Copier update: base image#99

Merged
ejfine merged 1 commit into main from cop-image
Jan 26, 2026
Conversation


@ejfine ejfine commented Jan 26, 2026

Why is this change necessary?

Pull in upstream changes

What side effects does this change have?

N/A

How is this change tested?

ejfine/aws-central-infrastructure#86

Summary by CodeRabbit

  • New Features

    • Added option to pull Docker images from Elastic Container Registry (ECR)
    • Pulumi preview comments now include stack names for improved clarity
  • Chores

    • Updated development tools, Python packages, and GitHub Actions to latest versions
    • Upgraded base Docker image and system dependencies

@ejfine ejfine self-assigned this Jan 26, 2026

coderabbitai bot commented Jan 26, 2026

📝 Walkthrough

This PR updates multiple dependency and tool versions across the project, bumps dev container base images from Focal/Bookworm to Noble/Trixie, updates GitHub Actions versions, and introduces a new boolean field pull_from_ecr to the Copier template configuration with conditional visibility for AWS-related settings.

Changes

Cohort: Version & Metadata Updates
  Files: .copier-answers.yml, extensions/context.py, pyproject.toml
  Summary: Bumped commit reference to v0.0.94; updated tool versions (uv 0.9.26, pnpm 10.28.1, copier 9.11.2, pre-commit 4.5.1); updated pyright, ty, and GitHub Actions versions; changed Debian release from bookworm to trixie.

Cohort: Dev Container Configuration
  Files: .devcontainer/Dockerfile, .devcontainer/devcontainer.json, template/.devcontainer/Dockerfile, template/.devcontainer/devcontainer.json.jinja
  Summary: Updated base image from universal:2.13.1-focal to universal:5.1.1-noble; bumped bash-completion from 2.10 to 2.11; added yarn GPG key workaround (removed yarn.list); renamed workspace path from /workspace to /workspaces; updated VS Code coderabbit extension from 0.16.4 to 0.16.6.

Cohort: Installation & Tooling
  Files: .devcontainer/install-ci-tooling.py
  Summary: Bumped UV_VERSION, PNPM_VERSION, COPIER_VERSION, and PRE_COMMIT_VERSION in version pins.

Cohort: GitHub Actions & CI/CD
  Files: .github/actions/install_deps/action.yml, .github/reusable_workflows/build-docker-image.yaml, .github/workflows/ci.yaml, .github/workflows/pre-commit.yaml, template/.github/actions/install_deps/action.yml, template/.github/actions/pulumi_ephemeral_deploy/action.yml, template/.github/workflows/pre-commit.yaml, template/.github/workflows/pulumi-aws.yml
  Summary: Updated setup-python and setup-node from v6.1.0 to v6.2.0; updated cache action from v4.3.0 to v5.0.2 and upload-artifact from v5.0.0 to v6.0.0; updated download-artifact from v6.0.0 to v7.0.0; modified Pulumi preview comment to include stack name in message and tag.

Cohort: Copier Template Configuration
  Files: copier.yml
  Summary: Added new boolean field pull_from_ecr with default false; updated when conditions for four AWS-related fields (aws_identity_center_id, aws_org_home_region, aws_central_infrastructure_account_id, core_infra_base_access_profile_name) to include pull_from_ecr.

Cohort: Test Data
  Files: tests/copier_data/data1.yaml, tests/copier_data/data2.yaml, tests/copier_data/data3.yaml
  Summary: Added pull_from_ecr field with values false, true, and false respectively.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • Copier update (misc version bumps) #82: Both PRs modify version-pinning files (.copier-answers.yml, pyproject.toml) and update ContextUpdater.hook in extensions/context.py with bumped dependency versions.
  • Copier update (CI Perms) #76: Both PRs make overlapping updates to the same configuration and template files (.copier-answers.yml, devcontainer files, install-ci-tooling.py, extensions/context.py, copier.yml) with consistent version/value changes.
  • Copier update: ty #91: Both PRs modify tooling version pins and template/config files, particularly extensions/context.py and copier-related dependency updates.
🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)
  • Docstring Coverage (⚠️ Warning): Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)
  • Title check (✅ Passed): The title 'Copier update: base image' accurately describes a primary change in the PR: multiple Dockerfile base image updates from version 2.13.1-focal to 5.1.1-noble across both root and template directories.
  • Description check (✅ Passed): The PR description addresses the 'Why' section and includes side effects and testing information, but omits required sections for 'Link to Issue', 'How does this change address the issue', and 'Other'.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 4

🤖 Fix all issues with AI agents
In @.github/workflows/pre-commit.yaml:
- Around line 61-63: The workflow update switched the "Cache Pre-commit hooks"
step to actions/cache@v5.0.2 which changes retry behavior for HTTP 429 and
raises runtime/runner requirements; either revert to the prior safe version
(e.g., actions/cache@v3) or explicitly add retry logic around the cache step and
update CI docs to require Node.js 24 and GitHub Actions Runner >= 2.327.1 for
self-hosted runners; update the step named "Cache Pre-commit hooks" (the uses:
actions/cache@v5.0.2) accordingly and ensure any self-hosted runners are
validated or the version is pinned to maintain current compatibility.

In `@copier.yml`:
- Around line 1-6: The file copier.yml contains five leading blank lines; reduce
the consecutive blank lines to at most two by removing three of them so the file
starts with no more than two empty lines (update copier.yml to eliminate the
excess blank lines at the top).
- Around line 65-71: The when clauses for aws_identity_center_id and
aws_org_home_region include a trailing "or True", causing them to always
evaluate true; remove "or True" from those when expressions (i.e., change the
when value to match the pattern used by similar fields such as "{{
python_package_registry == 'AWS CodeArtifact' or pull_from_ecr }}"), or if you
intend unconditional visibility, delete the when clause entirely and add a
comment explaining why. Ensure you update the when for both
aws_identity_center_id and aws_org_home_region to be consistent with other
fields.

In `@template/.devcontainer/Dockerfile`:
- Around line 8-9: Add an explicit TODO and tracking reference for the temporary
Yarn GPG workaround: update the Dockerfile near the RUN rm
/etc/apt/sources.list.d/yarn.list || true line to include a short TODO comment
that references an issue number or a GitHub issue template (e.g., "TODO: remove
when Yarn GPG key is updated — tracked by ISSUE-XXXX/URL") and, if no issue
exists, create a lightweight issue in the repository titled "Remove temporary
Yarn GPG key workaround" with context so the TODO can point to that issue
ID/URL.
♻️ Duplicate comments (4)
template/.github/actions/install_deps/action.yml (2)

59-63: Mirror check: actions/setup-python v6.2.0 compatibility.
Please verify release notes for any breaking changes or new requirements that might affect runners or inputs.

actions/setup-python v6.2.0 release notes breaking changes

65-68: Mirror check: actions/setup-node v6.2.0 compatibility.
Please verify release notes for any breaking changes or new requirements that might affect runners or inputs.

actions/setup-node v6.2.0 release notes breaking changes
template/.github/workflows/pre-commit.yaml (1)

61-63: Mirror check: actions/cache v5.0.2 upgrade behavior.
Please confirm release notes for any cache behavior changes that could affect pre-commit cache hits.

actions/cache v5.0.2 release notes breaking changes
.github/workflows/ci.yaml (1)

113-115: Confirm actions/cache v5.0.2 behavior in CI.
Please verify release notes for any cache behavior changes that could affect pre-commit cache hits.

actions/cache v5.0.2 release notes breaking changes

Comment on lines 61 to 63 of .github/workflows/pre-commit.yaml
- name: Cache Pre-commit hooks
uses: actions/cache@v4.3.0
uses: actions/cache@v5.0.2
env:
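Review bot: `uses: actions/cache@v5.0.2` pins a mutable tag; for a bump that also raises the runtime and runner requirements (Node.js 24, Runner >= 2.327.1 per the release notes quoted below), pin the action to the full commit SHA of the v5.0.2 release and keep the tag in a trailing comment, so the workflow keeps running the exact code that was reviewed even if the tag is later moved. The same applies to the setup-python, setup-node and artifact action bumps in this PR.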

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

actions/cache v5.0.2 release notes breaking changes

💡 Result:

For actions/cache@v5.0.2, the release notes list one behavior change (and no explicitly labeled “breaking changes”):

  • Changed: When creating cache entries, HTTP 429 responses from the cache service will not be retried. This can increase the chance of a cache-save failing under throttling. [1]

The breaking changes are at the v5 major line level (apply to v5.0.2 as well):

  • Runtime bump: actions/cache@v5 runs on Node.js 24. [2]
  • Runner requirement: Requires GitHub Actions Runner >= 2.327.1 (notably relevant for self-hosted runners). [2]

Sources: [1] [2]


Review actions/cache v5.0.2 upgrade for operational concerns.

The upgrade to v5.0.2 introduces a behavior change: HTTP 429 throttling responses will no longer be retried when creating cache entries, increasing the chance of cache-save failures under rate limiting. Additionally, this version requires Node.js 24 runtime and GitHub Actions Runner >= 2.327.1, which may affect self-hosted runner compatibility. Confirm these changes align with your CI/CD infrastructure requirements.


Comment on lines +1 to +6 of copier.yml
# Questions specific to this template






⚠️ Potential issue | 🟡 Minor

Fix excessive blank lines.

Static analysis reports 5 blank lines where only 2 are allowed.

Proposed fix
 # Questions specific to this template
-
-
-
-
-
+
+
 # Questions managed by upstream template
🧰 Tools
🪛 YAMLlint (1.38.0)

[error] 6-6: too many blank lines (5 > 2)

(empty-lines)


Comment on lines +65 to +71 of copier.yml
when: "{{ python_package_registry == 'AWS CodeArtifact' or install_aws_ssm_port_forwarding_plugin or pull_from_ecr or True }}"

aws_org_home_region:
type: str
help: What is the home region of the AWS Organization (where all of the central infrastructure is deployed)?
default: us-east-1
when: "{{ python_package_registry == 'AWS CodeArtifact' or install_aws_ssm_port_forwarding_plugin or True }}"
when: "{{ python_package_registry == 'AWS CodeArtifact' or install_aws_ssm_port_forwarding_plugin or pull_from_ecr or True }}"
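Review bot: the new `or pull_from_ecr` operand is dead on this line and on the `aws_identity_center_id` line above it, because both expressions keep the trailing `or True`, so the prompt is shown for every answer and the new flag never gates it. Either drop the tautology so the line reads `when: "{{ python_package_registry == 'AWS CodeArtifact' or install_aws_ssm_port_forwarding_plugin or pull_from_ecr }}"`, or remove the `when:` key and leave a comment that the question is intentionally always asked.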

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

git ls-files | grep -i copier

Repository: LabAutomationAndScreening/copier-aws-central-infrastructure

Length of output: 255


🏁 Script executed:

cat -n copier.yml | sed -n '60,75p'

Repository: LabAutomationAndScreening/copier-aws-central-infrastructure

Length of output: 943


🏁 Script executed:

rg 'or True' copier.yml

Repository: LabAutomationAndScreening/copier-aws-central-infrastructure

Length of output: 364


🏁 Script executed:

rg 'when:' copier.yml -A 1

Repository: LabAutomationAndScreening/copier-aws-central-infrastructure

Length of output: 1284


🏁 Script executed:

rg 'or True' --type yaml

Repository: LabAutomationAndScreening/copier-aws-central-infrastructure

Length of output: 386


🏁 Script executed:

rg 'python_package_registry|install_aws_ssm_port_forwarding_plugin|pull_from_ecr' copier.yml | head -20

Repository: LabAutomationAndScreening/copier-aws-central-infrastructure

Length of output: 566


The or True suffix makes these conditions always evaluate to true.

The when conditions for aws_identity_center_id and aws_org_home_region (lines 65, 71) end with or True, which means these fields will always be shown regardless of the other conditions. This pattern is unique in the file—similar fields use conditions like {{ python_package_registry == 'AWS CodeArtifact' or pull_from_ecr }} without the or True. If unconditional visibility is intended, remove the when clause entirely or add a comment explaining why these fields must always appear. If conditional visibility is needed, remove the or True.

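A small lint for the class of mistake flagged above, added here as an example and not part of the PR or the project: it scans copier-style YAML for `when:` expressions whose top-level `or` chain contains a literal `True`, which makes the condition a tautology. The sample YAML is constructed to mirror the two flagged fields plus one correctly gated field; it only models the `field:` / `when:` layout, not Copier's full schema.

```python
import re

# Constructed excerpt modelled on the copier.yml `when:` lines quoted in the review
# (not the project's actual file).
SAMPLE_COPIER_YML = """\
aws_identity_center_id:
  type: str
  when: "{{ python_package_registry == 'AWS CodeArtifact' or install_aws_ssm_port_forwarding_plugin or pull_from_ecr or True }}"

aws_org_home_region:
  type: str
  default: us-east-1
  when: "{{ python_package_registry == 'AWS CodeArtifact' or install_aws_ssm_port_forwarding_plugin or pull_from_ecr or True }}"

aws_central_infrastructure_account_id:
  type: str
  when: "{{ python_package_registry == 'AWS CodeArtifact' or pull_from_ecr }}"
"""

FIELD_RE = re.compile(r"^(\w+):\s*$")  # top-level question name
WHEN_RE = re.compile(r"""^\s+when:\s*["']?\{\{\s*(.*?)\s*\}\}["']?\s*$""")


def find_tautological_when(text: str) -> list[tuple[str, str]]:
    """Return (field, expression) for each `when:` whose top-level `or` chain has a literal true."""
    findings: list[tuple[str, str]] = []
    field = None
    for line in text.splitlines():
        if m := FIELD_RE.match(line):
            field = m.group(1)
            continue
        m = WHEN_RE.match(line)
        if m is None or field is None:
            continue
        expr = m.group(1)
        # Only split on top-level `or`: `x and True` stays one operand and is not flagged,
        # while a bare `True` operand makes the whole disjunction true for every answer.
        operands = [op.strip() for op in re.split(r"\s+or\s+", expr)]
        if any(op.lower() == "true" for op in operands):
            findings.append((field, expr))
    return findings


if __name__ == "__main__":
    for field, expr in find_tautological_when(SAMPLE_COPIER_YML):
        print(f"{field}: `when` is always true: {{{{ {expr} }}}}")
```

Run against the sample it reports `aws_identity_center_id` and `aws_org_home_region` and stays silent on the correctly gated field; pointing it at a real copier.yml in pre-commit catches the regression before a template update ships.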

Comment on lines +8 to +9 of template/.devcontainer/Dockerfile
# temporary hack until yarn updates its GPG key
RUN rm /etc/apt/sources.list.d/yarn.list || true
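Review bot: `rm ... || true` hides every failure, not only a missing file; `rm -f /etc/apt/sources.list.d/yarn.list` exits 0 when the file is absent and still fails on a real error such as a permission problem, so it keeps the build honest. The comment should also state the effect of the hack: deleting the source list stops `apt-get update` from failing on the stale yarn signing key at the cost of no further yarn updates through apt, which is the right trade-off compared with relaxing signature verification, but it should carry a removal condition so it does not outlive the key rotation.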

🧹 Nitpick | 🔵 Trivial

Consider tracking the temporary workaround.

The yarn GPG key workaround is appropriately marked as temporary. The || true fallback correctly prevents build failures if the file doesn't exist.

Would you like me to open an issue to track removal of this workaround once yarn updates its GPG key?


@ejfine ejfine requested a review from zendern January 26, 2026 15:05
@ejfine ejfine merged commit 444b9a1 into main Jan 26, 2026
6 checks passed
@ejfine ejfine deleted the cop-image branch January 26, 2026 16:55