Copier update (github action versions) (#66)

## Why is this change necessary?
Keep up to date


 ## How does this change address the issue?
Pulls in upstream changes


 ## What side effects does this change have?
None


 ## How is this change tested?
downstream repo


 ## Other
also addresses
#63
and
#67

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

- New Features
- CI tooling: optional skip for SSM Plugin install and Windows support
for SSM Plugin.
  - Reusable Docker build workflow now exposes an artifact-name output.

- Chores
- Bumped many devcontainer extensions, tooling, dependencies, and GitHub
Action versions.
  - Removed obsolete manual dependency setup script.
  - Pre-commit workflow: added concurrency mutex.
- Publish flow: stricter import verification and changed PyPI install
timing/flags.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Author: ejfine

.copier-answers.yml

@@ -1,5 +1,5 @@
 # Changes here will be overwritten by Copier
-_commit: v0.0.64
+_commit: v0.0.69
 _src_path: gh:LabAutomationAndScreening/copier-base-template.git
 description: Copier template for creating Python libraries and executables
 python_ci_versions:

.devcontainer/devcontainer.json

@@ -23,12 +23,12 @@
         "eamodio.gitlens@15.5.1",
         "ms-vscode.live-server@0.5.2025051301",
         "MS-vsliveshare.vsliveshare@1.0.5905",
-        "github.copilot@1.320.1564",
-        "github.copilot-chat@0.28.2025051402",
+        "github.copilot@1.366.1775",
+        "github.copilot-chat@0.31.2025090401",
 
         // Python
-        "ms-python.python@2025.7.2025051401",
-        "ms-python.vscode-pylance@2025.4.104",
+        "ms-python.python@2025.13.2025090201",
+        "ms-python.vscode-pylance@2025.7.102",
         "ms-vscode-remote.remote-containers@0.414.0",
         "charliermarsh.ruff@2025.24.0",
 
@@ -61,5 +61,5 @@
   "initializeCommand": "sh .devcontainer/initialize-command.sh",
   "onCreateCommand": "sh .devcontainer/on-create-command.sh",
   "postStartCommand": "sh .devcontainer/post-start-command.sh"
-  // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): d72f90f7 # spellchecker:disable-line
+  // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): bec12e35 # spellchecker:disable-line
 }

.devcontainer/install-ci-tooling.py

@@ -7,10 +7,10 @@
 import tempfile
 from pathlib import Path
 
-UV_VERSION = "0.8.4"
-PNPM_VERSION = "10.14.0"
-COPIER_VERSION = "9.9.1"
-COPIER_TEMPLATE_EXTENSIONS_VERSION = "0.3.2"
+UV_VERSION = "0.8.15"
+PNPM_VERSION = "10.15.1"
+COPIER_VERSION = "9.10.1"
+COPIER_TEMPLATE_EXTENSIONS_VERSION = "0.3.3"
 PRE_COMMIT_VERSION = "4.3.0"
 GITHUB_WINDOWS_RUNNER_BIN_PATH = r"C:\Users\runneradmin\.local\bin"
 INSTALL_SSM_PLUGIN_BY_DEFAULT = False
@@ -31,10 +31,10 @@
     "--no-node", action="store_true", default=False, help="Do not process any environments using node package managers"
 )
 _ = parser.add_argument(
-    "--install-ssm-plugin",
+    "--skip-installing-ssm-plugin",
     action="store_true",
-    default=INSTALL_SSM_PLUGIN_BY_DEFAULT,
-    help="Install the SSM plugin for AWS CLI",
+    default=False,
+    help="Skip installing the SSM plugin for AWS CLI",
 )
 
 
@@ -117,26 +117,43 @@ def main():
                 else [cmd]
             )
             _ = subprocess.run(cmd, shell=True, check=True)
-    if args.install_ssm_plugin:
-        if is_windows:
-            raise NotImplementedError("SSM plugin installation is not implemented for Windows")
+    if INSTALL_SSM_PLUGIN_BY_DEFAULT and not args.skip_installing_ssm_plugin:
         with tempfile.TemporaryDirectory() as tmp_dir:
-            local_package_path = Path(tmp_dir) / "session-manager-plugin.deb"
-            # Based on https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-debian-and-ubuntu.html
-            # no specific reason for that version, just pinning it for best practice
-            _ = subprocess.run(
-                [
-                    "curl",
-                    "https://s3.amazonaws.com/session-manager-downloads/plugin/1.2.707.0/ubuntu_64bit/session-manager-plugin.deb",
-                    "-o",
-                    f"{local_package_path}",
-                ],
-                check=True,
-            )
-            _ = subprocess.run(
-                ["sudo", "dpkg", "-i", str(local_package_path)],
-                check=True,
-            )
+            if is_windows:
+                local_package_path = Path(tmp_dir) / "SessionManagerPluginSetup.exe"
+                # Based on https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-windows.html
+                # no specific reason for that version, just pinning it for best practice
+                _ = subprocess.run(
+                    [
+                        "curl",
+                        "https://s3.amazonaws.com/session-manager-downloads/plugin/1.2.707.0/windows/SessionManagerPluginSetup.exe",
+                        "-o",
+                        f"{local_package_path}",
+                    ],
+                    check=True,
+                )
+                _ = subprocess.run(
+                    [str(local_package_path), "/quiet"],
+                    check=True,
+                )
+            else:
+                local_package_path = Path(tmp_dir) / "session-manager-plugin.deb"
+                # Based on https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-debian-and-ubuntu.html
+                # no specific reason for that version, just pinning it for best practice
+                _ = subprocess.run(
+                    [
+                        "curl",
+                        "https://s3.amazonaws.com/session-manager-downloads/plugin/1.2.707.0/ubuntu_64bit/session-manager-plugin.deb",
+                        "-o",
+                        f"{local_package_path}",
+                    ],
+                    check=True,
+                )
+                _ = subprocess.run(
+                    ["sudo", "dpkg", "-i", str(local_package_path)],
+                    check=True,
+                )
+            print("SSM Plugin Manager Version: ")
             _ = subprocess.run(
                 ["session-manager-plugin", "--version"],
                 check=True,

.devcontainer/manual-setup-deps.sh

@@ -16,6 +16,11 @@ inputs:
     default: true
     type: boolean
     description: Whether to run the setup-deps script, or just to setup basic CI tooling
+  skip-installing-ssm-plugin-manager:
+    required: false
+    default: false
+    type: boolean
+    description: Whether to explicitly skip installing the SSM Plugin manager when setting up basic CI tooling
   project-dir:
     type: string
     description: What's the relative path to the project?
@@ -48,24 +53,24 @@ runs:
 
     - name: Setup python
       if: ${{ inputs.python-version != 'notUsing' }}
-      uses: actions/setup-python@v5.6.0
+      uses: actions/setup-python@v6.0.0
       with:
         python-version: ${{ env.PYTHON_VERSION }}
 
     - name: Setup node
       if: ${{ inputs.node-version != 'notUsing' }}
-      uses: actions/setup-node@v4.4.0
+      uses: actions/setup-node@v5.0.0
       with:
         node-version: ${{ inputs.node-version }}
 
     - name: Install tooling
       # the funky syntax is github action ternary
-      run: python .devcontainer/install-ci-tooling.py ${{ inputs.python-version == 'notUsing' && '--no-python' || '' }} ${{ inputs.node-version == 'notUsing' && '--no-node' || '' }}
+      run: python .devcontainer/install-ci-tooling.py ${{ inputs.python-version == 'notUsing' && '--no-python' || '' }} ${{ inputs.node-version == 'notUsing' && '--no-node' || '' }} ${{ inputs.skip-installing-ssm-plugin-manager && '--skip-installing-ssm-plugin' || '' }}
       shell: pwsh
 
     - name: OIDC Auth for CodeArtifact
       if: ${{ inputs.code-artifact-auth-role-name != 'no-code-artifact' }}
-      uses: aws-actions/configure-aws-credentials@v4.2.0
+      uses: aws-actions/configure-aws-credentials@v5.0.0
       with:
         role-to-assume: arn:aws:iam::${{ inputs.code-artifact-auth-role-account-id }}:role/${{ inputs.code-artifact-auth-role-name }}
         aws-region: ${{ inputs.code-artifact-auth-region }}

.github/actions/install_deps/action.yml

@@ -27,7 +27,7 @@ runs:
       shell: bash
 
     - name: Checkout code
-      uses: actions/checkout@v4.2.2
+      uses: actions/checkout@v5.0.0
       with:
         persist-credentials: true
         fetch-depth: 1

.github/actions/update-devcontainer-hash/action.yml

@@ -31,6 +31,10 @@ on:
         description: 'Should the image be saved as an artifact?'
         required: false
         default: false
+    outputs:
+      artifact-name:
+        description: 'The name of the uploaded artifact of the image tarball'
+        value: ${{ jobs.build-image.outputs.artifact-name }}
 
 permissions:
     id-token: write
@@ -40,6 +44,8 @@ jobs:
   build-image:
     name: Build Docker Image
     runs-on: ubuntu-24.04
+    outputs:
+      artifact-name: ${{ steps.calculate-build-context-hash.outputs.image_name_no_slashes }}
     steps:
       - name: Parse ECR URL
         if: ${{ inputs.push-role-name != 'no-push' }}
@@ -59,11 +65,11 @@ jobs:
         shell: bash
 
       - name: Checkout code
-        uses: actions/checkout@v4.2.2
+        uses: actions/checkout@v5.0.0
 
       - name: OIDC Auth for ECR
         if: ${{ inputs.push-role-name != 'no-push' }}
-        uses: aws-actions/configure-aws-credentials@v4.2.0
+        uses: aws-actions/configure-aws-credentials@v5.0.0
         with:
           role-to-assume: arn:aws:iam::${{ steps.parse_ecr_url.outputs.aws_account_id }}:role/${{ inputs.push-role-name }}
           aws-region: ${{ steps.parse_ecr_url.outputs.aws_region }}
@@ -114,9 +120,9 @@ jobs:
 
       - name: Set up Docker Buildx
         if: ${{ (inputs.save-as-artifact && inputs.push-role-name == 'no-push') || steps.check-if-exists.outputs.status == 'notfound' }}
-        uses: docker/setup-buildx-action@v3.10.0
+        uses: docker/setup-buildx-action@v3.11.1
         with:
-          version: v0.22.0
+          version: v0.27.0
 
       - name: Build Docker Image
         if: ${{ (inputs.save-as-artifact && inputs.push-role-name == 'no-push') || steps.check-if-exists.outputs.status == 'notfound' }}

.github/reusable_workflows/build-docker-image.yaml

@@ -53,7 +53,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4.2.2
+        uses: actions/checkout@v5.0.0
 
       - name: Move python script that replaces private package registry information to temp folder so it doesn't get deleted
         run: |
@@ -108,7 +108,7 @@ jobs:
         timeout-minutes: 30 # this is the amount of time this action will wait to attempt to acquire the mutex lock before failing, e.g. if other jobs are queued up in front of it
 
       - name: Cache Pre-commit hooks
-        uses: actions/cache@v4.2.3
+        uses: actions/cache@v4.2.4
         env:
           cache-name: cache-pre-commit-hooks
         with:

.github/workflows/ci.yaml

@@ -25,7 +25,7 @@ jobs:
       pr-short-num: ${{ steps.find-pr-num.outputs.number }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4.2.2
+        uses: actions/checkout@v5.0.0
 
       - name: Update Devcontainer Hash
         if: ${{ github.actor == 'dependabot[bot]' && github.event_name == 'push' }}

.github/workflows/get-values.yaml

@@ -32,19 +32,20 @@ jobs:
     steps:
       - name: Checkout code during push
         if: ${{ github.event_name == 'push' }}
-        uses: actions/checkout@v4.2.2
+        uses: actions/checkout@v5.0.0
         with:
           ref: ${{ github.ref_name }} # explicitly get the head of the branch, which will include any new commits pushed if this is a dependabot branch
 
       - name: Checkout code not during push
         if: ${{ github.event_name != 'push' }}
-        uses: actions/checkout@v4.2.2
+        uses: actions/checkout@v5.0.0
 
       - name: Install latest versions of packages
         uses: ./.github/actions/install_deps
         with:
           python-version: ${{ inputs.python-version }}
           node-version: ${{ inputs.node-version }}
+          skip-installing-ssm-plugin-manager: true
 
       - name: Set up mutex # Github concurrency management is horrible, things get arbitrarily cancelled if queued up. So using mutex until github fixes itself. When multiple jobs are modifying cache at once, weird things can happen.  possible issue is https://github.com/actions/toolkit/issues/658
         if: ${{ runner.os != 'Windows' }} # we're just gonna have to YOLO on Windows, because this action doesn't support it yet https://github.com/ben-z/gh-action-mutex/issues/14
@@ -54,7 +55,7 @@ jobs:
         timeout-minutes: 30 # this is the amount of time this action will wait to attempt to acquire the mutex lock before failing, e.g. if other jobs are queued up in front of it
 
       - name: Cache Pre-commit hooks
-        uses: actions/cache@v4.2.3
+        uses: actions/cache@v4.2.4
         env:
           cache-name: cache-pre-commit-hooks
         with: