diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 87604458..97902f55 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -59,5 +59,5 @@ "initializeCommand": "sh .devcontainer/initialize-command.sh", "onCreateCommand": "sh .devcontainer/on-create-command.sh", "postStartCommand": "sh .devcontainer/post-start-command.sh" - // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): d461f957 # spellchecker:disable-line + // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): d1386cd9 # spellchecker:disable-line } diff --git a/.devcontainer/install-ci-tooling.py b/.devcontainer/install-ci-tooling.py index c8ef8067..e75f5a82 100644 --- a/.devcontainer/install-ci-tooling.py +++ b/.devcontainer/install-ci-tooling.py @@ -5,7 +5,7 @@ import subprocess import sys -UV_VERSION = "0.8.17" +UV_VERSION = "0.8.19" COPIER_VERSION = "9.10.2" COPIER_TEMPLATE_EXTENSIONS_VERSION = "0.3.3" PRE_COMMIT_VERSION = "4.3.0" diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index c7a4660d..10ffc0dd 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -25,6 +25,8 @@ jobs: runs-on: ${{ matrix.os }} steps: - uses: actions/checkout@v5.0.0 + with: + persist-credentials: false - name: Setup Python uses: actions/setup-python@v6.0.0 @@ -80,6 +82,8 @@ jobs: steps: - uses: actions/checkout@v5.0.0 + with: + persist-credentials: false - name: Setup Python uses: actions/setup-python@v6.0.0 @@ -153,6 +157,7 @@ jobs: runs-on: ubuntu-24.04 needs: [ lint-matrix ] if: always() + permissions: {} steps: - name: fail if prior job failure if: needs.lint-matrix.result != 'success' diff --git a/.github/workflows/tag-on-merge.yaml b/.github/workflows/tag-on-merge.yaml index 00bb0cab..2f91c730 100644 --- a/.github/workflows/tag-on-merge.yaml +++ b/.github/workflows/tag-on-merge.yaml 
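Review bot: `persist-credentials: false` on the checkouts in the first two ci.yaml hunks stops the token being written into `.git/config`, but it does not narrow what `${{ secrets.GITHUB_TOKEN }}` can do in those jobs; only the aggregation job in the third hunk gets `permissions: {}`. Unless a workflow-level `permissions:` block outside these hunks already restricts the default token, the lint jobs should declare the minimum they need, e.g. `permissions:` / `  contents: read` at job level next to `runs-on:`. The same applies to the checkout-only jobs in the template workflows (build-docker-image, ci, get-values and pre-commit `.jinja-base`), and to the tag job in tag-on-merge.yaml, which needs `contents: write` to push the tag and nothing more. The enclosing jobs start outside these hunks.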
@@ -17,7 +17,8 @@ jobs: with: ref: ${{ github.event.pull_request.merge_commit_sha }} fetch-depth: '0' + persist-credentials: false - name: Bump version and push tag - uses: mathieudutour/github-tag-action@v6.2 + uses: mathieudutour/github-tag-action@a22cf08638b34d5badda920f9daf6e72c477b07b # v6.2 with: github_token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 1fe4e577..249101a5 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -102,8 +102,8 @@ repos: .*pyrightconfig\.json| )$ - - repo: https://github.com/pre-commit/mirrors-prettier # TODO: switch to a different approach...this was archived in 2024 - rev: f12edd9c7be1c20cfa42420fd0e6df71e42b51ea # frozen: v4.0.0-alpha.8 + - repo: https://github.com/rbubley/mirrors-prettier + rev: 5ba47274f9b181bce26a5150a725577f3c336011 # frozen: v3.6.2 hooks: - id: prettier # TODO: get template YAML and MD files more in line with prettier expectations so we can start using prettier on those too @@ -125,6 +125,7 @@ repos: .*/vendor_files/.*| .*/schema.graphql| .*generated/graphql.ts| + template/.*| )$ files: (.*.json)|(.*.ts)|(.*.jsx)|(.*.tsx)|(.*.yaml)|(.*.yml)|(.*.md)|(.*.html)|(.*.css)|(.*.scss)|(.*.less)|(.*.vue)|(.*.graphql)|(.*.gql) @@ -178,6 +179,11 @@ repos: - id: check-merge-conflict - id: check-case-conflict + - repo: https://github.com/python-jsonschema/check-jsonschema + rev: 83987cd6ad8943c7f029b500b14aaf82c00a01fa # frozen: 0.34.0 + hooks: + - id: check-github-workflows + - repo: https://github.com/maresb/check-json5 rev: 893a2b5a0a27c3540bd8fcafe2968ccc05237179 # 1.0 hooks: 
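Review bot: Replacing `pre-commit/mirrors-prettier` with `rbubley/mirrors-prettier` in the first pre-commit hunk moves the hook from the pre-commit org to an individual's fork and drops the TODO that explained the original was archived, so the next reader has no record of why a non-org mirror is trusted; add a comment on the `repo:` line such as `# community mirror; pre-commit/mirrors-prettier was archived in 2024`. The SHA pin keeps the choice reproducible, but the trailing `# frozen: v3.6.2` is what `pre-commit autoupdate --freeze` rewrites, so it must stay on that line. For the new `check-github-workflows` hook in the third hunk, note in a comment that it only validates this repository's own `.github/workflows/` files; the template's `.jinja-base` workflows contain Jinja tags and are presumably not parseable by it, so generated repositories must rely on their own pre-commit config for that check.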
@@ -205,6 +211,11 @@ repos: hooks: - id: detect-private-key + # - repo: https://github.com/woodruffw/zizmor-pre-commit # TODO: implement this: https://github.com/LabAutomationAndScreening/copier-base-template/issues/95 + # rev: b933184438555436e38621f46ceb0c417cbed400 # frozen: v1.13.0 + # hooks: + # - id: zizmor + # Linting - repo: https://github.com/Lucas-C/pre-commit-hooks-markup @@ -215,7 +226,7 @@ repos: exclude: docs/.*\.rst$ - repo: https://github.com/hadolint/hadolint - rev: 87de847754330ad47ae16bdfe2d1a757ccb4b4d4 # frozen: v2.13.1 + rev: 4e697ba704fd23b2409b947a319c19c3ee54d24f # frozen: v2.14.0 hooks: - id: hadolint-docker name: Lint Dockerfiles @@ -223,7 +234,7 @@ repos: description: Runs hadolint to lint Dockerfiles - repo: https://github.com/astral-sh/ruff-pre-commit - rev: 13a6bda8ea7612b3aec844ded16569d424b9a1ab # frozen: v0.13.0 + rev: a113f03edeabb71305f025e6e14bd2cd68660e29 # frozen: v0.13.1 hooks: - id: ruff name: ruff-src diff --git a/copier.yaml b/copier.yaml index 259f43e0..20ad0c7e 100644 --- a/copier.yaml +++ b/copier.yaml @@ -7,6 +7,11 @@ repo_org_name: type: str help: What's the organization or username that owns this repository (look in the URL)? +repo_org_name_for_copyright: + type: str + help: What's the human-readable organization or username that should be set for the copyright? + default: "{{ repo_org_name }}" + description: type: str help: What is this copier template used for? diff --git a/extensions/context.py b/extensions/context.py index 6b5f0021..eae8228b 100644 --- a/extensions/context.py +++ b/extensions/context.py 
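Review bot: The new `repo_org_name_for_copyright` question in copier.yaml accepts any string, including an empty one, and its help text does not say where the value is rendered; since it presumably lands in license or copyright headers of the generated repository, an empty answer would produce a blank holder that is hard to spot. Copier questions support a `validator:` template, so add e.g. `validator: "{% if not repo_org_name_for_copyright.strip() %}A copyright holder is required{% endif %}"` under the question, and extend the help text to name the files it ends up in. The default `"{{ repo_org_name }}"` is fine because that question is answered first.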
@@ -11,13 +11,13 @@ class ContextUpdater(ContextHook):
 @override
 def hook(self, context: dict[Any, Any]) -> dict[Any, Any]:
 # These are duplicated in the install-ci-tooling.py script in this repository
- context["uv_version"] = "0.8.17"
+ context["uv_version"] = "0.8.19"
 context["pre_commit_version"] = "4.3.0"
 # These also in pyproject.toml
 context["copier_version"] = "9.10.2"
 context["copier_template_extensions_version"] = "0.3.3"
 #######
- context["pnpm_version"] = "10.17.0"
+ context["pnpm_version"] = "10.17.1"
 # These are duplicated in the pyproject.toml of this repository
 context["pyright_version"] = "1.1.405"
 context["pytest_version"] = "8.4.2"
@@ -25,7 +25,7 @@ def hook(self, context: dict[Any, Any]) -> dict[Any, Any]:
 context["pytest_cov_version"] = "7.0.0"
 #######
 context["sphinx_version"] = "8.1.3"
- context["pulumi_version"] = "3.196.0"
+ context["pulumi_version"] = "3.197.0"
 context["pulumi_aws_version"] = "7.7.0"
 context["pulumi_aws_native_version"] = "1.33.0"
 context["pulumi_command_version"] = "1.1.0"
@@ -37,9 +37,9 @@ def hook(self, context: dict[Any, Any]) -> dict[Any, Any]:
 context["pyinstaller_version"] = "6.16.0"
 context["setuptools_version"] = "80.7.1"
 context["strawberry_graphql_version"] = "0.282.0"
- context["fastapi_version"] = "0.116.1"
+ context["fastapi_version"] = "0.117.1"
 context["fastapi_offline_version"] = "1.7.4"
- context["uvicorn_version"] = "0.35.0"
+ context["uvicorn_version"] = "0.36.0"
 context["lab_auto_pulumi_version"] = "0.1.16"
 context["ariadne_codegen_version"] = "0.15.2"
 context["pytest_mock_version"] = "3.15.0"
diff --git a/ruff.toml b/ruff.toml
index ed93b2d4..2123a309 100644
--- a/ruff.toml
+++ b/ruff.toml
@@ -45,6 +45,7 @@ ignore = [ "D102", # Docstrings are not always necessary for public methods "D103", # Docstrings are not always necessary for public functions "D104", # Docstrings are not always necessary for public packages + "D105", # Docstrings are not always necessary for magic methods "D106", # Nested classes are usually library-specific and don't always require its own docstring "D107", # Init shouldn't need its own docstring, those arguments can be captured in the class level docstring "D203", # Ignore D203 because it's a bug https://github.com/PyCQA/pydocstyle/issues/141 diff --git a/template/.github/reusable_workflows/build-docker-image.yaml.jinja-base b/template/.github/reusable_workflows/build-docker-image.yaml.jinja-base index 0335a949..123b9a79 100644 --- a/template/.github/reusable_workflows/build-docker-image.yaml.jinja-base +++ b/template/.github/reusable_workflows/build-docker-image.yaml.jinja-base @@ -66,6 +66,8 @@ jobs: - name: Checkout code uses: actions/checkout@{% endraw %}{{ gha_checkout }}{% raw %} + with: + persist-credentials: false - name: OIDC Auth for ECR if: ${{ inputs.push-role-name != 'no-push' }} diff --git a/template/.github/workflows/ci.yaml.jinja-base b/template/.github/workflows/ci.yaml.jinja-base index b530a79e..1909b854 100644 --- a/template/.github/workflows/ci.yaml.jinja-base +++ b/template/.github/workflows/ci.yaml.jinja-base @@ -51,6 +51,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@{% endraw %}{{ gha_checkout }}{% raw %} + with: + persist-credentials: false - name: Move python script that replaces private package registry information to temp folder so it doesn't get deleted run: | diff --git a/template/.github/workflows/get-values.yaml.jinja-base b/template/.github/workflows/get-values.yaml.jinja-base index 9a1f86f6..da23f125 100644 --- a/template/.github/workflows/get-values.yaml.jinja-base +++ b/template/.github/workflows/get-values.yaml.jinja-base 
@@ -29,6 +29,8 @@ jobs: - name: Checkout code uses: actions/checkout@{% endraw %}{{ gha_checkout }}{% raw %} + with: + persist-credentials: false - name: Update Devcontainer Hash if: ${{ github.actor == 'dependabot[bot]' && github.event_name == 'push' }} diff --git a/template/.github/workflows/pre-commit.yaml.jinja-base b/template/.github/workflows/pre-commit.yaml.jinja-base index 2e6028ee..478ba2ed 100644 --- a/template/.github/workflows/pre-commit.yaml.jinja-base +++ b/template/.github/workflows/pre-commit.yaml.jinja-base @@ -35,10 +35,13 @@ jobs: uses: actions/checkout@{% endraw %}{{ gha_checkout }}{% raw %} with: ref: ${{ github.ref_name }} # explicitly get the head of the branch, which will include any new commits pushed if this is a dependabot branch + persist-credentials: false - name: Checkout code not during push if: ${{ github.event_name != 'push' }} uses: actions/checkout@{% endraw %}{{ gha_checkout }}{% raw %} + with: + persist-credentials: false - name: Install latest versions of packages uses: ./.github/actions/install_deps diff --git a/template/.github/zizmor.yml b/template/.github/zizmor.yml new file mode 100644 index 00000000..b70672b4 --- /dev/null +++ b/template/.github/zizmor.yml @@ -0,0 +1,5 @@ +rules: + template-injection: + ignore: + # this is just echo-ing out the github context to be visible for debugging, it's not executing commands + - get-values.yaml:28 diff --git a/template/README.md.jinja-base b/template/README.md.jinja-base index 88841ce3..c1c5d09c 100644 --- a/template/README.md.jinja-base +++ b/template/README.md.jinja-base 
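Review bot: After the get-values checkout gets `persist-credentials: false`, the following `Update Devcontainer Hash` step (its body is outside the hunk) can no longer rely on the stored token if it commits and pushes the refreshed hash on dependabot pushes, which the pre-commit workflow's checkout comment about "new commits pushed if this is a dependabot branch" suggests it does. If so, that step needs credentials supplied explicitly, e.g. an `env:` entry carrying `${{ secrets.GITHUB_TOKEN }}` that its push uses to authenticate, together with a job-level `permissions:` granting `contents: write`; otherwise the push fails only on dependabot events, which is easy to miss. Please confirm against the step body before merging.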
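Review bot: The justification in the new zizmor.yml ignore ("just echo-ing out the github context ... not executing commands") does not hold if `get-values.yaml:28` expands a `${{ }}` expression directly inside `run:`: the expression is substituted into the script text before the shell parses it, so a value under outside control (a branch name, PR title or commit message) that happens to contain shell syntax is executed by that `echo` line like any other command. I can't see line 28 from this diff, but the fix that makes the finding go away is to move the expression into an `env:` entry and print the variable, e.g. `env:` / `  GH_CONTEXT: ${{ toJson(github) }}` / `run: echo "$GH_CONTEXT"`, after which the ignore can be deleted. A line-number ignore is also brittle, since it silently points at the wrong line once anything above it in the template workflow changes; if it must stay, add a comment asking editors to re-check the line number whenever get-values.yaml.jinja-base is edited.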
@@ -7,7 +7,7 @@ # Usage To create a new repository using this template: 1. Create a basic devcontainer either using the Codespaces default or using the file `.devcontainer/devcontainer-to-instantiate-template.json` from [the base template repo](https://github.com/LabAutomationAndScreening/copier-base-template/blob/main/.devcontainer/devcontainer-to-instantiate-template.json) -1. Inside that devcontainer, run `python .devcontainer/install-ci-tooling.py` to install necessary tooling to instantiate the template (you can copy/paste the script from this +1. Inside that devcontainer, run `python .devcontainer/install-ci-tooling.py` to install necessary tooling to instantiate the template (you can copy/paste the script from this repo...and you can paste it in the root of the repo if you want) 1. Delete all files currently in the repository. Optional...but makes it easiest to avoid git conflicts. 1. Run copier to instantiate the template: `copier copy --trust gh:{% endraw %}{{ repo_org_name }}/{{ repo_name }}{% raw %}.git .` 1. Run `python .devcontainer/manual-setup-deps.py --only-create-lock` to generate the lock file(s) diff --git a/tests/copier_data/data1.yaml b/tests/copier_data/data1.yaml index fe4b9c3c..be1986bc 100644 --- a/tests/copier_data/data1.yaml +++ b/tests/copier_data/data1.yaml @@ -6,6 +6,7 @@ python_ci_versions: template_uses_python: true template_uses_pulumi: true repo_org_name: theGreatestOrg +repo_org_name_for_copyright: The Greatest Org template_uses_javascript: false template_uses_vuejs: false template_might_want_to_install_aws_ssm_port_forwarding_plugin: true diff --git a/tests/copier_data/data2.yaml b/tests/copier_data/data2.yaml index 24aa9e73..f5a2a439 100644 --- a/tests/copier_data/data2.yaml +++ b/tests/copier_data/data2.yaml 
@@ -7,6 +7,7 @@ python_ci_versions:
 template_uses_python: true
 template_uses_pulumi: false
 repo_org_name: Initech
+repo_org_name_for_copyright: Initech Corporation
 template_uses_javascript: true
 template_uses_vuejs: true
 template_might_want_to_install_aws_ssm_port_forwarding_plugin: false