Basic CI Checks (#3)

## Why is this change necessary?
CI is good


 ## How does this change address the issue?
Adds basic precommit hooks and CI workflow for eslint and typescript
checking


 ## What side effects does this change have?
None


 ## How is this change tested?
Downstream repo


 ## Other
Added some boilerplate Nuxt files that are needed for type checking to
work well

Author: ejfine

.copier-answers.yml

@@ -1,5 +1,5 @@
 # Changes here will be overwritten by Copier
-_commit: v0.0.10
+_commit: v0.0.12
 _src_path: gh:LabAutomationAndScreening/copier-base-template.git
 description: A web app that is hosted within a local intranet. Nuxt frontend, python
     backend, docker-compose

.devcontainer/install-ci-tooling.sh

@@ -2,6 +2,11 @@
 # can pass in the full major.minor.patch version of python as an optional argument
 set -ex
 
+
+npm -v
+npm install -g [email protected]
+pnpm -v
+
 curl -LsSf https://astral.sh/uv/0.6.6/install.sh | sh
 uv --version
 # TODO: add uv autocompletion to the shell https://docs.astral.sh/uv/getting-started/installation/#shell-autocompletion

.github/actions/install_deps_uv/action.yml

@@ -56,7 +56,7 @@ runs:
 
     - name: OIDC Auth for CodeArtifact
       if: ${{ inputs.code-artifact-auth-role-name != 'no-code-artifact' }}
-      uses: aws-actions/configure-aws-credentials@v4.0.2
+      uses: aws-actions/configure-aws-credentials@v4.1.0
       with:
         role-to-assume: arn:aws:iam::${{ inputs.code-artifact-auth-role-account-id }}:role/${{ inputs.code-artifact-auth-role-name }}
         aws-region: ${{ inputs.code-artifact-auth-region }}

.github/workflows/ci.yaml

@@ -23,12 +23,19 @@ jobs:
           - "ubuntu-24.04"
         python-version:
             - 3.12.7
+        node-version:
+            - 22.14.0
     name: Pre-commit for Py${{ matrix.python-version }} on ${{ matrix.os }}
     runs-on: ${{ matrix.os }}
     steps:
       - name: Checkout code
         uses: actions/[email protected]
 
+      - name: Setup node
+        uses: actions/[email protected]
+        with:
+          node-version: ${{ matrix.node-version }}
+
       - name: Install latest versions of python packages
         uses: ./.github/actions/install_deps_uv
         with:
@@ -42,7 +49,7 @@ jobs:
         timeout-minutes: 30 # this is the amount of time this action will wait to attempt to acquire the mutex lock before failing, e.g. if other jobs are queued up in front of it
 
       - name: Cache Pre-commit hooks
-        uses: actions/[email protected].0
+        uses: actions/[email protected].2
         env:
           cache-name: cache-pre-commit-hooks
         with:
@@ -129,7 +136,7 @@ jobs:
         timeout-minutes: 30 # this is the amount of time this action will wait to attempt to acquire the mutex lock before failing, e.g. if other jobs are queued up in front of it
 
       - name: Cache Pre-commit hooks
-        uses: actions/[email protected].0
+        uses: actions/[email protected].2
         env:
           cache-name: cache-pre-commit-hooks
         with:

extensions/context.py

@@ -11,6 +11,7 @@ class ContextUpdater(ContextHook):
     @override
     def hook(self, context: dict[Any, Any]) -> dict[Any, Any]:
         context["uv_version"] = "0.6.6"
+        context["pnpm_version"] = "10.6.3"
         context["pre_commit_version"] = "4.1.0"
         context["pyright_version"] = "1.1.396"
         context["pytest_version"] = "8.3.4"
@@ -19,22 +20,23 @@ def hook(self, context: dict[Any, Any]) -> dict[Any, Any]:
         context["copier_version"] = "9.5.0"
         context["copier_templates_extension_version"] = "0.3.0"
         context["sphinx_version"] = "8.1.3"
-        context["pulumi_version"] = "3.155.0"
-        context["pulumi_aws_version"] = "6.67.0"
-        context["pulumi_aws_native_version"] = "1.25.0"
-        context["pulumi_command_version"] = "1.0.1"
+        context["pulumi_version"] = "3.156.0"
+        context["pulumi_aws_version"] = "6.72.0"
+        context["pulumi_aws_native_version"] = "1.26.0"
+        context["pulumi_command_version"] = "1.0.2"
         context["pulumi_github"] = ""
         context["boto3_version"] = "1.37.11"
-        context["ephemeral_pulumi_deploy_version"] = "0.0.2"
+        context["ephemeral_pulumi_deploy_version"] = "0.0.4"
         context["pydantic_version"] = "2.10.6"
         context["pyinstaller_version"] = "6.12.0"
         context["setuptools_version"] = "76.0.0"
 
         context["gha_checkout"] = "v4.2.2"
         context["gha_setup_python"] = "v5.4.0"
-        context["gha_cache"] = "v4.2.0"
-        context["gha_upload_artifact"] = "v4.4.3"
-        context["gha_configure_aws_credentials"] = "v4.0.2"
+        context["gha_cache"] = "v4.2.2"
+        context["gha_upload_artifact"] = "v4.6.1"
+        context["gha_configure_aws_credentials"] = "v4.1.0"
+        context["gha_setup_node"] = "v4.3.0"
         context["gha_mutex"] = "1ebad517141198e08d47cf72f3c0975316620a65 # v1.0.0-alpha.10"
         context["gha_linux_runner"] = "ubuntu-24.04"
         context["gha_windows_runner"] = "windows-2022"

template/.devcontainer/install-ci-tooling.sh.jinja

@@ -2,6 +2,11 @@
 # can pass in the full major.minor.patch version of python as an optional argument
 set -ex
 
+{% endraw %}{% if template_uses_javascript is defined and template_uses_javascript is sameas(true) %}{% raw %}
+npm -v
+npm install -g pnpm@{% endraw %}{{ pnpm_version }}{% raw %}
+pnpm -v{% endraw %}{% endif %}{% raw %}
+
 curl -LsSf https://astral.sh/uv/{% endraw %}{{ uv_version }}{% raw %}/install.sh | sh
 uv --version
 # TODO: add uv autocompletion to the shell https://docs.astral.sh/uv/getting-started/installation/#shell-autocompletion

template/.devcontainer/manual-setup-deps.sh.jinja

@@ -30,11 +30,11 @@ export UV_PYTHON="$python_version"
 export UV_PYTHON_PREFERENCE=only-system
 
 SCRIPT_DIR="$(dirname "$0")"
-PROJECT_ROOT_DIR="$(realpath "$SCRIPT_DIR/../backend")"
-
+PROJECT_ROOT_DIR="$(realpath "$SCRIPT_DIR/..")"
+PYTHON_PROJECT_DIR="$PROJECT_ROOT_DIR/backend"
 # If optionally_lock is set, decide whether to skip locking based on the presence of uv.lock
 if [ "$optionally_lock" = "true" ]; then
-    if [ ! -f "$PROJECT_ROOT_DIR/uv.lock" ]; then
+    if [ ! -f "$PYTHON_PROJECT_DIR/uv.lock" ]; then
         skip_lock=true
     else
         skip_lock=false
@@ -46,8 +46,11 @@ fi
 
 # Ensure that the lock file is in a good state
 if [ "$skip_lock" = "false" ]; then
-    uv lock --check --directory "$PROJECT_ROOT_DIR"
+    uv lock --check --directory "$PYTHON_PROJECT_DIR"
 fi
 
-uv sync $( [ "$skip_lock" = "false" ] && echo "--frozen" ) --directory "$PROJECT_ROOT_DIR"
-uv pip list --directory "$PROJECT_ROOT_DIR"{% endraw %}
+uv sync $( [ "$skip_lock" = "false" ] && echo "--frozen" ) --directory "$PYTHON_PROJECT_DIR"
+uv pip list --directory "$PYTHON_PROJECT_DIR"
+
+NPM_PROJECT_DIR="$PROJECT_ROOT_DIR/frontend"
+pnpm install --dir="$NPM_PROJECT_DIR"{% endraw %}

template/.github/actions/install_deps_uv/action.yml

@@ -56,7 +56,7 @@ runs:
 
     - name: OIDC Auth for CodeArtifact
       if: ${{ inputs.code-artifact-auth-role-name != 'no-code-artifact' }}
-      uses: aws-actions/configure-aws-credentials@v4.0.2
+      uses: aws-actions/configure-aws-credentials@v4.1.0
       with:
         role-to-assume: arn:aws:iam::${{ inputs.code-artifact-auth-role-account-id }}:role/${{ inputs.code-artifact-auth-role-name }}
         aws-region: ${{ inputs.code-artifact-auth-region }}

template/.github/workflows/ci.yaml.jinja

@@ -0,0 +1,63 @@
+{% raw %}name: CI
+
+on:
+  push:
+    branches-ignore:
+      - 'gh-readonly-queue/**' # don't run (again) when on these special branches created during merge groups; the `on: merge_group` already triggers it.
+  merge_group:
+
+env:
+  PYTHONUNBUFFERED: True
+  PRE_COMMIT_HOME: ${{ github.workspace }}/.precommit_cache
+
+permissions:
+    id-token: write
+    contents: write # needed for mutex
+
+jobs:
+  lint:
+    name: Pre-commit
+    runs-on: {% endraw %}{{ gha_linux_runner }}{% raw %}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@{% endraw %}{{ gha_checkout }}{% raw %}
+
+      - name: Setup node
+        uses: actions/setup-node@{% endraw %}{{ gha_setup_node }}{% raw %}
+        with:
+          node-version: {% endraw %}{{ node_version }}{% raw %}
+
+      - name: Install latest versions of python packages
+        uses: ./.github/actions/install_deps_uv
+        with:
+          python-version: {% endraw %}{{ python_version }}{% raw %}
+
+      - name: Set up mutex # Github concurrency management is horrible, things get arbitrarily cancelled if queued up. So using mutex until github fixes itself. When multiple jobs are modifying cache at once, weird things can happen.  possible issue is https://github.com/actions/toolkit/issues/658
+        if: ${{ runner.os != 'Windows' }} # we're just gonna have to YOLO on Windows, because this action doesn't support it yet https://github.com/ben-z/gh-action-mutex/issues/14
+        uses: ben-z/gh-action-mutex@{% endraw %}{{ gha_mutex }}{% raw %}
+        with:
+          branch: mutex-venv-{% endraw %}{{ gha_linux_runner }}{% raw %}-py{% endraw %}{{ python_version }}{% raw %}
+        timeout-minutes: 30 # this is the amount of time this action will wait to attempt to acquire the mutex lock before failing, e.g. if other jobs are queued up in front of it
+
+      - name: Cache Pre-commit hooks
+        uses: actions/cache@{% endraw %}{{ gha_cache }}{% raw %}
+        env:
+          cache-name: cache-pre-commit-hooks
+        with:
+          path: ${{ env.PRE_COMMIT_HOME }}
+          key: {% endraw %}{{ gha_linux_runner }}{% raw %}-py{% endraw %}{{ python_version }}{% raw %}-build-${{ env.cache-name }}-${{ hashFiles('.pre-commit-config.yaml') }}
+          restore-keys: |
+            {% endraw %}{{ gha_linux_runner }}{% raw %}-py{% endraw %}{{ python_version }}{% raw %}-build-${{ env.cache-name }}-
+
+      - name: Run pre-commit
+        run:  pre-commit run -a
+
+  required-check:
+    runs-on: {% endraw %}{{ gha_linux_runner }}{% raw %}
+    needs: [ lint ]
+    if: always()
+    steps:
+      - name: fail if prior job failure
+        if: needs.lint.result != 'success'
+        run: |
+          exit 1{% endraw %}

template/.pre-commit-config.yaml

@@ -162,6 +162,34 @@ repos:
 
   # Linting
 
+  - repo: local
+    hooks:
+      - id: typescript-check
+        name: typescript-check
+        entry: bash -c "pnpm --dir frontend run type-check"
+        files: '.+\.ts$|.+\.vue$'
+        # don't pass filenames else the command line sees them twice
+        pass_filenames: false
+        language: system
+        # use require_serial so that script is only called once per commit
+        require_serial: true
+        # print the number of files as a sanity-check
+        verbose: true
+
+  - repo: local
+    hooks:
+      - id: eslint
+        name: eslint
+        entry: bash -c "pnpm --dir frontend run lint"
+        files: '.+\.ts$|.+\.vue$|.+\.js$'
+        # don't pass filenames else the command line sees them twice
+        pass_filenames: false
+        language: system
+        # use require_serial so that script is only called once per commit
+        require_serial: true
+        # print the number of files as a sanity-check
+        verbose: true
+
   - repo: https://github.com/Lucas-C/pre-commit-hooks-markup
     rev: 501f3d60cee13c712492103343bc23efdc7b3d1f #v1.0.1
     hooks: