Copier update (dependabot) (#31)

Pull in upstream changes

Author: ejfine

.copier-answers.yml

@@ -1,5 +1,5 @@
 # Changes here will be overwritten by Copier
-_commit: v0.0.34
+_commit: v0.0.44
 _src_path: gh:LabAutomationAndScreening/copier-base-template.git
 description: A web app that is hosted within a local intranet. Nuxt frontend, python
     backend, docker-compose

.devcontainer/devcontainer.json

@@ -59,5 +59,5 @@
   "initializeCommand": "sh .devcontainer/initialize-command.sh",
   "onCreateCommand": "sh .devcontainer/on-create-command.sh",
   "postStartCommand": "sh .devcontainer/post-start-command.sh"
-  // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): 04266789 # spellchecker:disable-line
+  // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): c3deafe5 # spellchecker:disable-line
 }

.devcontainer/install-ci-tooling.sh

@@ -9,7 +9,7 @@ npm -v
 npm install -g [email protected]
 pnpm -v
 
-curl -LsSf https://astral.sh/uv/0.6.17/install.sh | sh
+curl -LsSf https://astral.sh/uv/0.7.3/install.sh | sh
 uv --version
 # TODO: add uv autocompletion to the shell https://docs.astral.sh/uv/getting-started/installation/#shell-autocompletion
 

.github/actions/install_deps_uv/action.yml

@@ -40,7 +40,7 @@ runs:
       shell: bash
 
     - name: Setup python
-      uses: actions/setup-python@v5.5.0
+      uses: actions/setup-python@v5.6.0
       with:
         python-version: ${{ env.PYTHON_VERSION }}
 

.github/actions/install_deps_uv/install-ci-tooling.ps1

@@ -3,7 +3,7 @@
 Set-StrictMode -Version Latest
 $ErrorActionPreference = "Stop"
 
-irm https://astral.sh/uv/0.6.17/install.ps1 | iex
+irm https://astral.sh/uv/0.7.3/install.ps1 | iex
 
 # Add uv to path (in github runner)
 $env:Path = "C:\Users\runneradmin\.local\bin;$env:Path"
@@ -21,7 +21,7 @@ if ($args.Count -eq 0) {
 }
 
 
-$env:UV_PYTHON = "$input"
+$env:UV_PYTHON = "$input_arg"
 $env:UV_PYTHON_PREFERENCE="only-system"
 
 & uv tool install 'copier==9.6.0' --with 'copier-templates-extensions==0.3.0'

.github/actions/update-devcontainer-hash/action.yml

@@ -0,0 +1,60 @@
+name: Update Devcontainer Hash
+
+inputs:
+  branch:
+    description: 'Branch to checkout and update'
+    required: true
+
+permissions:
+  contents: write
+
+outputs:
+  new-sha:
+    description: 'The SHA of the branch tip after update'
+    value: ${{ steps.commit-and-push.outputs.new-sha }}
+  commit-created:
+    description: 'Whether a new commit was created and pushed'
+    value: ${{ steps.commit-and-push.outputs.commit-created }}
+
+runs:
+  using: composite
+  steps:
+    - name: Verify Dependabot actor
+      if: ${{ github.actor != 'dependabot[bot]' }}
+      run: |
+        echo "Action can only be run by dependabot[bot], but was invoked by ${GITHUB_ACTOR}." >&2
+        exit 1
+      shell: bash
+
+    - name: Checkout code
+      uses: actions/[email protected]
+      with:
+        persist-credentials: true
+        fetch-depth: 1
+        ref: ${{ inputs.branch }}
+
+    - name: Configure Git author
+      run: |
+        git config user.name "github-actions[bot]"
+        git config user.email "github-actions[bot]@users.noreply.github.com"
+      shell: bash
+
+    - name: Update devcontainer hash
+      run: |
+        python3 .github/workflows/hash_git_files.py . --for-devcontainer-config-update --exit-zero
+      shell: bash
+
+    - name: Commit & push changes
+      id: commit-and-push
+      run: |
+        if ! git diff --quiet; then
+          git add .
+          git commit -m "chore: update devcontainer hash [dependabot skip]"
+          git push origin HEAD:${{ inputs.branch }}
+          echo "commit-created=true" >> $GITHUB_OUTPUT
+          echo "new-sha=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
+        else
+          echo "No changes to commit"
+          echo "commit-created=false" >> $GITHUB_OUTPUT
+        fi
+      shell: bash

.github/dependabot.yml

@@ -0,0 +1,30 @@
+version: 2
+updates:
+  - package-ecosystem: "uv"
+    directories:
+      - "/"
+    schedule:
+      interval: "weekly"
+      day: "sunday"
+      time: "16:00"
+    open-pull-requests-limit: 5
+    ignore:
+      - dependency-name: "boto3" # boto3 gets patch updates way too frequently and they're usually not important
+        update-types:
+          - "version-update:semver-patch"
+      - dependency-name: "sphinx*" # read-the-docs uses specific versions of sphinx, so we generally want to stay tightly pinned unless there's a major version change
+        update-types:
+          - "version-update:semver-minor"
+          - "version-update:semver-patch"
+
+    groups:
+      prod-dependencies:
+        dependency-type: "production"
+        update-types:
+          - "minor"
+          - "patch"
+      dev-dependencies:
+        dependency-type: "development"
+        update-types:
+          - "minor"
+          - "patch"

.github/workflows/ci.yaml

@@ -12,54 +12,18 @@ env:
 
 permissions:
     id-token: write
-    contents: write # needed for mutex
+    contents: write # needed for mutex, and updating dependabot branches
+    statuses: write # needed for updating status on Dependabot PRs
 
 jobs:
-  pre-commit:
-    strategy:
-      fail-fast: false
-      matrix:
-        os:
-          - "ubuntu-24.04"
-        python-version:
-            - 3.12.7
-        node-version:
-            - 22.14.0
-    name: Pre-commit for Py${{ matrix.python-version }} on ${{ matrix.os }}
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Checkout code
-        uses: actions/[email protected]
+  get-values:
+    uses: ./.github/workflows/get-values.yaml
 
-      - name: Setup node
-        uses: actions/[email protected]
-        with:
-          node-version: ${{ matrix.node-version }}
-
-      - name: Install latest versions of python packages
-        uses: ./.github/actions/install_deps_uv
-        with:
-          python-version: ${{ matrix.python-version }}
-
-      - name: Set up mutex # Github concurrency management is horrible, things get arbitrarily cancelled if queued up. So using mutex until github fixes itself. When multiple jobs are modifying cache at once, weird things can happen.  possible issue is https://github.com/actions/toolkit/issues/658
-        if: ${{ runner.os != 'Windows' }} # we're just gonna have to YOLO on Windows, because this action doesn't support it yet https://github.com/ben-z/gh-action-mutex/issues/14
-        uses: ben-z/gh-action-mutex@1ebad517141198e08d47cf72f3c0975316620a65 # v1.0.0-alpha.10
-        with:
-          branch: mutex-venv-${{ matrix.os }}-${{ matrix.python-version }}
-        timeout-minutes: 30 # this is the amount of time this action will wait to attempt to acquire the mutex lock before failing, e.g. if other jobs are queued up in front of it
-
-      - name: Cache Pre-commit hooks
-        uses: actions/[email protected]
-        env:
-          cache-name: cache-pre-commit-hooks
-        with:
-          path: ${{ env.PRE_COMMIT_HOME }}
-          key: ${{ matrix.os }}-${{ matrix.python-version }}-build-${{ env.cache-name }}-${{ hashFiles('.pre-commit-config.yaml') }}
-          restore-keys: |
-            ${{ matrix.os }}-${{ matrix.python-version }}-build-${{ env.cache-name }}-
-
-      - name: Run pre-commit
-        run:  pre-commit run -a
+  pre-commit:
+    needs: [ get-values ]
+    uses: ./.github/workflows/pre-commit.yaml
+    with:
+      python-version: 3.12.7
 
   lint-matrix:
     needs: [ pre-commit ]
@@ -160,10 +124,20 @@ jobs:
 
   required-check:
     runs-on: ubuntu-24.04
-    needs: [ lint-matrix ]
+    needs: [ lint-matrix, get-values ]
     if: always()
     steps:
       - name: fail if prior job failure
         if: needs.lint-matrix.result != 'success'
         run: |
           exit 1
+      - name: Mark updated dependabot hash commit as succeeded
+        if: needs.get-values.outputs.dependabot-commit-created == 'true'
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh api \
+            -X POST -H "Accept: application/vnd.github.v3+json" \
+            "/repos/${{ github.repository }}/statuses/${{ needs.get-values.outputs.new-dependabot-sha }}" \
+            -f state=success -f context="required-check" -f description="Initial CI run passed" \
+            -f target_url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"

.github/workflows/get-values.yaml

@@ -0,0 +1,34 @@
+name: Get Values
+
+on:
+  workflow_call:
+    outputs:
+      new-dependabot-sha:
+        description: BUILD_HASH
+        value: ${{ jobs.get-values.outputs.new-dependabot-sha }}
+      dependabot-commit-created:
+        description: whether or not a commit was created on a dependabot branch
+        value: ${{ jobs.get-values.outputs.dependabot-commit-created }}
+
+env:
+  PYTHONUNBUFFERED: True
+
+permissions:
+    contents: write # needed to push commit of new devcontainer hash for dependabot PRs
+
+jobs:
+  get-values:
+    runs-on: ubuntu-24.04
+    outputs:
+      new-dependabot-sha: ${{ steps.update-hash.outputs.new-sha }}
+      dependabot-commit-created: ${{ steps.update-hash.outputs.commit-created }}
+    steps:
+      - name: Checkout code
+        uses: actions/[email protected]
+
+      - name: Update Devcontainer Hash
+        if: ${{ github.actor == 'dependabot[bot]' }}
+        id: update-hash
+        uses: ./.github/actions/update-devcontainer-hash
+        with:
+          branch: ${{ github.ref_name }}

.github/workflows/hash_git_files.py

@@ -138,6 +138,7 @@ def main():
         action="store_true",
         help="Update the hash in the devcontainer.json file based on all files relevant to devcontainer context",
     )
+    _ = parser.add_argument("--exit-zero", action="store_true", help="Exit with code 0 even if the hash changes")
     args = parser.parse_args()
 
     repo_path = args.folder
@@ -170,7 +171,11 @@ def main():
             print(  # noqa: T201
                 f"Updated {devcontainer_json_file} with the new hash: {overall_checksum_str}"
             )
-            sys.exit(1)  # Exit with non-zero code to indicate changes were made
+            if args.exit_zero:
+                sys.exit(0)
+            else:
+                sys.exit(1)
+
     else:
         print(overall_checksum_str)  # noqa: T201 # print this so that the value can be picked up via STDOUT when calling this in a CI pipeline or as a subprocess
 

.github/workflows/pre-commit.yaml

@@ -0,0 +1,66 @@
+name: Pre-commit
+
+on:
+  workflow_call:
+    inputs:
+      python-version:
+        description: 'What version of python'
+        type: string
+        required: true
+      setup-node:
+        description: 'Whether to set up Node'
+        type: boolean
+        default: false
+      node-version:
+        description: 'What version of node'
+        type: string
+        required: false
+        default: 'notUsing'
+
+env:
+  PYTHONUNBUFFERED: True
+  PRE_COMMIT_HOME: ${{ github.workspace }}/.precommit_cache
+
+permissions:
+    contents: write # needed for mutex
+
+jobs:
+  pre-commit:
+    runs-on: ubuntu-24.04
+    name: Pre-commit
+    steps:
+      - name: Checkout code
+        uses: actions/[email protected]
+        with:
+          ref: ${{ github.ref_name }} # explicitly get the head of the branch, which will include any new commits pushed if this is a dependabot branch
+
+      - name: Setup node
+        uses: actions/[email protected]
+        if: ${{ inputs.setup-node }}
+        with:
+          node-version: ${{ inputs.node-version }}
+
+      - name: Install latest versions of python packages
+        uses: ./.github/actions/install_deps_uv
+        with:
+          python-version: ${{ inputs.python-version }}
+
+      - name: Set up mutex # Github concurrency management is horrible, things get arbitrarily cancelled if queued up. So using mutex until github fixes itself. When multiple jobs are modifying cache at once, weird things can happen.  possible issue is https://github.com/actions/toolkit/issues/658
+        if: ${{ runner.os != 'Windows' }} # we're just gonna have to YOLO on Windows, because this action doesn't support it yet https://github.com/ben-z/gh-action-mutex/issues/14
+        uses: ben-z/gh-action-mutex@1ebad517141198e08d47cf72f3c0975316620a65 # v1.0.0-alpha.10
+        with:
+          branch: mutex-venv-ubuntu-24.04-py${{ inputs.python-version }}-nodejs-${{ inputs.node-version }}
+        timeout-minutes: 30 # this is the amount of time this action will wait to attempt to acquire the mutex lock before failing, e.g. if other jobs are queued up in front of it
+
+      - name: Cache Pre-commit hooks
+        uses: actions/[email protected]
+        env:
+          cache-name: cache-pre-commit-hooks
+        with:
+          path: ${{ env.PRE_COMMIT_HOME }}
+          key: ubuntu-24.04-py${{ inputs.python-version }}-node-${{ inputs.node-version}}-${{ env.cache-name }}-${{ hashFiles('.pre-commit-config.yaml') }}
+          restore-keys: |
+            ubuntu-24.04-py${{ inputs.python-version }}-node-${{ inputs.node-version}}-${{ env.cache-name }}-
+
+      - name: Run pre-commit
+        run:  pre-commit run -a

extensions/context.py

@@ -10,7 +10,7 @@ class ContextUpdater(ContextHook):
 
     @override
     def hook(self, context: dict[Any, Any]) -> dict[Any, Any]:
-        context["uv_version"] = "0.6.17"
+        context["uv_version"] = "0.7.3"
         context["pnpm_version"] = "10.10.0"
         context["pre_commit_version"] = "4.2.0"
         context["pyright_version"] = "1.1.400"
@@ -45,10 +45,11 @@ def hook(self, context: dict[Any, Any]) -> dict[Any, Any]:
         context["graphql_codegen_typescript_version"] = "^4.1.6"
 
         context["gha_checkout"] = "v4.2.2"
-        context["gha_setup_python"] = "v5.5.0"
+        context["gha_setup_python"] = "v5.6.0"
         context["gha_cache"] = "v4.2.2"
         context["gha_upload_artifact"] = "v4.6.2"
         context["gha_download_artifact"] = "v4.2.1"
+        context["gha_github_script"] = "v7.0.1"
         context["gha_setup_buildx"] = "v3.10.0"
         context["buildx_version"] = "v0.22.0"
         context["gha_docker_build_push"] = "v6.15.0"

template/.github/actions/install_deps_uv/action.yml

@@ -40,7 +40,7 @@ runs:
       shell: bash
 
     - name: Setup python
-      uses: actions/setup-python@v5.5.0
+      uses: actions/setup-python@v5.6.0
       with:
         python-version: ${{ env.PYTHON_VERSION }}
 

template/.github/actions/install_deps_uv/install-ci-tooling.ps1

@@ -3,7 +3,7 @@
 Set-StrictMode -Version Latest
 $ErrorActionPreference = "Stop"
 
-irm https://astral.sh/uv/0.6.17/install.ps1 | iex
+irm https://astral.sh/uv/0.7.3/install.ps1 | iex
 
 # Add uv to path (in github runner)
 $env:Path = "C:\Users\runneradmin\.local\bin;$env:Path"
@@ -21,7 +21,7 @@ if ($args.Count -eq 0) {
 }
 
 
-$env:UV_PYTHON = "$input"
+$env:UV_PYTHON = "$input_arg"
 $env:UV_PYTHON_PREFERENCE="only-system"
 
 & uv tool install 'copier==9.6.0' --with 'copier-templates-extensions==0.3.0'