diff --git a/.copier-answers.yml b/.copier-answers.yml
index cf527074..13330300 100644
--- a/.copier-answers.yml
+++ b/.copier-answers.yml
@@ -1,5 +1,5 @@
 # Changes here will be overwritten by Copier
-_commit: v0.0.41-2-g01ccd8c
+_commit: v0.0.41-10-g38b62f8
 _src_path: gh:LabAutomationAndScreening/copier-base-template.git
 description: Copier template for creating Python libraries and executables
 python_ci_versions:
diff --git a/.github/actions/update-devcontainer-hash/action.yml b/.github/actions/update-devcontainer-hash/action.yml
new file mode 100644
index 00000000..50d77f15
--- /dev/null
+++ b/.github/actions/update-devcontainer-hash/action.yml
@@ -0,0 +1,45 @@
+name: Update Devcontainer Hash
+
+inputs:
+ branch:
+ description: 'Branch to checkout and update'
+ required: true
+
+permissions:
+ contents: write
+
+
+runs:
+ using: composite
+ steps:
+ - name: Verify Dependabot actor
+ if: ${{ github.actor != 'dependabot[bot]' }}
+ run: |
+ echo "Action can only be run by dependabot[bot], but was invoked by ${GITHUB_ACTOR}." >&2
+ exit 1
+
+ - name: Checkout code
+ uses: actions/checkout@v4.2.2
+ with:
+ persist-credentials: true
+ fetch-depth: 1
+ ref: ${{ inputs.branch }}
+
+ - name: Configure Git author
+ run: |
+ git config user.name "github-actions[bot]"
+ git config user.email "github-actions[bot]@users.noreply.github.com"
+
+ - name: Update devcontainer hash
+ run: |
+ python3 .github/workflows/hash_git_files.py . --for-devcontainer-config-update --exit-zero
+
+ - name: Commit & push changes
+ run: |
+ if ! git diff --quiet; then
+ git add .
+ git commit -m "chore: update devcontainer hash [dependabot skip]"
+ git push origin HEAD:${{ inputs.branch }}
+ else
+ echo "No changes to commit"
+ fi
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index d3d595c8..8b1b9848 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
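Review bot: The `Commit & push changes` step in the new `action.yml` expands `${{ inputs.branch }}` straight into the shell script, so the branch name is parsed as script text instead of being passed as data; hand it to the step through `env:` and quote it in the `git push` line. Each of the four `run:` steps in a composite action also needs an explicit `shell:`, and none has one. The top-level `permissions:` block is not part of the action metadata schema, so `contents: write` is not enforced here and has to be granted by the calling workflow; a comment saying so would be more accurate than the key. The identical file added under `template/.github/actions/update-devcontainer-hash/action.yml` needs the same changes.

```yaml
    - name: Commit & push changes
      shell: bash
      env:
        BRANCH: ${{ inputs.branch }}
      run: |
        # … unchanged: git diff check, git add, git commit …
          git push origin "HEAD:${BRANCH}"
        # … unchanged: else branch and fi …
```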
@@ -5,7 +5,6 @@ on: branches-ignore: - 'gh-readonly-queue/**' # don't run (again) when on these special branches created during merge groups; the `on: merge_group` already triggers it. merge_group: - workflow_dispatch: env: PYTHONUNBUFFERED: True @@ -16,7 +15,17 @@ permissions: contents: write # needed for mutex jobs: + get-values: + runs-on: ubuntu-24.04 + steps: + - name: Update Devcontainer Hash + if: ${{ github.actor == 'dependabot[bot]' }} + uses: ./.github/actions/update-devcontainer-hash + with: + branch: ${{ github.ref_name }} + pre-commit: + needs: [ get-values ] strategy: fail-fast: false matrix: @@ -29,6 +38,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4.2.2 + with: + ref: ${{ github.ref_name }} # explicitly get the head of diff --git a/.github/workflows/dependabot-post-update.yaml b/.github/workflows/dependabot-post-update.yaml deleted file mode 100644 index 54d6bca2..00000000 --- a/.github/workflows/dependabot-post-update.yaml +++ /dev/null 
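Review bot: The new `get-values` job calls `./.github/actions/update-devcontainer-hash` as its only step, but a local action path is resolved from the runner's workspace, so the repository has to be checked out before that step; as written the action file will not be found on a Dependabot-triggered run. Add `- uses: actions/checkout@v4.2.2` ahead of the `Update Devcontainer Hash` step. The job also runs with the workflow-level `contents: write` and gates the push only on `github.actor == 'dependabot[bot]'`, which names whoever triggered the run rather than who authored the branch content; a comment stating that assumption, or an extra condition such as `startsWith(github.ref_name, 'dependabot/')`, would make the trust boundary explicit. Only `pre-commit` gets `needs: [ get-values ]` in this hunk, so any job outside the hunk may still start before the hash commit is pushed.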
@@ -1,59 +0,0 @@
-name: Dependabot Post-Update
-permissions:
- contents: write # so the commit can be pushed
- actions: write # so createWorkflowDispatch can be invoked
-on:
- pull_request:
- types: [opened, synchronize]
- branches:
- - main
-
-jobs:
- post-update:
- if: ${{ github.actor == 'dependabot[bot]' }}
- runs-on: ubuntu-24.04
-
- steps:
- - name: Checkout code
- uses: actions/checkout@v4.2.2
- with:
- persist-credentials: true # (default) makes GITHUB_TOKEN available for git push
- fetch-depth: 1 # Fetch tip commit so we can push back
- ref: ${{ github.event.pull_request.head.ref }} # Check out the head ref of the PR instead of detached HEAD
-
- - name: Configure Git author
- run: |
- git config user.name "github-actions[bot]"
- git config user.email "github-actions[bot]@users.noreply.github.com"
-
- - name: Update devcontainer hash
- run: python3 .github/workflows/hash_git_files.py . --for-devcontainer-config-update --exit-zero
-
- - name: Commit & push changes
- id: commit
- run: |
- if ! git diff --quiet; then
- git add .
- git commit -m "chore: apply post-Dependabot script changes [dependabot skip]"
- git push origin HEAD:${{ github.event.pull_request.head.ref }}
- echo "pushed=true" >> $GITHUB_OUTPUT
- else
- echo "pushed=false" >> $GITHUB_OUTPUT
- fi
-
- - name: Dispatch CI on PR branch # pushes done by GITHUB_TOKEN don't trigger workflows, so we have to restart the CI job manually, see https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow
- if: steps.commit.outputs.pushed == 'true'
- uses: actions/github-script@v7.0.1
- with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
- script: |
- const pr = context.payload.pull_request;
- if (!pr) {
- throw new Error("No pull_request found in payload; aborting dispatch.");
- }
- await github.rest.actions.createWorkflowDispatch({
- owner: context.repo.owner,
- repo: context.repo.repo,
- workflow_id: "ci.yaml",
- ref: pr.head.ref,
- });
diff --git a/template/.github/actions/update-devcontainer-hash/action.yml b/template/.github/actions/update-devcontainer-hash/action.yml
new file mode 100644
index 00000000..50d77f15
--- /dev/null
+++ b/template/.github/actions/update-devcontainer-hash/action.yml
@@ -0,0 +1,45 @@
+name: Update Devcontainer Hash
+
+inputs:
+ branch:
+ description: 'Branch to checkout and update'
+ required: true
+
+permissions:
+ contents: write
+
+
+runs:
+ using: composite
+ steps:
+ - name: Verify Dependabot actor
+ if: ${{ github.actor != 'dependabot[bot]' }}
+ run: |
+ echo "Action can only be run by dependabot[bot], but was invoked by ${GITHUB_ACTOR}." >&2
+ exit 1
+
+ - name: Checkout code
+ uses: actions/checkout@v4.2.2
+ with:
+ persist-credentials: true
+ fetch-depth: 1
+ ref: ${{ inputs.branch }}
+
+ - name: Configure Git author
+ run: |
+ git config user.name "github-actions[bot]"
+ git config user.email "github-actions[bot]@users.noreply.github.com"
+
+ - name: Update devcontainer hash
+ run: |
+ python3 .github/workflows/hash_git_files.py . --for-devcontainer-config-update --exit-zero
+
+ - name: Commit & push changes
+ run: |
+ if ! git diff --quiet; then
+ git add .
+ git commit -m "chore: update devcontainer hash [dependabot skip]"
+ git push origin HEAD:${{ inputs.branch }}
+ else
+ echo "No changes to commit"
+ fi
diff --git a/template/.github/workflows/dependabot-post-update.yaml b/template/.github/workflows/dependabot-post-update.yaml
deleted file mode 100644
index 54d6bca2..00000000
--- a/template/.github/workflows/dependabot-post-update.yaml
+++ /dev/null
@@ -1,59 +0,0 @@
-name: Dependabot Post-Update
-permissions:
- contents: write # so the commit can be pushed
- actions: write # so createWorkflowDispatch can be invoked
-on:
- pull_request:
- types: [opened, synchronize]
- branches:
- - main
-
-jobs:
- post-update:
- if: ${{ github.actor == 'dependabot[bot]' }}
- runs-on: ubuntu-24.04
-
- steps:
- - name: Checkout code
- uses: actions/checkout@v4.2.2
- with:
- persist-credentials: true # (default) makes GITHUB_TOKEN available for git push
- fetch-depth: 1 # Fetch tip commit so we can push back
- ref: ${{ github.event.pull_request.head.ref }} # Check out the head ref of the PR instead of detached HEAD
-
- - name: Configure Git author
- run: |
- git config user.name "github-actions[bot]"
- git config user.email "github-actions[bot]@users.noreply.github.com"
-
- - name: Update devcontainer hash
- run: python3 .github/workflows/hash_git_files.py . --for-devcontainer-config-update --exit-zero
-
- - name: Commit & push changes
- id: commit
- run: |
- if ! git diff --quiet; then
- git add .
- git commit -m "chore: apply post-Dependabot script changes [dependabot skip]"
- git push origin HEAD:${{ github.event.pull_request.head.ref }}
- echo "pushed=true" >> $GITHUB_OUTPUT
- else
- echo "pushed=false" >> $GITHUB_OUTPUT
- fi
-
- - name: Dispatch CI on PR branch # pushes done by GITHUB_TOKEN don't trigger workflows, so we have to restart the CI job manually, see https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow
- if: steps.commit.outputs.pushed == 'true'
- uses: actions/github-script@v7.0.1
- with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
- script: |
- const pr = context.payload.pull_request;
- if (!pr) {
- throw new Error("No pull_request found in payload; aborting dispatch.");
- }
- await github.rest.actions.createWorkflowDispatch({
- owner: context.repo.owner,
- repo: context.repo.repo,
- workflow_id: "ci.yaml",
- ref: pr.head.ref,
- });