diff --git a/.coderabbit.yaml b/.coderabbit.yaml index 1d2e81ac..372316ba 100644 --- a/.coderabbit.yaml +++ b/.coderabbit.yaml @@ -7,6 +7,8 @@ reviews: instructions: "These files came from a vendor and we're not allowed to change them. Refer to it if you need to understand how the main code interacts with it, but do not make comments about it." - path: "**/*.py" instructions: "Check the `ruff.toml` and `ruff-test.toml` for linting rules we've explicitly disabled and don't suggest changes to please conventions we've disabled. Do not express concerns about ruff rules; a pre-commit hook already runs a ruff check. Do not warn about unnecessary super().__init__() calls; pyright prefers those to be present. Do not warn about missing type hints; a pre-commit hook already checks for that." + - path: "**/.copier-answers.yml" + instructions: "Do not comment about the `_commit` value needing to be a clean release tag. A CI job will fail if that is not the case." tools: eslint: # when the code contains typescript, eslint will be run by pre-commit, and coderabbit often generates false positives enabled: false diff --git a/AGENTS.md b/AGENTS.md index 6c9e9f64..89ac5111 100644 --- a/AGENTS.md +++ b/AGENTS.md 
@@ -23,7 +23,7 @@ This project is a Copier template used to generate other copier templates. It is - Avoid magic values in comparisons in tests in all languages (like ruff rule PLR2004 specifies) - Prefer using random values in tests rather than arbitrary ones (e.g. the faker library, uuids, random.randint) when possible. For enums, pick randomly rather than hardcoding one value. - Avoid loops in tests — assert each item explicitly so failures pinpoint the exact element. When verifying a condition across all items in a collection, collect the violations into a list and assert it's empty (e.g., assert [x for x in items if bad_condition(x)] == []). -- Key `data-testid` selectors off unique IDs (e.g. UUIDs), not human-readable names which may collide or change. +- When asserting a mock or spy was called with specific arguments, always constrain as tightly as possible. In order of preference: (1) assert called exactly once with those args (`assert_called_once_with` in Python, `toHaveBeenCalledExactlyOnceWith` in Vitest/Jest); (2) if multiple calls are expected, assert the total call count and use a positional or last-call assertion (`nthCalledWith`, `lastCalledWith` / `assert_has_calls` with `call_args_list[n]`); (3) plain "called with at any point" (`toHaveBeenCalledWith`, `assert_called_with`) is a last resort only when neither the call count nor the call order can reasonably be constrained. ### Python Testing 
@@ -37,6 +37,11 @@ This project is a Copier template used to generate other copier templates. It is - **Never hand-edit syrupy snapshot files.** Snapshots are auto-generated — to create or update them, run `uv run pytest --snapshot-update --no-cov`. A missing snapshot causes the test to fail, which is expected until you run with `--snapshot-update`. When a snapshot mismatch occurs, fix the code if the change was unintentional; run `--snapshot-update` if it was intentional. - **Never hand-write or hand-edit pytest-reserial `.jsonl` recording files.** Recordings must be captured from real serial port traffic by running the test with `--record` while the device is connected: `uv run pytest --record --no-cov`. The default mode replays recordings — a missing recording causes an error, which is expected until recorded against a live device. +### Frontend Testing + +- Key `data-testid` selectors off unique IDs (e.g. UUIDs), not human-readable names which may collide or change. +- In DOM-based tests, scope queries to the tightest relevant container. Only query `document` or `document.body` directly to find the top-level portal/popup element (e.g. a Reka UI dialog via `[role="dialog"][data-state="open"]`); all further queries should run on that element, not on `document.body` again. + # Agent Implementations & Configurations ## Memory and Rules diff --git a/extensions/context.py b/extensions/context.py index 4d03a034..86add4b7 100644 --- a/extensions/context.py +++ b/extensions/context.py 
@@ -26,12 +26,12 @@ def hook(self, context: dict[Any, Any]) -> dict[Any, Any]: context["ty_version"] = ">=0.0.23" ####### context["sphinx_version"] = "9.0.4" - context["pulumi_version"] = ">=3.226.0" + context["pulumi_version"] = ">=3.228.0" context["pulumi_aws_version"] = ">=7.23.0" - context["pulumi_aws_native_version"] = ">=1.57.0" + context["pulumi_aws_native_version"] = ">=1.59.0" context["pulumi_command_version"] = ">=1.2.1" context["pulumi_github_version"] = ">=6.12.1" - context["pulumi_okta_version"] = ">=6.2.3" + context["pulumi_okta_version"] = ">=6.4.0" context["boto3_version"] = ">=1.42.53" context["ephemeral_pulumi_deploy_version"] = ">=0.0.6" context["pydantic_version"] = ">=2.12.5" diff --git a/template/.github/actions/install_deps/action.yml.jinja-base b/template/.github/actions/install_deps/action.yml.jinja-base index c21e92b7..3ca2d720 100644 --- a/template/.github/actions/install_deps/action.yml.jinja-base +++ b/template/.github/actions/install_deps/action.yml.jinja-base @@ -47,7 +47,7 @@ inputs: skip-installing-pulumi-cli: type: boolean description: Whether to skip installing the Pulumi CLI even if the lock file references it - default: true + default: false required: false diff --git a/template/.github/workflows/ci.yaml.jinja-base b/template/.github/workflows/ci.yaml.jinja-base index 673af8db..fe5421a1 100644 --- a/template/.github/workflows/ci.yaml.jinja-base +++ b/template/.github/workflows/ci.yaml.jinja-base @@ -13,6 +13,7 @@ env: permissions: id-token: write # needed to assume OIDC roles (e.g. for downloading from CodeArtifact) + contents: read # need to explicitly provide this whenever defining permissions because the default value is 'none' for anything not explicitly set when permissions are defined jobs: get-values: diff --git a/template/template/.github/workflows/ci.yaml.jinja b/template/template/.github/workflows/ci.yaml.jinja index a1e70a54..4b65122a 100644 --- a/template/template/.github/workflows/ci.yaml.jinja 
+++ b/template/template/.github/workflows/ci.yaml.jinja @@ -13,10 +13,13 @@ env: permissions: id-token: write # needed to assume OIDC roles (e.g. for downloading from CodeArtifact) + contents: read # need to explicitly provide this whenever defining permissions because the default value is 'none' for anything not explicitly set when permissions are defined jobs: get-values: uses: ./.github/workflows/get-values.yaml + permissions: + contents: write # needed for updating dependabot branches check-skip-duplicate: runs-on: {% endraw %}{{ gha_linux_runner }}{% raw %}
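Review bot: In the new mock-assertion bullet in AGENTS.md (hunk `@@ -23,7 +23,7 @@`), option (2) reads "`assert_has_calls` with `call_args_list[n]`", which is unclear and can be read as a looser check than intended. `assert_has_calls` takes a list of expected calls and still passes when the mock received extra calls before or after them, whereas `call_args_list[n]` is compared directly against a single expected call. Suggest spelling the Python form out as a `call_count` assertion plus a comparison against `call_args_list[n]`, and saying that `assert_has_calls` is only tight when paired with that count. The same bullet mixes short matcher names (`nthCalledWith`, `lastCalledWith`) with full ones (`toHaveBeenCalledWith`); `toHaveBeenNthCalledWith` and `toHaveBeenLastCalledWith` would keep the list consistent.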
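Review bot: Flipping the default of `skip-installing-pulumi-cli` from `true` to `false` in template/.github/actions/install_deps/action.yml.jinja-base changes behaviour for every caller that omits the input: the Pulumi CLI will now be installed whenever the lock file references it. No caller is touched in this patch, so please confirm that any workflow relying on the old default now passes `skip-installing-pulumi-cli: true` explicitly, and mention the flip in the change description so generated templates know to expect it on their next update.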
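Review bot: In template/.github/workflows/ci.yaml.jinja-base the `get-values` job has no job-level `permissions` override, while the matching hunk for template/template/.github/workflows/ci.yaml.jinja grants it `contents: write` "for updating dependabot branches". With the workflow-level block now setting `contents: read`, the called get-values.yaml is limited to read access in this file. If it updates dependabot branches here too, it needs the same override; if it does not, a short comment explaining why the two files differ would save the next reader from assuming an omission.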
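Review bot: The job-level `permissions` block added to `get-values` in template/template/.github/workflows/ci.yaml.jinja lists only `contents: write`. As the comment on the workflow-level block in this same hunk says, anything not listed becomes 'none' once `permissions` is defined, and that applies at job level as well, so this job no longer passes `id-token: write` down to get-values.yaml. If that reusable workflow assumes an OIDC role, add `id-token: write` to this block. Keeping `contents: write` on this one job instead of raising it at workflow level is the right scope.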