Conversation
There was a problem hiding this comment.
Pull request overview
This PR refactors devcontainer tool installation to use verified GitHub release downloads, adds zizmor to the base image/tool build pipeline, and replaces the AWS SAM CLI install with a signature-verifying installer.
Changes:
- Replace project-specific
tflintbuild assets with shared base devcontainer tool images and a generic GitHub-release installer script. - Add
zizmoras a tool image and include it in the base image build. - Replace AWS SAM CLI install logic with a GPG signature verification script; remove user-level pip installs from several Node+Python language images.
Reviewed changes
Copilot reviewed 19 out of 19 changed files in this pull request and generated 7 comments.
Show a summary per file
| File | Description |
|---|---|
| src/projects/eps-storage-terraform/.devcontainer/scripts/install_tflint.sh | Removes legacy tflint install script (migrated to shared tooling). |
| src/projects/eps-storage-terraform/.devcontainer/Dockerfile.tflint | Removes legacy project tflint tool image Dockerfile (migrated to shared tooling). |
| src/languages/node_24_python_3_14/.devcontainer/scripts/vscode_install.sh | Stops installing requirements-user.txt via pip. |
| src/languages/node_24_python_3_14/.devcontainer/scripts/requirements-user.txt | Removes user requirements (previously zizmor, cfn-lint). |
| src/languages/node_24_python_3_13/.devcontainer/scripts/vscode_install.sh | Stops installing requirements-user.txt via pip. |
| src/languages/node_24_python_3_13/.devcontainer/scripts/requirements-user.txt | Removes user requirements (previously zizmor, cfn-lint). |
| src/languages/node_24_python_3_12/.devcontainer/scripts/vscode_install.sh | Stops installing requirements-user.txt via pip. |
| src/languages/node_24_python_3_12/.devcontainer/scripts/requirements-user.txt | Removes user requirements (previously zizmor, cfn-lint). |
| src/languages/node_24_python_3_10/.devcontainer/scripts/vscode_install.sh | Stops installing requirements-user.txt via pip. |
| src/languages/node_24_python_3_10/.devcontainer/scripts/requirements-user.txt | Removes user requirements (previously zizmor). |
| src/base/.devcontainer/scripts/root_install.sh | Switches AWS SAM CLI installation to a dedicated installer script. |
| src/base/.devcontainer/scripts/install_github_release.sh | Adds a shared installer for GitHub release assets with optional attestation/checksum verification. |
| src/base/.devcontainer/scripts/install_aws_sam_cli.sh | Adds AWS SAM CLI installer that verifies GPG signatures. |
| src/base/.devcontainer/devcontainer.json | Documents using devcontainer features for github-cli and aws-cli. |
| src/base/.devcontainer/Dockerfile.zizmor | Adds a dedicated tool image to install verified zizmor binary. |
| src/base/.devcontainer/Dockerfile.tflint | Adds a dedicated tool image to install verified tflint binary via shared installer. |
| src/base/.devcontainer/Dockerfile | Adds zizmor to the base image build and introduces SAM_VERSION build arg/env. |
| Makefile | Adds build-zizmor and build-tools; updates build-tflint to use shared base tool Dockerfile. |
| .github/workflows/build_all_images.yml | Consolidates tool builds and adds saving local_zizmor image tar. |
Comments suppressed due to low confidence (4)
src/languages/node_24_python_3_13/.devcontainer/scripts/vscode_install.sh:9
- Removing the
pip install --user -r requirements-user.txtstep means any user-level tools previously provided by this image (e.g.,cfn-lint/zizmor) will no longer be installed. Also,src/common_node_24/Dockerfilestill attempts toCOPY scripts/requirements-user.txtinto the image; with this file removed, the build will fail unless that Dockerfile is updated accordingly.
asdf install python
asdf install
src/languages/node_24_python_3_14/.devcontainer/scripts/vscode_install.sh:9
- Removing the
pip install --user -r requirements-user.txtstep means any user-level tools previously provided by this image (e.g.,cfn-lint/zizmor) will no longer be installed. Also,src/common_node_24/Dockerfilestill attempts toCOPY scripts/requirements-user.txtinto the image; with this file removed, the build will fail unless that Dockerfile is updated accordingly.
asdf install python
asdf install
src/languages/node_24_python_3_12/.devcontainer/scripts/vscode_install.sh:9
- Removing the
pip install --user -r requirements-user.txtstep means any user-level tools previously provided by this image (e.g.,cfn-lint/zizmor) will no longer be installed. Also,src/common_node_24/Dockerfilestill attempts toCOPY scripts/requirements-user.txtinto the image; with this file removed, the build will fail unless that Dockerfile is updated accordingly.
asdf install python
asdf install
src/languages/node_24_python_3_10/.devcontainer/scripts/vscode_install.sh:9
- Removing the
pip install --user -r requirements-user.txtstep means any user-level tools previously provided by this image (e.g.,cfn-lint/zizmor) will no longer be installed. Also,src/common_node_24/Dockerfilestill attempts toCOPY scripts/requirements-user.txtinto the image; with this file removed, the build will fail unless that Dockerfile is updated accordingly.
asdf install python
asdf install
| verify_aws_sam_cli_gpg_signature() { | ||
| local filePath=$1 | ||
| local sigFilePath=$2 | ||
| tmp_dir="$(mktemp -d)" | ||
| trap 'rm -rf "${tmp_dir}"' EXIT | ||
| local awsGpgKeyring="${tmp_dir}/aws-sam-cli-public-key.gpg" | ||
|
|
||
| echo "${PRIMARY_PUBLIC_KEY}" | gpg --dearmor > "${awsGpgKeyring}" | ||
| echo "${SIGNER_PUBLIC_KEY}" | gpg --dearmor >> "${awsGpgKeyring}" | ||
|
|
||
| gpg --batch --quiet --no-default-keyring --keyring "${awsGpgKeyring}" --verify "${sigFilePath}" "${filePath}" | ||
| local status=$? | ||
|
|
||
| return ${status} | ||
| } | ||
|
|
||
| install() { | ||
| tmp_dir="$(mktemp -d)" | ||
| trap 'rm -rf "${tmp_dir}"' EXIT | ||
|
|
There was a problem hiding this comment.
Both verify_aws_sam_cli_gpg_signature and install set a global trap ... EXIT and reuse the same tmp_dir variable. The inner function call overwrites the trap and tmp_dir, which can leave the outer temp directory uncleaned and makes cleanup order hard to reason about. Prefer using function-local temp vars and explicit rm -rf cleanup (or use trap ... RETURN / a subshell) to avoid trap clobbering.
| if [ "${VERIFY_BINARY_ATTESTATION}" != "true" ] && [ "${VERIFY_CHECKSUM}" != "true" ]; then | ||
| echo "VERIFY_BINARY_ATTESTATION or VERIFY_CHECKSUM must be set to true" | ||
| exit 1 | ||
| fi | ||
|
|
||
| BINARY_URL="https://github.com/${GITHUB_REPO}/releases/download/${VERSION}/${DOWNLOAD_BINARY}" | ||
| BINARY_ASSET_NAME="${DOWNLOAD_BINARY}" | ||
| CHECKSUMS_URL="https://github.com/${GITHUB_REPO}/releases/download/${VERSION}/checksums.txt" | ||
| tmp_dir="$(mktemp -d)" |
There was a problem hiding this comment.
This installer relies on several environment variables (GITHUB_REPO, VERSION, DOWNLOAD_BINARY, TOOL, COMPRESSION, VERIFY_*) but doesn’t validate them with clear errors. With set -u, missing inputs will fail with an “unbound variable” message that’s hard to diagnose. Add explicit required-variable checks near the top (e.g., using parameter expansion with :?) so failures are actionable.
| ARCH="${TARGETARCH}" \ | ||
| VERSION="${ZIZMOR_VERSION}" \ | ||
| GITHUB_REPO="zizmorcore/zizmor" \ | ||
| TOOL="zizmor" \ |
There was a problem hiding this comment.
In the RUN command, the line continuation is broken because there’s a trailing space after the backslash (TOOL="zizmor" \ ). In a shell this prevents the newline from being escaped, so the subsequent environment variable assignments won’t be part of the same command and the install will fail. Remove the trailing whitespace so the backslash is the final character on the line.
| TOOL="zizmor" \ | |
| TOOL="zizmor" \ |
|
|
||
| build-tools: build-syft build-grype build-grant build-tflint build-zizmor | ||
|
|
||
| build-image: build-syft build-grype build-grant build-tflint guard-CONTAINER_NAME guard-BASE_VERSION_TAG guard-BASE_FOLDER guard-IMAGE_TAG |
There was a problem hiding this comment.
make build-image now builds a base image that depends on local_zizmor:latest (via FROM local_zizmor:latest in the base Dockerfile), but build-image does not ensure that image exists. This will break local builds and any CI paths that call make build-image without first running make build-tools. Add build-zizmor (or build-tools) as a prerequisite of build-image.
| build-image: build-syft build-grype build-grant build-tflint guard-CONTAINER_NAME guard-BASE_VERSION_TAG guard-BASE_FOLDER guard-IMAGE_TAG | |
| build-image: build-syft build-grype build-grant build-tflint build-zizmor guard-CONTAINER_NAME guard-BASE_VERSION_TAG guard-BASE_FOLDER guard-IMAGE_TAG |
| run: | | ||
| make build-grype | ||
| make build-tools | ||
| docker save "local_grype:latest" -o grype_image.tar | ||
| - name: build_syft | ||
| run: | | ||
| make build-syft | ||
| docker save "local_syft:latest" -o syft_image.tar | ||
| - name: build_grant | ||
| run: | | ||
| make build-grant | ||
| docker save "local_grant:latest" -o grant_image.tar | ||
|
|
||
| - name: build_tflint | ||
| run: | | ||
| make build-tflint | ||
| docker save "local_tflint:latest" -o tflint_image.tar | ||
| docker save "local_zizmor:latest" -o zizmor_image.tar |
There was a problem hiding this comment.
This step now saves zizmor_image.tar, but the subsequent actions/upload-artifact step (not shown in this hunk) still only uploads grype/syft/grant/tflint tarballs. Downstream jobs load tool images from the artifact’s *.tar files, so local_zizmor:latest won’t be available and base image builds will fail. Ensure zizmor_image.tar is added to the uploaded artifact path list.
| verify_aws_sam_cli_gpg_signature "$scriptZipFile" "$scriptSigFile" | ||
| if (( $? > 0 )); then | ||
| echo "Could not verify GPG signature of AWS CLI install script. Make sure you provided a valid version." |
There was a problem hiding this comment.
This script calls verify_aws_sam_cli_gpg_signature and then checks $?, but the script is running with set -e. If signature verification fails, the script will exit immediately at the verification command and will never reach the error handling block (and the error message currently refers to “AWS CLI” rather than “AWS SAM CLI”). Use an if ! verify_...; then ... fi pattern (or temporarily disable errexit) so the failure is handled deterministically with the intended message.
| verify_aws_sam_cli_gpg_signature "$scriptZipFile" "$scriptSigFile" | |
| if (( $? > 0 )); then | |
| echo "Could not verify GPG signature of AWS CLI install script. Make sure you provided a valid version." | |
| if ! verify_aws_sam_cli_gpg_signature "$scriptZipFile" "$scriptSigFile"; then | |
| echo "Could not verify GPG signature of AWS SAM CLI install script. Make sure you provided a valid version." |
| ARCH="${TARGETARCH}" \ | ||
| VERSION="${TFLINT_VERSION}" \ | ||
| GITHUB_REPO="terraform-linters/tflint" \ | ||
| TOOL="tflint" \ |
There was a problem hiding this comment.
In the RUN command, the line continuation is broken because there’s a trailing space after the backslash (TOOL="tflint" \ ). This prevents the remaining environment variable assignments and script invocation from being part of the same shell command, which can cause the image build to fail. Remove the trailing whitespace so the backslash is the last character on the line.
| TOOL="tflint" \ | |
| TOOL="tflint" \ |
Summary
Details