Upgrade devcontainer agents feature to v3#64
Merged
Merged
Conversation
agents v3.0.0 is a breaking release that drops the bundled GitHub CLI (gh) and 1Password CLI (op), so the container no longer injects a GitHub token (or 1Password credentials) at shell start. - Bump the agents pin :2 -> :3 in .devcontainer/devcontainer.json - Remove the now-dead GITHUB_TOKEN passthrough in remoteEnv plus the gh/1Password comments. Verified nothing in the repo uses gh or op inside the container (no lifecycle command, script, or in-container CI), so this is behavior-preserving and github-cli was not re-added. - Regenerate .devcontainer/devcontainer-lock.json: agents resolves to the v3 digest and no longer depends on github-cli, so the standalone github-cli lock entry is dropped. claude-code and pnpm are unchanged. - Add .github/dependabot.yml with a devcontainers entry so feature updates are tracked weekly going forward.
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Upgrades the dev container to v3 of
rocicorp/devcontainer-features/agents. v3.0.0 is a breaking release: it drops the bundled GitHub CLI (gh) and 1Password CLI (op), so the container no longer injects aGITHUB_TOKEN(or 1Password credentials) at shell start. See the migration note.There is one dev container config in this repo (
.devcontainer/devcontainer.json); no nested orsrc/*configs exist.Changes
.devcontainer/devcontainer.json:ghcr.io/rocicorp/devcontainer-features/agents:2→:3.pnpm:1is left as-is; nocodexVersionoption was set, so nothing else changed there.remoteEnv.GITHUB_TOKEN(${localEnv:GITHUB_TOKEN}) passthrough and thegh/1Password comments. These existed solely to authenticate the old bundledgh, which v3 no longer ships..devcontainer/devcontainer-lock.jsonregenerated:agentsnow resolves to the v3 digest (sha256:cb7bb04455…) and itsdependsOnno longer listsgithub-cli, so the standalonegithub-cli:1lock entry is removed.claude-code:1andpnpm:1are unchanged..github/dependabot.ymlwith adevcontainersecosystem entry (weekly, grouped). The configs live under the root.devcontainer/, sodirectory: "/"is correct.Risk: risk-free
I grepped the repo for
GITHUB_TOKEN,gh,op,OP_SERVICE_ACCOUNT, "GitHub CLI", and "1Password" — every hit was inside the devcontainer config/lock itself. Nothing in the repo (no lifecycle command, script, or in-container CI) actually invokesghoropinside the container, so the token passthrough was already dead weight.github-cliwas not re-added, because nothing needs it. ThepostCreateCommandis justpnpm install, and CI (.github/workflows/deploy.yml) runs on GitHub-hosted runners (pnpm + Vercel), unaffected by this change.Note on the lockfile
@devcontainers/cli upgradecouldn't complete in the sandbox (egress policy blocks the ghcr.io blob host), so the lock was regenerated by resolving theagents:3manifest digest directly from the registry. The recorded digest is the registry's authoritativeDocker-Content-Digest, verified by hashing the manifest bytes — equivalent to what the CLI would write. A clean localdevcontainer upgradewill be a no-op.