diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index a17fde12..087a1a5c 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -71,5 +71,5 @@
   "initializeCommand": "sh .devcontainer/initialize-command.sh",
   "onCreateCommand": "sh .devcontainer/on-create-command.sh",
   "postStartCommand": "sh .devcontainer/post-start-command.sh"
-  // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): eb7c79fa # spellchecker:disable-line
+  // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): b93e7b48 # spellchecker:disable-line
 }
diff --git a/.devcontainer/install-ci-tooling.py b/.devcontainer/install-ci-tooling.py
index 8771071f..76fbb9b6 100644
--- a/.devcontainer/install-ci-tooling.py
+++ b/.devcontainer/install-ci-tooling.py
@@ -5,8 +5,8 @@
 import subprocess
 import sys
 
-UV_VERSION = "0.10.9"
-COPIER_VERSION = "9.12.0"
+UV_VERSION = "0.10.10"
+COPIER_VERSION = "9.14.0"
 COPIER_TEMPLATE_EXTENSIONS_VERSION = "0.3.3"
 PRE_COMMIT_VERSION = "4.5.1"
 GITHUB_WINDOWS_RUNNER_BIN_PATH = r"C:\Users\runneradmin\.local\bin"
diff --git a/AGENTS.md b/AGENTS.md
index 1e167c18..07e276f3 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -12,7 +12,7 @@
 - Test coverage requirements are usually at 100%, so when running a subset of tests, always disable test coverage to avoid the test run failing for insufficient coverage.
 - Avoid magic values in comparisons in tests in all languages (like ruff rule PLR2004 specifies)
 - Prefer using random values in tests rather than arbitrary ones (e.g. the faker library, uuids, random.randint) when possible.
-- Avoid loops in tests — assert each item explicitly so failures pinpoint the exact element.
+- Avoid loops in tests — assert each item explicitly so failures pinpoint the exact element. When verifying a condition across all items in a collection, collect the violations into a list and assert it's empty (e.g., assert [x for x in items if bad_condition(x)] == []).
 - Key `data-testid` selectors off unique IDs (e.g. UUIDs), not human-readable names which may collide or change.
 
 ### Python Testing
diff --git a/extensions/context.py b/extensions/context.py
index 47cad74a..294d6202 100644
--- a/extensions/context.py
+++ b/extensions/context.py
@@ -11,10 +11,10 @@ class ContextUpdater(ContextHook):
     @override
     def hook(self, context: dict[Any, Any]) -> dict[Any, Any]:
         # These are duplicated in the install-ci-tooling.py script in this repository
-        context["uv_version"] = "0.10.9"
+        context["uv_version"] = "0.10.10"
         context["pre_commit_version"] = "4.5.1"
         # These also in pyproject.toml
-        context["copier_version"] = "==9.12.0"
+        context["copier_version"] = "==9.14.0"
         context["copier_template_extensions_version"] = "==0.3.3"
         #######
         context["pnpm_version"] = "10.32.1"
@@ -40,7 +40,7 @@ def hook(self, context: dict[Any, Any]) -> dict[Any, Any]:
         context["strawberry_graphql_version"] = ">=0.298.0"
         context["fastapi_version"] = ">=0.135.1"
         context["fastapi_offline_version"] = ">=1.7.4"
-        context["uvicorn_version"] = ">=0.41.0"
+        context["uvicorn_version"] = ">=0.42.0"
         context["lab_auto_pulumi_version"] = ">=0.1.18"
         context["ariadne_codegen_version"] = ">=0.17.0"
         context["pytest_mock_version"] = ">=3.15.1"
@@ -48,7 +48,7 @@ def hook(self, context: dict[Any, Any]) -> dict[Any, Any]:
         context["syrupy_version"] = ">=5.1.0"
         context["structlog_version"] = ">=25.5.0"
         context["httpx_version"] = ">=0.28.1"
-        context["python_kiota_bundle_version"] = ">=1.9.8"
+        context["python_kiota_bundle_version"] = ">=1.9.10"
         context["vcrpy_version"] = ">=8.1.1"
         context["pytest_recording_version"] = ">=0.13.4"
         context["pytest_asyncio_version"] = ">=1.3.0"
@@ -85,7 +85,7 @@ def hook(self, context: dict[Any, Any]) -> dict[Any, Any]:
         context["nuxt_test_utils_version"] = "3.19.1"
         context["vue_eslint_parser_version"] = "^10.4.0"
         context["happy_dom_version"] = "^20.8.3"
-        context["node_kiota_bundle_version"] = "1.0.0-preview.99"
+        context["node_kiota_bundle_version"] = "1.0.0-preview.100"
         #######
         # These are duplicated in the CI files for this repository
         context["gha_checkout"] = "v6.0.2"
@@ -99,9 +99,9 @@ def hook(self, context: dict[Any, Any]) -> dict[Any, Any]:
         context["gha_setup_buildx"] = "v3.11.1"
         context["buildx_version"] = "v0.27.0"
         context["gha_docker_build_push"] = "v6.18.0"
-        context["gha_configure_aws_credentials"] = "v5.1.1"
-        context["gha_amazon_ecr_login"] = "v2.0.1"
-        context["gha_setup_node"] = "v6.2.0"
+        context["gha_configure_aws_credentials"] = "v6.0.0"
+        context["gha_amazon_ecr_login"] = "v2.0.2"
+        context["gha_setup_node"] = "v6.3.0"
         context["gha_action_gh_release"] = "v2.2.1"
         context["gha_mutex"] = "1ebad517141198e08d47cf72f3c0975316620a65 # v1.0.0-alpha.10"
         context["gha_pypi_publish"] = "v1.13.0"
diff --git a/pyproject.toml b/pyproject.toml
index e1f7efad..85b04d05 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -10,6 +10,6 @@ dependencies = [
     "pytest-randomly>=4.0.1",
     "pyright[nodejs]>=1.1.408",
     "ty>=0.0.23",
-    "copier==9.12.0",
+    "copier==9.14.0",
     "copier-template-extensions==0.3.3"
 ]
diff --git a/template/.github/reusable_workflows/build-docker-image.yaml.jinja-base b/template/.github/reusable_workflows/build-docker-image.yaml.jinja-base
index 895b11d3..636c801a 100644
--- a/template/.github/reusable_workflows/build-docker-image.yaml.jinja-base
+++ b/template/.github/reusable_workflows/build-docker-image.yaml.jinja-base
@@ -72,9 +72,9 @@ jobs:
 
       - name: OIDC Auth for ECR
         if: ${{ inputs.push-role-name != 'no-push' }}
-        uses: aws-actions/configure-aws-credentials@{% endraw %}{{ gha_configure_aws_credentials }}{% raw %}
+        uses: ./.github/actions/ecr-auth
         with:
-          role-to-assume: arn:aws:iam::${{ steps.parse_ecr_url.outputs.aws_account_id }}:role/${{ inputs.push-role-name }}
+          role-arn: arn:aws:iam::${{ steps.parse_ecr_url.outputs.aws_account_id }}:role/${{ inputs.push-role-name }}
           aws-region: ${{ steps.parse_ecr_url.outputs.aws_region }}
 
       - name: Calculate hash of files in build context
@@ -111,11 +111,6 @@ jobs:
             echo "status=notfound" >> $GITHUB_OUTPUT
           fi
 
-      - name: Login to Amazon ECR
-        if: ${{ inputs.push-role-name != 'no-push' && (steps.check-if-exists.outputs.status == 'notfound' || inputs.save-as-artifact ) }}
-        id: login-ecr
-        uses: aws-actions/amazon-ecr-login@{% endraw %}{{ gha_amazon_ecr_login }}{% raw %}
-
       - name: Pull existing image to package as artifact
         if: ${{ inputs.save-as-artifact && steps.check-if-exists.outputs.status == 'found' }}
         run: |
diff --git a/template/template/.github/actions/ecr-auth/action.yml.jinja b/template/template/.github/actions/ecr-auth/action.yml.jinja
new file mode 100644
index 00000000..82faf894
--- /dev/null
+++ b/template/template/.github/actions/ecr-auth/action.yml.jinja
@@ -0,0 +1,23 @@
+{% raw %}name: AWS ECR Auth
+description: 'Use OIDC to Authenticate and login to an AWS ECR.'
+
+inputs:
+  aws-region:
+    description: AWS region to use for ECR authentication
+    required: false
+    default: '{% endraw %}{{ aws_org_home_region }}{% raw %}'
+  role-arn:
+    description: AWS IAM Role ARN to assume for ECR authentication
+    required: false
+    default: 'arn:aws:iam::{% endraw %}{{ aws_central_infrastructure_account_id }}{% raw %}:role/{% endraw %}{{ core_infra_base_access_profile_name }}{% raw %}'
+
+runs:
+  using: composite
+  steps:
+    - name: OIDC Auth for ECR
+      uses: aws-actions/configure-aws-credentials@{% endraw %}{{ gha_configure_aws_credentials }}{% raw %}
+      with:
+        role-to-assume: ${{ inputs.role-arn }}
+        aws-region: ${{ inputs.aws-region }}
+    - name: Login to Amazon ECR
+      uses: aws-actions/amazon-ecr-login@{% endraw %}{{ gha_amazon_ecr_login }}
diff --git a/uv.lock b/uv.lock
index 6c80f323..05483380 100644
--- a/uv.lock
+++ b/uv.lock
@@ -22,7 +22,7 @@ wheels = [
 
 [[package]]
 name = "copier"
-version = "9.12.0"
+version = "9.14.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "colorama" },
@@ -39,9 +39,9 @@ dependencies = [
     { name = "pyyaml" },
     { name = "questionary" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/6b/e0/5187c63a9020e84cfbb3cc52b52d7fc15aab73fd1e9106ae33167116a3f9/copier-9.12.0.tar.gz", hash = "sha256:87986637205a0443dbf7e5946502e5c71962a559c25f436642a08203cf61ef54", size = 611292, upload-time = "2026-02-21T13:32:40.37Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/cb/35/42b9e1c2b4adab0ebb788eae1f1800fa5f481ff5552a6e58c3d953dd11c0/copier-9.14.0.tar.gz", hash = "sha256:4d1b6a19538a5d170f913afb7682fe745c74b35c84085890809cb8d8d4d8fe7a", size = 618593, upload-time = "2026-03-13T15:55:30.796Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/9c/22/6d9cfea622a064d17f406bbea1dd37f95ac75094d44e23447df934661add/copier-9.12.0-py3-none-any.whl", hash = "sha256:a1bc84dfd2a4b85dbe034999026c0e24ca02a6bc1574f45df07fd76d935c2ea9", size = 58805, upload-time = "2026-02-21T13:32:38.767Z" },
+    { url = "https://files.pythonhosted.org/packages/df/91/4a151c94320458895049a3e23b7b2cfc08953c60b14892de837e8eb51d0a/copier-9.14.0-py3-none-any.whl", hash = "sha256:e12a18cfef22e67254e5229f0b4bdab85e1e3e82926e448226be0b70d0f4de53", size = 59425, upload-time = "2026-03-13T15:55:29.273Z" },
 ]
 
 [[package]]
@@ -60,7 +60,7 @@ dependencies = [
 
 [package.metadata]
 requires-dist = [
-    { name = "copier", specifier = "==9.12.0" },
+    { name = "copier", specifier = "==9.14.0" },
     { name = "copier-template-extensions", specifier = "==0.3.3" },
     { name = "pyright", extras = ["nodejs"], specifier = ">=1.1.408" },
     { name = "pytest", specifier = ">=9.0.2" },