feat(build): improve performance and reliability of devcontainer launch (#977)

[stewartadam]

Pull Request

Description

Captures learnings from recent customer projects to enhance the build speed and launch reliability of the dev container.

• removes unused Python feature from container, which was causing compilation of Python on build
• add volume mounts for node_modules and user config for better I/O performance
• normalize workspace mount to /workspace for consistency across environments
• add CA certificate injection for corporate TLS inspection (ZScaler, etc.)
• add git config include parsing workaround for devcontainer identity issues

Related Issue(s)

Type of Change

Select all that apply:

Code & Documentation:

• Bug fix (non-breaking change fixing an issue)
• New feature (non-breaking change adding functionality)
• Breaking change (fix or feature causing existing functionality to change)
• Documentation update

Infrastructure & Configuration:

• GitHub Actions workflow
• Linting configuration (markdown, PowerShell, etc.)
• Security configuration
• DevContainer configuration
• Dependency update

AI Artifacts:

• Reviewed contribution with prompt-builder agent and addressed all feedback
• Copilot instructions (.github/instructions/*.instructions.md)
• Copilot prompt (.github/prompts/*.prompt.md)
• Copilot agent (.github/agents/*.agent.md)
• Copilot skill (.github/skills/*/SKILL.md)

Note for AI Artifact Contributors:

• Agents: Research, indexing/referencing other project (using standard VS Code GitHub Copilot/MCP tools), planning, and general implementation agents likely already exist. Review .github/agents/ before creating new ones.
• Skills: Must include both bash and PowerShell scripts. See Skills.
• Model Versions: Only contributions targeting the latest Anthropic and OpenAI models will be accepted. Older model versions (e.g., GPT-3.5, Claude 3) will be rejected.
• See Agents Not Accepted and Model Version Requirements.

Other:

• Script/automation (.ps1, .sh, .py)
• Other (please describe):

Sample Prompts (for AI Artifact Contributions)

User Request:

Execution Flow:

Output Artifacts:

Success Indicators:

For detailed contribution requirements, see:

• Common Standards: docs/contributing/ai-artifacts-common.md - Shared standards for XML blocks, markdown quality, RFC 2119, validation, and testing
• Agents: docs/contributing/custom-agents.md - Agent configurations with tools and behavior patterns
• Prompts: docs/contributing/prompts.md - Workflow-specific guidance with template variables
• Instructions: docs/contributing/instructions.md - Technology-specific standards with glob patterns
• Skills: docs/contributing/skills.md - Task execution utilities with cross-platform scripts

Testing

Checklist

Required Checks

• Documentation is updated (if applicable)
• Files follow existing naming conventions
• Changes are backwards compatible (if applicable)
• Tests added for new functionality (if applicable)

AI Artifact Contributions

• Used /prompt-analyze to review contribution
• Addressed all feedback from prompt-builder review
• Verified contribution follows common standards and type-specific requirements

Required Automated Checks

The following validation commands must pass before merging:

• Markdown linting: npm run lint:md
• Spell checking: npm run spell-check
• Frontmatter validation: npm run lint:frontmatter
• Skill structure validation: npm run validate:skills
• Link validation: npm run lint:md-links
• PowerShell analysis: npm run lint:ps
• Plugin freshness: npm run plugin:generate

Security Considerations

• This PR does not contain any sensitive or NDA information
• Any new dependencies have been reviewed for security issues
• Security-related scripts follow the principle of least privilege

Additional Notes

[stewartadam]

Follow up to #119.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 88.01%. Comparing base (c2b806f) to head (8bd6188).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #472   +/-   ##
=======================================
  Coverage   88.01%   88.01%           
=======================================
  Files          45       45           
  Lines        7886     7886           
=======================================
  Hits         6941     6941           
  Misses        945      945           

Flag	Coverage Δ
pester	86.91% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Copilot]

Pull request overview

Improves devcontainer build/attach performance and reliability by removing unneeded features, standardizing the workspace path, and adding volume mounts and git-config handling for better cross-environment behavior.

Changes:

• Standardize devcontainer workspace to /workspace and add volumes for user config + node_modules.
• Add post-create ownership workaround for mounted volumes and a post-attach git identity reconfiguration step.
• Add repository-level ignores/attributes to support the new devcontainer flow (gitconfig exports, dockerignore, line ending rules).

Reviewed changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
.gitignore	Ignores generated gitconfig export files used by the devcontainer attach workaround.
.gitattributes	Adds explicit checkout line-ending rules for scripts and Dockerfiles.
.dockerignore	Excludes .git and node_modules from Docker build contexts for speed/smaller contexts.
.devcontainer/scripts/post-create.sh	Adds volume ownership fix step and installs Node dependencies during container setup.
.devcontainer/scripts/post-attach.sh	Applies exported git identity settings inside the container after attach.
.devcontainer/devcontainer.json	Normalizes workspace mount/folder, adds volumes, removes unused features, and wires initialize/postAttach commands.
.devcontainer/README.md	Updates documented toolset and troubleshooting guidance to match the new devcontainer behavior.

[WilliamBerryiii]

Looking sharp

[WilliamBerryiii]

@stewartadam - reverting to draft for now.

[WilliamBerryiii]

Hey @stewartadam — thanks for capturing these devcontainer learnings from customer projects! 🚀 We've updated the PR title scope from devcontainer to build to align with our conventional commits conventions. No action needed on your end.

[WilliamBerryiii]

We've updated the PR description to align with the current pull request template. All original content has been preserved and relocated into the appropriate template sections. No action needed on your end — though you're welcome to review the updated description and fill in any remaining sections (testing details, checklist confirmations, etc.) at your convenience.

[WilliamBerryiii]

Hi @stewartadam — Thanks for this contribution! A quick note on project conventions: we ask that pull requests be paired with a corresponding backlog issue for tracking purposes. I wasn't able to find an existing issue related to devcontainer performance and reliability improvements.

When you get a chance, could you file an issue describing the changes this PR addresses and link it here using Closes #NNN in the PR body? This helps the team track work across the backlog and ensures issues are automatically closed when PRs merge. Thanks! 🙏

[stewartadam]

Created #977 and updated based on feedback

[chaosdinosaur]

Devcontainer Enhancement Review

Solid set of improvements for devcontainer performance and reliability. The volume mounts, workspace normalization, and git config include workaround address real pain points from customer projects.

Key items to address before merge:

1. 🔴 Node.js version regression — branch has v20, main has v24. Needs rebase/merge.
2. 🟡 Security: initializeCommand dumps full git config — suggest filtering to only needed keys.
3. 🟡 updateContentCommand removal — suggest keeping it for automatic npm ci on content updates.

Minor items:

4. 🟢 Hardcoded /workspace path coupling in post-create.sh
5. 🔵 sudo -n base image dependency (well-documented)
6. 🔵 .dockerignore with no Dockerfile (harmless, forward-looking)

The .gitattributes additions for line-ending enforcement across script types are a welcome improvement.

[chaosdinosaur]

🔴 High — Node.js version regression

The PR branch specifies Node.js "version": "20", but origin/main now uses "version": "24". Merging as-is would regress the Node.js version. The branch needs a rebase or merge from main to pick up this change.

Suggested change

	"version": "20"
	"version": "24"

[chaosdinosaur]

🟡 Medium — initializeCommand dumps full git config to disk

This writes the entire global and local git config to plaintext files in the workspace root. While post-attach.sh only reads a safe allow-list (user.name, user.email, user.signingkey, commit.gpgsign) and then deletes the files, there's a window where sensitive config values (credential helpers, proxy settings, insteadOf rewrites) are exposed on disk.

Consider filtering at the source to only extract the keys actually needed:

Suggested change

	"extractGitGlobals": "(git config -l --global --include || true) > .gitconfig.global",
	"extractGitLocals": "(git config -l --local --include || true) > .gitconfig.local"
	"extractGitGlobals": "(git config --global --include user.name; git config --global --include user.email; git config --global --include user.signingkey; git config --global --include commit.gpgsign) > .gitconfig.global 2>/dev/null || true",
	"extractGitLocals": "(git config --local --include user.name; git config --local --include user.email; git config --local --include user.signingkey; git config --local --include commit.gpgsign) > .gitconfig.local 2>/dev/null || true"

This eliminates the information disclosure window by never writing unneeded config values to disk.

[chaosdinosaur]

🟡 Medium — Was the updateContentCommand removal intentional?

The base branch uses updateContentCommand: "npm ci", which runs during both initial creation and content update events (branch switches, pulls while the container is running). This lifecycle hook is also parallelizable with other steps.

Moving npm ci exclusively into postCreateCommand (via post-create.sh) means it only runs on initial container creation, not on content updates. If package-lock.json changes on a branch switch inside a running container, developers will need to manually run npm ci.

I'd suggest keeping updateContentCommand: "npm ci" alongside the postCreateCommand call to maintain automatic dependency updates on content changes:

Suggested change

	"onCreateCommand": "bash .devcontainer/scripts/on-create.sh",
	"updateContentCommand": "npm ci",
	"postCreateCommand": "bash .devcontainer/scripts/post-create.sh",
	"onCreateCommand": "bash .devcontainer/scripts/on-create.sh",
	"updateContentCommand": "npm ci",
	"postCreateCommand": "bash .devcontainer/scripts/post-create.sh",

[chaosdinosaur]

🟢 Low — Hardcoded /workspace path

This hardcodes /workspace/node_modules which couples the script to the workspaceFolder value in devcontainer.json. If the mount path ever changes, this line silently breaks.

Consider using "$PWD/node_modules" or a variable to keep the two in sync:

Suggested change

	}
	fix_volume_ownership "$PWD/node_modules"

[chaosdinosaur]

🔵 Informational — sudo -n dependency on base image

sudo -n chown requires passwordless sudo, which the current base image (mcr.microsoft.com/devcontainers/base:2-jammy) provides. The inline comment documenting this assumption is appreciated. Just flagging for awareness — if the base image ever changes, this assumption will need revalidation.

[chaosdinosaur]

🔵 Informational — .dockerignore has no current effect

The devcontainer uses "image:" rather than a Dockerfile build, so .dockerignore has no current effect (it only applies to Docker build contexts). The file is harmless and good practice if the setup ever transitions to a Dockerfile-based build — just noting for transparency.