feat(build): add Python extensions and uv package manager to devcontainer

[WilliamBerryiii]

Description

Added Python development tooling to the devcontainer environment, bringing first-class Python support to the development workflow. Three VS Code extensions provide language services, linting, and formatting, while the uv package manager enables dependency resolution for Python-based skills.

This change supports the growing number of Python-based skills in .github/skills/ by ensuring developers have consistent tooling and dependencies available immediately on container creation.

Related Issue(s)

Closes #887

Type of Change

Code & Documentation

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update

Infrastructure & Configuration

• GitHub Actions workflow
• Linting configuration
• Security configuration
• DevContainer configuration
• Dependency update

AI Artifacts

• I have run prompt-builder review and attested to quality
• Copilot instructions (.instructions.md)
• Copilot prompt (.prompt.md)
• Copilot agent (.agent.md)
• Copilot skill (SKILL.md)

Other

• Script or automation
• Other (please describe):

Sample Prompts

Testing

Automated Validation

• npm run lint:all — passed (0 errors)
• npm run test:ps — passed (1610 tests, 0 failures)

Security Analysis

• No secrets, tokens, or credentials introduced in changes.
• uv v0.10.8 binary download uses per-architecture SHA256 checksums for integrity verification.
• Download uses curl -sSfL to detect HTTP errors and prevent silent corruption.
• Failed checksum triggers cleanup (rm -f) before exit to prevent corrupted binaries from persisting.
• uv version is pinned rather than using a latest-follow pattern.

Diff-Based Assessment

• Changes are purely additive — no existing functionality removed or altered.
• Installation block follows the same architecture-detection and checksum-verification pattern used by the existing actionlint installation in the same script.

Manual Testing

Not performed — infrastructure change validated through automated linting and test suites.

Checklist

Required Checks

• Documentation is updated (N/A — no documentation changes required for devcontainer tooling)
• Files follow existing naming conventions
• Changes are backwards compatible
• Tests added for new functionality (N/A — devcontainer setup scripts validated through container build)

AI Artifact Contributions

• I have run prompt-analyze on the changed artifact
• I have addressed all findings from prompt-analyze
• Changes follow the Contributing AI Artifacts standards

Required Automated Checks

• npm run lint:md
• npm run spell-check
• npm run lint:frontmatter
• npm run validate:skills
• npm run lint:md-links — 8 pre-existing broken links, none introduced by this PR
• npm run lint:ps
• npm run plugin:generate

Security Considerations

• This PR does not contain any sensitive or NDA information
• Any new dependencies have been reviewed for security issues
• Security-related scripts follow the principle of least privilege (N/A — no security-scoped script changes)

Additional Notes

• The uv installation block in on-create.sh mirrors the existing actionlint installation pattern: architecture detection, download, SHA256 verification, extraction, and cleanup.
• Both commits follow conventional commit format (feat(build): and fix(build):).
• The uv sync command dynamically discovers pyproject.toml files under .github/skills/, avoiding hard-coded paths that would break as skills are added or removed.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

[WilliamBerryiii]

Closing in favor of #920 — the hardening improvements from this PR have been merged into that one.