From 032ccc5c1df3dc4733924bfeff0be057bfb88988 Mon Sep 17 00:00:00 2001
From: Ron <45816308+rjaegers@users.noreply.github.com>
Date: Wed, 28 Jan 2026 17:46:54 +0100
Subject: [PATCH 01/11] chore: verify signature for arm-gcc toolchain
---
 .devcontainer/cpp/Dockerfile | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/.devcontainer/cpp/Dockerfile b/.devcontainer/cpp/Dockerfile
index 509a8ceb..1a9bcdaf 100644
--- a/.devcontainer/cpp/Dockerfile
+++ b/.devcontainer/cpp/Dockerfile
@@ -15,6 +15,8 @@ ADD --checksum=sha256:630c34ec94d451b200f5b14a6a25580d6a45bc80c394b7e0b93e33556e
 https://github.com/ccache/ccache/releases/download/v${CCACHE_VERSION}/ccache-${CCACHE_VERSION}-linux-x86_64.tar.xz /ccache.tar.xz
 ADD --checksum=sha256:f1bffe5319728fca9cde5bb03fcb6c88cdf44922bd003fca8b4b9ce5b6f259d2 \
 https://github.com/Jake-Shadle/xwin/releases/download/${XWIN_VERSION}/xwin-${XWIN_VERSION}-x86_64-unknown-linux-musl.tar.gz /xwin.tar.gz
+ADD --checksum=sha256:62a63b981fe391a9cbad7ef51b17e49aeaa3e7b0d029b36ca1e9c3b2a9b78823 \
+ https://developer.arm.com/-/media/Files/downloads/gnu/14.2.rel1/binrel/arm-gnu-toolchain-14.2.rel1-x86_64-arm-none-eabi.tar.xz /arm-gnu-toolchain.tar.xz
 # Downloader stage for ARM64 architecture
 FROM scratch AS downloader-arm64
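Review bot: The added `ADD --checksum=sha256:…` lines pin a digest, which is an integrity check rather than the signature verification the subject line names, and nothing in the hunk records where the digest was obtained. Later patches in this series swap both arm digests and then restore them for the same 14.2.rel1 URL, so a reader of the file cannot tell which value is authoritative. I would add a comment above each line such as `# sha256 from the checksum Arm publishes for this archive; re-check on every version bump`, provided the value has been compared with the publisher's and not only with a local download. The same applies to the aarch64 line in the `@@ -26,6 +28,8 @@` hunk; the downloader stage these lines belong to starts outside the hunk.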
@@ -26,6 +28,8 @@ ADD --checksum=sha256:b01c270c245e41998ab777164aba085dbeb23ce515f4e2134a1fdddabf https://github.com/ccache/ccache/releases/download/v${CCACHE_VERSION}/ccache-${CCACHE_VERSION}-linux-aarch64.tar.xz /ccache.tar.xz ADD --checksum=sha256:b85cd1e0c94f249338b02a6e54b380154a5af6b5dd754121b15722125a67cf9f \ https://github.com/Jake-Shadle/xwin/releases/download/${XWIN_VERSION}/xwin-${XWIN_VERSION}-aarch64-unknown-linux-musl.tar.gz /xwin.tar.gz +ADD --checksum=sha256:87330bab085dd8749d4ed0ad633674b9dc48b237b61069e3b481abd364d0a684 \ + https://developer.arm.com/-/media/Files/downloads/gnu/14.2.rel1/binrel/arm-gnu-toolchain-14.2.rel1-aarch64-arm-none-eabi.tar.xz /arm-gnu-toolchain.tar.xz # Select downloader stage based on target architecture. # Linters don't recognize the TARGETARCH variable, so we ignore warnings here. @@ -45,8 +49,13 @@ ARG XWIN_VERSION WORKDIR / -RUN --mount=from=downloader,target=/dl < /etc/apt/preferences apt-get update && jq -r 'to_entries | .[] | .key + "=" + .value' /tmp/apt-requirements-clang.json | \ xargs apt-get install -y --no-install-recommends -EOF -# Install arm-gcc toolchain -RUN mkdir /opt/gcc-arm-none-eabi \ - && wget --no-hsts -qO - "https://developer.arm.com/-/media/Files/downloads/gnu/14.2.rel1/binrel/arm-gnu-toolchain-14.2.rel1-$(uname -m)-arm-none-eabi.tar.xz" | tar --exclude='*arm-none-eabi-gdb*' --exclude='share' --strip-components=1 -xJC /opt/gcc-arm-none-eabi + # Install arm-gcc toolchain + mv /src/arm-none-eabi /opt/gcc-arm-none-eabi +EOF # Install include-what-you-use (iwyu) from source # hadolint ignore=DL3008 From 8ba1f2cffd64c76a8a9af0420ce4297f67d0ecc3 Mon Sep 17 00:00:00 2001 From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Wed, 28 Jan 2026 17:49:26 +0100 Subject: [PATCH 02/11] chore: remove unused apt mounts --- .devcontainer/cpp/Dockerfile | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
diff --git a/.devcontainer/cpp/Dockerfile b/.devcontainer/cpp/Dockerfile index 1a9bcdaf..d1dbdefa 100644 --- a/.devcontainer/cpp/Dockerfile +++ b/.devcontainer/cpp/Dockerfile @@ -49,9 +49,7 @@ ARG XWIN_VERSION WORKDIR / -RUN --mount=from=downloader,target=/dl - --mount=type=cache,target=/var/cache/apt,sharing=locked \ - --mount=type=cache,target=/var/lib/apt,sharing=locked < Date: Thu, 29 Jan 2026 07:42:28 +0100 Subject: [PATCH 03/11] chore: update hashes --- .devcontainer/cpp/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.devcontainer/cpp/Dockerfile b/.devcontainer/cpp/Dockerfile index d1dbdefa..aa74de2a 100644 --- a/.devcontainer/cpp/Dockerfile +++ b/.devcontainer/cpp/Dockerfile @@ -15,7 +15,7 @@ ADD --checksum=sha256:630c34ec94d451b200f5b14a6a25580d6a45bc80c394b7e0b93e33556e https://github.com/ccache/ccache/releases/download/v${CCACHE_VERSION}/ccache-${CCACHE_VERSION}-linux-x86_64.tar.xz /ccache.tar.xz ADD --checksum=sha256:f1bffe5319728fca9cde5bb03fcb6c88cdf44922bd003fca8b4b9ce5b6f259d2 \ https://github.com/Jake-Shadle/xwin/releases/download/${XWIN_VERSION}/xwin-${XWIN_VERSION}-x86_64-unknown-linux-musl.tar.gz /xwin.tar.gz -ADD --checksum=sha256:62a63b981fe391a9cbad7ef51b17e49aeaa3e7b0d029b36ca1e9c3b2a9b78823 \ +ADD --checksum=sha256:1a0ee4cbea94deb1437d0899fe6b73bac9e5d0b80764c8c994991b16be28adbe \ https://developer.arm.com/-/media/Files/downloads/gnu/14.2.rel1/binrel/arm-gnu-toolchain-14.2.rel1-x86_64-arm-none-eabi.tar.xz /arm-gnu-toolchain.tar.xz # Downloader stage for ARM64 architecture 
@@ -28,7 +28,7 @@ ADD --checksum=sha256:b01c270c245e41998ab777164aba085dbeb23ce515f4e2134a1fdddabf
 https://github.com/ccache/ccache/releases/download/v${CCACHE_VERSION}/ccache-${CCACHE_VERSION}-linux-aarch64.tar.xz /ccache.tar.xz
 ADD --checksum=sha256:b85cd1e0c94f249338b02a6e54b380154a5af6b5dd754121b15722125a67cf9f \
 https://github.com/Jake-Shadle/xwin/releases/download/${XWIN_VERSION}/xwin-${XWIN_VERSION}-aarch64-unknown-linux-musl.tar.gz /xwin.tar.gz
-ADD --checksum=sha256:87330bab085dd8749d4ed0ad633674b9dc48b237b61069e3b481abd364d0a684 \
+ADD --checksum=sha256:16c280586e65407734229db7e279e7d825f4c5325edbd6ed17d7c332fb7f04ea \
 https://developer.arm.com/-/media/Files/downloads/gnu/14.2.rel1/binrel/arm-gnu-toolchain-14.2.rel1-aarch64-arm-none-eabi.tar.xz /arm-gnu-toolchain.tar.xz
 # Select downloader stage based on target architecture.
From 8768c8e6bebe3cb19b47a32230ed2e9fba2cf197 Mon Sep 17 00:00:00 2001
From: Ron <45816308+rjaegers@users.noreply.github.com>
Date: Thu, 29 Jan 2026 07:55:41 +0100
Subject: [PATCH 04/11] chore: revert checksums
---
 .devcontainer/cpp/Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.devcontainer/cpp/Dockerfile b/.devcontainer/cpp/Dockerfile
index aa74de2a..d1dbdefa 100644
--- a/.devcontainer/cpp/Dockerfile
+++ b/.devcontainer/cpp/Dockerfile
@@ -15,7 +15,7 @@ ADD --checksum=sha256:630c34ec94d451b200f5b14a6a25580d6a45bc80c394b7e0b93e33556e
 https://github.com/ccache/ccache/releases/download/v${CCACHE_VERSION}/ccache-${CCACHE_VERSION}-linux-x86_64.tar.xz /ccache.tar.xz
 ADD --checksum=sha256:f1bffe5319728fca9cde5bb03fcb6c88cdf44922bd003fca8b4b9ce5b6f259d2 \
 https://github.com/Jake-Shadle/xwin/releases/download/${XWIN_VERSION}/xwin-${XWIN_VERSION}-x86_64-unknown-linux-musl.tar.gz /xwin.tar.gz
-ADD --checksum=sha256:1a0ee4cbea94deb1437d0899fe6b73bac9e5d0b80764c8c994991b16be28adbe \
+ADD --checksum=sha256:62a63b981fe391a9cbad7ef51b17e49aeaa3e7b0d029b36ca1e9c3b2a9b78823 \
 https://developer.arm.com/-/media/Files/downloads/gnu/14.2.rel1/binrel/arm-gnu-toolchain-14.2.rel1-x86_64-arm-none-eabi.tar.xz /arm-gnu-toolchain.tar.xz
 # Downloader stage for ARM64 architecture
@@ -28,7 +28,7 @@ ADD --checksum=sha256:b01c270c245e41998ab777164aba085dbeb23ce515f4e2134a1fdddabf
 https://github.com/ccache/ccache/releases/download/v${CCACHE_VERSION}/ccache-${CCACHE_VERSION}-linux-aarch64.tar.xz /ccache.tar.xz
 ADD --checksum=sha256:b85cd1e0c94f249338b02a6e54b380154a5af6b5dd754121b15722125a67cf9f \
 https://github.com/Jake-Shadle/xwin/releases/download/${XWIN_VERSION}/xwin-${XWIN_VERSION}-aarch64-unknown-linux-musl.tar.gz /xwin.tar.gz
-ADD --checksum=sha256:16c280586e65407734229db7e279e7d825f4c5325edbd6ed17d7c332fb7f04ea \
+ADD --checksum=sha256:87330bab085dd8749d4ed0ad633674b9dc48b237b61069e3b481abd364d0a684 \
 https://developer.arm.com/-/media/Files/downloads/gnu/14.2.rel1/binrel/arm-gnu-toolchain-14.2.rel1-aarch64-arm-none-eabi.tar.xz /arm-gnu-toolchain.tar.xz
 # Select downloader stage based on target architecture.
From 39c7cdf9722431bab2358e53f7e0dff6e5a05e00 Mon Sep 17 00:00:00 2001
From: Ron <45816308+rjaegers@users.noreply.github.com>
Date: Thu, 29 Jan 2026 09:30:59 +0000
Subject: [PATCH 05/11] chore: switch to manual download as ADD leads to 403
---
 .devcontainer/cpp/Dockerfile | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/.devcontainer/cpp/Dockerfile b/.devcontainer/cpp/Dockerfile
index d1dbdefa..638c047f 100644
--- a/.devcontainer/cpp/Dockerfile
+++ b/.devcontainer/cpp/Dockerfile
@@ -15,8 +15,6 @@ ADD --checksum=sha256:630c34ec94d451b200f5b14a6a25580d6a45bc80c394b7e0b93e33556e
 https://github.com/ccache/ccache/releases/download/v${CCACHE_VERSION}/ccache-${CCACHE_VERSION}-linux-x86_64.tar.xz /ccache.tar.xz
 ADD --checksum=sha256:f1bffe5319728fca9cde5bb03fcb6c88cdf44922bd003fca8b4b9ce5b6f259d2 \
 https://github.com/Jake-Shadle/xwin/releases/download/${XWIN_VERSION}/xwin-${XWIN_VERSION}-x86_64-unknown-linux-musl.tar.gz /xwin.tar.gz
-ADD --checksum=sha256:62a63b981fe391a9cbad7ef51b17e49aeaa3e7b0d029b36ca1e9c3b2a9b78823 \
- https://developer.arm.com/-/media/Files/downloads/gnu/14.2.rel1/binrel/arm-gnu-toolchain-14.2.rel1-x86_64-arm-none-eabi.tar.xz /arm-gnu-toolchain.tar.xz
 # Downloader stage for ARM64 architecture
 FROM scratch AS downloader-arm64
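Review bot: Dropping the pinned `ADD --checksum` lines here (and in the `@@ -28,8 +26,6 @@` hunk) removes the only integrity check on the arm toolchain archive unless the manual download that replaces them verifies the same digest; that replacement is not readable on this page, so it needs confirming. The download step should write the archive to a file and check it before extraction, for example `echo "${ARM_GNU_TOOLCHAIN_SHA256}  /tmp/arm-gnu-toolchain.tar.xz" | sha256sum -c -` with one digest per architecture (the variable name and path are placeholders), rather than streaming it into `tar` as the `wget ... | tar` line removed in patch 01 did. The downloader stage continues outside the hunk.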
@@ -28,8 +26,6 @@ ADD --checksum=sha256:b01c270c245e41998ab777164aba085dbeb23ce515f4e2134a1fdddabf https://github.com/ccache/ccache/releases/download/v${CCACHE_VERSION}/ccache-${CCACHE_VERSION}-linux-aarch64.tar.xz /ccache.tar.xz ADD --checksum=sha256:b85cd1e0c94f249338b02a6e54b380154a5af6b5dd754121b15722125a67cf9f \ https://github.com/Jake-Shadle/xwin/releases/download/${XWIN_VERSION}/xwin-${XWIN_VERSION}-aarch64-unknown-linux-musl.tar.gz /xwin.tar.gz -ADD --checksum=sha256:87330bab085dd8749d4ed0ad633674b9dc48b237b61069e3b481abd364d0a684 \ - https://developer.arm.com/-/media/Files/downloads/gnu/14.2.rel1/binrel/arm-gnu-toolchain-14.2.rel1-aarch64-arm-none-eabi.tar.xz /arm-gnu-toolchain.tar.xz # Select downloader stage based on target architecture. # Linters don't recognize the TARGETARCH variable, so we ignore warnings here. @@ -51,13 +47,27 @@ WORKDIR / RUN --mount=from=downloader,target=/dl < Date: Thu, 26 Feb 2026 14:40:44 +0100 Subject: [PATCH 06/11] feat: don't overwrite bin lib --- .devcontainer/cpp/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.devcontainer/cpp/Dockerfile b/.devcontainer/cpp/Dockerfile index 638c047f..9698ac0b 100644 --- a/.devcontainer/cpp/Dockerfile +++ b/.devcontainer/cpp/Dockerfile @@ -61,7 +61,7 @@ RUN --mount=from=downloader,target=/dl < Date: Thu, 26 Feb 2026 14:50:55 +0100 Subject: [PATCH 07/11] fix: don't move from r/o filesystem --- .devcontainer/cpp/Dockerfile | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.devcontainer/cpp/Dockerfile b/.devcontainer/cpp/Dockerfile index e5085e94..a77ee878 100644 --- a/.devcontainer/cpp/Dockerfile +++ b/.devcontainer/cpp/Dockerfile @@ -66,8 +66,6 @@ RUN --mount=from=downloader,target=/dl < Date: Thu, 26 Feb 2026 14:52:07 +0100 Subject: [PATCH 08/11] fix: use recursive copy --- .devcontainer/cpp/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.devcontainer/cpp/Dockerfile b/.devcontainer/cpp/Dockerfile index a77ee878..f1cbd6f9 100644 --- a/.devcontainer/cpp/Dockerfile +++ b/.devcontainer/cpp/Dockerfile @@ -128,7 +128,7 @@ RUN --mount=type=bind,source=.devcontainer/cpp/apt-requirements-base.json,target xargs apt-get install -y --no-install-recommends # Install arm-gcc toolchain - cp /src/arm-gnu-toolchain-*-arm-none-eabi /opt/gcc-arm-none-eabi + cp -r /src/arm-gnu-toolchain-*-arm-none-eabi /opt/gcc-arm-none-eabi EOF # Install include-what-you-use (iwyu) from source From 52ffdd484d4a00b2cd771645f7f20e7a5f297dba Mon Sep 17 00:00:00 2001 From: Ron <45816308+rjaegers@users.noreply.github.com> Date: Thu, 26 Feb 2026 15:15:59 +0100 Subject: [PATCH 09/11] chore: align bash settings --- .devcontainer/base/Dockerfile | 2 +- .devcontainer/cpp/Dockerfile | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.devcontainer/base/Dockerfile b/.devcontainer/base/Dockerfile index d27325f4..e946dd60 100644 --- a/.devcontainer/base/Dockerfile +++ b/.devcontainer/base/Dockerfile @@ -35,7 +35,7 @@ RUN --mount=type=bind,source=.devcontainer/base/apt-requirements.json,target=/tm --mount=type=cache,target=/var/log,sharing=locked \ --mount=from=extractor,target=/src < Date: Thu, 26 Feb 2026 19:12:47 +0100 Subject: [PATCH 11/11] fix: use cp -a to preserve links and permissions --- .devcontainer/base/Dockerfile | 4 +--- .devcontainer/cpp/Dockerfile | 6 ++---- 2 files changed, 3 insertions(+), 7 deletions(-) diff --git a/.devcontainer/base/Dockerfile b/.devcontainer/base/Dockerfile index e946dd60..c7db32d7 100644 --- a/.devcontainer/base/Dockerfile +++ b/.devcontainer/base/Dockerfile @@ -26,7 +26,7 @@ ARG DEBIAN_FRONTEND=noninteractive HEALTHCHECK NONE -SHELL ["/bin/bash", "-o", "pipefail", "-c"] +SHELL ["/bin/bash", "-Eeuo", "pipefail", "-c"] # hadolint ignore=DL3008 RUN --mount=type=bind,source=.devcontainer/base/apt-requirements.json,target=/tmp/apt-requirements.json \ 
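Review bot: The new `SHELL ["/bin/bash", "-Eeuo", "pipefail", "-c"]` line carries no comment explaining the flags, although they are what makes a failed download or checksum step in the middle of a heredoc `RUN` stop the build instead of being masked by the exit status of the script's last command. I would add `# -e/-u/pipefail: any failing step in a RUN script aborts the build` above it. Because `-u` also aborts on unset variables, RUN scripts that read optional variables need the `${VAR:-}` form; whether any do is not visible in this hunk.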
@@ -35,8 +35,6 @@ RUN --mount=type=bind,source=.devcontainer/base/apt-requirements.json,target=/tm --mount=type=cache,target=/var/log,sharing=locked \ --mount=from=extractor,target=/src <