feat: add support for devcontainers #5366
Codecov Report

✅ All modified and coverable lines are covered by tests.

Additional details and impacted files (Coverage Diff):

| | main | #5366 | +/- |
|---|---|---|---|
| Coverage | 55.53% | 55.53% | -0.01% |
| Files | 320 | 320 | |
| Lines | 72408 | 72414 | +6 |
| Hits | 40212 | 40212 | |
| Misses | 30702 | 30708 | +6 |
| Partials | 1494 | 1494 | |

☔ View full report in Codecov by Sentry.
Pull request overview

Adds Dev Container automation to keep the repository's development container configuration up to date and continuously validated in CI.

Changes:
- Add a GitHub Actions workflow that builds/runs the devcontainer and executes `go run ./cmd/scw --help`.
- Enable Dependabot updates for the `devcontainers` ecosystem.
- Introduce `.devcontainer` configuration (Dockerfile + devcontainer.json) for local development and CI validation.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/devcontainer.yml | New CI workflow to build and execute a command inside the devcontainer on PRs. |
| .github/dependabot.yml | Adds monthly Dependabot updates for devcontainer dependencies. |
| .devcontainer/devcontainer.json | Defines the devcontainer build, VS Code settings/extensions, env passthrough, and runtime args. |
| .devcontainer/Dockerfile | Minimal Dockerfile that selects the Go devcontainer base image via VARIANT. |
Comments suppressed due to low confidence (1)

.devcontainer/devcontainer.json:11
- The comment describing valid Go `VARIANT` values is outdated (mentions 1.18/1.17 and buster/bullseye), but the config now uses `dev-1.26-bookworm`. Updating these comments to match the actual image/tag scheme used here will reduce confusion for future edits.

```jsonc
// Update the VARIANT arg to pick a version of Go: 1, 1.18, 1.17
// Append -bullseye or -buster to pin to an OS version.
// Use -bullseye variants on local arm64/Apple Silicon.
"VARIANT": "dev-1.26-bookworm",
```
| on: | ||
| pull_request: | ||
| branches: [main] |
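Review bot: keep this trigger as `pull_request` rather than reaching for `pull_request_target` when widening coverage; this workflow executes code from the PR branch inside the devcontainer, and `pull_request` runs that code with a read-only token and no repository secrets, whereas `pull_request_target` would hand untrusted PR code the base repository's write token. Adding `merge_group:` next to it, as suggested, extends the check to the merge queue without changing that token scope.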
This workflow only runs on pull_request events targeting main and does not run for merge_group (merge queue) events, while other CI workflows in this repo run on both. Consider adding merge_group: and (if not intentionally limited) removing the branches: [main] filter so the devcontainer check is consistently enforced for all PR targets and merge-queue runs.
| branches: [main] | |
| merge_group: |
| "NODE_VERSION": "none" | ||
| } | ||
| }, | ||
| "runArgs": [ "--cap-add=SYS_PTRACE", "--security-opt", "seccomp=unconfined" ], |
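Review bot: `seccomp=unconfined` switches off the entire default seccomp profile, not only the ptrace restriction, so every syscall Docker normally filters becomes reachable from whatever runs in the container, and the same applies wherever CI reuses this file. If the flags are there for Go debugging, `--cap-add=SYS_PTRACE` on its own is sufficient on current Docker releases, whose default profile already permits `ptrace`, so the unconfined profile can be dropped rather than kept as a default.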
runArgs includes --security-opt seccomp=unconfined and --cap-add=SYS_PTRACE. When this devcontainer is built/run in CI (via .github/workflows/devcontainer.yml), it grants extra container privileges on pull_request code, increasing the blast radius of a compromised build. Consider removing these flags by default, or splitting into a local-dev devcontainer and a CI-safe devcontainer configuration without elevated privileges.
| "runArgs": [ "--cap-add=SYS_PTRACE", "--security-opt", "seccomp=unconfined" ], | |
| // Note: Avoid elevated container privileges by default, especially in CI. | |
| // If you *must* enable debugging that requires ptrace locally, you can | |
| // temporarily add: | |
| // "runArgs": [ "--cap-add=SYS_PTRACE", "--security-opt", "seccomp=unconfined" ], |
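A CI-side policy check for the runArgs concern raised above, added here as an example rather than code from the PR: it strips JSONC comments (VS Code accepts them in devcontainer.json, `json.loads` does not), then flags run arguments that widen container privileges. The sample devcontainer text and the function names are constructed for this example.

```python
import json
import re

# Constructed sample (not the PR's file) mirroring the runArgs under review.
# devcontainer.json is JSONC: VS Code accepts comments, json.loads does not.
SAMPLE_DEVCONTAINER = """{
    // Use -bullseye variants on local arm64/Apple Silicon.
    "build": { "dockerfile": "Dockerfile", "args": { "VARIANT": "dev-1.26-bookworm" } },
    "runArgs": [ "--cap-add=SYS_PTRACE", "--security-opt", "seccomp=unconfined" ]
}"""

# Matches either a JSON string literal or a comment. A string starting earlier
# in the text wins, so "//" inside a string value is never taken as a comment.
_STRING_OR_COMMENT = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)


def strip_jsonc_comments(text: str) -> str:
    """Drop // and /* */ comments while leaving string literals untouched."""
    return _STRING_OR_COMMENT.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else "", text)


def privilege_findings(run_args: list) -> list:
    """One finding per runArgs entry that widens the container's privileges.

    Handles both spellings docker accepts: "--flag=value" in one element and
    "--flag", "value" split across two elements (as in the PR's runArgs).
    """
    findings = []
    args = iter(run_args)
    for arg in args:
        flag, _, value = arg.partition("=")
        if flag in ("--cap-add", "--security-opt") and not value:
            value = next(args, "")  # value is the following list element
        if flag == "--privileged":
            findings.append("--privileged disables most container isolation")
        elif flag == "--cap-add":
            findings.append(f"--cap-add={value} grants an extra Linux capability")
        elif flag == "--security-opt" and value.endswith("=unconfined"):
            findings.append(f"--security-opt {value} removes a default seccomp/LSM profile")
    return findings


def check_devcontainer(jsonc_text: str) -> list:
    """Parse a devcontainer.json (comments allowed) and report risky runArgs."""
    config = json.loads(strip_jsonc_comments(jsonc_text))
    return privilege_findings(config.get("runArgs", []))
```

Run it against `.devcontainer/devcontainer.json` in a CI step and fail the job when `check_devcontainer` returns a non-empty list.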