LabAutomationAndScreening · ejfine · Apr 12, 2026 · Mar 31, 2026 · Mar 31, 2026 · Mar 31, 2026
diff --git a/.claude/settings/permissions/bash.jsonc b/.claude/settings/permissions/bash.jsonc
@@ -74,9 +74,17 @@
       "Bash(tail *)",
       // Search
       "Bash(rg *)",
+      // Research
+      "Bash(gh issue list *)",
+      "Bash(gh pr view *)",
+      "Bash(gh pr diff *)"
     ],
     "ask": [
-      "Bash(gh *)", // let's hold off before we let it use the github CLI in any free running allow mode...I don't want it somehow approving PRs with the user's credentials
+      // let's hold off before we let it use the github CLI in any free running allow mode...I don't want it somehow approving PRs with the user's credentials
+      "Bash(gh repo *)",
+      "Bash(gh release *)",
+      "Bash(gh secret *)",
+      "Bash(gh ruleset *)",
       "Bash(aws *)", // let's hold off before we let it use AWS CLI in any free running allow mode. We need to be very sure we don't have any access to staging or production credentials in our dev environment (...which we shouldn't...but we need to double check that or consider any other safeguards first)
       "Bash(curl *)",
       "Bash(ln *)",
@@ -85,6 +93,17 @@
     "deny": [
       // Exceptions to generally allowed AI tooling
       "Bash(bd init*)", // we need to control the init process, don't let AI do that in the background
+      // Github
+      // Claude should not ever interfere with the PR process, that is how we gate AI's work
+      "Bash(gh pr create *)",
+      "Bash(gh pr edit *)",
+      "Bash(gh pr ready *)",
+      "Bash(gh pr review *)",
+      "Bash(gh pr merge *)",
+      "Bash(gh pr close *)",
+      "Bash(gh pr comment *)",
+      "Bash(gh pr update-branch *)",
+
       // Destructive File Operations
       "Bash(chmod -R *)",
       "Bash(chown -R *)",

diff --git a/.coderabbit.yaml b/.coderabbit.yaml
@@ -7,6 +7,8 @@ reviews:
       instructions: "These files came from a vendor and we're not allowed to change them. Refer to it if you need to understand how the main code interacts with it, but do not make comments about it."
     - path: "**/*.py"
       instructions: "Check the `ruff.toml` and `ruff-test.toml` for linting rules we've explicitly disabled and don't suggest changes to please conventions we've disabled. Do not express concerns about ruff rules; a pre-commit hook already runs a ruff check. Do not warn about unnecessary super().__init__() calls; pyright prefers those to be present. Do not warn about missing type hints; a pre-commit hook already checks for that."
+    - path: "**/.copier-answers.yml"
+      instructions: "Do not comment about the `_commit` value needing to be a clean release tag. A CI job will fail if that is not the case."
   tools:
     eslint: # when the code contains typescript, eslint will be run by pre-commit, and coderabbit often generates false positives
       enabled: false

diff --git a/.copier-answers.yml b/.copier-answers.yml
@@ -1,5 +1,5 @@
 # Changes here will be overwritten by Copier
-_commit: v0.0.61
+_commit: v0.0.63
 _src_path: gh:LabAutomationAndScreening/copier-python-package-template
 configure_python_asyncio: false
 configure_vcrpy: false

diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
@@ -1,7 +1,7 @@
 # base image tags available at https://mcr.microsoft.com/v2/devcontainers/universal/tags/list
 # added the platform flag to override any local settings since this image is only compatible with linux/amd64. since this image is only x64 compatible, suppressing the hadolint rule
 # hadolint ignore=DL3029
-FROM --platform=linux/amd64 mcr.microsoft.com/devcontainers/universal:5.1.4-noble
+FROM --platform=linux/amd64 mcr.microsoft.com/devcontainers/universal:5.1.5-noble
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 

diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -1,4 +1,8 @@
 {
+  "hostRequirements": {
+    "cpus": 2,
+    "memory": "4gb"
+  },
   "dockerComposeFile": "docker-compose.yml",
   "service": "devcontainer",
   "workspaceFolder": "/workspaces/${localWorkspaceFolderBasename}",
@@ -34,21 +38,21 @@
         "ms-vscode.live-server@0.5.2025051301",
         "MS-vsliveshare.vsliveshare@1.0.5905",
         "github.copilot@1.388.0",
-        "github.copilot-chat@0.38.2026022704",
-        "anthropic.claude-code@2.1.74",
+        "github.copilot-chat@0.42.2026032602",
+        "anthropic.claude-code@2.1.84",
 
         // Python
-        "ms-python.python@2026.2.2026021801",
-        "ms-python.vscode-pylance@2026.1.1",
+        "ms-python.python@2026.5.2026032701",
+        "ms-python.vscode-pylance@2026.1.102",
         "ms-vscode-remote.remote-containers@0.414.0",
-        "charliermarsh.ruff@2026.36.0",
+        "charliermarsh.ruff@2026.38.0",
 
         // Misc file formats
         "bierner.markdown-mermaid@1.29.0",
         "samuelcolvin.jinjahtml@0.20.0",
         "tamasfe.even-better-toml@0.19.2",
         "emilast.LogFileHighlighter@3.3.3",
-        "esbenp.prettier-vscode@12.3.0"
+        "esbenp.prettier-vscode@12.4.0"
       ],
       "settings": {
         "editor.accessibilitySupport": "off", // turn off sounds
@@ -73,5 +77,5 @@
   "initializeCommand": "sh .devcontainer/initialize-command.sh",
   "onCreateCommand": "sh .devcontainer/on-create-command.sh",
   "postStartCommand": "sh .devcontainer/post-start-command.sh"
-  // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): 7dfa8182 # spellchecker:disable-line
+  // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): b046471b # spellchecker:disable-line
 }
diff --git a/.devcontainer/install-ci-tooling.py b/.devcontainer/install-ci-tooling.py
@@ -7,8 +7,8 @@
 import tempfile
 from pathlib import Path
 
-UV_VERSION = "0.10.10"
-PNPM_VERSION = "10.32.1"
+UV_VERSION = "0.10.12"
+PNPM_VERSION = "10.33.0"
 COPIER_VERSION = "==9.14.0"
 COPIER_TEMPLATE_EXTENSIONS_VERSION = "==0.3.3"
 PRE_COMMIT_VERSION = "4.5.1"

diff --git a/.devcontainer/manual-setup-deps.py b/.devcontainer/manual-setup-deps.py
@@ -44,6 +44,12 @@
     default=False,
     help="Allow uv to install new versions of Python on the fly. This is typically only needed when instantiating the copier template.",
 )
+_ = parser.add_argument(
+    "--skip-installing-pulumi-cli",
+    action="store_true",
+    default=False,
+    help="Do not install the Pulumi CLI even if the lock file references it",
+)
 
 
 class PackageManager(str, enum.Enum):
@@ -127,6 +133,17 @@ def main():
                     check=True,
                     env=uv_env,
                 )
+            if (
+                not generate_lock_file_only
+                and not args.skip_installing_pulumi_cli
+                and platform.system() == "Linux"
+                and env.lock_file.exists()
+                and '"pulumi"' in env.lock_file.read_text()
+            ):
+                _ = subprocess.run(
+                    ["sh", str(REPO_ROOT_DIR / ".devcontainer" / "install-pulumi-cli.sh"), str(env.lock_file)],
+                    check=True,
+                )
         elif env.package_manager == PackageManager.PNPM:
             pnpm_command = ["pnpm", "install", "--dir", str(env.path)]
             if env_check_lock:

diff --git a/.devcontainer/on-create-command.sh b/.devcontainer/on-create-command.sh
@@ -3,12 +3,12 @@ set -ex
 
 # For some reason the directory is not setup correctly and causes build of devcontainer to fail since
 # it doesn't have access to the workspace directory. This can normally be done in post-start-command
-git config --global --add safe.directory /workspaces/ephemeral-pulumi-deploy
+script_dir="$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)"
+repo_root="$(CDPATH= cd -- "$script_dir/.." && pwd)"
+git config --global --add safe.directory "$repo_root"
 
 sh .devcontainer/on-create-command-boilerplate.sh
 # install json5 for merging claude settings.  TODO: consider if we can install json5 globally...or somehow eliminate this dependency
-script_dir="$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)"
-repo_root="$(CDPATH= cd -- "$script_dir/.." && pwd)"
 mkdir -p "$repo_root/.claude"
 chmod -R ug+rwX "$repo_root/.claude"
 chgrp -R 0 "$repo_root/.claude" || true

diff --git a/.devcontainer/post-start-command.sh b/.devcontainer/post-start-command.sh
@@ -3,7 +3,9 @@ set -ex
 
 # For some reason the directory is not setup correctly and causes build of devcontainer to fail since
 # it doesn't have access to the workspace directory. This can normally be done in post-start-command
-git config --global --add safe.directory /workspaces/ephemeral-pulumi-deploy
+script_dir="$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)"
+repo_root="$(CDPATH= cd -- "$script_dir/.." && pwd)"
+git config --global --add safe.directory "$repo_root"
 pre-commit run merge-claude-settings -a
 if ! bd ready; then
 	echo "It's likely the Dolt server has not yet been initialized to support beads, running that now" # TODO: figure out a better way to match this specific scenario than just a non-zero exit code...but beads still seems like in high flux right now so not sure what to tie it to

diff --git a/.github/actions/install_deps/action.yml b/.github/actions/install_deps/action.yml
@@ -44,6 +44,11 @@ inputs:
     description: Whether to skip updating the hash when running manual-setup-deps.py
     default: true
     required: false
+  skip-installing-pulumi-cli:
+    type: boolean
+    description: Whether to skip installing the Pulumi CLI even if the lock file references it
+    default: false
+    required: false
 
 
 runs:
@@ -83,5 +88,5 @@ runs:
     - name: Install dependencies
       # the funky syntax is github action ternary
       if: ${{ inputs.install-deps }}
-      run: python .devcontainer/manual-setup-deps.py ${{ inputs.python-version == 'notUsing' && '--no-python' || '' }} ${{ inputs.node-version == 'notUsing' && '--no-node' || '' }} ${{ inputs.skip-updating-devcontainer-hash && '--skip-updating-devcontainer-hash' || '' }}
+      run: python .devcontainer/manual-setup-deps.py ${{ inputs.python-version == 'notUsing' && '--no-python' || '' }} ${{ inputs.node-version == 'notUsing' && '--no-node' || '' }} ${{ inputs.skip-updating-devcontainer-hash && '--skip-updating-devcontainer-hash' || '' }} ${{ inputs.skip-installing-pulumi-cli && '--skip-installing-pulumi-cli' || '' }}
       shell: pwsh
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -5,6 +5,7 @@ on:
     branches-ignore:
       - 'gh-readonly-queue/**' # don't run (again) when on these special branches created during merge groups; the `on: merge_group` already triggers it.
   merge_group:
+  pull_request:
 
 env:
   PYTHONUNBUFFERED: True
@@ -18,11 +19,32 @@ jobs:
   get-values:
     uses: ./.github/workflows/get-values.yaml
     permissions:
-      contents: write # needed updating dependabot branches
+      contents: write # needed for updating dependabot branches
+
+  check-skip-duplicate:
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      pull-requests: read # needed to check if PR exists for current branch
+    outputs:
+      should-run: ${{ steps.check.outputs.should-run }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6.0.2
+        with:
+          persist-credentials: false
+      - id: check
+        uses: ./.github/actions/check-skip-duplicates
+
+  confirm-on-tagged-copier-template:
+    if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
+    uses: ./.github/workflows/confirm-on-tagged-copier-template.yaml
 
   lint:
     needs:
       - get-values
+      - check-skip-duplicate
+    if: needs.check-skip-duplicate.outputs.should-run == 'true'
     name: Pre-commit
     uses: ./.github/workflows/pre-commit.yaml
     permissions:
@@ -34,6 +56,8 @@ jobs:
   test:
     needs:
       - lint
+      - check-skip-duplicate
+    if: needs.check-skip-duplicate.outputs.should-run == 'true'
     strategy:
       matrix:
         os:
@@ -63,6 +87,8 @@ jobs:
       - name: Install python tooling
         uses: ./.github/actions/install_deps
         with:
+          skip-installing-ssm-plugin-manager: true
+          skip-installing-pulumi-cli: true
           python-version: ${{ matrix.python-version }}
 
       - name: Unit test
@@ -86,29 +112,45 @@ jobs:
 
 
 
-  required-check:
+  workflow-summary:
     runs-on: ubuntu-24.04
-    permissions:
-      statuses: write # needed for updating status on Dependabot PRs
+    timeout-minutes: 2
     needs:
       - get-values
+      - check-skip-duplicate
       - lint
       - test
+      - confirm-on-tagged-copier-template
+    permissions:
+      statuses: write # needed for updating status on Dependabot PRs
     if: always()
-    timeout-minutes: 2
     steps:
       - name: fail if prior job failure
         run: |
           success_pattern="^(skipped|success)$" # these are the possibilities: https://docs.github.com/en/actions/reference/workflows-and-actions/contexts#needs-context
 
           if [[ ! "${{ needs.get-values.result }}" =~ $success_pattern ]] ||
+            [[ ! "${{ needs.check-skip-duplicate.result }}" =~ $success_pattern ]] ||
             [[ ! "${{ needs.lint.result }}" =~ $success_pattern ]] ||
-            [[ ! "${{ needs.test.result }}" =~ $success_pattern ]]; then
+            [[ ! "${{ needs.test.result }}" =~ $success_pattern ]] ||
+            [[ ! "${{ needs.confirm-on-tagged-copier-template.result }}" =~ $success_pattern ]]; then
             echo "❌ One or more jobs did not finish with skipped or success"
             exit 1
           fi
           echo "✅ All jobs finished with skipped or success"
-      - name: Mark updated Dependabot commit of devcontainer hash as succeeded
+
+      - name: Mark the required-check as succeeded so the PR can be merged
+        if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh api \
+            -X POST -H "Accept: application/vnd.github.v3+json" \
+            "${{ github.event.pull_request.statuses_url }}" \
+            -f state=success -f context="required-check" -f description="✅ All required checks passed in the job triggered by pull_request" \
+            -f target_url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+
+      - name: Mark updated dependabot hash commit as succeeded
         if: needs.get-values.outputs.dependabot-commit-created == 'true'
         env:
           GH_TOKEN: ${{ github.token }}

diff --git a/.github/workflows/confirm-on-tagged-copier-template.yaml b/.github/workflows/confirm-on-tagged-copier-template.yaml
@@ -0,0 +1,34 @@
+name: Confirm using tagged copier template version
+
+on:
+  workflow_call:
+    inputs:
+      answers_file:
+        description: 'Path to the copier answers file'
+        type: string
+        default: '.copier-answers.yml'
+
+jobs:
+  confirm-on-tagged-copier-template:
+    runs-on: ubuntu-24.04
+    timeout-minutes: 2
+    name: Fail if template under development
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Check _commit is a clean release tag
+        run: |
+          ANSWERS_FILE="${{ inputs.answers_file }}"
+          if [ ! -f "$ANSWERS_FILE" ]; then
+            echo "Error: $ANSWERS_FILE not found"
+            exit 1
+          fi
+          COMMIT_LINE=$(grep "^_commit:" "$ANSWERS_FILE")
+          if echo "$COMMIT_LINE" | grep -q "-"; then
+            echo "Error: $COMMIT_LINE"
+            echo "_commit must be a clean release tag (e.g. v0.0.111), not a dev commit (e.g. v0.0.106-14-g7847d7b)"
+            exit 1
-          COMMIT_LINE=$(grep "^_commit:" "$ANSWERS_FILE")
-          if echo "$COMMIT_LINE" | grep -q "-"; then
-            echo "Error: $COMMIT_LINE"
-            echo "_commit must be a clean release tag (e.g. v0.0.111), not a dev commit (e.g. v0.0.106-14-g7847d7b)"
-            exit 1
+          COMMIT_VALUE=$(grep -m1 "^_commit:" "$ANSWERS_FILE" | cut -d: -f2- | cut -d# -f1 | xargs)
+          if [ -z "$COMMIT_VALUE" ]; then
+            echo "Error: _commit not found in $ANSWERS_FILE"
+            exit 1
+          fi
+          if ! echo "$COMMIT_VALUE" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
+            echo "Error: _commit=$COMMIT_VALUE"
+            echo "_commit must be a clean release tag (e.g. v0.0.111), not a dev commit (e.g. v0.0.106-14-g7847d7b)"
+            exit 1
+          fi
-          COMMIT_LINE=$(grep "^_commit:" "$ANSWERS_FILE")
-          if echo "$COMMIT_LINE" | grep -q "-"; then
-            echo "Error: $COMMIT_LINE"
-            echo "_commit must be a clean release tag (e.g. v0.0.111), not a dev commit (e.g. v0.0.106-14-g7847d7b)"
-            exit 1
+          COMMIT_VALUE=$(grep -m1 "^_commit:" "$ANSWERS_FILE" | cut -d: -f2- | cut -d# -f1 | xargs)
+          if [ -z "$COMMIT_VALUE" ]; then
+            echo "Error: _commit not found in $ANSWERS_FILE"
+            exit 1
+          fi
+          if ! echo "$COMMIT_VALUE" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
+            echo "Error: _commit=$COMMIT_VALUE"
+            echo "_commit must be a clean release tag (e.g. v0.0.111), not a dev commit (e.g. v0.0.106-14-g7847d7b)"
+            exit 1
+          fi
+          fi
diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
@@ -50,6 +50,7 @@ jobs:
           python-version: ${{ inputs.python-version }}
           node-version: ${{ inputs.node-version }}
           skip-installing-ssm-plugin-manager: true
+          skip-installing-pulumi-cli: true
 
       - name: Set up mutex # Github concurrency management is horrible, things get arbitrarily cancelled if queued up. So using mutex until github fixes itself. When multiple jobs are modifying cache at once, weird things can happen.  possible issue is https://github.com/actions/toolkit/issues/658
         if: ${{ runner.os != 'Windows' }} # we're just gonna have to YOLO on Windows, because this action doesn't support it yet https://github.com/ben-z/gh-action-mutex/issues/14