Move custom README content into NOTES.md files so it is preserved when READMEs are auto-generated from devcontainer-feature.json. Regenerate all feature READMEs. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Remove unused YELLOW color variable
- Remove misleading comment about adding leading v to version
- Pass cli_filename as parameter instead of leaking across functions
- Make cli_filename local to install_using_github
- Add version-specific assertion in scenario test

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Adds and documents a new gitlab-ci-local devcontainer feature, aligns feature docs with the repo’s NOTES.md-based README generation approach, and expands local/CI workflows to build and test the new feature.
Changes:
- Add gitlab-ci-local feature (install script, feature manifest, README/NOTES) and include it in CI test matrices.
- Add NOTES.md for prompty-dumpty (and for gitlab-ci-local) so custom documentation survives README regeneration.
- Add just generate-docs recipe and introduce a version scenario test for gitlab-ci-local.
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/gitlab-ci-local/install.sh | Implements installation logic for gitlab-ci-local from GitHub releases. |
| src/gitlab-ci-local/devcontainer-feature.json | Declares the feature metadata/options and VS Code customizations. |
| src/gitlab-ci-local/README.md | Auto-generated feature README content including usage notes. |
| src/gitlab-ci-local/NOTES.md | Custom documentation to be preserved across README regeneration. |
| test/gitlab-ci-local/test.sh | Default feature test assertions for executability and version output. |
| test/gitlab-ci-local/scenarios.json | Adds a pinned-version scenario configuration. |
| test/gitlab-ci-local/version.sh | Scenario test asserting the pinned version is installed. |
| src/prompty-dumpty/NOTES.md | Moves/keeps custom docs outside the generated README. |
| src/prompty-dumpty/README.md | Minor formatting adjustment consistent with generated output. |
| src/copilot-persistence/README.md | Regenerated/standardized README structure and notes section. |
| justfile | Adds build target for gitlab-ci-local, extends build-all, adds generate-docs, updates clean. |
| .github/workflows/test.yaml | Includes gitlab-ci-local in autogenerated and scenario test matrices. |
| fi | ||
|
|
||
| apt_get_update() { | ||
| if [ "$(find /var/lib/apt/lists/* | wc -l)" = "0" ]; then |
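Review bot: the emptiness test in apt_get_update counts every entry that `find /var/lib/apt/lists/*` prints, so on an image where apt has left its `partial/` directory (and the `lock` file) behind but no index files, the count is non-zero, `apt-get update` is skipped, and the following `apt-get install` has no package lists to resolve from. Because the substitution sits inside the `if` test, `set -e` does not abort on a failed `find`; the actual failure mode is a wrong count plus a stderr message when the glob matches nothing. Counting only regular index files, e.g. `find /var/lib/apt/lists -maxdepth 1 -type f ! -name lock 2>/dev/null | wc -l`, makes the check reflect whether package lists really exist.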
apt_get_update uses find /var/lib/apt/lists/* under set -e. On images where the glob doesn't match (or lists dir is empty), find can exit non-zero and abort the install script before apt-get update runs. Use a safer emptiness check that doesn't rely on a glob (e.g., find /var/lib/apt/lists -maxdepth 1 -type f | wc -l, ls -A /var/lib/apt/lists, or guard errors with 2>/dev/null || true).
| if [ "$(find /var/lib/apt/lists/* | wc -l)" = "0" ]; then | |
| if [ "$(find /var/lib/apt/lists -maxdepth 1 -type f 2>/dev/null | wc -l)" = "0" ]; then |
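Review bot: the suggested `-maxdepth 1 -type f` form still counts `/var/lib/apt/lists/lock`, a regular file that apt creates at exactly that depth, so the check can still report a non-empty directory when no index files are present; add `! -name lock` (or match on the index file names) so that only package lists count.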
| if ! dpkg -s "$@" > /dev/null 2>&1; then | ||
| apt_get_update | ||
| apt-get -y install --no-install-recommends "$@" | ||
| fi |
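Review bot: `dpkg -s "$@"` in check_packages exits 0 for a package whose status is `deinstall ok config-files` (removed, configuration files left behind), so such a package is treated as installed and never reinstalled, and wget, tar, ca-certificates or git can be missing when install_using_github runs. Checking the status string explicitly, e.g. `dpkg-query -W -f='${Status}' "$pkg" 2>/dev/null | grep -q 'install ok installed'` per package, only skips the install when the package is actually present.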
This feature uses apt-get without setting DEBIAN_FRONTEND=noninteractive. Other feature install scripts in this repo set it before apt operations (e.g., src/ohmyposh/install.sh:23, src/microsoft-security-devops-cli/install.sh:21) to avoid occasional interactive prompts during package configuration. Consider exporting DEBIAN_FRONTEND=noninteractive before apt-get update/install here as well.
| wget --show-progress --progress=dot:giga "${release_url}" | ||
| tar -xzf /tmp/gitlab-ci-local/"$(unknown)" | ||
| mv gitlab-ci-local /usr/local/bin/gitlab-ci-local | ||
| popd | ||
| rm -rf /tmp/gitlab-ci-local | ||
| } | ||
|
|
||
| install_using_github() { | ||
| check_packages wget tar ca-certificates git | ||
| echo "Finished setting up dependencies" | ||
|
|
||
| arch=$(dpkg --print-architecture) | ||
| if [ "${arch}" != "amd64" ] && [ "${arch}" != "arm64" ]; then | ||
| echo -e "${RED}Unsupported architecture: ${arch}${NC}" >&2 | ||
| echo -e "${RED}Only amd64 and arm64 are supported.${NC}" >&2 | ||
| exit 1 | ||
| fi | ||
|
|
||
| local cli_filename="gitlab-ci-local-linux-${arch}.tar.gz" | ||
| echo "Installing gitlab-ci-local for ${arch} architecture: ${cli_filename}" | ||
|
|
||
| if [ "${CLI_VERSION}" = "latest" ]; then | ||
| download_from_github "https://github.com/firecow/gitlab-ci-local/releases/latest/download/${cli_filename}" "${cli_filename}" | ||
| else | ||
| download_from_github "https://github.com/firecow/gitlab-ci-local/releases/download/${CLI_VERSION}/${cli_filename}" "${cli_filename}" |
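Review bot: install_using_github interpolates `${CLI_VERSION}` straight into the release URL without checking its shape, so an option value that is not a release tag (empty, a bare number, something containing slashes) only surfaces as an HTTP failure from wget inside download_from_github; validate the option up front, e.g. `case "${CLI_VERSION}" in latest|[0-9]*.[0-9]*.[0-9]*) ;; *) echo "Invalid version: ${CLI_VERSION}" >&2; exit 1;; esac` (adjusted to the project's tag format), and fail with a clear message. In the same region, `rm -rf /tmp/gitlab-ci-local` runs only on the success path: with `set -e`, a failed wget or tar leaves the temp directory and a partial download behind, so register `trap 'rm -rf /tmp/gitlab-ci-local' EXIT` where the directory is created, and prefer `install -m 0755 gitlab-ci-local /usr/local/bin/gitlab-ci-local` over `mv` so the binary's mode and ownership are set explicitly instead of inherited from the tarball.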
The install.sh script downloads and extracts a binary tarball from GitHub using wget and tar without any checksum, signature, or other integrity verification, and then installs it as root. If the firecow/gitlab-ci-local release or the download channel is compromised, an attacker could deliver a malicious binary that is installed and executed with full privileges in the devcontainer. To reduce supply chain risk, pin downloads to immutable release artifacts and verify them (e.g., with a published checksum or signature) before extraction and installation.
Summary

- Add NOTES.md for gitlab-ci-local and prompty-dumpty features so custom README content is preserved across auto-generation
- Pass cli_filename as parameter instead of leaking across functions
- Add just generate-docs recipe to regenerate READMEs locally

Addresses feedback patterns from previous PRs (#10, #11) around using NOTES.md for custom content and keeping feature code clean.