Copier update: base image

.coderabbit.yaml

@@ -1,9 +1,12 @@
 # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
+early_access: true
 reviews:
   profile: assertive
   path_instructions:
     - path: "**/vendor_files/**"
       instructions: "These files came from a vendor and we're not allowed to change them. Refer to it if you need to understand how the main code interacts with it, but do not make comments about it."
+    - path: "**/*.py"
+      instructions: "Do not express concerns about assert statements being removed by using the -O python flag; we never use that flag. Do not express concerns about ruff rules; a pre-commit hook already runs a ruff check. Do not warn about unnecessary super().init() calls; pyright prefers those to be present."
   tools:
     eslint: # when the code contains typescript, eslint will be run by pre-commit, and coderabbit often generates false positives
       enabled: false
@@ -14,6 +17,7 @@ reviews:
     flake8: # we use ruff instead (when we use Python)
       enabled: false
   poem: false
+  in_progress_fortune: false
   # the commit status is driven by our repository config and required checks, we don't want CodeRabbit messing with it
   commit_status: false
   auto_review:

.copier-answers.yml

@@ -1,5 +1,5 @@
 # Changes here will be overwritten by Copier
-_commit: v0.0.90
+_commit: v0.0.94
 _src_path: gh:LabAutomationAndScreening/copier-base-template.git
 description: Copier template for creating Python libraries and executables
 install_claude_cli: false

.devcontainer/Dockerfile

@@ -1,19 +1,22 @@
 # base image tags available at https://mcr.microsoft.com/v2/devcontainers/universal/tags/list
 # added the platform flag to override any local settings since this image is only compatible with linux/amd64. since this image is only x64 compatible, suppressing the hadolint rule
 # hadolint ignore=DL3029
-FROM --platform=linux/amd64 mcr.microsoft.com/devcontainers/universal:2.13.1-focal
+FROM --platform=linux/amd64 mcr.microsoft.com/devcontainers/universal:5.1.1-noble
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
+# temporary hack until yarn updates its GPG key
+RUN rm /etc/apt/sources.list.d/yarn.list || true
+
 RUN apt-get update -y && apt-get install -y \
-    "bash-completion=$(apt-cache madison bash-completion | awk '{print $3}' | grep '^1:2.10' | head -n 1)" --no-install-recommends \
+    "bash-completion=$(apt-cache madison bash-completion | awk '{print $3}' | grep '^1:2.11' | head -n 1)" --no-install-recommends \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 
 # Create the venv folder and set permissions for anyone to modify---this is necessary to be able to break out the venv folder as a separate docker volume for better performance on Windows hosts
 ARG REPO_NAME=copier-base-template
 ENV VENV_PATH=/workspaces/${REPO_NAME}/.venv
-RUN mkdir -p /workspace && \
+RUN mkdir -p /workspaces && \
     mkdir -p ${VENV_PATH} && \
     chmod -R 777 /workspaces ${VENV_PATH} && \
     chgrp -R 0 /workspaces ${VENV_PATH}

.devcontainer/devcontainer.json

@@ -16,24 +16,24 @@
       "extensions": [
         // basic tooling
         // "eamodio.gitlens@15.5.1",
-        "coderabbit.coderabbit-vscode@0.16.1",
+        "coderabbit.coderabbit-vscode@0.16.6",
         "ms-vscode.live-server@0.5.2025051301",
         "MS-vsliveshare.vsliveshare@1.0.5905",
         "github.copilot@1.388.0",
-        "github.copilot-chat@0.34.2025112401",
+        "github.copilot-chat@0.36.2026010502",
 
         // Python
-        "ms-python.python@2025.17.2025100201",
-        "ms-python.vscode-pylance@2025.8.3",
+        "ms-python.python@2025.21.2026010501",
+        "ms-python.vscode-pylance@2025.10.100",
         "ms-vscode-remote.remote-containers@0.414.0",
-        "charliermarsh.ruff@2025.28.0",
+        "charliermarsh.ruff@2025.32.0",
 
         // Misc file formats
-        "bierner.markdown-mermaid@1.28.0",
+        "bierner.markdown-mermaid@1.29.0",
         "samuelcolvin.jinjahtml@0.20.0",
         "tamasfe.even-better-toml@0.19.2",
         "emilast.LogFileHighlighter@3.3.3",
-        "esbenp.prettier-vscode@11.0.0"
+        "esbenp.prettier-vscode@11.0.2"
       ],
       "settings": {
         "editor.accessibilitySupport": "off", // turn off sounds
@@ -58,5 +58,5 @@
   "initializeCommand": "sh .devcontainer/initialize-command.sh",
   "onCreateCommand": "sh .devcontainer/on-create-command.sh",
   "postStartCommand": "sh .devcontainer/post-start-command.sh"
-  // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): 99b3f7c4 # spellchecker:disable-line
+  // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): 69bb472f # spellchecker:disable-line
 }

.devcontainer/install-ci-tooling.py

@@ -7,11 +7,11 @@
 import tempfile
 from pathlib import Path
 
-UV_VERSION = "0.9.17"
-PNPM_VERSION = "10.25.0"
-COPIER_VERSION = "9.11.0"
-COPIER_TEMPLATE_EXTENSIONS_VERSION = "0.3.3"
-PRE_COMMIT_VERSION = "4.5.0"
+UV_VERSION = "0.9.26"
+PNPM_VERSION = "10.28.1"
+COPIER_VERSION = "==9.11.2"
+COPIER_TEMPLATE_EXTENSIONS_VERSION = "==0.3.3"
+PRE_COMMIT_VERSION = "4.5.1"
 GITHUB_WINDOWS_RUNNER_BIN_PATH = r"C:\Users\runneradmin\.local\bin"
 INSTALL_SSM_PLUGIN_BY_DEFAULT = False
 parser = argparse.ArgumentParser(description="Install CI tooling for the repo")
@@ -76,9 +76,9 @@ def main():
                 uv_path,
                 "tool",
                 "install",
-                f"copier=={COPIER_VERSION}",
+                f"copier{COPIER_VERSION}",
                 "--with",
-                f"copier-template-extensions=={COPIER_TEMPLATE_EXTENSIONS_VERSION}",
+                f"copier-template-extensions{COPIER_TEMPLATE_EXTENSIONS_VERSION}",
             ],
             check=True,
             env=uv_env,

.github/actions/install_deps/action.yml

@@ -58,13 +58,13 @@ runs:
 
     - name: Setup python
       if: ${{ inputs.python-version != 'notUsing' }}
-      uses: actions/setup-python@v6.1.0
+      uses: actions/setup-python@v6.2.0
       with:
         python-version: ${{ env.PYTHON_VERSION }}
 
     - name: Setup node
       if: ${{ inputs.node-version != 'notUsing' }}
-      uses: actions/setup-node@v6.1.0
+      uses: actions/setup-node@v6.2.0
       with:
         node-version: ${{ inputs.node-version }}
 

.github/actions/update-devcontainer-hash/action.yml

@@ -5,9 +5,6 @@ inputs:
     description: 'Branch to checkout and update'
     required: true
 
-permissions:
-  contents: write
-
 outputs:
   new-sha:
     description: 'The SHA of the branch tip after update'

.github/reusable_workflows/build-docker-image.yaml

@@ -156,7 +156,7 @@ jobs:
 
       - name: Upload Docker Image Artifact
         if: ${{ inputs.save-as-artifact }}
-        uses: actions/upload-artifact@v5.0.0
+        uses: actions/upload-artifact@v6.0.0
         with:
           name: ${{ steps.calculate-build-context-hash.outputs.image_name_no_slashes }}
           path: ${{ steps.calculate-build-context-hash.outputs.image_name_no_slashes }}.tar

.github/workflows/ci.yaml

@@ -113,7 +113,7 @@ jobs:
         timeout-minutes: 8  # this is the amount of time this action will wait to attempt to acquire the mutex lock before failing, e.g. if other jobs are queued up in front of it
 
       - name: Cache Pre-commit hooks
-        uses: actions/cache@v4.3.0
+        uses: actions/cache@v5.0.2
         env:
           cache-name: cache-pre-commit-hooks
         with:

.github/workflows/pre-commit.yaml

@@ -59,7 +59,7 @@ jobs:
         timeout-minutes: 8  # this is the amount of time this action will wait to attempt to acquire the mutex lock before failing, e.g. if other jobs are queued up in front of it
 
       - name: Cache Pre-commit hooks
-        uses: actions/cache@v4.3.0
+        uses: actions/cache@v5.0.2
         env:
           cache-name: cache-pre-commit-hooks
         with:

.pre-commit-config.yaml

@@ -42,7 +42,7 @@ repos:
 
   # Reformatting (should generally come before any file format or other checks, because reformatting can change things)
   - repo: https://github.com/crate-ci/typos
-    rev: 802d5794ff9cf7b15610c47eca99cd1ab757d8d4  # frozen: v1
+    rev: b31d3aa6e8e43e6a9cf7a1d137baf189dec0922b  # frozen: v1
     hooks:
       - id: typos
         exclude: |
@@ -195,12 +195,12 @@ repos:
       - id: check-case-conflict
 
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 16a6ad2fead09286ee6eb6b0a3fab55655a6c22a  # frozen: 0.35.0
+    rev: b035497fb64e3f9faa91e833331688cc185891e6  # frozen: 0.36.0
     hooks:
       - id: check-github-workflows
 
   - repo: https://github.com/maresb/check-json5
-    rev: 893a2b5a0a27c3540bd8fcafe2968ccc05237179 # 1.0
+    rev: bd4737432a2175617a9eeaa510ab369cbc1cbd3d  # frozen: v1.0.1
     hooks:
       - id: check-json5
         files: |
@@ -249,7 +249,7 @@ repos:
         description: Runs hadolint to lint Dockerfiles
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: 1a1f58ba4c35362efe8fed2279715a905baee93d  # frozen: v0.14.8
+    rev: 5ba58aca0bd5bc7c0e1c0fc45af2e88d6a2bde83  # frozen: v0.14.10
     hooks:
       - id: ruff
         name: ruff-src

copier.yml

@@ -1,3 +1,9 @@
+# Questions specific to this template
+
+
+
+
+
 # Questions managed by upstream template
 repo_name:
     type: str
@@ -27,6 +33,11 @@ ssh_port_number:
     # Pick a random port, but ensure it's not in the excluded port range on Windows (powershell: `netsh int ipv4 show excludedportrange protocol=tcp`)
     default: "{{ ( (range(49152, 49752)   | list) + (range(49852, 50000)   | list) + (range(50060, 50160)   | list) + (range(50160, 50260)   | list) + (range(50260, 50360)   | list) + (range(50914, 51014)   | list) + (range(51114, 51214)   | list) + (range(51214, 51314)   | list) + (range(51314, 51414)   | list) + (range(51623, 51723)   | list) + (range(51723, 51823)   | list) + (range(65269, 65369)   | list) + (range(65369, 65469)   | list) ) | random }}"
 
+pull_from_ecr:
+    type: bool
+    help: Will you need to pull images from a central AWS Elastic Container Registry?
+    default: no
+
 use_windows_in_ci:
     type: bool
     help: Should CI in the instantiated template also use Windows runners?
@@ -72,24 +83,24 @@ python_ci_versions:
 aws_identity_center_id:
     type: str
     help: What's the ID of your Organization's AWS Identity center, e.g. d-9145c20053?
-    when: "{{ python_package_registry == 'AWS CodeArtifact' or install_aws_ssm_port_forwarding_plugin }}"
+    when: "{{ python_package_registry == 'AWS CodeArtifact' or install_aws_ssm_port_forwarding_plugin or pull_from_ecr }}"
 
 aws_org_home_region:
     type: str
     help: What is the home region of the AWS Organization (where all of the central infrastructure is deployed)?
     default: us-east-1
-    when: "{{ python_package_registry == 'AWS CodeArtifact' or install_aws_ssm_port_forwarding_plugin }}"
+    when: "{{ python_package_registry == 'AWS CodeArtifact' or install_aws_ssm_port_forwarding_plugin or pull_from_ecr }}"
 
 aws_central_infrastructure_account_id:
     type: str
     help: What's the ID of your Organization's AWS Account containing Central Infrastructure (e.g. CodeArtifact)?
-    when: "{{ python_package_registry == 'AWS CodeArtifact' }}"
+    when: "{{ python_package_registry == 'AWS CodeArtifact' or pull_from_ecr }}"
     default: "000000000000"
 
 core_infra_base_access_profile_name:
     type: str
     help: What's the AWS Identity Center Profile name for base access to the Central Infrastructure account (i.e. to read from CodeArtifact)?
-    when: "{{ python_package_registry == 'AWS CodeArtifact' }}"
+    when: "{{ python_package_registry == 'AWS CodeArtifact' or pull_from_ecr }}"
     default: CoreInfraBaseAccess