Pull request overview
This PR enhances the development container environment by adding Starship prompt customization and zsh plugins for improved terminal experience. It also updates the base container image and makes configuration adjustments for resource allocation and Kubernetes cluster setup.
Changes:
- Added Starship prompt configuration and zsh plugin installation (autosuggestions and syntax highlighting)
- Added custom edactl completion script for zsh
- Updated devcontainer configuration to remove common-utils feature (zsh now handled in Dockerfile) and added terminal font settings
- Updated k3s cluster version and added resource configurations for additional components (CX, SE, SA, SC) and Gogs storage
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 12 comments.
| File | Description |
|---|---|
| .devcontainer/shell/starship.toml | New Starship prompt configuration with custom symbols and formatting for git, golang, python, kubernetes, and other tools |
| .devcontainer/shell/install-zsh-plugins.sh | Script to install zsh-autosuggestions and F-Sy-H syntax highlighting plugins |
| .devcontainer/shell/edactl_completion.zsh | Custom zsh completion script for edactl command with intelligent autocompletion |
| .devcontainer/shell/.zshrc | Zsh configuration file with Oh My Zsh, plugins, Starship initialization, and edactl alias |
| .devcontainer/onCreate.sh | Updated k3d cluster creation to specify k3s version v1.34.1-k3s1 |
| .devcontainer/devcontainer.json | Removed common-utils feature, updated base image to pr-2, and added terminal profile and font settings |
| .devcontainer/codespaces-4vcpu-kpt-setters.yaml | Added CPU resource requests for CX, SE, SA, SC components and Gogs persistent volume size |
| .devcontainer/Dockerfile | Added iproute2 package, Oh My Zsh and Starship installation, shell file copying, and kpt version patch to beta59 |
| @@ -0,0 +1,2 @@ | |||
| git clone --depth 1 https://github.com/zsh-users/zsh-autosuggestions ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/zsh-autosuggestions | |||
This shell script is missing a shebang line at the beginning. Add #!/bin/bash or #!/bin/sh as the first line to ensure the script is executed with the correct shell interpreter.
.devcontainer/Dockerfile
|
|
||
| # copy shell files (save .zshrc as .zshrc.custom to survive devcontainer features overwriting it) | ||
| COPY --chown=vscode:vscode shell/ /home/vscode/ | ||
| COPY --chown=vscode:vscode shell/.zshrc /home/vscode/.zshrc |
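Review bot: The comment on the first line says .zshrc is saved as .zshrc.custom, but the last COPY writes it to /home/vscode/.zshrc, and the preceding COPY of shell/ into /home/vscode/ already copies shell/.zshrc to that same path, so the second COPY is redundant and nothing shown here keeps the file from being overwritten. Either change the destination to /home/vscode/.zshrc.custom so it matches the comment, or drop the line and correct the comment.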
The COPY command attempts to copy starship.toml to /home/vscode/.config/starship.toml, but the .config directory may not exist yet. This could cause the Docker build to fail. Create the directory first with RUN mkdir -p /home/vscode/.config before this COPY command, or use COPY with the --parents flag if available.
| COPY --chown=vscode:vscode shell/.zshrc /home/vscode/.zshrc | |
| COPY --chown=vscode:vscode shell/.zshrc /home/vscode/.zshrc | |
| RUN mkdir -p /home/vscode/.config |
| RUN sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" | ||
| RUN curl -sS https://starship.rs/install.sh | sudo sh -s -- -y |
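Review bot: On the starship line, curl is called with -sS but without -f (or -L), unlike the Oh My Zsh line above it, so an HTTP error response body would be piped into "sudo sh" instead of failing the build step. Use "curl -fsSL", and write the installer to a file before executing it so that a failed or truncated download cannot run.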
The lines RUN sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" and RUN curl -sS https://starship.rs/install.sh | sudo sh -s -- -y download and execute remote shell scripts from third-party domains without any pinning or integrity verification. If either upstream repository or the download path is compromised, an attacker can run arbitrary commands inside the devcontainer build (including as root via sudo), tamper with the image, or implant backdoors that execute whenever the shell starts. Prefer installing these tools from trusted package repositories or, at minimum, pin to specific release artifacts or commit SHAs and verify checksums/signatures before executing downloaded scripts.
| git clone --depth 1 https://github.com/zsh-users/zsh-autosuggestions ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/zsh-autosuggestions | ||
| git clone --depth 1 https://github.com/z-shell/F-Sy-H.git ${ZSH_CUSTOM:-$HOME/.oh-my-zsh/custom}/plugins/F-Sy-H No newline at end of file |
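Review bot: The two clone lines use different defaults for the target directory, ${ZSH_CUSTOM:-~/.oh-my-zsh/custom} on the first and ${ZSH_CUSTOM:-$HOME/.oh-my-zsh/custom} on the second, and both expansions are unquoted, so a path containing spaces would be word-split. Use the double-quoted $HOME form on both lines, and end the file with a newline (the diff reports "No newline at end of file").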
The git clone commands here fetch Zsh plugins (zsh-autosuggestions and F-Sy-H) directly from third-party GitHub repositories at their mutable default branches, and these plugins are then loaded automatically via the .zshrc plugins list. If any of these upstream repos are compromised, malicious code will be sourced into every shell session with access to the developer's environment and credentials, enabling code execution or secret exfiltration. To reduce this supply-chain risk, vendor these plugins or pin them to specific commits/tags and verify integrity before loading them as plugins.
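The pinning and integrity checks recommended in the two comments above, sketched as an added example that is not part of the pull request or the review. The helper names `run_verified` and `clone_pinned` are hypothetical, and the digest and commit values passed to them are pins the maintainer has to record from a reviewed copy of the upstream file or repository.

```shell
# Added example: verify-before-use helpers for a devcontainer build script.
# Function names are hypothetical; digests and commits are supplied by the caller.

# run_verified FILE EXPECTED_SHA256 [ARGS...]
# Runs an already-downloaded installer only if its SHA-256 equals the pinned value.
run_verified() {
    file=$1; expected=$2; shift 2
    actual=$(sha256sum "$file" 2>/dev/null | cut -d' ' -f1)
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "refusing to run $file: sha256 '$actual' != pinned '$expected'" >&2
        return 1
    fi
    sh "$file" "$@"
}

# clone_pinned URL COMMIT DEST
# Fetches one commit and keeps the checkout only if HEAD is exactly COMMIT.
# A branch or tag name passed as COMMIT is rejected, because HEAD resolves to
# a full object id that cannot equal a mutable ref name.
clone_pinned() {
    url=$1; commit=$2; dest=$3
    git init -q "$dest" || return 2
    if ! git -C "$dest" fetch -q --depth 1 "$url" "$commit" ||
       ! git -C "$dest" checkout -q --detach FETCH_HEAD; then
        rm -rf "$dest"
        return 1
    fi
    head=$(git -C "$dest" rev-parse HEAD)
    if [ "$head" != "$commit" ]; then
        echo "HEAD $head is not the pinned commit $commit" >&2
        rm -rf "$dest"
        return 1
    fi
}

# Intended use in a build step (placeholders, not real pins):
#   curl -fsSL -o /tmp/install.sh "<installer URL>"
#   run_verified /tmp/install.sh "<pinned sha256>" -y
#   clone_pinned "<plugin repo URL>" "<pinned 40-hex commit>" "$ZSH_CUSTOM/plugins/<name>"
```

Downloading to a file first means the bytes that are hashed are the bytes that are executed, which a `curl | sh` pipeline cannot guarantee.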