1 + Uvicorn 0.36.0: compatible, no known breaking changes.
  • fastapi-offline 1.7.4 requires fastapi>=0.99.0, so compatible with FastAPI 0.117.x.
  • I could not verify repo pins (ripgrep returned "No files were searched"). Re-run a dependency scan against requirements.txt / pyproject.toml / setup.cfg and confirm the runtime Python version meets package minimums.
tests/copier_data/data2.yaml (1)

10-10: Test fixture updated correctly

Value looks good; plain scalar with spaces is valid YAML. Matches the new copier variable.

Please confirm data1.yaml was updated similarly and that template rendering tests cover both values.

copier.yaml (1)

10-14: Good addition; default derives from repo_org_name — no legacy usages found

Occurrences found: copier.yaml; tests/copier_data/data1.yaml, tests/copier_data/data2.yaml. Ripgrep reported no instances of "{{ repo_org_name }}" near "Copyright".

.github/workflows/tag-on-merge.yaml (1)

20-23: Good hardening: disabled checkout creds + pinned action by SHA. Please confirm push behavior.

Nice upgrade in supply‑chain posture. Since checkout creds are disabled, ensure mathieudutour/github-tag-action pushes tags/commits using the provided GITHUB_TOKEN internally and does not rely on checkout’s persisted credentials.

template/.github/workflows/ci.yaml.jinja-base (1)

54-55: LGTM: checkout without credential persistence.

Consistent with least‑privilege principles; no issues spotted.

template/.github/reusable_workflows/build-docker-image.yaml.jinja-base (1)

69-71: LGTM: disabling persisted credentials on checkout.

Matches the security posture elsewhere; no impact on ECR auth since OIDC is used later.

.github/workflows/ci.yaml (1)

160-160: Nice: explicit minimal permissions.

permissions: {} on this job is appropriate since it only gates earlier results.

template/.github/workflows/pre-commit.yaml.jinja-base (1)

36-45: LGTM: disabled checkout credential persistence across both paths.

Consistent hardening; pre‑commit doesn’t push, so this is safe.

template/.github/workflows/get-values.yaml.jinja-base (1)

32-33: Confirmed — action configures credentials for the push.
template/.github/actions/update-devcontainer-hash/action.yml.jinja-base calls actions/checkout with persist-credentials: true, configures git user.name/email, and runs git push; no additional auth changes required despite the workflow's persist-credentials: false.
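
A small line-based audit for the two hardening points this review keeps returning to (persist-credentials: false on every actions/checkout step, and action refs pinned to a full commit SHA rather than a mutable tag), written here as an added example; it is not code from this repository or from CodeRabbit. The sample workflow is constructed, and the 40-hex SHA in it is a placeholder, not a real github-tag-action commit.

```python
import re

# "uses: owner/repo@ref", with or without a leading "- ".
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
# A full 40-hex commit SHA; any other ref (tag, branch) can be moved.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PERSIST_OFF_RE = re.compile(r"persist-credentials:\s*false\b")

# Constructed sample workflow, not from the repository. The SHA below is a
# placeholder, not a real commit of mathieudutour/github-tag-action.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-24.04
    steps:
      - name: Hardened checkout
        uses: actions/checkout@v5.0.0
        with:
          persist-credentials: false
      - uses: actions/checkout@v5.0.0
      - name: Tag
        uses: mathieudutour/github-tag-action@0123456789abcdef0123456789abcdef01234567
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
"""


def split_steps(text):
    """Group numbered lines into list items. Heuristic: an item starts at a
    "- " line and ends at the next "- " line with the same or a shallower
    indent, so a step's nested "with:" block stays attached to that step."""
    steps, current, indent = [], None, -1
    for lineno, line in enumerate(text.splitlines(), 1):
        m = re.match(r"^(\s*)-\s", line)
        if m and (current is None or len(m.group(1)) <= indent):
            if current:
                steps.append(current)
            current, indent = [], len(m.group(1))
        if current is not None:
            current.append((lineno, line))
    if current:
        steps.append(current)
    return steps


def audit_workflow(text):
    """Return (line, message) findings: unpinned action refs, and
    actions/checkout steps that leave the token persisted in .git/config."""
    findings = []
    for step in split_steps(text):
        uses = [(n, USES_RE.match(l).group(1)) for n, l in step if USES_RE.match(l)]
        if not uses:
            continue  # a list item that is not a step, e.g. a matrix value
        lineno, action = uses[0]
        name, _, ref = action.partition("@")
        if not name.startswith("./") and not SHA_RE.match(ref):
            findings.append((lineno, f"{name} pinned to mutable ref {ref!r}, not a commit SHA"))
        if name == "actions/checkout" and not PERSIST_OFF_RE.search("\n".join(l for _, l in step)):
            findings.append((lineno, "actions/checkout without persist-credentials: false"))
    return findings


if __name__ == "__main__":
    for lineno, msg in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {msg}")
```

Run against a real workflow file, it reports the checkout at line 8 and the tag action at line 13 differently: the first is tag-pinned, the second is SHA-pinned, and only the bare checkout at line 11 trips both checks.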


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (3)
.pre-commit-config.yaml (3)

105-131: Prettier mirror bump looks good; consider trimming target files to avoid redundant include/exclude.

  • Good move to rbubley/mirrors-prettier and v3.6.2; exclude of template/.* is sensible.
  • Optional: since YAML/YML/MD/JSONC are excluded, drop them from the files pattern to reduce hook overhead.

Apply this minimal tweak:

-        files: (.*.json)|(.*.ts)|(.*.jsx)|(.*.tsx)|(.*.yaml)|(.*.yml)|(.*.md)|(.*.html)|(.*.css)|(.*.scss)|(.*.less)|(.*.vue)|(.*.graphql)|(.*.gql)
+        files: (.*.json)|(.*.ts)|(.*.jsx)|(.*.tsx)|(.*.html)|(.*.css)|(.*.scss)|(.*.less)|(.*.vue)|(.*.graphql)|(.*.gql)

182-186: Nice addition of workflow schema checks; optionally make it repository-wide per run.
If you want the workflow validation to run even when no workflow files are staged (useful after schema/tooling changes), add always_run and disable filename passing.

   - repo: https://github.com/python-jsonschema/check-jsonschema
     rev: 83987cd6ad8943c7f029b500b14aaf82c00a01fa  # frozen: 0.34.0
     hooks:
       - id: check-github-workflows
+        pass_filenames: false
+        always_run: true

214-218: zizmor is intentionally commented; can help wire it up behind a flag.
Recommend adding a minimal config and gating via stages or a dedicated repo-local toggle when you’re ready.

I can prepare a starter .zizmor.yaml and suggested hook config aligned with your workflows. Want me to open a draft?

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5f7edca and 1ea5acb.

📒 Files selected for processing (3)
  • .devcontainer/devcontainer.json (1 hunks)
  • .pre-commit-config.yaml (5 hunks)
  • copier.yaml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (2)
  • copier.yaml
  • .devcontainer/devcontainer.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: lint-matrix (ubuntu-24.04, 3.13.1, --data-file tests/copier_data/data1.yaml)
🔇 Additional comments (2)
.pre-commit-config.yaml (2)

229-229: Fix hadolint version — v2.14.0 is not a released tag

No release v2.14.0 exists; latest stable is v2.12.0 (v2.12.1-beta pre-release). Update .pre-commit-config.yaml (line 229) to pin a valid hadolint release (e.g., v2.12.0).

    rev: 4e697ba704fd23b2409b947a319c19c3ee54d24f  # frozen: v2.14.0

Likely an incorrect or invalid review comment.


237-263: Ruff pre-commit bump approved — verify config location and rules.

.pre-commit-config.yaml pins astral-sh/ruff-pre-commit rev a113f03edeabb71305f025e6e14bd2cd68660e29 (v0.13.1). No ruff.toml or ruff-test.toml found in the repo; confirm where ruff is configured (ruff.toml / ruff-test.toml or pyproject.toml) and verify configs don't use deprecated rules after the upgrade.

@ejfine ejfine merged commit bafe649 into main Sep 23, 2025
7 checks passed
@ejfine ejfine deleted the fastapi branch September 23, 2025 23:39