More agent rules

[ejfine]

Why is this change necessary?

Some more rules. Some CI permission tweaks to be more explicit

What side effects does this change have?

Switching the default value for the install_deps action would be a breaking change, but that whole thing was just introduced yesterday and I had been assuming it was defaulted to false when I wrote all the code using it anyway, so it should be fine.

How is this change tested?

Downstream aws-central-infra repos

Summary by CodeRabbit

Chores

• Refined frontend testing guidance: prefer strict mock/spy assertions, retain data-testid uniqueness, and require scoping DOM queries to top-level portal/popups.
• Updated Pulumi-related version constraints to newer minimums.
• Changed CI defaults to install the Pulumi CLI unless skipped and granted workflows explicit repository contents read access (plus a job-level contents write for updates).
• Added a reviewer instruction to avoid commenting on certain commit-tag values.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: af52dc03-0769-416c-a3b5-a705ed2145ea

📥 Commits

Reviewing files that changed from the base of the PR and between 778c95e and 1f264ca.

📒 Files selected for processing (1)

• AGENTS.md

---

📝 Walkthrough

Walkthrough

Updates code review instructions and frontend testing guidance, bumps Pulumi-related template context versions, flips a composite-action input default to install Pulumi CLI by default, and adds explicit GitHub Actions permissions for repository contents and a job-level write permission.

Changes

Cohort / File(s)	Summary
Code Review & Agent Guidance \.coderabbit.yaml, AGENTS.md	Added reviews.path_instructions entry targeting **/.copier-answers.yml to avoid comments about _commit release-tag cleanliness. Expanded frontend testing guidance: retained data-testid uniqueness note and added mock/spy assertion ordering plus DOM-query scoping to top-level portal elements.
Template Context Version Pins extensions/context.py	Bumped Pulumi-related context constraints: pulumi_version → >=3.228.0, pulumi_aws_native_version → >=1.59.0, pulumi_okta_version → >=6.4.0. No control-flow changes.
GitHub Actions / Workflow Inputs & Permissions template/.github/actions/install_deps/action.yml.jinja-base, template/.github/workflows/ci.yaml.jinja-base, template/template/.github/workflows/ci.yaml.jinja	Changed skip-installing-pulumi-cli default from true to false (Pulumi CLI installs by default). Added contents: read to workflow-level permissions and added contents: write on get-values job.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Possibly related PRs

• Coderabbit extension #100: Updates the same Pulumi version keys in extensions/context.py.
• Install Pulumi in devcontainer (when needed) #141: Previously introduced/modified the skip-installing-pulumi-cli composite-action input this PR flips.
• Ariadne Codegen path, and VCRpy fixtures #116: Also modifies extensions/context.py template context version assignments.

Suggested reviewers

• idonaldson
• zendern

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description covers several required sections but is missing the 'How does this change address the issue?' section and lacks details about the 'Link to Issue' context, making it incomplete.	Add the 'How does this change address the issue?' section and include the link to the issue or context explaining why these changes are necessary.
Title check	❓ Inconclusive	The title 'More agent rules' is vague and does not clearly summarize the main changes, which include agent rules, CI permission adjustments, and dependency version updates.	Consider a more specific title that captures both agent rules and CI permission changes, such as 'Add agent rules and clarify CI workflow permissions'.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@AGENTS.md`:
- Around line 43-44: The CSS selector example for the Reka UI dialog is split
across lines causing Markdown/rendering and copy-paste errors; edit AGENTS.md at
the sentence mentioning "a Reka UI dialog" and replace the broken multi-line
selector with a single inline code span for the combined selector (the dialog
selector should be one contiguous token rather than split), e.g. the combined
[role="dialog"][data-state="open"], so all further queries run on that found
element.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 00c1fb86-e636-44a1-aeed-b0184e1bbadc

📥 Commits

Reviewing files that changed from the base of the PR and between f01259a and 778c95e.

📒 Files selected for processing (6)

• .coderabbit.yaml
• AGENTS.md
• extensions/context.py
• template/.github/actions/install_deps/action.yml.jinja-base
• template/.github/workflows/ci.yaml.jinja-base
• template/template/.github/workflows/ci.yaml.jinja

[Copilot]

Pull request overview

This PR updates the repository’s agent/reviewer guidance, tightens GitHub Actions CI permissions to be explicit, and adjusts template defaults/versions to better match expected downstream behavior.

Changes:

• Explicitly grants contents: read at the workflow level and adds/clarifies job-level permissions for CI.
• Changes install_deps action default to install the Pulumi CLI unless explicitly skipped.
• Bumps minimum Pulumi-related version constraints and refines reviewer/agent instructions (AGENTS + CodeRabbit config).

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
template/template/.github/workflows/ci.yaml.jinja	Adds explicit contents: read at workflow level and job permission tweaks (including Dependabot update flow).
template/.github/workflows/ci.yaml.jinja-base	Adds explicit contents: read at workflow level to avoid implicit none when permissions are set.
template/.github/actions/install_deps/action.yml.jinja-base	Changes Pulumi CLI skip flag default to false so Pulumi CLI installs unless opted out.
extensions/context.py	Updates Pulumi/Pulumi-provider minimum version constraints used in template context.
AGENTS.md	Expands testing guidance and adds a Frontend Testing section.
.coderabbit.yaml	Adds a path-specific instruction to avoid comments about _commit in .copier-answers.yml.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

toHaveBeenCalledExactlyOnceWith is not a standard matcher in Jest (and isn’t available in many Vitest setups unless an additional matcher library is installed). To keep this guidance broadly correct, consider recommending toHaveBeenCalledTimes(1) + toHaveBeenCalledWith(...) or toHaveBeenNthCalledWith(1, ...) / toHaveBeenLastCalledWith(...) instead, unless this template explicitly includes a matcher package that provides toHaveBeenCalledExactlyOnceWith.

Suggested change

- When asserting a mock or spy was called with specific arguments, always constrain as tightly as possible. In order of preference: (1) assert called exactly once with those args (`assert_called_once_with` in Python, `toHaveBeenCalledExactlyOnceWith` in Vitest/Jest); (2) if multiple calls are expected, assert the total call count and use a positional or last-call assertion (`nthCalledWith`, `lastCalledWith` / `assert_has_calls` with `call_args_list[n]`); (3) plain "called with at any point" (`toHaveBeenCalledWith`, `assert_called_with`) is a last resort only when neither the call count nor the call order can reasonably be constrained.

- When asserting a mock or spy was called with specific arguments, always constrain as tightly as possible. In order of preference: (1) assert called exactly once with those args (`assert_called_once_with` in Python, `toHaveBeenCalledTimes(1)` together with `toHaveBeenCalledWith(...)` or `toHaveBeenNthCalledWith(1, ...)` / `toHaveBeenLastCalledWith(...)` in Vitest/Jest); (2) if multiple calls are expected, assert the total call count and use a positional or last-call assertion (`nthCalledWith`, `lastCalledWith` / `assert_has_calls` with `call_args_list[n]`); (3) plain "called with at any point" (`toHaveBeenCalledWith`, `assert_called_with`) is a last resort only when neither the call count nor the call order can reasonably be constrained.