Copier update: workflow summary (#87)

Pull in upstream template changes

Tested in downstream repos, including
LabAutomationAndScreening/cloud-courier#51

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

## Release Notes

* **New Features**
* Enhanced CI/CD pipeline with duplicate pull request detection to
prevent redundant checks
* Added template version validation workflow for release tag enforcement

* **Chores**
* Updated devcontainer base image and VS Code extensions to latest
versions
* Updated development tool dependencies (pnpm, Pulumi, and related
packages)
  * Improved GitHub CLI permission rules for enhanced security controls
  * Added optional Pulumi CLI installation skipping for faster setup

* **Documentation**
* Expanded developer testing guidelines with isolation patterns and
mock/spy assertions
* Enhanced tooling best practices with explicit command execution
preferences

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Author: ejfine

.claude/settings/permissions/bash.jsonc

@@ -74,9 +74,17 @@
       "Bash(tail *)",
       // Search
       "Bash(rg *)",
+      // Research
+      "Bash(gh issue list *)",
+      "Bash(gh pr view *)",
+      "Bash(gh pr diff *)"
     ],
     "ask": [
-      "Bash(gh *)", // let's hold off before we let it use the github CLI in any free running allow mode...I don't want it somehow approving PRs with the user's credentials
+      // let's hold off before we let it use the github CLI in any free running allow mode...I don't want it somehow approving PRs with the user's credentials
+      "Bash(gh repo *)",
+      "Bash(gh release *)",
+      "Bash(gh secret *)",
+      "Bash(gh ruleset *)",
       "Bash(aws *)", // let's hold off before we let it use AWS CLI in any free running allow mode. We need to be very sure we don't have any access to staging or production credentials in our dev environment (...which we shouldn't...but we need to double check that or consider any other safeguards first)
       "Bash(curl *)",
       "Bash(ln *)",
@@ -85,6 +93,17 @@
     "deny": [
       // Exceptions to generally allowed AI tooling
       "Bash(bd init*)", // we need to control the init process, don't let AI do that in the background
+      // Github
+      // Claude should not ever interfere with the PR process, that is how we gate AI's work
+      "Bash(gh pr create *)",
+      "Bash(gh pr edit *)",
+      "Bash(gh pr ready *)",
+      "Bash(gh pr review *)",
+      "Bash(gh pr merge *)",
+      "Bash(gh pr close *)",
+      "Bash(gh pr comment *)",
+      "Bash(gh pr update-branch *)",
+
       // Destructive File Operations
       "Bash(chmod -R *)",
       "Bash(chown -R *)",

.coderabbit.yaml

@@ -7,6 +7,8 @@ reviews:
       instructions: "These files came from a vendor and we're not allowed to change them. Refer to it if you need to understand how the main code interacts with it, but do not make comments about it."
     - path: "**/*.py"
       instructions: "Check the `ruff.toml` and `ruff-test.toml` for linting rules we've explicitly disabled and don't suggest changes to please conventions we've disabled. Do not express concerns about ruff rules; a pre-commit hook already runs a ruff check. Do not warn about unnecessary super().__init__() calls; pyright prefers those to be present. Do not warn about missing type hints; a pre-commit hook already checks for that."
+    - path: "**/.copier-answers.yml"
+      instructions: "Do not comment about the `_commit` value needing to be a clean release tag. A CI job will fail if that is not the case."
   tools:
     eslint: # when the code contains typescript, eslint will be run by pre-commit, and coderabbit often generates false positives
       enabled: false

.copier-answers.yml

@@ -1,5 +1,5 @@
 # Changes here will be overwritten by Copier
-_commit: v0.0.106
+_commit: v0.0.109
 _src_path: gh:LabAutomationAndScreening/copier-base-template.git
 description: Copier template for creating Python libraries and executables
 install_claude_cli: true

.devcontainer/Dockerfile

@@ -1,7 +1,7 @@
 # base image tags available at https://mcr.microsoft.com/v2/devcontainers/universal/tags/list
 # added the platform flag to override any local settings since this image is only compatible with linux/amd64. since this image is only x64 compatible, suppressing the hadolint rule
 # hadolint ignore=DL3029
-FROM --platform=linux/amd64 mcr.microsoft.com/devcontainers/universal:5.1.4-noble
+FROM --platform=linux/amd64 mcr.microsoft.com/devcontainers/universal:5.1.5-noble
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 

.devcontainer/devcontainer.json

@@ -1,4 +1,8 @@
 {
+  "hostRequirements": {
+    "cpus": 2,
+    "memory": "4gb"
+  },
   "dockerComposeFile": "docker-compose.yml",
   "service": "devcontainer",
   "workspaceFolder": "/workspaces/${localWorkspaceFolderBasename}",
@@ -22,21 +26,21 @@
         "ms-vscode.live-server@0.5.2025051301",
         "MS-vsliveshare.vsliveshare@1.0.5905",
         "github.copilot@1.388.0",
-        "github.copilot-chat@0.38.2026022704",
-        "anthropic.claude-code@2.1.74",
+        "github.copilot-chat@0.42.2026032602",
+        "anthropic.claude-code@2.1.84",
 
         // Python
-        "ms-python.python@2026.2.2026021801",
-        "ms-python.vscode-pylance@2026.1.1",
+        "ms-python.python@2026.5.2026032701",
+        "ms-python.vscode-pylance@2026.1.102",
         "ms-vscode-remote.remote-containers@0.414.0",
-        "charliermarsh.ruff@2026.36.0",
+        "charliermarsh.ruff@2026.38.0",
 
         // Misc file formats
         "bierner.markdown-mermaid@1.29.0",
         "samuelcolvin.jinjahtml@0.20.0",
         "tamasfe.even-better-toml@0.19.2",
         "emilast.LogFileHighlighter@3.3.3",
-        "esbenp.prettier-vscode@12.3.0"
+        "esbenp.prettier-vscode@12.4.0"
       ],
       "settings": {
         "editor.accessibilitySupport": "off", // turn off sounds
@@ -61,5 +65,5 @@
   "initializeCommand": "sh .devcontainer/initialize-command.sh",
   "onCreateCommand": "sh .devcontainer/on-create-command.sh",
   "postStartCommand": "sh .devcontainer/post-start-command.sh"
-  // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): c4997eda # spellchecker:disable-line
+  // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): d77a3ff3 # spellchecker:disable-line
 }

.devcontainer/install-ci-tooling.py

@@ -8,7 +8,7 @@
 from pathlib import Path
 
 UV_VERSION = "0.10.12"
-PNPM_VERSION = "10.32.1"
+PNPM_VERSION = "10.33.0"
 COPIER_VERSION = "==9.14.0"
 COPIER_TEMPLATE_EXTENSIONS_VERSION = "==0.3.3"
 PRE_COMMIT_VERSION = "4.5.1"

.devcontainer/manual-setup-deps.py

@@ -44,6 +44,12 @@
     default=False,
     help="Allow uv to install new versions of Python on the fly. This is typically only needed when instantiating the copier template.",
 )
+_ = parser.add_argument(
+    "--skip-installing-pulumi-cli",
+    action="store_true",
+    default=False,
+    help="Do not install the Pulumi CLI even if the lock file references it",
+)
 
 
 class PackageManager(str, enum.Enum):
@@ -127,6 +133,17 @@ def main():
                     check=True,
                     env=uv_env,
                 )
+            if (
+                not generate_lock_file_only
+                and not args.skip_installing_pulumi_cli
+                and platform.system() == "Linux"
+                and env.lock_file.exists()
+                and '"pulumi"' in env.lock_file.read_text()
+            ):
+                _ = subprocess.run(
+                    ["sh", str(REPO_ROOT_DIR / ".devcontainer" / "install-pulumi-cli.sh"), str(env.lock_file)],
+                    check=True,
+                )
         elif env.package_manager == PackageManager.PNPM:
             pnpm_command = ["pnpm", "install", "--dir", str(env.path)]
             if env_check_lock:

.devcontainer/on-create-command.sh

@@ -3,12 +3,12 @@ set -ex
 
 # For some reason the directory is not setup correctly and causes build of devcontainer to fail since
 # it doesn't have access to the workspace directory. This can normally be done in post-start-command
-git config --global --add safe.directory /workspaces/copier-python-package-template
+script_dir="$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)"
+repo_root="$(CDPATH= cd -- "$script_dir/.." && pwd)"
+git config --global --add safe.directory "$repo_root"
 
 sh .devcontainer/on-create-command-boilerplate.sh
 # install json5 for merging claude settings.  TODO: consider if we can install json5 globally...or somehow eliminate this dependency
-script_dir="$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)"
-repo_root="$(CDPATH= cd -- "$script_dir/.." && pwd)"
 mkdir -p "$repo_root/.claude"
 chmod -R ug+rwX "$repo_root/.claude"
 chgrp -R 0 "$repo_root/.claude" || true

.devcontainer/post-start-command.sh

@@ -3,7 +3,9 @@ set -ex
 
 # For some reason the directory is not setup correctly and causes build of devcontainer to fail since
 # it doesn't have access to the workspace directory. This can normally be done in post-start-command
-git config --global --add safe.directory /workspaces/copier-python-package-template
+script_dir="$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)"
+repo_root="$(CDPATH= cd -- "$script_dir/.." && pwd)"
+git config --global --add safe.directory "$repo_root"
 pre-commit run merge-claude-settings -a
 if ! bd ready; then
 	echo "It's likely the Dolt server has not yet been initialized to support beads, running that now" # TODO: figure out a better way to match this specific scenario than just a non-zero exit code...but beads still seems like in high flux right now so not sure what to tie it to

.github/actions/check-skip-duplicates/action.yml

@@ -0,0 +1,44 @@
+name: Check Skip Duplicates
+description: 'Check that will output a variable to allow you to skip duplicate runs. Example: If you have both push and pull_request triggers enabled and you dont want to run 2 jobs for the same commit if a PR is already open you can add this to your jobs to skip that extra execution.'
+
+outputs:
+  should-run:
+    description: 'Flag that determines if this execution should run or not'
+    value: ${{ steps.check.outputs.should_run }}
+
+runs:
+  using: composite
+  steps:
+    - name: Check if push has associated open PR
+      id: check
+      env:
+        GH_TOKEN: ${{ github.token }}
+        REF_NAME: ${{ github.ref_name }}
+        REPO_NAME: ${{ github.repository }}
+        EVENT_NAME: ${{ github.event_name }}
+      shell: bash
+      run: |
+        # For non-push events, always run
+        if [ "$EVENT_NAME" != "push" ]; then
+          echo "should_run=true" >> $GITHUB_OUTPUT
+          echo "Event is $EVENT_NAME, will run CI"
+          exit 0
+        fi
+
+        # For push events, check if there's an open PR for this branch
+        pr_json=$(gh pr list \
+          --repo "$REPO_NAME" \
+          --head "$REF_NAME" \
+          --state open \
+          --json number \
+          --limit 1)
+
+        pr_number=$(echo "$pr_json" | jq -r '.[0].number // ""')
+
+        if [ -n "$pr_number" ]; then
+          echo "should_run=false" >> $GITHUB_OUTPUT
+          echo "Push to branch with open PR #$pr_number detected, skipping (PR event will run CI)"
+        else
+          echo "should_run=true" >> $GITHUB_OUTPUT
+          echo "Push to branch without open PR, will run CI"
+        fi