DiamondLightSource · OCopping · Nov 20, 2025 · Sep 26, 2025 · Nov 20, 2025 · Nov 20, 2025
diff --git a/.copier-answers.yml b/.copier-answers.yml
@@ -1,5 +1,5 @@
 # Changes here will be overwritten by Copier
-_commit: 4.1.0-7-gb8b3f90
+_commit: 5.0.0a4
 _src_path: gh:DiamondLightSource/python-copier-template
 author_email: oliver.copping@diamond.ac.uk
 author_name: Oliver Copping

diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -8,28 +8,28 @@
     "remoteEnv": {
         // Allow X11 apps to run inside the container
         "DISPLAY": "${localEnv:DISPLAY}",
-        // We put venv on a different volume to cache so have to copy
-        "UV_LINK_MODE": "copy",
+        // Put things that allow it in the persistent cache
+        "PRE_COMMIT_HOME": "/cache/pre-commit",
+        "UV_CACHE_DIR": "/cache/uv",
+        "UV_PYTHON_CACHE_DIR": "/cache/uv-python",
+        // Make a venv that is specific for this workspace path as the cache is shared
+        "UV_PROJECT_ENVIRONMENT": "/cache/venv-for${localWorkspaceFolder}",
         // Do the equivalent of "activate" the venv so we don't have to "uv run" everything
-        "PATH": "/workspaces/${localWorkspaceFolderBasename}/.venv/bin:${localEnv:PATH}"
+        "VIRTUAL_ENV": "/cache/venv-for${localWorkspaceFolder}",
+        "PATH": "/cache/venv-for${localWorkspaceFolder}/bin:${containerEnv:PATH}"
     },
     "customizations": {
         "vscode": {
             // Set *default* container specific settings.json values on container create.
             "settings": {
-                "python.defaultInterpreterPath": "/workspaces/${localWorkspaceFolderBasename}/.venv/bin/python",
+                // Use the container's python by default
+                "python.defaultInterpreterPath": "/cache/venv-for${localWorkspaceFolder}/bin/python",
+                // Don't activate the venv as it is already in the PATH
                 "python.terminal.activateEnvInCurrentTerminal": false,
                 "python.terminal.activateEnvironment": false,
-                "python.testing.unittestEnabled": false,
-                "python.testing.pytestEnabled": true,
-                "editor.formatOnSave": true,
-                "editor.codeActionsOnSave": {
-                    "source.organizeImports": "explicit"
-                },
-                "remote.autoForwardPorts": false,
-                "[python]": {
-                    "editor.defaultFormatter": "charliermarsh.ruff"
-                }
+                // Workaround to prevent garbled python REPL in the terminal
+                // https://github.com/microsoft/vscode-python/issues/25505
+                "python.terminal.shellIntegration.enabled": false
             },
             // Add the IDs of extensions you want installed when the container is created.
             "extensions": [
@@ -44,36 +44,29 @@
         }
     },
     // Create the config folder for the bash-config feature and uv cache
-    "initializeCommand": "mkdir -p ${localEnv:HOME}/.config/terminal-config ${localEnv:HOME}/.cache/uv",
+    "initializeCommand": "mkdir -p ${localEnv:HOME}/.config/terminal-config",
     "runArgs": [
         // Allow the container to access the host X11 display and EPICS CA
         "--net=host",
         // Make sure SELinux does not disable with access to host filesystems like tmp
         "--security-opt=label=disable"
     ],
-    // Populate the user's terminal config folder with default config if it is blank
-    "onCreateCommand": "/root/terminal-config/ensure-user-terminal-config.sh",
     "mounts": [
         // Mount in the user terminal config folder so it can be edited
         {
             "source": "${localEnv:HOME}/.config/terminal-config",
             "target": "/user-terminal-config",
             "type": "bind"
         },
-        // Keep a persistent cross container cache for uv
+        // Keep a persistent cross container cache for uv, pre-commit, and the venvs
         {
-            "source": "${localEnv:HOME}/.cache/uv",
-            "target": "/root/.cache/uv",
-            "type": "bind"
-        },
-        // Use a volume mount for the uv venv so it is local to the container
-        {
-            "target": "/workspaces/${localWorkspaceFolderBasename}/.venv",
+            "source": "devcontainer-shared-cache",
+            "target": "/cache",
             "type": "volume"
         }
     ],
     // Mount the parent as /workspaces so we can pip install peers as editable
     "workspaceMount": "source=${localWorkspaceFolder}/..,target=/workspaces,type=bind",
-    // After the container is created, install the python project in editable form
-    "postCreateCommand": "uv sync && uv run pre-commit install"
+    // After the container is created, recreate the venv then make pre-commit first run faster
+    "postCreateCommand": "uv venv --clear && uv sync && pre-commit install --install-hooks"
 }
diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md
@@ -24,4 +24,4 @@ It is recommended that developers use a [vscode devcontainer](https://code.visua
 
 This project was created using the [Diamond Light Source Copier Template](https://github.com/DiamondLightSource/python-copier-template) for Python projects.
 
-For more information on common tasks like setting up a developer environment, running the tests, and setting a pre-commit hook, see the template's [How-to guides](https://diamondlightsource.github.io/python-copier-template/4.1.0/how-to.html).
+For more information on common tasks like setting up a developer environment, running the tests, and setting a pre-commit hook, see the template's [How-to guides](https://diamondlightsource.github.io/python-copier-template/5.0.0a4/how-to.html).
diff --git a/.github/actions/install_requirements/action.yml b/.github/actions/install_requirements/action.yml
diff --git a/.github/workflows/_test.yml b/.github/workflows/_test.yml
@@ -3,8 +3,8 @@ on:
     inputs:
       python-version:
         type: string
-        description: The version of python to install
-        required: true
+        description: The version of python to install, default is from .python-version file
+        default: ""
       runs-on:
         type: string
         description: The runner to run this job on
@@ -16,6 +16,7 @@ on:
 env:
   # https://github.com/pytest-dev/pytest/issues/2042
   PY_IGNORE_IMPORTMISMATCH: "1"
+  UV_PYTHON: ${{ inputs.python-version }}
 
 jobs:
   run:
@@ -29,30 +30,11 @@ jobs:
           fetch-depth: 0
           submodules: recursive
 
-      - if: inputs.python-version == 'dev'
-        name: Install dev versions of python packages
-        uses: ./.github/actions/install_requirements
-
-      - if: inputs.python-version == 'dev'
-        name: Write the requirements as an artifact
-        run: uv pip freeze --exclude-editable > /tmp/dev-requirements.txt
-
-      - if: inputs.python-version == 'dev'
-        name: Upload dev-requirements.txt
-        uses: actions/upload-artifact@v5
-        with:
-          name: dev-requirements
-          path: /tmp/dev-requirements.txt
-
-      - if: inputs.python-version != 'dev'
-        name: Install latest versions of python packages
-        uses: ./.github/actions/install_requirements
-        with:
-          python-version: ${{ inputs.python-version }}
-          uv-sync: ""
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
 
       - name: Run tests
-        run: tox -e tests
+        run: uv run --locked tox -e tests
 
       - name: Upload coverage to Codecov
         uses: codecov/codecov-action@v5

diff --git a/.github/workflows/_tox.yml b/.github/workflows/_tox.yml
@@ -15,8 +15,8 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v5
 
-      - name: Install python packages
-        uses: ./.github/actions/install_requirements
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
 
       - name: Run tox
-        run: tox -e ${{ inputs.tox }}
+        run: uv run --locked tox -e ${{ inputs.tox }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -5,11 +5,10 @@ on:
     branches:
       - main
     tags:
-      - '*'
+      - "*"
   pull_request:
 
 jobs:
-
   lint:
     uses: ./.github/workflows/_tox.yml
     with:
@@ -18,8 +17,8 @@ jobs:
   test:
     strategy:
       matrix:
-        runs-on: ["ubuntu-latest"] # can add macos-latest
-        python-version: ["3.12"]
+        runs-on: ["ubuntu-latest"] # can add windows-latest, macos-latest
+        python-version: ["3.12", "3.13"]
       fail-fast: false
     uses: ./.github/workflows/_test.yml
     with:
@@ -30,14 +29,14 @@ jobs:
 
   dist:
     uses: ./.github/workflows/_dist.yml
-  
+
   pypi:
     needs: [dist, test]
     if: github.ref_type == 'tag'
     uses: ./.github/workflows/_pypi.yml
     permissions:
       id-token: write
-  
+
   release:
     needs: [dist, test]
     if: github.ref_type == 'tag'

diff --git a/.gitleaks.toml b/.gitleaks.toml
@@ -0,0 +1,19 @@
+# This allow-list is limited to YAML/YML files to cut down SealedSecrets false positives.
+# All gitleaks default rules still apply everywhere (useDefault = true).
+# To broaden this allow-list to all files, comment out the 'paths' line below.
+
+[extend]
+useDefault = true
+
+[[rules]]
+id = "generic-api-key"
+
+# Pattern-only allowlist for long Ag… tokens in YAML 
+[[rules.allowlists]]
+condition = "AND"
+regexes = [
+  # Boundary-safe Ag… token without lookarounds (RE2-safe)
+  '''(?:^|[^A-Za-z0-9+/=])(Ag[A-Za-z0-9+/]{500,}={0,2})(?:[^A-Za-z0-9+/=]|$)'''
+]
+# Limit to YAML only for now. Comment this out if you want it to apply everywhere.
+paths = ['''(?i).*\.ya?ml$''']
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,34 +1,37 @@
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v5.0.0
+    rev: v6.0.0
     hooks:
       - id: check-added-large-files
+        args: ["--maxkb=1000"] # uv.lock is more than 500kB
       - id: check-yaml
       - id: check-merge-conflict
       - id: end-of-file-fixer
 
-  - repo: https://github.com/astral-sh/uv-pre-commit
-    # uv version.
-    rev: 0.6.14
+  - repo: local
     hooks:
-      - id: uv-lock
-
-  - repo: https://github.com/astral-sh/ruff-pre-commit
-    # Ruff version.
-    rev: v0.11.4
-    hooks:
-      # Run the linter.
       - id: ruff
         name: lint with ruff
         language: system
         entry: ruff check --force-exclude --fix
         types: [python]
         require_serial: true
 
-      # Run the formatter.
       - id: ruff-format
         name: format with ruff
         language: system
         entry: ruff format --force-exclude
         types: [python]
         require_serial: true
+
+      - id: uv-sync
+        name: update uv.lock and venv
+        pass_filenames: false
+        language: system
+        entry: uv sync
+        files: ^(uv\.lock|pyproject\.toml)$
+
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.28.0
+    hooks:
+      - id: gitleaks
diff --git a/.python-version b/.python-version
@@ -0,0 +1 @@
+3.12
diff --git a/Dockerfile b/Dockerfile
@@ -1,43 +1,8 @@
-# The developer stage is used as a devcontainer including dev versions
-# of the build dependencies
+# The devcontainer should use the developer target and run as root with podman
+# or docker with user namespaces.
 FROM ghcr.io/diamondlightsource/ubuntu-devcontainer:noble AS developer
-# RUN apt-get update -y && apt-get install -y --no-install-recommends \
-#     libevent-dev \
-#     libreadline-dev
 
-# The build stage makes some assets using the developer tools
-FROM developer AS build
-# Copy only dependency files first
-COPY pyproject.toml uv.lock /assets/
-WORKDIR /assets
-
-ENV UV_LINK_MODE=copy
-
-# Install the project's dependencies using the lockfile and settings
-RUN --mount=type=cache,target=/root/.cache/uv \
-    --mount=type=bind,source=uv.lock,target=uv.lock \
-    --mount=type=bind,source=pyproject.toml,target=pyproject.toml \
-    uv sync --locked --no-install-project --no-dev
-
-# Then, add the rest of the project source code and install it
-# Installing separately from its dependencies allows optimal layer caching
-COPY . /assets/
-RUN --mount=type=cache,target=/root/.cache/uv \
-    uv sync --locked --no-dev
-
-# The runtime stage installs runtime deps then copies in built assets
-# This time we remove the apt lists to save disk space
-FROM ubuntu:noble AS runtime
-# RUN apt-get update -y && apt-get install -y --no-install-recommends \
-#     libevent-2.1-7t64 \
-#     libreadline8 \
-#     && rm -rf /var/lib/apt/lists/*
-COPY --from=build /assets /
-
-# We need to keep the venv at the same absolute path as in the build stage
-COPY --from=build /assets/.venv/ .venv/
-ENV PATH=.venv/bin:$PATH
-
-# Change this entrypoint if it is not the same as the repo
-ENTRYPOINT ["techui-builder"]
-CMD ["--version"]
+# Add any system dependencies for the developer/build environment here
+RUN apt-get update -y && apt-get install -y --no-install-recommends \
+    graphviz \
+    && apt-get dist-clean
Original file line number	Diff line number	Diff line change
Expand Up		@@ -24,4 +24,4 @@ It is recommended that developers use a [vscode devcontainer](https://code.visua

		This project was created using the [Diamond Light Source Copier Template](https://github.com/DiamondLightSource/python-copier-template) for Python projects.

		For more information on common tasks like setting up a developer environment, running the tests, and setting a pre-commit hook, see the template's [How-to guides](https://diamondlightsource.github.io/python-copier-template/4.1.0/how-to.html).
		For more information on common tasks like setting up a developer environment, running the tests, and setting a pre-commit hook, see the template's [How-to guides](https://diamondlightsource.github.io/python-copier-template/5.0.0a4/how-to.html).