Pull request overview
This PR optimizes the development container and related tooling scripts to improve devcontainer build performance, reduce image size, and tighten default permissions while updating Node.js expectations.
Changes:
- Updated .devcontainer/Dockerfile to use a pinned Bookworm base image, BuildKit apt cache mounts, --no-install-recommends, multi-stage uv install, and Node.js 24.x.
- Tightened cache directory permissions (e.g., mypy cache, various .cache/* directories) from 777 to 755.
- Moved CLI installs into devcontainer features and updated packaging guidance to expect Node.js 24.x.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| .devcontainer/Dockerfile | BuildKit caching, pinned base image, uv multi-stage install, Node.js 24.x, and permission tightening. |
| .devcontainer/devcontainer.json | Adds devcontainer features (Azure CLI, Copilot CLI). |
| .devcontainer/devcontainer_setup.sh | Tightens mypy cache permissions and keeps devcontainer setup behavior. |
| build_scripts/prepare_package.py | Removes shebang and updates Node.js version guidance in error output. |
| docker/build_pyrit_docker.py | Removes shebang (script intended to be run via python ...). |
| docker/run_pyrit_docker.py | Removes shebang (script intended to be run via python ...). |
romanlutz approved these changes on Mar 7, 2026
Pull request overview
Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.
Description
Optimizes the devcontainer Dockerfile to improve build speed, reduce image size, and tighten permissions.
Key changes:
Build performance
- --mount=type=cache) for all apt-get layers instead of apt-get clean && rm -rf /var/lib/apt/lists/* — cached packages persist across local rebuilds, so subsequent builds skip re-downloading unchanged packages. Note: these mounts only benefit local builds; in CI, GHA layer caching (cache-from: type=gha) handles caching at the layer level.
- uv via COPY --from=ghcr.io/astral-sh/uv:0.10.8 multi-stage copy instead of curl | sh — avoids a network round-trip, shell pipe execution, and the extra cleanup of /root/.local/bin.

Image size
- --no-install-recommends consistently to all apt-get install invocations (previously only used on the Speech SDK block) — prevents pulling in unnecessary Recommends dependencies (e.g., X11 libs, man pages).

Reproducibility
- python:3.11-bookworm instead of python:3.11 — prevents silent shifts between Debian releases (e.g., Bookworm to Trixie) when the base image is updated. (and match existing bookworm apt repo call)
- uv to a specific version (0.10.8) via multi-stage COPY --from — the previous curl | sh always fetched the latest release, making builds non-deterministic.
- DEBIAN_FRONTEND=noninteractive as a global ENV instead of inline per-command — prevents any apt-get invocation from prompting for interactive input.

Security hardening
- chmod 777 to chmod 755 for all cache directories (pip, pylance, venv, uv, mypy) — 777 is unnecessarily permissive in a single-user devcontainer where vscode owns these directories.
- python script_name.py to avoid precommit complaint.

Dependency cleanup
- apt-transport-https from explicit install — this is a transitional no-op package on Debian Bookworm (HTTPS support is built into apt natively). The base image already includes it.
- lsb-release from explicit install — the base image already includes it.
- rm -rf /opt/venv and debug ls -la /opt/venv/bin/activate from the uv/venv setup step.

Node.js
- npm install -g @github/copilot to a devcontainer feature to remove unnecessary tool from production builds.

Minor cleanup
Tests and Documentation
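
Added example, not code from this pull request or the project's repository: a small Python check for the Dockerfile patterns the description above replaces (a base image tag that names no Debian release, apt-get install without --no-install-recommends, curl | sh installs, chmod 777). The rule names, the suite list and both sample Dockerfiles are constructed for the example; the base-image rule is a heuristic for Debian-based images only.

```python
import re

SUITES = ("bullseye", "bookworm", "trixie")  # assumption: Debian releases accepted in a tag

def instructions(text):
    """Yield (first_line_no, instruction), joining backslash continuations."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = start or no
        buf += line.rstrip("\\") + " "
        if not line.endswith("\\"):
            yield start, buf.strip()
            buf, start = "", None

def lint(text):
    """Return (line_no, rule) findings; rule names are made up for this example."""
    out = []
    for no, ins in instructions(text):
        m = re.match(r"FROM\s+(?:--platform=\S+\s+)?(\S+)", ins, re.I)
        if m and "@sha256:" not in m.group(1):  # digest-pinned images pass
            tag = m.group(1).rsplit("/", 1)[-1].partition(":")[2]
            if not any(s in tag for s in SUITES):  # also catches no tag / latest
                out.append((no, "base-image-floating"))
        if not re.match(r"RUN\b", ins, re.I):
            continue
        if re.search(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|da|z)?sh\b", ins):
            out.append((no, "pipe-to-shell-install"))
        if re.search(r"\bchmod\s+(-\S+\s+)*0?777\b", ins):
            out.append((no, "world-writable-chmod"))
        for cmd in re.split(r"&&|;", ins):
            if re.search(r"\bapt-get\b.*\binstall\b", cmd) and "--no-install-recommends" not in cmd:
                out.append((no, "apt-recommends-installed"))
    return out

# Constructed samples, not the repository's Dockerfile.
BEFORE = """\
FROM python:3.11
RUN apt-get update && \\
    apt-get install -y git curl
RUN curl -LsSf https://example.invalid/install.sh | sh
RUN mkdir -p /home/vscode/.cache/pip && chmod -R 777 /home/vscode/.cache/pip
"""
AFTER = """\
FROM python:3.11-bookworm
RUN apt-get update && apt-get install -y --no-install-recommends git curl
RUN mkdir -p /home/vscode/.cache/pip && chmod 755 /home/vscode/.cache/pip
"""
```

Calling lint(BEFORE) reports one finding per offending instruction, keyed by the line where the instruction starts; lint(AFTER) returns an empty list.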