Copier update: install pulumi CLI in devcontainer #106

Merged: ejfine merged 5 commits into main from cop-workflow on Mar 30, 2026

Conversation

ejfine (Contributor) commented Mar 30, 2026

Pull in upstream template changes

Tested in ejfine/aws-central-infrastructure#99

Summary by CodeRabbit

Release Notes

  • Chores

    • Updated development environment tooling versions including uv, pnpm, copier, and multiple VS Code extensions
    • Upgraded development container base image and GitHub Actions versions
    • Enhanced CI/CD workflow validation with improved pull request support and duplicate-check detection
  • Documentation

    • Expanded development guidelines with stricter testing practices, type-checking patterns, and enhanced tooling rules

coderabbitai (Bot) commented Mar 30, 2026

Caution

Review failed

Pull request was closed or merged during review

Warning

Ignoring CodeRabbit configuration file changes. For security, only the configuration from the base branch is applied for open source repositories.

Walkthrough

This pull request updates the Copier template from v0.0.102 to v0.0.109 and makes comprehensive updates across the repository: adds CI workflow enhancements for skip-duplicate checking and copier template validation, refactors git safe-directory configuration to use dynamic paths, introduces Pulumi CLI installation control, updates multiple tool and dependency versions, adds a new ECR authentication action, and expands agent and documentation guidelines.

Changes

One entry per cohort: cohort name, then the files it touches, then the summary.

Copier Template Configuration
Files: .copier-answers.yml, template/.coderabbit.yaml, .coderabbit.yaml
Summary: Updated Copier template version to v0.0.109. Added CodeRabbit path instructions for .copier-answers.yml to note that _commit must be a clean release tag (CI validation enforced).

Devcontainer Base Images & Extensions
Files: .devcontainer/Dockerfile, template/.devcontainer/Dockerfile, .devcontainer/devcontainer.json, template/.devcontainer/devcontainer.json.jinja
Summary: Updated base image tag from 5.1.4 to 5.1.5. Added hostRequirements (2 CPUs, 4GB memory). Bumped VS Code extension versions (Copilot Chat, Python, Pylance, Ruff, Prettier, ESLint, Claude Code).

Pinned Tool Versions
Files: .devcontainer/install-ci-tooling.py, extensions/context.py, pyproject.toml
Summary: Updated versions: uv (0.10.9 → 0.10.12), pnpm (10.32.1 → 10.33.0), copier (9.12.0 → 9.14.0), pytest-cov (7.0.0 → 7.1.0), pulumi (~3.226.0 → ~3.228.0), frontend dependencies (Nuxt, Vue, faker, GraphQL codegen). Updated GitHub Action versions for AWS credentials, ECR, Node setup.

Pulumi CLI Installation Control
Files: .devcontainer/manual-setup-deps.py, template/.devcontainer/manual-setup-deps.py, .github/actions/install_deps/action.yml, template/.github/actions/install_deps/action.yml, .github/workflows/pre-commit.yaml, template/.github/workflows/pre-commit.yaml, template/.github/workflows/pulumi-aws.yml
Summary: Added --skip-installing-pulumi-cli flag to dependency installation scripts and GitHub Action; threaded through pre-commit and pulumi-aws workflows to conditionally skip Pulumi CLI installation when not needed.

Git Safe Directory Refactoring
Files: .devcontainer/on-create-command.sh, .devcontainer/post-start-command.sh, template/.devcontainer/on-create-command.sh.jinja, template/.devcontainer/post-start-command.sh.jinja
Summary: Replaced hard-coded workspace path with dynamic path resolution: scripts now compute script_dir, derive repo_root from its parent directory, and register the computed paths as git safe directories.

CI Workflow Enhancements
Files: .github/workflows/ci.yaml, template/.github/workflows/ci.yaml.jinja
Summary: Added pull_request trigger. Introduced check-skip-duplicate job to conditionally skip duplicate PRs. Replaced required-check job with new confirm-on-tagged-copier-template and expanded workflow-summary job; added success-state posting via gh api for required-check status on PRs/merge-groups.

Copier Template Validation
Files: .github/workflows/confirm-on-tagged-copier-template.yaml, template/.github/workflows/confirm-on-tagged-copier-template.yaml, .github/actions/check-skip-duplicates/action.yml
Summary: Added new reusable workflows and action: check-skip-duplicates checks for duplicate open PRs on the same branch; confirm-on-tagged-copier-template validates that the .copier-answers.yml _commit is a clean release tag (no hyphens).

ECR Authentication Action
Files: template/.github/actions/ecr-auth/action.yml.jinja
Summary: Added new composite GitHub Action for OIDC-based AWS ECR authentication with configurable region and role ARN inputs.

Build Workflow Updates
Files: .github/reusable_workflows/build-docker-image.yaml
Summary: Switched ECR auth from marketplace action to new local composite action; added full-image-tag job/workflow output; updated Docker image tagging to use the computed tag instead of input-assembled tags.

Tag Workflow & Test Instructions
Files: .github/workflows/tag-on-merge.yaml, template/.claude/commands/green.md
Summary: Updated checkout action version; switched tag-bumping action from mathieudutour/github-tag-action to nickkostov/github-tag-action. Added post-green coverage verification requirement scoped to edited files only.

Bash & GitHub CLI Permissions
Files: template/.claude/settings/permissions/bash.jsonc
Summary: Tightened GitHub CLI (gh) usage permissions: added allow list for read-only operations (issue list, PR view/diff), narrowed ask scope (repo, release, secret, ruleset), added deny rules blocking PR manipulation commands (create, edit, merge, close, comment).

Agent & Development Guidelines
Files: AGENTS.md, template/AGENTS.md
Summary: Expanded guidance: added "Agent Implementations & Configurations" section, clarified memory/rule placement. Strengthened code/testing/tooling rules: avoid type-checker overrides, enforce test isolation, tighten mock assertions, prefer pre-commit over IDE, prohibit python/python3 usage, ban manual edits to generated/ folders. Added frontend testing rules (data-testid uniqueness, DOM scoping).

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Possibly related PRs

  • PR #103: Modifies CI workflow to replace required-check job with workflow-summary and introduce required-check status posting, directly overlapping with workflow logic changes.
  • PR #73, #76, #79, #82, #99, #100: Update .copier-answers.yml _commit field, affecting Copier template versioning consistency.
  • PR #97, #91: Modify template/.coderabbit.yaml and .coderabbit.yaml review path instructions, related to reviewer guidance configuration.

Suggested reviewers

  • zendern

Pre-merge checks: 1 passed, 2 failed

Failed checks (2 warnings)

Description check (Warning)
Explanation: The description lacks required sections from the template: it does not explain why changes are necessary, how they address an issue, what side effects exist, or how changes are tested; only a vague statement about pulling upstream changes is provided.
Resolution: Complete the description by filling in all required template sections: explain the rationale for the Pulumi CLI installation change, describe side effects (e.g., workflow behavior changes), and detail how changes were tested.

Docstring Coverage (Warning)
Explanation: Docstring coverage is 0.00%, which is insufficient. The required threshold is 80.00%.
Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

Passed checks (1 passed)

Title check (Passed)
Explanation: The title accurately describes the primary change across multiple files: adding conditional Pulumi CLI installation logic to the devcontainer setup, controlled by a new --skip-installing-pulumi-cli flag throughout the template and CI workflows.


@ejfine ejfine requested a review from Copilot March 30, 2026 20:53
@ejfine ejfine marked this pull request as ready for review March 30, 2026 20:56
@ejfine ejfine requested review from idonaldson and zendern March 30, 2026 20:57
Copilot AI left a comment

Pull request overview

Pulls in upstream Copier template updates to improve devcontainer/CI ergonomics, including conditional Pulumi CLI installation and additional CI guardrails for template usage.

Changes:

  • Bump template tooling/deps (Copier, pytest-cov, uv/pnpm, assorted frontend + GitHub Action versions).
  • Add CI workflows/actions for skipping duplicate push runs and enforcing non-dev _commit template refs.
  • Adjust devcontainer scripts and dependency setup to support Pulumi CLI installation (with opt-out flags).

Reviewed changes

Copilot reviewed 34 out of 35 changed files in this pull request and generated 7 comments.

Summary per file (one line each: file, then description)
uv.lock Bumps Copier and pytest-cov lock entries.
pyproject.toml Updates Copier + pytest-cov dependency constraints.
extensions/context.py Updates template context version pins (uv/pnpm/Copier/Pulumi/etc.).
AGENTS.md Expands repository guidance (style/testing/tooling).
template/AGENTS.md Mirrors AGENTS.md guidance for generated repos.
.devcontainer/Dockerfile Updates devcontainer base image tag.
template/.devcontainer/Dockerfile Updates template devcontainer base image tag.
.devcontainer/devcontainer.json Adds host requirements + bumps editor extension versions + updates hash.
template/.devcontainer/devcontainer.json.jinja Adds host requirements + bumps editor extension versions for generated repos.
.devcontainer/on-create-command.sh Makes git safe.directory path dynamic based on script location.
.devcontainer/post-start-command.sh Makes git safe.directory path dynamic based on script location.
template/.devcontainer/on-create-command.sh.jinja Makes git safe.directory path dynamic for generated repos.
template/.devcontainer/post-start-command.sh.jinja Makes git safe.directory path dynamic for generated repos.
.devcontainer/install-ci-tooling.py Bumps UV/PNPM/Copier versions used in CI tooling bootstrap.
.devcontainer/manual-setup-deps.py Adds optional Pulumi CLI install hook + skip flag.
template/.devcontainer/manual-setup-deps.py Adds optional Pulumi CLI install hook + skip flag for generated repos.
.github/actions/install_deps/action.yml Adds skip-installing-pulumi-cli input; bumps setup-node + configure-aws-credentials.
template/.github/actions/install_deps/action.yml Same as root install_deps action for generated repos.
.github/actions/check-skip-duplicates/action.yml New composite action to skip duplicate push CI runs when PR exists.
.github/workflows/ci.yaml Adds pull_request trigger; introduces duplicate-skip job; adds confirm-on-tagged-template job; updates summary job gating.
template/.github/workflows/ci.yaml.jinja Template version of CI workflow changes, including pulumi CLI skip and tagged-template confirmation.
.github/workflows/pre-commit.yaml Skips Pulumi CLI install during pre-commit workflow runs.
template/.github/workflows/pre-commit.yaml Skips Pulumi CLI install during template pre-commit runs.
template/.github/workflows/pulumi-aws.yml Skips Pulumi CLI install in deps step (installed elsewhere for deploy action).
.github/workflows/confirm-on-tagged-copier-template.yaml New reusable workflow enforcing _commit is a clean release tag.
template/.github/workflows/confirm-on-tagged-copier-template.yaml Template version of the _commit release-tag enforcement workflow.
.github/reusable_workflows/build-docker-image.yaml Adds full-image-tag output; refactors tagging/pull/push behavior; switches to local ecr-auth action.
template/.github/actions/ecr-auth/action.yml.jinja New template composite action to assume role + login to ECR.
template/.github/actions/pulumi_ephemeral_deploy/action.yml Bumps configure-aws-credentials version.
.github/workflows/tag-on-merge.yaml Bumps checkout; switches tagging action to a Node 22-compatible fork.
.coderabbit.yaml Adds instruction to not comment on _commit cleanliness (now enforced by CI).
template/.coderabbit.yaml Same coderabbit instruction update for generated repos.
.copier-answers.yml Updates _commit ref for upstream template source.
template/.claude/settings/permissions/bash.jsonc Refines allowed/asked/denied GitHub CLI subcommands.
template/.claude/commands/green.md Adds post-green coverage verification guidance.


Comment on lines 77 to 82
- name: OIDC Auth for ECR
if: ${{ inputs.push-role-name != 'no-push' }}
uses: aws-actions/configure-aws-credentials@v5.1.1
uses: ./.github/actions/ecr-auth
with:
role-to-assume: arn:aws:iam::${{ steps.parse_ecr_url.outputs.aws_account_id }}:role/${{ inputs.push-role-name }}
role-arn: arn:aws:iam::${{ steps.parse_ecr_url.outputs.aws_account_id }}:role/${{ inputs.push-role-name }}
aws-region: ${{ steps.parse_ecr_url.outputs.aws_region }}
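Review bot: the switch from aws-actions/configure-aws-credentials@v5.1.1 to "uses: ./.github/actions/ecr-auth" changes how the step is resolved: a "./" action is loaded from the calling repository's checkout, so this reusable workflow needs an actions/checkout step before this one and the composite action must exist at that path in the root repo. The file list in this PR only adds template/.github/actions/ecr-auth/action.yml.jinja, not .github/actions/ecr-auth/action.yml, so either add the root copy in this PR or keep the published action until the template has been re-applied.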

Copilot AI Mar 30, 2026


.github/actions/ecr-auth is referenced here, but that action directory/file does not exist in this repo (only check-skip-duplicates, install_deps, and update-devcontainer-hash are present). This reusable workflow will fail at runtime unless the ecr-auth composite action is added (or this step is changed back to a published action).

Comment thread .github/workflows/ci.yaml

permissions:
id-token: write # needed to assume OIDC roles (e.g. for downloading from CodeArtifact)
contents: read # need to explicitly provide this whenever defining permissions because the default value is 'none' for anything not explicitly set when permissions are defined
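Review bot: the explicit permissions block makes every unlisted scope "none", and pull-requests: read for the gh pr list call in check-skip-duplicates is not the only gap. The walkthrough says this workflow also posts a success state for required-check via gh api on PRs and merge groups; writing a commit status with the workflow token needs statuses: write, which should be granted only to the job that performs the post rather than at workflow level, so the read-only jobs keep the minimal token.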

Copilot AI Mar 30, 2026


The check-skip-duplicates action calls gh pr list, which requires pull-requests: read permission. This workflow sets explicit permissions, so any permission not listed becomes none; without pull-requests: read, the gh pr list call will be unauthorized and the duplicate-skip check will not work (or may behave unpredictably). Add pull-requests: read at the workflow level or at least for the check-skip-duplicate job.

Suggested change
contents: read # need to explicitly provide this whenever defining permissions because the default value is 'none' for anything not explicitly set when permissions are defined
contents: read # need to explicitly provide this whenever defining permissions because the default value is 'none' for anything not explicitly set when permissions are defined
pull-requests: read

Comment on lines +143 to +146
_ = subprocess.run(
["sh", str(REPO_ROOT_DIR / ".devcontainer" / "install-pulumi-cli.sh"), str(env.lock_file)],
check=True,
)

Copilot AI Mar 30, 2026


This code invokes .devcontainer/install-pulumi-cli.sh, but that script is not present in .devcontainer/ in this repository. As written, dependency setup will fail on Linux whenever the lock file contains the Pulumi package. Either add the missing install-pulumi-cli.sh script (and ensure it’s executable) or remove/guard this call so it can’t trigger without the script.

Suggested change
_ = subprocess.run(
["sh", str(REPO_ROOT_DIR / ".devcontainer" / "install-pulumi-cli.sh"), str(env.lock_file)],
check=True,
)
install_script = REPO_ROOT_DIR / ".devcontainer" / "install-pulumi-cli.sh"
if install_script.exists():
_ = subprocess.run(
["sh", str(install_script), str(env.lock_file)],
check=True,
)
else:
print(
f"Skipping Pulumi CLI installation because '{install_script}' does not exist.",
file=sys.stderr,
)
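Review bot: the else branch of this suggestion turns a missing installer into a successful run of manual-setup-deps.py, with only a stderr line to show that the Pulumi CLI the lock file asked for was never installed. Since this PR already introduces --skip-installing-pulumi-cli for the case where the CLI is intentionally not wanted, a missing install-pulumi-cli.sh is better treated as a hard error (keep check=True and let the absence fail) unless that flag was passed; a silent fallback is the kind of setup drift that surfaces later as an unexplained "pulumi: command not found".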

Comment on lines +143 to +146
_ = subprocess.run(
["sh", str(REPO_ROOT_DIR / ".devcontainer" / "install-pulumi-cli.sh"), str(env.lock_file)],
check=True,
)

Copilot AI Mar 30, 2026


This code invokes .devcontainer/install-pulumi-cli.sh, but that script is not present in .devcontainer/ in this repository. Template instantiations (and/or local dev setup) will fail on Linux whenever the lock file contains the Pulumi package unless the script is added or this call is guarded.

Suggested change
_ = subprocess.run(
["sh", str(REPO_ROOT_DIR / ".devcontainer" / "install-pulumi-cli.sh"), str(env.lock_file)],
check=True,
)
pulumi_install_script = REPO_ROOT_DIR / ".devcontainer" / "install-pulumi-cli.sh"
if pulumi_install_script.exists():
_ = subprocess.run(
["sh", str(pulumi_install_script), str(env.lock_file)],
check=True,
)
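Review bot: unlike the root-repo suggestion, this guard for the template copy has no else branch, so a generated repository whose lock file contains pulumi would skip the CLI install with no diagnostic in the setup log. If a guard is kept here at all, emit at least the same stderr message as the root suggestion; otherwise make the missing script a failure, since templates are where a silent skip multiplies across every repo generated from them.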

Comment thread .copier-answers.yml
Comment on lines 1 to 3
# Changes here will be overwritten by Copier
_commit: v0.0.102
_commit: v0.0.108-8-g1f264ca
_src_path: gh:LabAutomationAndScreening/copier-base-template.git
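Review bot: the new _commit value v0.0.108-8-g1f264ca is a git-describe style ref (8 commits past v0.0.108 at 1f264ca), which is exactly what the confirm-on-tagged-copier-template workflow added in this PR rejects, while the walkthrough describes the update as going to v0.0.109. Confirm that the final merged answers file pins the v0.0.109 release tag rather than this intermediate ref; otherwise the first CI run on main fails its own new check.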

Copilot AI Mar 30, 2026


This repo’s .copier-answers.yml now points _commit to a dev-style ref containing hyphens (v0.0.108-8-g...). With the newly added confirm-on-tagged-copier-template workflow, this will cause CI to fail. Update _commit to a clean release tag (no hyphens) before merging, or adjust the workflow logic if dev refs are intended to be allowed.

Comment on lines +29 to +33
COMMIT_LINE=$(grep "^_commit:" "$ANSWERS_FILE")
if echo "$COMMIT_LINE" | grep -q "-"; then
echo "Error: $COMMIT_LINE"
echo "_commit must be a clean release tag (e.g. v0.0.111), not a dev commit (e.g. v0.0.106-14-g7847d7b)"
exit 1
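Review bot: the grep -q "-" test only rejects what it can see, so an absent _commit: line (empty COMMIT_LINE) passes, and so does a bare "_commit:" with no value. A positive match fails closed for both cases in one step, for example grep -Eq '^_commit: v[0-9]+\.[0-9]+\.[0-9]+$' "$ANSWERS_FILE" with the exit 1 path on a non-match; that also stops relying on the shell's set -e behaviour for the command substitution when grep finds nothing.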

Copilot AI Mar 30, 2026


If _commit: is missing from the answers file, COMMIT_LINE becomes empty and this check will currently pass. Consider explicitly failing when grep finds no _commit: line (or using grep -q with an explicit error path) so the workflow enforces the invariant reliably.

Comment on lines +29 to +33
COMMIT_LINE=$(grep "^_commit:" "$ANSWERS_FILE")
if echo "$COMMIT_LINE" | grep -q "-"; then
echo "Error: $COMMIT_LINE"
echo "_commit must be a clean release tag (e.g. v0.0.111), not a dev commit (e.g. v0.0.106-14-g7847d7b)"
exit 1
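Review bot: this is the same fail-open hyphen test as in the root workflow, and since .copier-answers.yml states that root files are overwritten by Copier, the positive-match fix needs to land in this template file so that regenerated repositories inherit it; patching only .github/workflows/confirm-on-tagged-copier-template.yaml in the root would be undone on the next copier update.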

Copilot AI Mar 30, 2026


If _commit: is missing from the answers file, COMMIT_LINE becomes empty and this check will currently pass. Consider explicitly failing when grep finds no _commit: line so the workflow enforces the invariant reliably for generated repos.

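Both Copilot comments on the confirm-on-tagged-copier-template check describe the same fail-open case: when the _commit: line is absent, the hyphen test has nothing to match and the workflow passes. The shell function below is an added example, not code from this PR or from the copier-base-template project. It shows a positive-match version of the check that tells a clean release tag, a dev ref, an empty value and a missing line apart, and a CI-style wrapper that prints the same error text the workflow uses. The function names and the sample answers files are my own; the samples are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the PR: fail-closed validation of `_commit` in a
# Copier answers file. A positive match on the release-tag shape rejects dev refs
# (v0.0.106-14-g7847d7b), empty values and a missing `_commit:` line alike.

# check_copier_commit FILE
#   returns 0 when _commit is a clean release tag (vMAJOR.MINOR.PATCH),
#           1 when a value is present but is not a clean tag (dev ref, empty, junk),
#           2 when no `_commit:` line exists at all
check_copier_commit() {
  answers_file="$1"
  # `| head -n 1` keeps the first match and hides grep's exit status, so an
  # absent line is detected by the empty result rather than by `set -e`.
  commit_line=$(grep '^_commit:' "$answers_file" | head -n 1)
  [ -n "$commit_line" ] || return 2
  # strip the key and surrounding whitespace to get the bare value
  value=$(printf '%s\n' "${commit_line#_commit:}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
  # positive match: the whole value must be vN.N.N, nothing before or after
  printf '%s\n' "$value" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$' || return 1
  return 0
}

# report_copier_commit FILE
#   CI-style wrapper: prints a one-line verdict and propagates the check's
#   status, so a workflow step fails on any outcome other than a clean tag.
report_copier_commit() {
  rc=0
  check_copier_commit "$1" || rc=$?
  case "$rc" in
    0) echo "ok: $1 pins a clean release tag" ;;
    1) echo "Error: $(grep '^_commit:' "$1" | head -n 1)"
       echo "_commit must be a clean release tag (e.g. v0.0.111), not a dev commit (e.g. v0.0.106-14-g7847d7b)" ;;
    2) echo "Error: no _commit: line found in $1" ;;
  esac
  return "$rc"
}

# Usage: pass an answers file to check it, e.g.
#   sh check_copier_commit.sh .copier-answers.yml
# With no argument, self-check against constructed sample files instead.
if [ "$#" -gt 0 ]; then
  report_copier_commit "$1"
else
  sample_dir=$(mktemp -d)   # constructed samples, removed afterwards
  printf '# Changes here will be overwritten by Copier\n_commit: v0.0.109\n_src_path: gh:example/template.git\n' > "$sample_dir/clean.yml"
  printf '_commit: v0.0.108-8-g1f264ca\n' > "$sample_dir/dev.yml"
  printf '_src_path: gh:example/template.git\n' > "$sample_dir/missing.yml"
  for f in clean dev missing; do
    report_copier_commit "$sample_dir/$f.yml" || true
  done
  rm -rf "$sample_dir"
fi
```

The distinct exit code for "no _commit: line" is deliberate: in a workflow it lets the step message say which invariant broke, and it keeps the check independent of whether the calling shell has set -e enabled.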
@ejfine ejfine merged commit 03cb8f6 into main Mar 30, 2026
17 checks passed
@ejfine ejfine deleted the cop-workflow branch March 30, 2026 23:22
This was referenced Apr 21, 2026
