LabAutomationAndScreening · ejfine · Sep 23, 2025 · Sep 22, 2025 · Sep 22, 2025 · Sep 22, 2025
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -59,5 +59,5 @@
   "initializeCommand": "sh .devcontainer/initialize-command.sh",
   "onCreateCommand": "sh .devcontainer/on-create-command.sh",
   "postStartCommand": "sh .devcontainer/post-start-command.sh"
-  // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): d461f957 # spellchecker:disable-line
+  // Devcontainer context hash (do not manually edit this, it's managed by a pre-commit hook): d1386cd9 # spellchecker:disable-line
 }
diff --git a/.devcontainer/install-ci-tooling.py b/.devcontainer/install-ci-tooling.py
@@ -5,7 +5,7 @@
 import subprocess
 import sys
 
-UV_VERSION = "0.8.17"
+UV_VERSION = "0.8.19"
 COPIER_VERSION = "9.10.2"
 COPIER_TEMPLATE_EXTENSIONS_VERSION = "0.3.3"
 PRE_COMMIT_VERSION = "4.3.0"

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -25,6 +25,8 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Setup Python
         uses: actions/setup-python@v6.0.0
@@ -80,6 +82,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Setup Python
         uses: actions/setup-python@v6.0.0
@@ -153,6 +157,7 @@ jobs:
     runs-on: ubuntu-24.04
     needs: [ lint-matrix ]
     if: always()
+    permissions: {}
     steps:
       - name: fail if prior job failure
         if: needs.lint-matrix.result != 'success'

diff --git a/.github/workflows/tag-on-merge.yaml b/.github/workflows/tag-on-merge.yaml
@@ -17,7 +17,8 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.merge_commit_sha }}
           fetch-depth: '0'
+          persist-credentials: false
       - name: Bump version and push tag
-        uses: mathieudutour/github-tag-action@v6.2
+        uses: mathieudutour/github-tag-action@a22cf08638b34d5badda920f9daf6e72c477b07b # v6.2
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -102,8 +102,8 @@ repos:
               .*pyrightconfig\.json|
           )$
 
-  - repo: https://github.com/pre-commit/mirrors-prettier # TODO: switch to a different approach...this was archived in 2024
-    rev: f12edd9c7be1c20cfa42420fd0e6df71e42b51ea # frozen: v4.0.0-alpha.8
+  - repo: https://github.com/rbubley/mirrors-prettier
+    rev: 5ba47274f9b181bce26a5150a725577f3c336011  # frozen: v3.6.2
     hooks:
       - id: prettier
         # TODO: get template YAML and MD files more in line with prettier expectations so we can start using prettier on those too
@@ -125,6 +125,7 @@ repos:
               .*/vendor_files/.*|
               .*/schema.graphql|
               .*generated/graphql.ts|
+              template/.*|
           )$
         files: (.*.json)|(.*.ts)|(.*.jsx)|(.*.tsx)|(.*.yaml)|(.*.yml)|(.*.md)|(.*.html)|(.*.css)|(.*.scss)|(.*.less)|(.*.vue)|(.*.graphql)|(.*.gql)
 
@@ -178,6 +179,11 @@ repos:
       - id: check-merge-conflict
       - id: check-case-conflict
 
+  - repo: https://github.com/python-jsonschema/check-jsonschema
+    rev: 83987cd6ad8943c7f029b500b14aaf82c00a01fa  # frozen: 0.34.0
+    hooks:
+      - id: check-github-workflows
+
   - repo: https://github.com/maresb/check-json5
     rev: 893a2b5a0a27c3540bd8fcafe2968ccc05237179 # 1.0
     hooks:
@@ -205,6 +211,11 @@ repos:
     hooks:
       - id: detect-private-key
 
+  # - repo: https://github.com/woodruffw/zizmor-pre-commit # TODO: implement this: https://github.com/LabAutomationAndScreening/copier-base-template/issues/95
+  #   rev: b933184438555436e38621f46ceb0c417cbed400  # frozen: v1.13.0
+  #   hooks:
+  #     - id: zizmor
+
   # Linting
 
   - repo: https://github.com/Lucas-C/pre-commit-hooks-markup
@@ -215,15 +226,15 @@ repos:
         exclude: docs/.*\.rst$
 
   - repo: https://github.com/hadolint/hadolint
-    rev: 87de847754330ad47ae16bdfe2d1a757ccb4b4d4  # frozen: v2.13.1
+    rev: 4e697ba704fd23b2409b947a319c19c3ee54d24f  # frozen: v2.14.0
     hooks:
       - id: hadolint-docker
         name: Lint Dockerfiles
         exclude: .*\.jinja$
         description: Runs hadolint to lint Dockerfiles
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: 13a6bda8ea7612b3aec844ded16569d424b9a1ab  # frozen: v0.13.0
+    rev: a113f03edeabb71305f025e6e14bd2cd68660e29  # frozen: v0.13.1
     hooks:
       - id: ruff
         name: ruff-src

diff --git a/copier.yaml b/copier.yaml
@@ -7,6 +7,11 @@ repo_org_name:
     type: str
     help: What's the organization or username that owns this repository (look in the URL)?
 
+repo_org_name_for_copyright:
+    type: str
+    help: What's the human-readable organization or username that should be set for the copyright?
+    default: "{{ repo_org_name }}"
+
 description:
     type: str
     help: What is this copier template used for?

diff --git a/extensions/context.py b/extensions/context.py
@@ -11,21 +11,21 @@ class ContextUpdater(ContextHook):
     @override
     def hook(self, context: dict[Any, Any]) -> dict[Any, Any]:
         # These are duplicated in the install-ci-tooling.py script in this repository
-        context["uv_version"] = "0.8.17"
+        context["uv_version"] = "0.8.19"
         context["pre_commit_version"] = "4.3.0"
         # These also in pyproject.toml
         context["copier_version"] = "9.10.2"
         context["copier_template_extensions_version"] = "0.3.3"
         #######
-        context["pnpm_version"] = "10.17.0"
+        context["pnpm_version"] = "10.17.1"
         # These are duplicated in the pyproject.toml of this repository
         context["pyright_version"] = "1.1.405"
         context["pytest_version"] = "8.4.2"
         context["pytest_randomly_version"] = "4.0.1"
         context["pytest_cov_version"] = "7.0.0"
         #######
         context["sphinx_version"] = "8.1.3"
-        context["pulumi_version"] = "3.196.0"
+        context["pulumi_version"] = "3.197.0"
         context["pulumi_aws_version"] = "7.7.0"
         context["pulumi_aws_native_version"] = "1.33.0"
         context["pulumi_command_version"] = "1.1.0"
@@ -37,9 +37,9 @@ def hook(self, context: dict[Any, Any]) -> dict[Any, Any]:
         context["pyinstaller_version"] = "6.16.0"
         context["setuptools_version"] = "80.7.1"
         context["strawberry_graphql_version"] = "0.282.0"
-        context["fastapi_version"] = "0.116.1"
+        context["fastapi_version"] = "0.117.1"
         context["fastapi_offline_version"] = "1.7.4"
-        context["uvicorn_version"] = "0.35.0"
+        context["uvicorn_version"] = "0.36.0"
         context["lab_auto_pulumi_version"] = "0.1.16"
         context["ariadne_codegen_version"] = "0.15.2"
         context["pytest_mock_version"] = "3.15.0"

diff --git a/ruff.toml b/ruff.toml
@@ -45,6 +45,7 @@ ignore = [
     "D102", # Docstrings are not always necessary for public methods
     "D103", # Docstrings are not always necessary for public functions
     "D104", # Docstrings are not always necessary for public packages
+    "D105", # Docstrings are not always necessary for magic methods
     "D106", # Nested classes are usually library-specific and don't always require its own docstring
     "D107", # Init shouldn't need its own docstring, those arguments can be captured in the class level docstring
     "D203", # Ignore D203 because it's a bug https://github.com/PyCQA/pydocstyle/issues/141

diff --git a/template/.github/reusable_workflows/build-docker-image.yaml.jinja-base b/template/.github/reusable_workflows/build-docker-image.yaml.jinja-base
@@ -66,6 +66,8 @@ jobs:
 
       - name: Checkout code
         uses: actions/checkout@{% endraw %}{{ gha_checkout }}{% raw %}
+        with:
+          persist-credentials: false
 
       - name: OIDC Auth for ECR
         if: ${{ inputs.push-role-name != 'no-push' }}

diff --git a/template/.github/workflows/ci.yaml.jinja-base b/template/.github/workflows/ci.yaml.jinja-base
@@ -51,6 +51,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@{% endraw %}{{ gha_checkout }}{% raw %}
+        with:
+          persist-credentials: false
 
       - name: Move python script that replaces private package registry information to temp folder so it doesn't get deleted
         run: |

diff --git a/template/.github/workflows/get-values.yaml.jinja-base b/template/.github/workflows/get-values.yaml.jinja-base
@@ -29,6 +29,8 @@ jobs:
 
       - name: Checkout code
         uses: actions/checkout@{% endraw %}{{ gha_checkout }}{% raw %}
+        with:
+          persist-credentials: false
 
       - name: Update Devcontainer Hash
         if: ${{ github.actor == 'dependabot[bot]' && github.event_name == 'push' }}

diff --git a/template/.github/workflows/pre-commit.yaml.jinja-base b/template/.github/workflows/pre-commit.yaml.jinja-base
@@ -35,10 +35,13 @@ jobs:
         uses: actions/checkout@{% endraw %}{{ gha_checkout }}{% raw %}
         with:
           ref: ${{ github.ref_name }} # explicitly get the head of the branch, which will include any new commits pushed if this is a dependabot branch
+          persist-credentials: false
 
       - name: Checkout code not during push
         if: ${{ github.event_name != 'push' }}
         uses: actions/checkout@{% endraw %}{{ gha_checkout }}{% raw %}
+        with:
+          persist-credentials: false
 
       - name: Install latest versions of packages
         uses: ./.github/actions/install_deps

diff --git a/template/.github/zizmor.yml b/template/.github/zizmor.yml
@@ -0,0 +1,5 @@
+rules:
+  template-injection:
+    ignore:
+      # this is just echo-ing out the github context to be visible for debugging, it's not executing commands
+      - get-values.yaml:28
diff --git a/template/README.md.jinja-base b/template/README.md.jinja-base
@@ -7,7 +7,7 @@
 # Usage
 To create a new repository using this template:
 1. Create a basic devcontainer either using the Codespaces default or using the file `.devcontainer/devcontainer-to-instantiate-template.json` from [the base template repo](https://github.com/LabAutomationAndScreening/copier-base-template/blob/main/.devcontainer/devcontainer-to-instantiate-template.json)
-1. Inside that devcontainer, run `python .devcontainer/install-ci-tooling.py` to install necessary tooling to instantiate the template (you can copy/paste the script from this
+1. Inside that devcontainer, run `python .devcontainer/install-ci-tooling.py` to install necessary tooling to instantiate the template (you can copy/paste the script from this repo...and you can paste it in the root of the repo if you want)
 1. Delete all files currently in the repository. Optional...but makes it easiest to avoid git conflicts.
 1. Run copier to instantiate the template: `copier copy --trust gh:{% endraw %}{{ repo_org_name }}/{{ repo_name }}{% raw %}.git .`
 1. Run `python .devcontainer/manual-setup-deps.py --only-create-lock` to generate the lock file(s)

diff --git a/tests/copier_data/data1.yaml b/tests/copier_data/data1.yaml
@@ -6,6 +6,7 @@ python_ci_versions:
 template_uses_python: true
 template_uses_pulumi: true
 repo_org_name: theGreatestOrg
+repo_org_name_for_copyright: The Greatest Org
 template_uses_javascript: false
 template_uses_vuejs: false
 template_might_want_to_install_aws_ssm_port_forwarding_plugin: true
diff --git a/tests/copier_data/data2.yaml b/tests/copier_data/data2.yaml
@@ -7,6 +7,7 @@ python_ci_versions:
 template_uses_python: true
 template_uses_pulumi: false
 repo_org_name: Initech
+repo_org_name_for_copyright: Initech Corporation
 template_uses_javascript: true
 template_uses_vuejs: true
 template_might_want_to_install_aws_ssm_port_forwarding_plugin: false