Copier update: fail on dev tag CI job

.copier-answers.yml

@@ -1,5 +1,5 @@
 # Changes here will be overwritten by Copier
-_commit: v0.0.106
+_commit: v0.0.106-25-g3f683ae
 _src_path: gh:LabAutomationAndScreening/copier-base-template.git
 description: A web app that is hosted within a local intranet. Nuxt frontend, python
     backend, docker-compose

.devcontainer/Dockerfile

@@ -1,7 +1,7 @@
 # base image tags available at https://mcr.microsoft.com/v2/devcontainers/universal/tags/list
 # added the platform flag to override any local settings since this image is only compatible with linux/amd64. since this image is only x64 compatible, suppressing the hadolint rule
 # hadolint ignore=DL3029
-FROM --platform=linux/amd64 mcr.microsoft.com/devcontainers/universal:5.1.4-noble
+FROM --platform=linux/amd64 mcr.microsoft.com/devcontainers/universal:5.1.5-noble
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 

.devcontainer/devcontainer.json

@@ -1,4 +1,8 @@
 {
+  "hostRequirements": {
+    "cpus": 2,
+    "memory": "4gb"
+  },
   "dockerComposeFile": "docker-compose.yml",
   "service": "devcontainer",
   "workspaceFolder": "/workspaces/${localWorkspaceFolderBasename}",
@@ -22,21 +26,21 @@
         "ms-vscode.live-server@0.5.2025051301",
         "MS-vsliveshare.vsliveshare@1.0.5905",
         "github.copilot@1.388.0",
-        "github.copilot-chat@0.38.2026022704",
-        "anthropic.claude-code@2.1.74",
+        "github.copilot-chat@0.42.2026032602",
+        "anthropic.claude-code@2.1.84",
 
         // Python
-        "ms-python.python@2026.2.2026021801",
-        "ms-python.vscode-pylance@2026.1.1",
+        "ms-python.python@2026.5.2026032701",
+        "ms-python.vscode-pylance@2026.1.102",
         "ms-vscode-remote.remote-containers@0.414.0",
-        "charliermarsh.ruff@2026.36.0",
+        "charliermarsh.ruff@2026.38.0",
 
         // Misc file formats
         "bierner.markdown-mermaid@1.29.0",
         "samuelcolvin.jinjahtml@0.20.0",
         "tamasfe.even-better-toml@0.19.2",
         "emilast.LogFileHighlighter@3.3.3",
-        "esbenp.prettier-vscode@12.3.0"
+        "esbenp.prettier-vscode@12.4.0"
       ],
       "settings": {
         "editor.accessibilitySupport": "off", // turn off sounds
@@ -61,5 +65,5 @@
   "initializeCommand": "sh .devcontainer/initialize-command.sh",
   "onCreateCommand": "sh .devcontainer/on-create-command.sh",
   "postStartCommand": "sh .devcontainer/post-start-command.sh"
-  // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): f6b6ee32 # spellchecker:disable-line
+  // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): 80d9f36a # spellchecker:disable-line
 }

.devcontainer/install-ci-tooling.py

@@ -8,7 +8,7 @@
 from pathlib import Path
 
 UV_VERSION = "0.10.12"
-PNPM_VERSION = "10.32.1"
+PNPM_VERSION = "10.33.0"
 COPIER_VERSION = "==9.14.0"
 COPIER_TEMPLATE_EXTENSIONS_VERSION = "==0.3.3"
 PRE_COMMIT_VERSION = "4.5.1"

.devcontainer/on-create-command.sh

@@ -3,12 +3,12 @@ set -ex
 
 # For some reason the directory is not setup correctly and causes build of devcontainer to fail since
 # it doesn't have access to the workspace directory. This can normally be done in post-start-command
-git config --global --add safe.directory /workspaces/copier-nuxt-python-intranet-app
+script_dir="$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)"
+repo_root="$(CDPATH= cd -- "$script_dir/.." && pwd)"
+git config --global --add safe.directory "$repo_root"
 
 sh .devcontainer/on-create-command-boilerplate.sh
 # install json5 for merging claude settings.  TODO: consider if we can install json5 globally...or somehow eliminate this dependency
-script_dir="$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)"
-repo_root="$(CDPATH= cd -- "$script_dir/.." && pwd)"
 mkdir -p "$repo_root/.claude"
 chmod -R ug+rwX "$repo_root/.claude"
 chgrp -R 0 "$repo_root/.claude" || true

.devcontainer/post-start-command.sh

@@ -3,7 +3,9 @@ set -ex
 
 # For some reason the directory is not setup correctly and causes build of devcontainer to fail since
 # it doesn't have access to the workspace directory. This can normally be done in post-start-command
-git config --global --add safe.directory /workspaces/copier-nuxt-python-intranet-app
+script_dir="$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)"
+repo_root="$(CDPATH= cd -- "$script_dir/.." && pwd)"
+git config --global --add safe.directory "$repo_root"
 pre-commit run merge-claude-settings -a
 if ! bd ready; then
 	echo "It's likely the Dolt server has not yet been initialized to support beads, running that now" # TODO: figure out a better way to match this specific scenario than just a non-zero exit code...but beads still seems like in high flux right now so not sure what to tie it to

.github/actions/check-skip-duplicates/action.yml

@@ -0,0 +1,44 @@
+name: Check Skip Duplicates
+description: 'Check that will output a variable to allow you to skip duplicate runs. Example: If you have both push and pull_request triggers enabled and you dont want to run 2 jobs for the same commit if a PR is already open you can add this to your jobs to skip that extra execution.'
+
+outputs:
+  should-run:
+    description: 'Flag that determines if this execution should run or not'
+    value: ${{ steps.check.outputs.should_run }}
+
+runs:
+  using: composite
+  steps:
+    - name: Check if push has associated open PR
+      id: check
+      env:
+        GH_TOKEN: ${{ github.token }}
+        REF_NAME: ${{ github.ref_name }}
+        REPO_NAME: ${{ github.repository }}
+        EVENT_NAME: ${{ github.event_name }}
+      shell: bash
+      run: |
+        # For non-push events, always run
+        if [ "$EVENT_NAME" != "push" ]; then
+          echo "should_run=true" >> $GITHUB_OUTPUT
+          echo "Event is $EVENT_NAME, will run CI"
+          exit 0
+        fi
+
+        # For push events, check if there's an open PR for this branch
+        pr_json=$(gh pr list \
+          --repo "$REPO_NAME" \
+          --head "$REF_NAME" \
+          --state open \
+          --json number \
+          --limit 1)
+
+        pr_number=$(echo "$pr_json" | jq -r '.[0].number // ""')
+
+        if [ -n "$pr_number" ]; then
+          echo "should_run=false" >> $GITHUB_OUTPUT
+          echo "Push to branch with open PR #$pr_number detected, skipping (PR event will run CI)"
+        else
+          echo "should_run=true" >> $GITHUB_OUTPUT
+          echo "Push to branch without open PR, will run CI"
+        fi

.github/workflows/ci.yaml

@@ -5,6 +5,7 @@ on:
     branches-ignore:
       - 'gh-readonly-queue/**' # don't run (again) when on these special branches created during merge groups; the `on: merge_group` already triggers it.
   merge_group:
+  pull_request:
 
 env:
   PYTHONUNBUFFERED: True
@@ -19,9 +20,23 @@ jobs:
     permissions:
       contents: write # needed for updating dependabot branches
 
+  check-skip-duplicate:
+    runs-on: ubuntu-24.04
+    outputs:
+      should-run: ${{ steps.check.outputs.should-run }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6.0.2
+        with:
+          persist-credentials: false
+      - id: check
+        uses: ./.github/actions/check-skip-duplicates
+
   pre-commit:
     needs:
       - get-values
+      - check-skip-duplicate
+    if: needs.check-skip-duplicate.outputs.should-run == 'true'
     uses: ./.github/workflows/pre-commit.yaml
     permissions:
       contents: write # needed for mutex
@@ -32,6 +47,8 @@ jobs:
   unit-test:
     needs:
       - pre-commit
+      - check-skip-duplicate
+    if: needs.check-skip-duplicate.outputs.should-run == 'true'
     strategy:
       matrix:
         os:
@@ -66,6 +83,8 @@ jobs:
   lint-matrix:
     needs:
       - pre-commit
+      - check-skip-duplicate
+    if: needs.check-skip-duplicate.outputs.should-run == 'true'
     strategy:
       matrix:
         os:
@@ -177,11 +196,18 @@ jobs:
           name: pre-commit-log--${{ github.jobs.lint-matrix.name }}
           path: "${{ github.workspace }}/.precommit_cache/pre-commit.log"
 
-  required-check:
+  confirm-on-tagged-copier-template:
+    if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
+    uses: ./.github/workflows/confirm-on-tagged-copier-template.yaml
+
+
+  workflow-summary:
     runs-on: ubuntu-24.04
     timeout-minutes: 2
     needs:
       - get-values
+      - check-skip-duplicate
+      - confirm-on-tagged-copier-template
       - pre-commit
       - unit-test
       - lint-matrix
@@ -194,13 +220,27 @@ jobs:
           success_pattern="^(skipped|success)$" # these are the possibilities: https://docs.github.com/en/actions/reference/workflows-and-actions/contexts#needs-context
 
           if [[ ! "${{ needs.get-values.result }}" =~ $success_pattern ]] ||
+            [[ ! "${{ needs.confirm-on-tagged-copier-template.result }}" =~ $success_pattern ]] ||
+            [[ ! "${{ needs.check-skip-duplicate.result }}" =~ $success_pattern ]] ||
             [[ ! "${{ needs.pre-commit.result }}" =~ $success_pattern ]] ||
             [[ ! "${{ needs.unit-test.result }}" =~ $success_pattern ]] ||
             [[ ! "${{ needs.lint-matrix.result }}" =~ $success_pattern ]]; then
             echo "❌ One or more jobs did not finish with skipped or success"
             exit 1
           fi
           echo "✅ All jobs finished with skipped or success"
+
+      - name: Mark the required-check as succeeded so the PR can be merged
+        if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh api \
+            -X POST -H "Accept: application/vnd.github.v3+json" \
+            "${{ github.event.pull_request.statuses_url }}" \
+            -f state=success -f context="required-check" -f description="✅ All required checks passed in the job triggered by pull_request" \
+            -f target_url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+
       - name: Mark updated dependabot hash commit as succeeded
         if: needs.get-values.outputs.dependabot-commit-created == 'true'
         env:

.github/workflows/confirm-on-tagged-copier-template.yaml

@@ -0,0 +1,34 @@
+name: Confirm using tagged copier template version
+
+on:
+  workflow_call:
+    inputs:
+      answers_file:
+        description: 'Path to the copier answers file'
+        type: string
+        default: '.copier-answers.yml'
+
+jobs:
+  confirm-on-tagged-copier-template:
+    runs-on: ubuntu-24.04
+    timeout-minutes: 2
+    name: Fail if template under development
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Check _commit is a clean release tag
+        run: |
+          ANSWERS_FILE="${{ inputs.answers_file }}"
+          if [ ! -f "$ANSWERS_FILE" ]; then
+            echo "Error: $ANSWERS_FILE not found"
+            exit 1
+          fi
+          COMMIT_LINE=$(grep "^_commit:" "$ANSWERS_FILE")
+          if echo "$COMMIT_LINE" | grep -q "-"; then
+            echo "Error: $COMMIT_LINE"
+            echo "_commit must be a clean release tag (e.g. v0.0.111), not a dev commit (e.g. v0.0.106-14-g7847d7b)"
+            exit 1
+          fi

.github/workflows/tag-on-merge.yaml

@@ -14,12 +14,12 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@v6.0.1
+      - uses: actions/checkout@v6.0.2
         with:
           ref: ${{ github.event.pull_request.merge_commit_sha }}
           fetch-depth: '0'
           persist-credentials: false
       - name: Bump version and push tag
-        uses: mathieudutour/github-tag-action@a22cf08638b34d5badda920f9daf6e72c477b07b # v6.2
+        uses: nickkostov/github-tag-action@b3aa34b4ac9c7843ee609ba5d0b0a50b962647b9 # v1.3.0 # a fork of https://github.com/mathieudutour/github-tag-action, which is still on Node 20
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}

AGENTS.md

@@ -43,8 +43,8 @@ This project is a Copier template used to generate applications that are able to
 
 ## Tooling
 
-- Always use `uv run python` instead of `python3` or `python` when running Python commands.
-- Prefer dedicated shell tools over `python3`/`python` for simple one-off tasks: use `jq` for JSON parsing, standard shell builtins for string manipulation, etc. Only reach for `python3` when no simpler tool covers the need.
+- ❌ Never use `python3` or `python` directly. ✅ Always use `uv run python` for Python commands.
+- ❌ Never use `python3`/`python` for one-off data tasks. ✅ Use `jq` for JSON parsing, standard shell builtins for string manipulation. Only reach for `uv run python` when no dedicated tool covers the need.
 - Check .devcontainer/devcontainer.json for tooling versions (Python, Node, etc.) when reasoning about version-specific stdlib or tooling behavior.
 - For frontend tests, run commands via `pnpm` scripts from `frontend/package.json` — never invoke tools directly (not pnpm exec <tool>, npx <tool>, etc.). ✅ pnpm test-unit  ❌ pnpm vitest ... or npx vitest ...
 - For linting and type-checking, prefer `pre-commit run <hook-id>` over invoking tools directly — this matches the permission allow-list and mirrors what CI runs. Key hook IDs: `typescript-check`, `eslint`, `pyright`, `ruff`, `ruff-format`.

extensions/context.py

@@ -11,7 +11,7 @@ class ContextUpdater(ContextHook):
     @override
     def hook(self, context: dict[Any, Any]) -> dict[Any, Any]:
         context["uv_version"] = "0.10.12"
-        context["pnpm_version"] = "10.32.1"
+        context["pnpm_version"] = "10.33.0"
         context["pre_commit_version"] = "4.5.1"
         context["pyright_version"] = ">=1.1.408"
         context["pytest_version"] = ">=9.0.2"
@@ -51,7 +51,7 @@ def hook(self, context: dict[Any, Any]) -> dict[Any, Any]:
         context["python_faker_version"] = ">=40.4.0"
 
         context["default_node_version"] = "24.11.1"
-        context["nuxt_ui_version"] = "^4.5.1"
+        context["nuxt_ui_version"] = "^4.6.0"
         context["nuxt_version"] = "~4.3.1"
         context["nuxt_icon_version"] = "^2.2.1"
         context["typescript_version"] = "^5.9.3"
@@ -61,14 +61,14 @@ def hook(self, context: dict[Any, Any]) -> dict[Any, Any]:
         context["vue_devtools_api_version"] = "^8.1.0"
         context["vue_router_version"] = "^5.0.3"
         context["dotenv_cli_version"] = "^11.0.0"
-        context["faker_version"] = "^10.3.0"
+        context["faker_version"] = "^10.4.0"
         context["vitest_version"] = "^3.2.4"
         context["eslint_version"] = "~9.38.0"
         context["nuxt_eslint_version"] = "^1.15.1"
         context["zod_version"] = "^4.3.6"
         context["zod_from_json_schema_version"] = "^0.5.1"
         context["nuxt_apollo_version"] = "5.0.0-alpha.15"
-        context["graphql_codegen_cli_version"] = "^6.1.0"
+        context["graphql_codegen_cli_version"] = "^6.2.1"
         context["graphql_codegen_typescript_version"] = "^5.0.7"
         context["graphql_tools_mock_version"] = "^9.1.0"
         context["tailwindcss_version"] = "^4.2.0"

template/.devcontainer/Dockerfile

@@ -1,7 +1,7 @@
 # base image tags available at https://mcr.microsoft.com/v2/devcontainers/universal/tags/list
 # added the platform flag to override any local settings since this image is only compatible with linux/amd64. since this image is only x64 compatible, suppressing the hadolint rule
 # hadolint ignore=DL3029
-FROM --platform=linux/amd64 mcr.microsoft.com/devcontainers/universal:5.1.4-noble
+FROM --platform=linux/amd64 mcr.microsoft.com/devcontainers/universal:5.1.5-noble
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 

template/.devcontainer/devcontainer.json.jinja

@@ -1,4 +1,9 @@
 {% raw %}{
+  "hostRequirements": {
+    "cpus": 2,
+    // Static site generation requires more memory
+    "memory": "10gb"
+  },
   "dockerComposeFile": "docker-compose.yml",
   "service": "devcontainer",
   "workspaceFolder": "/workspaces/${localWorkspaceFolderBasename}",
@@ -40,28 +45,28 @@
         "ms-vscode.live-server@0.5.2025051301",
         "MS-vsliveshare.vsliveshare@1.0.5905",
         "github.copilot@1.388.0",
-        "github.copilot-chat@0.38.2026022704",{% endraw %}{% if install_claude_cli %}{% raw %}
-        "anthropic.claude-code@2.1.74",{% endraw %}{% endif %}{% raw %}
+        "github.copilot-chat@0.42.2026032602",{% endraw %}{% if install_claude_cli %}{% raw %}
+        "anthropic.claude-code@2.1.84",{% endraw %}{% endif %}{% raw %}
 
         // Python
-        "ms-python.python@2026.2.2026021801",
-        "ms-python.vscode-pylance@2026.1.1",
+        "ms-python.python@2026.5.2026032701",
+        "ms-python.vscode-pylance@2026.1.102",
         "ms-vscode-remote.remote-containers@0.414.0",
-        "charliermarsh.ruff@2026.36.0",
+        "charliermarsh.ruff@2026.38.0",
 {% endraw %}{% if is_child_of_copier_base_template is not defined and template_uses_vuejs is defined and template_uses_vuejs is sameas(true) %}{% raw %}
         // VueJS
         "vue.volar@3.2.5",
         "vitest.explorer@1.36.0",
 {% endraw %}{% endif %}{% raw %}{% endraw %}{% if is_child_of_copier_base_template is not defined and template_uses_javascript is defined and template_uses_javascript is sameas(true) %}{% raw %}
         // All javascript
-        "dbaeumer.vscode-eslint@3.0.21",
+        "dbaeumer.vscode-eslint@3.0.24",
 {% endraw %}{% endif %}{% raw %}
         // Misc file formats
         "bierner.markdown-mermaid@1.29.0",
         "samuelcolvin.jinjahtml@0.20.0",
         "tamasfe.even-better-toml@0.19.2",
         "emilast.LogFileHighlighter@3.3.3",
-        "esbenp.prettier-vscode@12.3.0"
+        "esbenp.prettier-vscode@12.4.0"
       ],
       "settings": {
         "editor.accessibilitySupport": "off", // turn off sounds