LabAutomationAndScreening · ejfine · Mar 31, 2026 · Mar 30, 2026 · Mar 30, 2026 · coderabbitai
diff --git a/.claude/settings/permissions/bash.jsonc b/.claude/settings/permissions/bash.jsonc
@@ -74,9 +74,17 @@
       "Bash(tail *)",
       // Search
       "Bash(rg *)",
+      // Research
+      "Bash(gh issue list *)",
+      "Bash(gh pr view *)",
+      "Bash(gh pr diff *)"
     ],
     "ask": [
-      "Bash(gh *)", // let's hold off before we let it use the github CLI in any free running allow mode...I don't want it somehow approving PRs with the user's credentials
+      // let's hold off before we let it use the github CLI in any free running allow mode...I don't want it somehow approving PRs with the user's credentials
+      "Bash(gh repo *)",
+      "Bash(gh release *)",
+      "Bash(gh secret *)",
+      "Bash(gh ruleset *)",
       "Bash(aws *)", // let's hold off before we let it use AWS CLI in any free running allow mode. We need to be very sure we don't have any access to staging or production credentials in our dev environment (...which we shouldn't...but we need to double check that or consider any other safeguards first)
       "Bash(curl *)",
       "Bash(ln *)",
@@ -85,6 +93,17 @@
     "deny": [
       // Exceptions to generally allowed AI tooling
       "Bash(bd init*)", // we need to control the init process, don't let AI do that in the background
+      // Github
+      // Claude should not ever interfere with the PR process, that is how we gate AI's work
+      "Bash(gh pr create *)",
+      "Bash(gh pr edit *)",
+      "Bash(gh pr ready *)",
+      "Bash(gh pr review *)",
+      "Bash(gh pr merge *)",
+      "Bash(gh pr close *)",
+      "Bash(gh pr comment *)",
+      "Bash(gh pr update-branch *)",
+
       // Destructive File Operations
       "Bash(chmod -R *)",
       "Bash(chown -R *)",

diff --git a/.coderabbit.yaml b/.coderabbit.yaml
@@ -7,6 +7,8 @@ reviews:
       instructions: "These files came from a vendor and we're not allowed to change them. Refer to it if you need to understand how the main code interacts with it, but do not make comments about it."
     - path: "**/*.py"
       instructions: "Check the `ruff.toml` and `ruff-test.toml` for linting rules we've explicitly disabled and don't suggest changes to please conventions we've disabled. Do not express concerns about ruff rules; a pre-commit hook already runs a ruff check. Do not warn about unnecessary super().__init__() calls; pyright prefers those to be present. Do not warn about missing type hints; a pre-commit hook already checks for that."
+    - path: "**/.copier-answers.yml"
+      instructions: "Do not comment about the `_commit` value needing to be a clean release tag. A CI job will fail if that is not the case."
   tools:
     eslint: # when the code contains typescript, eslint will be run by pre-commit, and coderabbit often generates false positives
       enabled: false

diff --git a/.copier-answers.yml b/.copier-answers.yml
@@ -1,5 +1,5 @@
 # Changes here will be overwritten by Copier
-_commit: v0.0.106
+_commit: v0.0.109
 _src_path: gh:LabAutomationAndScreening/copier-base-template.git
 description: Copier template for creating Python libraries and executables
 install_claude_cli: true

diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
@@ -1,7 +1,7 @@
 # base image tags available at https://mcr.microsoft.com/v2/devcontainers/universal/tags/list
 # added the platform flag to override any local settings since this image is only compatible with linux/amd64. since this image is only x64 compatible, suppressing the hadolint rule
 # hadolint ignore=DL3029
-FROM --platform=linux/amd64 mcr.microsoft.com/devcontainers/universal:5.1.4-noble
+FROM --platform=linux/amd64 mcr.microsoft.com/devcontainers/universal:5.1.5-noble
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 

diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -1,4 +1,8 @@
 {
+  "hostRequirements": {
+    "cpus": 2,
+    "memory": "4gb"
+  },
   "dockerComposeFile": "docker-compose.yml",
   "service": "devcontainer",
   "workspaceFolder": "/workspaces/${localWorkspaceFolderBasename}",
@@ -22,21 +26,21 @@
         "ms-vscode.live-server@0.5.2025051301",
         "MS-vsliveshare.vsliveshare@1.0.5905",
         "github.copilot@1.388.0",
-        "github.copilot-chat@0.38.2026022704",
-        "anthropic.claude-code@2.1.74",
+        "github.copilot-chat@0.42.2026032602",
+        "anthropic.claude-code@2.1.84",
 
         // Python
-        "ms-python.python@2026.2.2026021801",
-        "ms-python.vscode-pylance@2026.1.1",
+        "ms-python.python@2026.5.2026032701",
+        "ms-python.vscode-pylance@2026.1.102",
         "ms-vscode-remote.remote-containers@0.414.0",
-        "charliermarsh.ruff@2026.36.0",
+        "charliermarsh.ruff@2026.38.0",
 
         // Misc file formats
         "bierner.markdown-mermaid@1.29.0",
         "samuelcolvin.jinjahtml@0.20.0",
         "tamasfe.even-better-toml@0.19.2",
         "emilast.LogFileHighlighter@3.3.3",
-        "esbenp.prettier-vscode@12.3.0"
+        "esbenp.prettier-vscode@12.4.0"
       ],
       "settings": {
         "editor.accessibilitySupport": "off", // turn off sounds
@@ -61,5 +65,5 @@
   "initializeCommand": "sh .devcontainer/initialize-command.sh",
   "onCreateCommand": "sh .devcontainer/on-create-command.sh",
   "postStartCommand": "sh .devcontainer/post-start-command.sh"
-  // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): c4997eda # spellchecker:disable-line
+  // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): d77a3ff3 # spellchecker:disable-line
 }
diff --git a/.devcontainer/install-ci-tooling.py b/.devcontainer/install-ci-tooling.py
@@ -8,7 +8,7 @@
 from pathlib import Path
 
 UV_VERSION = "0.10.12"
-PNPM_VERSION = "10.32.1"
+PNPM_VERSION = "10.33.0"
 COPIER_VERSION = "==9.14.0"
 COPIER_TEMPLATE_EXTENSIONS_VERSION = "==0.3.3"
 PRE_COMMIT_VERSION = "4.5.1"

diff --git a/.devcontainer/manual-setup-deps.py b/.devcontainer/manual-setup-deps.py
@@ -44,6 +44,12 @@
     default=False,
     help="Allow uv to install new versions of Python on the fly. This is typically only needed when instantiating the copier template.",
 )
+_ = parser.add_argument(
+    "--skip-installing-pulumi-cli",
+    action="store_true",
+    default=False,
+    help="Do not install the Pulumi CLI even if the lock file references it",
+)
 
 
 class PackageManager(str, enum.Enum):
@@ -127,6 +133,17 @@ def main():
                     check=True,
                     env=uv_env,
                 )
+            if (
+                not generate_lock_file_only
+                and not args.skip_installing_pulumi_cli
+                and platform.system() == "Linux"
+                and env.lock_file.exists()
+                and '"pulumi"' in env.lock_file.read_text()
+            ):
+                _ = subprocess.run(
+                    ["sh", str(REPO_ROOT_DIR / ".devcontainer" / "install-pulumi-cli.sh"), str(env.lock_file)],
+                    check=True,
+                )
         elif env.package_manager == PackageManager.PNPM:
             pnpm_command = ["pnpm", "install", "--dir", str(env.path)]
             if env_check_lock:

diff --git a/.devcontainer/on-create-command.sh b/.devcontainer/on-create-command.sh
@@ -3,12 +3,12 @@ set -ex
 
 # For some reason the directory is not setup correctly and causes build of devcontainer to fail since
 # it doesn't have access to the workspace directory. This can normally be done in post-start-command
-git config --global --add safe.directory /workspaces/copier-python-package-template
+script_dir="$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)"
+repo_root="$(CDPATH= cd -- "$script_dir/.." && pwd)"
+git config --global --add safe.directory "$repo_root"
 
 sh .devcontainer/on-create-command-boilerplate.sh
 # install json5 for merging claude settings.  TODO: consider if we can install json5 globally...or somehow eliminate this dependency
-script_dir="$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)"
-repo_root="$(CDPATH= cd -- "$script_dir/.." && pwd)"
 mkdir -p "$repo_root/.claude"
 chmod -R ug+rwX "$repo_root/.claude"
 chgrp -R 0 "$repo_root/.claude" || true

diff --git a/.devcontainer/post-start-command.sh b/.devcontainer/post-start-command.sh
@@ -3,7 +3,9 @@ set -ex
 
 # For some reason the directory is not setup correctly and causes build of devcontainer to fail since
 # it doesn't have access to the workspace directory. This can normally be done in post-start-command
-git config --global --add safe.directory /workspaces/copier-python-package-template
+script_dir="$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)"
+repo_root="$(CDPATH= cd -- "$script_dir/.." && pwd)"
+git config --global --add safe.directory "$repo_root"
 pre-commit run merge-claude-settings -a
 if ! bd ready; then
 	echo "It's likely the Dolt server has not yet been initialized to support beads, running that now" # TODO: figure out a better way to match this specific scenario than just a non-zero exit code...but beads still seems like in high flux right now so not sure what to tie it to

diff --git a/.github/actions/check-skip-duplicates/action.yml b/.github/actions/check-skip-duplicates/action.yml
@@ -0,0 +1,44 @@
+name: Check Skip Duplicates
+description: 'Check that will output a variable to allow you to skip duplicate runs. Example: If you have both push and pull_request triggers enabled and you dont want to run 2 jobs for the same commit if a PR is already open you can add this to your jobs to skip that extra execution.'
+
+outputs:
+  should-run:
+    description: 'Flag that determines if this execution should run or not'
+    value: ${{ steps.check.outputs.should_run }}
+
+runs:
+  using: composite
+  steps:
+    - name: Check if push has associated open PR
+      id: check
+      env:
+        GH_TOKEN: ${{ github.token }}
+        REF_NAME: ${{ github.ref_name }}
+        REPO_NAME: ${{ github.repository }}
+        EVENT_NAME: ${{ github.event_name }}
+      shell: bash
+      run: |
+        # For non-push events, always run
+        if [ "$EVENT_NAME" != "push" ]; then
+          echo "should_run=true" >> $GITHUB_OUTPUT
+          echo "Event is $EVENT_NAME, will run CI"
+          exit 0
+        fi
+
+        # For push events, check if there's an open PR for this branch
+        pr_json=$(gh pr list \
+          --repo "$REPO_NAME" \
+          --head "$REF_NAME" \
+          --state open \
+          --json number \
+          --limit 1)
+
+        pr_number=$(echo "$pr_json" | jq -r '.[0].number // ""')
+
+        if [ -n "$pr_number" ]; then
+          echo "should_run=false" >> $GITHUB_OUTPUT
+          echo "Push to branch with open PR #$pr_number detected, skipping (PR event will run CI)"
+        else
+          echo "should_run=true" >> $GITHUB_OUTPUT
+          echo "Push to branch without open PR, will run CI"
+        fi
diff --git a/.github/actions/install_deps/action.yml b/.github/actions/install_deps/action.yml
@@ -44,6 +44,11 @@ inputs:
     description: Whether to skip updating the hash when running manual-setup-deps.py
     default: true
     required: false
+  skip-installing-pulumi-cli:
+    type: boolean
+    description: Whether to skip installing the Pulumi CLI even if the lock file references it
+    default: false
+    required: false
 
 
 runs:
@@ -83,5 +88,5 @@ runs:
     - name: Install dependencies
       # the funky syntax is github action ternary
       if: ${{ inputs.install-deps }}
-      run: python .devcontainer/manual-setup-deps.py ${{ inputs.python-version == 'notUsing' && '--no-python' || '' }} ${{ inputs.node-version == 'notUsing' && '--no-node' || '' }} ${{ inputs.skip-updating-devcontainer-hash && '--skip-updating-devcontainer-hash' || '' }}
+      run: python .devcontainer/manual-setup-deps.py ${{ inputs.python-version == 'notUsing' && '--no-python' || '' }} ${{ inputs.node-version == 'notUsing' && '--no-node' || '' }} ${{ inputs.skip-updating-devcontainer-hash && '--skip-updating-devcontainer-hash' || '' }} ${{ inputs.skip-installing-pulumi-cli && '--skip-installing-pulumi-cli' || '' }}
       shell: pwsh
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -5,23 +5,39 @@ on:
     branches-ignore:
       - 'gh-readonly-queue/**' # don't run (again) when on these special branches created during merge groups; the `on: merge_group` already triggers it.
   merge_group:
+  pull_request:
 
 env:
   PYTHONUNBUFFERED: True
   PRE_COMMIT_HOME: ${{ github.workspace }}/.precommit_cache
 
 permissions:
   id-token: write # needed to assume OIDC roles (e.g. for downloading from CodeArtifact)
+  contents: read # need to explicitly provide this whenever defining permissions because the default value is 'none' for anything not explicitly set when permissions are defined
 
 jobs:
   get-values:
     uses: ./.github/workflows/get-values.yaml
     permissions:
       contents: write # needed for updating dependabot branches
 
+  check-skip-duplicate:
+    runs-on: ubuntu-24.04
+    outputs:
+      should-run: ${{ steps.check.outputs.should-run }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6.0.2
+        with:
+          persist-credentials: false
+      - id: check
+        uses: ./.github/actions/check-skip-duplicates
+
   pre-commit:
     needs:
       - get-values
+      - check-skip-duplicate
+    if: needs.check-skip-duplicate.outputs.should-run == 'true'
     uses: ./.github/workflows/pre-commit.yaml
     permissions:
       contents: write # needed for mutex
@@ -32,6 +48,8 @@ jobs:
   unit-test:
     needs:
       - pre-commit
+      - check-skip-duplicate
+    if: needs.check-skip-duplicate.outputs.should-run == 'true'
     strategy:
       matrix:
         os:
@@ -66,6 +84,8 @@ jobs:
   lint-matrix:
     needs:
       - pre-commit
+      - check-skip-duplicate
+    if: needs.check-skip-duplicate.outputs.should-run == 'true'
     strategy:
       matrix:
         os:
@@ -175,11 +195,18 @@ jobs:
           name: pre-commit-log--${{ github.jobs.lint-matrix.name }}
           path: "${{ github.workspace }}/.precommit_cache/pre-commit.log"
 
-  required-check:
+  confirm-on-tagged-copier-template:
+    if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
+    uses: ./.github/workflows/confirm-on-tagged-copier-template.yaml
+
+
+  workflow-summary:
     runs-on: ubuntu-24.04
     timeout-minutes: 2
     needs:
       - get-values
+      - check-skip-duplicate
+      - confirm-on-tagged-copier-template
       - pre-commit
       - unit-test
       - lint-matrix
@@ -192,13 +219,27 @@ jobs:
           success_pattern="^(skipped|success)$" # these are the possibilities: https://docs.github.com/en/actions/reference/workflows-and-actions/contexts#needs-context
 
           if [[ ! "${{ needs.get-values.result }}" =~ $success_pattern ]] ||
+            [[ ! "${{ needs.confirm-on-tagged-copier-template.result }}" =~ $success_pattern ]] ||
+            [[ ! "${{ needs.check-skip-duplicate.result }}" =~ $success_pattern ]] ||
             [[ ! "${{ needs.pre-commit.result }}" =~ $success_pattern ]] ||
             [[ ! "${{ needs.unit-test.result }}" =~ $success_pattern ]] ||
             [[ ! "${{ needs.lint-matrix.result }}" =~ $success_pattern ]]; then
             echo "❌ One or more jobs did not finish with skipped or success"
             exit 1
           fi
           echo "✅ All jobs finished with skipped or success"
+
+      - name: Mark the required-check as succeeded so the PR can be merged
+        if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh api \
+            -X POST -H "Accept: application/vnd.github.v3+json" \
+            "${{ github.event.pull_request.statuses_url }}" \
+            -f state=success -f context="required-check" -f description="✅ All required checks passed in the job triggered by pull_request" \
+            -f target_url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
-      - name: Mark the required-check as succeeded so the PR can be merged
-        if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          gh api \
-            -X POST -H "Accept: application/vnd.github.v3+json" \
-            "${{ github.event.pull_request.statuses_url }}" \
-            -f state=success -f context="required-check" -f description="✅ All required checks passed in the job triggered by pull_request" \
-            -f target_url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+      - name: Mark the required-check as succeeded so the PR can be merged
+        if: ${{ github.event_name == 'pull_request' }}
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh api \
+            -X POST -H "Accept: application/vnd.github.v3+json" \
+            "${{ github.event.pull_request.statuses_url }}" \
+            -f state=success -f context="required-check" -f description="✅ All required checks passed in the job triggered by pull_request" \
+            -f target_url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
-      - name: Mark the required-check as succeeded so the PR can be merged
-        if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          gh api \
-            -X POST -H "Accept: application/vnd.github.v3+json" \
-            "${{ github.event.pull_request.statuses_url }}" \
-            -f state=success -f context="required-check" -f description="✅ All required checks passed in the job triggered by pull_request" \
-            -f target_url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+      - name: Mark the required-check as succeeded so the PR can be merged
+        if: ${{ github.event_name == 'pull_request' }}
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh api \
+            -X POST -H "Accept: application/vnd.github.v3+json" \
+            "${{ github.event.pull_request.statuses_url }}" \
+            -f state=success -f context="required-check" -f description="✅ All required checks passed in the job triggered by pull_request" \
+            -f target_url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+
       - name: Mark updated dependabot hash commit as succeeded
         if: needs.get-values.outputs.dependabot-commit-created == 'true'
         env:

diff --git a/.github/workflows/confirm-on-tagged-copier-template.yaml b/.github/workflows/confirm-on-tagged-copier-template.yaml
@@ -0,0 +1,34 @@
+name: Confirm using tagged copier template version
+
+on:
+  workflow_call:
+    inputs:
+      answers_file:
+        description: 'Path to the copier answers file'
+        type: string
+        default: '.copier-answers.yml'
+
+jobs:
+  confirm-on-tagged-copier-template:
+    runs-on: ubuntu-24.04
+    timeout-minutes: 2
+    name: Fail if template under development
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Check _commit is a clean release tag
+        run: |
+          ANSWERS_FILE="${{ inputs.answers_file }}"
+          if [ ! -f "$ANSWERS_FILE" ]; then
+            echo "Error: $ANSWERS_FILE not found"
+            exit 1
+          fi
+          COMMIT_LINE=$(grep "^_commit:" "$ANSWERS_FILE")
+          if echo "$COMMIT_LINE" | grep -q "-"; then
+            echo "Error: $COMMIT_LINE"
+            echo "_commit must be a clean release tag (e.g. v0.0.111), not a dev commit (e.g. v0.0.106-14-g7847d7b)"
+            exit 1
+          fi
diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
@@ -50,6 +50,7 @@ jobs:
           python-version: ${{ inputs.python-version }}
           node-version: ${{ inputs.node-version }}
           skip-installing-ssm-plugin-manager: true
+          skip-installing-pulumi-cli: true
 
       - name: Set up mutex # Github concurrency management is horrible, things get arbitrarily cancelled if queued up. So using mutex until github fixes itself. When multiple jobs are modifying cache at once, weird things can happen.  possible issue is https://github.com/actions/toolkit/issues/658
         if: ${{ runner.os != 'Windows' }} # we're just gonna have to YOLO on Windows, because this action doesn't support it yet https://github.com/ben-z/gh-action-mutex/issues/14