From f3cdd696e882829b95efccb7ecf3c63ca2d6caa2 Mon Sep 17 00:00:00 2001
From: Eli Fine
Date: Mon, 22 Sep 2025 15:11:00 +0000
Subject: [PATCH 01/15] ruff
---
 ruff.toml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/ruff.toml b/ruff.toml
index ed93b2d4..2123a309 100644
--- a/ruff.toml
+++ b/ruff.toml
@@ -45,6 +45,7 @@ ignore = [
 "D102", # Docstrings are not always necessary for public methods
 "D103", # Docstrings are not always necessary for public functions
 "D104", # Docstrings are not always necessary for public packages
+ "D105", # Docstrings are not always necessary for magic methods
 "D106", # Nested classes are usually library-specific and don't always require its own docstring
 "D107", # Init shouldn't need its own docstring, those arguments can be captured in the class level docstring
 "D203", # Ignore D203 because it's a bug https://github.com/PyCQA/pydocstyle/issues/141
From 2a0785cffa1bc7a4fb7791a5c31a3e99a2c804d8 Mon Sep 17 00:00:00 2001
From: Eli Fine
Date: Mon, 22 Sep 2025 15:12:59 +0000
Subject: [PATCH 02/15] precommit
---
 .devcontainer/devcontainer.json | 2 +-
 .pre-commit-config.yaml | 4 ++--
 extensions/context.py | 6 +++---
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 87604458..65b4e201 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -59,5 +59,5 @@
 "initializeCommand": "sh .devcontainer/initialize-command.sh",
 "onCreateCommand": "sh .devcontainer/on-create-command.sh",
 "postStartCommand": "sh .devcontainer/post-start-command.sh"
- // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): d461f957 # spellchecker:disable-line
+ // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): a7ebf864 # spellchecker:disable-line
 }
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 1fe4e577..6079fb4b 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -215,7 +215,7 @@ repos:
 exclude: docs/.*\.rst$
 - repo: https://github.com/hadolint/hadolint
- rev: 87de847754330ad47ae16bdfe2d1a757ccb4b4d4 # frozen: v2.13.1
+ rev: 4e697ba704fd23b2409b947a319c19c3ee54d24f # frozen: v2.14.0
 hooks:
 - id: hadolint-docker
 name: Lint Dockerfiles
@@ -223,7 +223,7 @@ repos:
 description: Runs hadolint to lint Dockerfiles
 - repo: https://github.com/astral-sh/ruff-pre-commit
- rev: 13a6bda8ea7612b3aec844ded16569d424b9a1ab # frozen: v0.13.0
+ rev: a113f03edeabb71305f025e6e14bd2cd68660e29 # frozen: v0.13.1
 hooks:
 - id: ruff
 name: ruff-src
diff --git a/extensions/context.py b/extensions/context.py
index 6b5f0021..febe1686 100644
--- a/extensions/context.py
+++ b/extensions/context.py
@@ -25,7 +25,7 @@ def hook(self, context: dict[Any, Any]) -> dict[Any, Any]:
 context["pytest_cov_version"] = "7.0.0"
 #######
 context["sphinx_version"] = "8.1.3"
- context["pulumi_version"] = "3.196.0"
+ context["pulumi_version"] = "3.197.0"
 context["pulumi_aws_version"] = "7.7.0"
 context["pulumi_aws_native_version"] = "1.33.0"
 context["pulumi_command_version"] = "1.1.0"
@@ -37,9 +37,9 @@ def hook(self, context: dict[Any, Any]) -> dict[Any, Any]:
 context["pyinstaller_version"] = "6.16.0"
 context["setuptools_version"] = "80.7.1"
 context["strawberry_graphql_version"] = "0.282.0"
- context["fastapi_version"] = "0.116.1"
+ context["fastapi_version"] = "0.117.1"
 context["fastapi_offline_version"] = "1.7.4"
- context["uvicorn_version"] = "0.35.0"
+ context["uvicorn_version"] = "0.36.0"
 context["lab_auto_pulumi_version"] = "0.1.16"
 context["ariadne_codegen_version"] = "0.15.2"
 context["pytest_mock_version"] = "3.15.0"
From 13bd2a6969a01220baee6e308c3568f8f10d6de1 Mon Sep 17 00:00:00 2001
From: Eli Fine
Date: Mon, 22 Sep 2025 15:13:58 +0000
Subject: [PATCH 03/15] uv
---
 .devcontainer/devcontainer.json | 2 +-
 .devcontainer/install-ci-tooling.py | 2 +-
 extensions/context.py | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 65b4e201..ac83d3b4 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -59,5 +59,5 @@
 "initializeCommand": "sh .devcontainer/initialize-command.sh",
 "onCreateCommand": "sh .devcontainer/on-create-command.sh",
 "postStartCommand": "sh .devcontainer/post-start-command.sh"
- // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): a7ebf864 # spellchecker:disable-line
+ // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): 7471f866 # spellchecker:disable-line
 }
diff --git a/.devcontainer/install-ci-tooling.py b/.devcontainer/install-ci-tooling.py
index c8ef8067..e75f5a82 100644
--- a/.devcontainer/install-ci-tooling.py
+++ b/.devcontainer/install-ci-tooling.py
@@ -5,7 +5,7 @@
 import subprocess
 import sys
-UV_VERSION = "0.8.17"
+UV_VERSION = "0.8.19"
 COPIER_VERSION = "9.10.2"
 COPIER_TEMPLATE_EXTENSIONS_VERSION = "0.3.3"
 PRE_COMMIT_VERSION = "4.3.0"
diff --git a/extensions/context.py b/extensions/context.py
index febe1686..0365a024 100644
--- a/extensions/context.py
+++ b/extensions/context.py
@@ -11,7 +11,7 @@ class ContextUpdater(ContextHook):
 @override
 def hook(self, context: dict[Any, Any]) -> dict[Any, Any]:
 # These are duplicated in the install-ci-tooling.py script in this repository
- context["uv_version"] = "0.8.17"
+ context["uv_version"] = "0.8.19"
 context["pre_commit_version"] = "4.3.0"
 # These also in pyproject.toml
 context["copier_version"] = "9.10.2"
From 8664eb56e45b0fab859f993ef1c9a3b8b1060276 Mon Sep 17 00:00:00 2001
From: Eli Fine
Date: Mon, 22 Sep 2025 15:16:24 +0000
Subject: [PATCH 04/15] org question
---
 copier.yaml | 5 +++++
 tests/copier_data/data1.yaml | 1 +
 tests/copier_data/data2.yaml | 1 +
 3 files changed, 7 insertions(+)
diff --git a/copier.yaml b/copier.yaml
index 259f43e0..a476820d 100644
--- a/copier.yaml
+++ b/copier.yaml
@@ -7,6 +7,11 @@ repo_org_name:
 type: str
 help: What's the organization or username that owns this repository (look in the URL)?
+repo_org_name_for_copyright:
+ type: str
+ help: What's the human-readable organization or username that should be set for the Copyright?
+ default: "{{ repo_org_name }}"
+
 description:
 type: str
 help: What is this copier template used for?
diff --git a/tests/copier_data/data1.yaml b/tests/copier_data/data1.yaml
index fe4b9c3c..be1986bc 100644
--- a/tests/copier_data/data1.yaml
+++ b/tests/copier_data/data1.yaml
@@ -6,6 +6,7 @@ python_ci_versions:
 template_uses_python: true
 template_uses_pulumi: true
 repo_org_name: theGreatestOrg
+repo_org_name_for_copyright: The Greatest Org
 template_uses_javascript: false
 template_uses_vuejs: false
 template_might_want_to_install_aws_ssm_port_forwarding_plugin: true
diff --git a/tests/copier_data/data2.yaml b/tests/copier_data/data2.yaml
index 24aa9e73..f5a2a439 100644
--- a/tests/copier_data/data2.yaml
+++ b/tests/copier_data/data2.yaml
@@ -7,6 +7,7 @@ python_ci_versions:
 template_uses_python: true
 template_uses_pulumi: false
 repo_org_name: Initech
+repo_org_name_for_copyright: Initech Corporation
 template_uses_javascript: true
 template_uses_vuejs: true
 template_might_want_to_install_aws_ssm_port_forwarding_plugin: false
From c115f588d0037f9bf5571653e116f24ca3f42072 Mon Sep 17 00:00:00 2001
From: Eli Fine
Date: Mon, 22 Sep 2025 15:20:50 +0000
Subject: [PATCH 05/15] readme
---
 template/README.md.jinja-base | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/template/README.md.jinja-base b/template/README.md.jinja-base
index 88841ce3..c1c5d09c 100644
--- a/template/README.md.jinja-base
+++ b/template/README.md.jinja-base
@@ -7,7 +7,7 @@ # Usage To create a new repository using this template: 1. Create a basic devcontainer either using the Codespaces default or using the file `.devcontainer/devcontainer-to-instantiate-template.json` from [the base template repo](https://github.com/LabAutomationAndScreening/copier-base-template/blob/main/.devcontainer/devcontainer-to-instantiate-template.json) -1. Inside that devcontainer, run `python .devcontainer/install-ci-tooling.py` to install necessary tooling to instantiate the template (you can copy/paste the script from this +1. Inside that devcontainer, run `python .devcontainer/install-ci-tooling.py` to install necessary tooling to instantiate the template (you can copy/paste the script from this repo...and you can paste it in the root of the repo if you want) 1. Delete all files currently in the repository. Optional...but makes it easiest to avoid git conflicts. 1. Run copier to instantiate the template: `copier copy --trust gh:{% endraw %}{{ repo_org_name }}/{{ repo_name }}{% raw %}.git .` 1. Run `python .devcontainer/manual-setup-deps.py --only-create-lock` to generate the lock file(s) From 760ce611982a6b3f0adf353bb5fc5771c7f1cdd8 Mon Sep 17 00:00:00 2001 From: Eli Fine Date: Mon, 22 Sep 2025 17:04:48 +0000 Subject: [PATCH 06/15] bump pnpm --- extensions/context.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extensions/context.py b/extensions/context.py index 0365a024..eae8228b 100644 --- a/extensions/context.py +++ b/extensions/context.py @@ -17,7 +17,7 @@ def hook(self, context: dict[Any, Any]) -> dict[Any, Any]: context["copier_version"] = "9.10.2" context["copier_template_extensions_version"] = "0.3.3" ####### - context["pnpm_version"] = "10.17.0" + context["pnpm_version"] = "10.17.1" # These are duplicated in the pyproject.toml of this repository context["pyright_version"] = "1.1.405" context["pytest_version"] = "8.4.2" From e7f44ebc2242979138ae970090fa283235337c78 Mon Sep 17 00:00:00 2001 
From: Eli Fine
Date: Tue, 23 Sep 2025 17:30:56 +0000
Subject: [PATCH 07/15] perttier
---
 .devcontainer/devcontainer.json | 2 +-
 .pre-commit-config.yaml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index ac83d3b4..b2e237d6 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -59,5 +59,5 @@
 "initializeCommand": "sh .devcontainer/initialize-command.sh",
 "onCreateCommand": "sh .devcontainer/on-create-command.sh",
 "postStartCommand": "sh .devcontainer/post-start-command.sh"
- // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): 7471f866 # spellchecker:disable-line
+ // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): e58ddd05 # spellchecker:disable-line
 }
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 6079fb4b..51453d0b 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -102,8 +102,8 @@ repos:
 .*pyrightconfig\.json|
 )$
- - repo: https://github.com/pre-commit/mirrors-prettier # TODO: switch to a different approach...this was archived in 2024
- rev: f12edd9c7be1c20cfa42420fd0e6df71e42b51ea # frozen: v4.0.0-alpha.8
+ - repo: https://github.com/rbubley/mirrors-prettier
+ rev: 5ba47274f9b181bce26a5150a725577f3c336011 # frozen: v3.6.2
 hooks:
 - id: prettier
 # TODO: get template YAML and MD files more in line with prettier expectations so we can start using prettier on those too
From beb6b64247b96b19566f1e0470987df148cf9e0f Mon Sep 17 00:00:00 2001
From: Eli Fine
Date: Tue, 23 Sep 2025 17:36:34 +0000
Subject: [PATCH 08/15] zizmor
---
 .devcontainer/devcontainer.json | 2 +-
 .pre-commit-config.yaml | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index b2e237d6..d0ae396c 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
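Review bot: The new `repo:` line in the `.pre-commit-config.yaml` hunk of patch 07 (`@@ -102,8 +102,8 @@`) drops the only comment that recorded why the prettier mirror needed attention, and it moves the hook source to what looks like a repository under an individual account (`rbubley`) without saying so. The full-SHA `rev` keeps a moved tag from changing what runs, but whoever bumps the pin later has no hint that the new revision deserves a look first. I would keep a short provenance comment on the line, for example `# community-maintained fork; pre-commit/mirrors-prettier was archived in 2024 - review upstream before bumping rev`. The pin also goes from `v4.0.0-alpha.8` back to `v3.6.2`, which reads as deliberate but is not stated anywhere.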
@@ -59,5 +59,5 @@
 "initializeCommand": "sh .devcontainer/initialize-command.sh",
 "onCreateCommand": "sh .devcontainer/on-create-command.sh",
 "postStartCommand": "sh .devcontainer/post-start-command.sh"
- // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): e58ddd05 # spellchecker:disable-line
+ // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): 956bfd20 # spellchecker:disable-line
 }
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 51453d0b..7713e235 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -205,6 +205,11 @@ repos:
 hooks:
 - id: detect-private-key
+ - repo: https://github.com/woodruffw/zizmor-pre-commit
+ rev: v1.13.0
+ hooks:
+ - id: zizmor
+
 # Linting
 - repo: https://github.com/Lucas-C/pre-commit-hooks-markup
From 3aa3330a3b6db6fdffdbaabe45df530b024b009d Mon Sep 17 00:00:00 2001
From: Eli Fine
Date: Tue, 23 Sep 2025 17:40:33 +0000
Subject: [PATCH 09/15] schema
---
 .devcontainer/devcontainer.json | 2 +-
 .pre-commit-config.yaml | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index d0ae396c..3a931bb2 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -59,5 +59,5 @@
 "initializeCommand": "sh .devcontainer/initialize-command.sh",
 "onCreateCommand": "sh .devcontainer/on-create-command.sh",
 "postStartCommand": "sh .devcontainer/post-start-command.sh"
- // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): 956bfd20 # spellchecker:disable-line
+ // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): 0f3a417f # spellchecker:disable-line
 }
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 7713e235..7339bd6e 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -178,6 +178,11 @@ repos:
 - id: check-merge-conflict
 - id: check-case-conflict
+ - repo: https://github.com/python-jsonschema/check-jsonschema
+ rev: 83987cd6ad8943c7f029b500b14aaf82c00a01fa # frozen: 0.34.0
+ hooks:
+ - id: check-github-workflows
+
 - repo: https://github.com/maresb/check-json5
 rev: 893a2b5a0a27c3540bd8fcafe2968ccc05237179 # 1.0
 hooks:
@@ -206,7 +211,7 @@ repos:
 - id: detect-private-key
 - repo: https://github.com/woodruffw/zizmor-pre-commit
- rev: v1.13.0
+ rev: b933184438555436e38621f46ceb0c417cbed400 # frozen: v1.13.0
 hooks:
 - id: zizmor
From 310951d6d0cc0406b977f232f3c1faec410f0e86 Mon Sep 17 00:00:00 2001
From: Eli Fine
Date: Tue, 23 Sep 2025 17:42:56 +0000
Subject: [PATCH 10/15] exclude
---
 .devcontainer/devcontainer.json | 2 +-
 .pre-commit-config.yaml | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 3a931bb2..52bdd484 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -59,5 +59,5 @@
 "initializeCommand": "sh .devcontainer/initialize-command.sh",
 "onCreateCommand": "sh .devcontainer/on-create-command.sh",
 "postStartCommand": "sh .devcontainer/post-start-command.sh"
- // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): 0f3a417f # spellchecker:disable-line
+ // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): 97d447a8 # spellchecker:disable-line
 }
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 7339bd6e..be5c07f5 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -125,6 +125,7 @@ repos:
 .*/vendor_files/.*|
 .*/schema.graphql|
 .*generated/graphql.ts|
+ template/.*|
 )$
 files: (.*.json)|(.*.ts)|(.*.jsx)|(.*.tsx)|(.*.yaml)|(.*.yml)|(.*.md)|(.*.html)|(.*.css)|(.*.scss)|(.*.less)|(.*.vue)|(.*.graphql)|(.*.gql)
From 71434ca07b8f7e3fc2f6c18a7465321c0c33e559 Mon Sep 17 00:00:00 2001
From: Eli Fine
Date: Tue, 23 Sep 2025 18:03:36 +0000
Subject: [PATCH 11/15] fix github
---
 .github/workflows/ci.yaml | 5 +++++
 .github/workflows/tag-on-merge.yaml | 3 ++-
 .../reusable_workflows/build-docker-image.yaml.jinja-base | 2 ++
 template/.github/workflows/ci.yaml.jinja-base | 2 ++
 template/.github/workflows/get-values.yaml.jinja-base | 2 ++
 template/.github/workflows/pre-commit.yaml.jinja-base | 3 +++
 6 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index c7a4660d..10ffc0dd 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -25,6 +25,8 @@ jobs:
 runs-on: ${{ matrix.os }}
 steps:
 - uses: actions/checkout@v5.0.0
+ with:
+ persist-credentials: false
 - name: Setup Python
 uses: actions/setup-python@v6.0.0
@@ -80,6 +82,8 @@ jobs:
 steps:
 - uses: actions/checkout@v5.0.0
+ with:
+ persist-credentials: false
 - name: Setup Python
 uses: actions/setup-python@v6.0.0
@@ -153,6 +157,7 @@ jobs:
 runs-on: ubuntu-24.04
 needs: [ lint-matrix ]
 if: always()
+ permissions: {}
 steps:
 - name: fail if prior job failure
 if: needs.lint-matrix.result != 'success'
diff --git a/.github/workflows/tag-on-merge.yaml b/.github/workflows/tag-on-merge.yaml
index 00bb0cab..2f91c730 100644
--- a/.github/workflows/tag-on-merge.yaml
+++ b/.github/workflows/tag-on-merge.yaml
@@ -17,7 +17,8 @@ jobs:
 with:
 ref: ${{ github.event.pull_request.merge_commit_sha }}
 fetch-depth: '0'
+ persist-credentials: false
 - name: Bump version and push tag
- uses: mathieudutour/github-tag-action@v6.2
+ uses: mathieudutour/github-tag-action@a22cf08638b34d5badda920f9daf6e72c477b07b # v6.2
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/template/.github/reusable_workflows/build-docker-image.yaml.jinja-base b/template/.github/reusable_workflows/build-docker-image.yaml.jinja-base
index 0335a949..123b9a79 100644
--- a/template/.github/reusable_workflows/build-docker-image.yaml.jinja-base
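Review bot: In the two checkout hunks of `.github/workflows/ci.yaml` in patch 11 (`@@ -25,6 +25,8 @@` and `@@ -80,6 +82,8 @@`), `actions/checkout@v5.0.0` and `actions/setup-python@v6.0.0` are still referenced by tag, while the same patch pins `mathieudutour/github-tag-action` to a full commit SHA in `tag-on-merge.yaml`. A tag can be re-pointed by whoever controls the action's repository, so the jobs that check out and build the code still resolve their actions at run time. Using one form everywhere would close that gap, e.g. `uses: actions/checkout@<full-commit-sha> # v5.0.0`, with the SHA taken from the upstream release. Both jobs continue outside the hunks, so other `uses:` lines may need the same treatment.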
+++ b/template/.github/reusable_workflows/build-docker-image.yaml.jinja-base
@@ -66,6 +66,8 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@{% endraw %}{{ gha_checkout }}{% raw %}
+ with:
+ persist-credentials: false
 - name: OIDC Auth for ECR
 if: ${{ inputs.push-role-name != 'no-push' }}
diff --git a/template/.github/workflows/ci.yaml.jinja-base b/template/.github/workflows/ci.yaml.jinja-base
index b530a79e..1909b854 100644
--- a/template/.github/workflows/ci.yaml.jinja-base
+++ b/template/.github/workflows/ci.yaml.jinja-base
@@ -51,6 +51,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@{% endraw %}{{ gha_checkout }}{% raw %}
+ with:
+ persist-credentials: false
 - name: Move python script that replaces private package registry information to temp folder so it doesn't get deleted
 run: |
diff --git a/template/.github/workflows/get-values.yaml.jinja-base b/template/.github/workflows/get-values.yaml.jinja-base
index 9a1f86f6..da23f125 100644
--- a/template/.github/workflows/get-values.yaml.jinja-base
+++ b/template/.github/workflows/get-values.yaml.jinja-base
@@ -29,6 +29,8 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@{% endraw %}{{ gha_checkout }}{% raw %}
+ with:
+ persist-credentials: false
 - name: Update Devcontainer Hash
 if: ${{ github.actor == 'dependabot[bot]' && github.event_name == 'push' }}
diff --git a/template/.github/workflows/pre-commit.yaml.jinja-base b/template/.github/workflows/pre-commit.yaml.jinja-base
index 2e6028ee..478ba2ed 100644
--- a/template/.github/workflows/pre-commit.yaml.jinja-base
+++ b/template/.github/workflows/pre-commit.yaml.jinja-base
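Review bot: In the `get-values.yaml.jinja-base` hunk of patch 11 (`@@ -29,6 +29,8 @@`), the checkout that now sets `persist-credentials: false` is followed directly by the `Update Devcontainer Hash` step, which runs only on Dependabot pushes. If `./.github/actions/update-devcontainer-hash` commits and pushes the new hash with the token that checkout used to leave in the local git config, that push will now fail to authenticate; the action's body is not part of this series, so this needs confirming. If it does push, hand the token to that step explicitly and limit the job's `permissions` to `contents: write`, rather than re-enabling persisted credentials for the whole job. The same question applies to the `Checkout code during push` step in `pre-commit.yaml.jinja-base`, whose comment mentions new commits pushed on Dependabot branches.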
@@ -35,10 +35,13 @@ jobs:
 uses: actions/checkout@{% endraw %}{{ gha_checkout }}{% raw %}
 with:
 ref: ${{ github.ref_name }} # explicitly get the head of the branch, which will include any new commits pushed if this is a dependabot branch
+ persist-credentials: false
 - name: Checkout code not during push
 if: ${{ github.event_name != 'push' }}
 uses: actions/checkout@{% endraw %}{{ gha_checkout }}{% raw %}
+ with:
+ persist-credentials: false
 - name: Install latest versions of packages
 uses: ./.github/actions/install_deps
From 78b4a6f1dc955757722e15bd6bb5939b20d5589f Mon Sep 17 00:00:00 2001
From: Eli Fine
Date: Tue, 23 Sep 2025 18:12:00 +0000
Subject: [PATCH 12/15] some more zizmor
---
 template/.github/workflows/get-values.yaml.jinja-base | 2 +-
 template/.github/zizmor.yml | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
 create mode 100644 template/.github/zizmor.yml
diff --git a/template/.github/workflows/get-values.yaml.jinja-base b/template/.github/workflows/get-values.yaml.jinja-base
index da23f125..03f7fca0 100644
--- a/template/.github/workflows/get-values.yaml.jinja-base
+++ b/template/.github/workflows/get-values.yaml.jinja-base
@@ -33,7 +33,7 @@ jobs:
 persist-credentials: false
 - name: Update Devcontainer Hash
- if: ${{ github.actor == 'dependabot[bot]' && github.event_name == 'push' }}
+ if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' && github.event_name == 'push' }}
 id: update-hash
 uses: ./.github/actions/update-devcontainer-hash
 with:
diff --git a/template/.github/zizmor.yml b/template/.github/zizmor.yml
new file mode 100644
index 00000000..2410230e
--- /dev/null
+++ b/template/.github/zizmor.yml
@@ -0,0 +1,4 @@
+rules:
+ template-injection:
+ ignore:
+ - get-values.yaml:28
From c462d998431f595c841a52971ec2b67d45cf5f27 Mon Sep 17 00:00:00 2001
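Review bot: The new `template/.github/zizmor.yml` in patch 12 silences `template-injection` by file and line number (`get-values.yaml:28`), and the comment added to it in patch 13 justifies that as only echoing the github context. Expressions in a `run:` block are expanded before the shell parses the script, so context fields that an outside contributor controls become script text even when the command is `echo`; the finding therefore looks genuine rather than a false positive, although line 28 itself is outside these hunks. Fixing the step removes the need for the ignore, for example `env: GITHUB_CONTEXT: ${{ toJson(github) }}` on the step and `run: echo "$GITHUB_CONTEXT"`. A line-number ignore is also fragile here, because the workflow is rendered from `get-values.yaml.jinja-base` and any edit above line 28 moves the suppression onto a different line.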
From: Eli Fine
Date: Tue, 23 Sep 2025 18:17:13 +0000
Subject: [PATCH 13/15] zizmor
---
 .devcontainer/devcontainer.json | 2 +-
 .pre-commit-config.yaml | 8 ++++----
 template/.github/zizmor.yml | 1 +
 3 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 52bdd484..18c937a4 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -59,5 +59,5 @@
 "initializeCommand": "sh .devcontainer/initialize-command.sh",
 "onCreateCommand": "sh .devcontainer/on-create-command.sh",
 "postStartCommand": "sh .devcontainer/post-start-command.sh"
- // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): 97d447a8 # spellchecker:disable-line
+ // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): e04b48b4 # spellchecker:disable-line
 }
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index be5c07f5..8a8e0c4c 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -211,10 +211,10 @@ repos:
 hooks:
 - id: detect-private-key
- - repo: https://github.com/woodruffw/zizmor-pre-commit
- rev: b933184438555436e38621f46ceb0c417cbed400 # frozen: v1.13.0
- hooks:
- - id: zizmor
+ # - repo: https://github.com/woodruffw/zizmor-pre-commit
+ # rev: b933184438555436e38621f46ceb0c417cbed400 # frozen: v1.13.0
+ # hooks:
+ # - id: zizmor
 # Linting
diff --git a/template/.github/zizmor.yml b/template/.github/zizmor.yml
index 2410230e..b70672b4 100644
--- a/template/.github/zizmor.yml
+++ b/template/.github/zizmor.yml
@@ -1,4 +1,5 @@
 rules:
 template-injection:
 ignore:
+ # this is just echo-ing out the github context to be visible for debugging, it's not executing commands
 - get-values.yaml:28
From 5f7edca9d47c8307859b853627bdd8e150ef48db Mon Sep 17 00:00:00 2001
From: Eli Fine
Date: Tue, 23 Sep 2025 18:26:11 +0000
Subject: [PATCH 14/15] fix push
---
 template/.github/workflows/get-values.yaml.jinja-base | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/template/.github/workflows/get-values.yaml.jinja-base b/template/.github/workflows/get-values.yaml.jinja-base
index 03f7fca0..da23f125 100644
--- a/template/.github/workflows/get-values.yaml.jinja-base
+++ b/template/.github/workflows/get-values.yaml.jinja-base
@@ -33,7 +33,7 @@ jobs:
 persist-credentials: false
 - name: Update Devcontainer Hash
- if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' && github.event_name == 'push' }}
+ if: ${{ github.actor == 'dependabot[bot]' && github.event_name == 'push' }}
 id: update-hash
 uses: ./.github/actions/update-devcontainer-hash
 with:
From 1ea5acb8054280be7f89b133256d10a6cad213e2 Mon Sep 17 00:00:00 2001
From: Eli Fine
Date: Tue, 23 Sep 2025 23:23:08 +0000
Subject: [PATCH 15/15] nits
---
 .devcontainer/devcontainer.json | 2 +-
 .pre-commit-config.yaml | 2 +-
 copier.yaml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 18c937a4..97902f55 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -59,5 +59,5 @@
 "initializeCommand": "sh .devcontainer/initialize-command.sh",
 "onCreateCommand": "sh .devcontainer/on-create-command.sh",
 "postStartCommand": "sh .devcontainer/post-start-command.sh"
- // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): e04b48b4 # spellchecker:disable-line
+ // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): d1386cd9 # spellchecker:disable-line
 }
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 8a8e0c4c..249101a5 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
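Review bot: The `if:` in the patch 14 hunk (`@@ -33,7 +33,7 @@` of `get-values.yaml.jinja-base`) goes back to `github.actor == 'dependabot[bot]'` with nothing recording why the `github.event.pull_request.user.login` form from patch 12 could not stay. A `push` event carries no `pull_request` payload, so that expression was empty and the step could never run; `github.actor` names whoever triggered the run, which is presumably what the linter pass in patch 12 ("some more zizmor") objected to. A comment next to the condition would stop the next linter-driven cleanup from repeating the breakage, e.g. `# push events have no pull_request payload; github.actor is the account that pushed`. The step's `with:` block continues outside the hunk.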
@@ -211,7 +211,7 @@ repos:
 hooks:
 - id: detect-private-key
- # - repo: https://github.com/woodruffw/zizmor-pre-commit
+ # - repo: https://github.com/woodruffw/zizmor-pre-commit # TODO: implement this: https://github.com/LabAutomationAndScreening/copier-base-template/issues/95
 # rev: b933184438555436e38621f46ceb0c417cbed400 # frozen: v1.13.0
 # hooks:
 # - id: zizmor
diff --git a/copier.yaml b/copier.yaml
index a476820d..20ad0c7e 100644
--- a/copier.yaml
+++ b/copier.yaml
@@ -9,7 +9,7 @@ repo_org_name:
 repo_org_name_for_copyright:
 type: str
- help: What's the human-readable organization or username that should be set for the Copyright?
+ help: What's the human-readable organization or username that should be set for the copyright?
 default: "{{ repo_org_name }}"
 description: