Skip to content

TRT-2689: Add devcontainer, APM config, and agentic CI scaffolding#31371

Open
smg247 wants to merge 4 commits into
openshift:mainfrom
smg247:add-devcontainer-and-agentic-config
Open

TRT-2689: Add devcontainer, APM config, and agentic CI scaffolding#31371
smg247 wants to merge 4 commits into
openshift:mainfrom
smg247:add-devcontainer-and-agentic-config

Conversation

@smg247

@smg247 smg247 commented Jul 8, 2026

Copy link
Copy Markdown
Member

Add a Fedora 43 devcontainer with Go toolchain, golangci-lint, gh CLI, and Claude Code support via Vertex AI. Includes devcontainer.json, post-create.sh, .env.example, README with setup instructions, and an interactive /origin-dev-setup slash command.

Add APM configuration (apm.yml, instructions, prompts) that generates agent context for Claude, Cursor, Gemini, and OpenCode. Instructions document the openshift-tests architecture including e2e tests, monitor tests, disruption tests, and the OTE extension framework.

Add .agentic/ config overlays for the TRT agentic CI workflow (jira-solver and review-responder) and hack/agentic_setup.sh.

Summary by CodeRabbit

  • New Features
    • Added guided “Origin” development container setup workflows across editor/assistant tools.
    • Added Atlassian MCP configuration support for agent connectivity.
  • Documentation
    • Expanded repository guidance for build, verification, and Go/E2E testing practices.
    • Added onboarding checklists and instructions for regenerating AI/editor context artifacts.
  • Chores
    • Introduced automation to regenerate generated context documentation and related config/lock files.
    • Updated ignore rules and added a setup helper to streamline environment initialization.

Add a Fedora 43 devcontainer with Go toolchain, golangci-lint, gh CLI,
and Claude Code support via Vertex AI. Includes devcontainer.json,
post-create.sh, .env.example, README with setup instructions, and an
interactive /origin-dev-setup slash command.

Add APM configuration (apm.yml, instructions, prompts) that generates
agent context for Claude, Cursor, Gemini, and OpenCode. Instructions
document the openshift-tests architecture including e2e tests, monitor
tests, disruption tests, and the OTE extension framework.

Add .agentic/ config overlays for the TRT agentic CI workflow
(jira-solver and review-responder) and hack/agentic_setup.sh.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

@openshift-ci-robot

openshift-ci-robot commented Jul 8, 2026

Copy link
Copy Markdown

@smg247: This pull request references TRT-2689 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Add a Fedora 43 devcontainer with Go toolchain, golangci-lint, gh CLI, and Claude Code support via Vertex AI. Includes devcontainer.json, post-create.sh, .env.example, README with setup instructions, and an interactive /origin-dev-setup slash command.

Add APM configuration (apm.yml, instructions, prompts) that generates agent context for Claude, Cursor, Gemini, and OpenCode. Instructions document the openshift-tests architecture including e2e tests, monitor tests, disruption tests, and the OTE extension framework.

Add .agentic/ config overlays for the TRT agentic CI workflow (jira-solver and review-responder) and hack/agentic_setup.sh.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 8, 2026
@openshift-ci

openshift-ci Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: smg247

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 8, 2026
@openshift-ci openshift-ci Bot requested review from bparees and sjenning July 8, 2026 17:55
Auto-collapses agent context files in GitHub PR diffs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown

Walkthrough

This PR adds APM-generated agent-context files and regeneration tooling, MCP settings, a Podman-based devcontainer, and interactive Origin setup prompts and commands.

Changes

APM context, MCP, and devcontainer setup

Layer / File(s) Summary
APM rules and generated context
.apm/instructions/*, .agentic/*-config.md, .claude/rules/*, .cursor/rules/*, .github/instructions/*, AGENTS.md, CLAUDE.md, GEMINI.md, Makefile, apm.yml, apm.lock.yaml, .gitattributes
Adds APM source instructions, generated repository docs, the apm make target, and generated-file metadata for the new agent-context files.
MCP and devcontainer base config
.cursor/mcp.json, .gemini/settings.json, .mcp.json, .devcontainer/.env.example, .devcontainer/devcontainer.json, .devcontainer/Dockerfile, .gitignore
Adds Atlassian MCP endpoint configuration, devcontainer environment defaults, container image setup, and ignore rules for generated and local environment files.
Devcontainer bootstrap and docs
.devcontainer/README.md, .devcontainer/post-create.sh, hack/agentic_setup.sh
Adds the Fedora-based devcontainer bootstrap flow, post-create setup, and the CI wrapper that reuses it without Claude installation.
Origin setup prompts and commands
.apm/prompts/origin-dev-setup.prompt.md, .claude/commands/origin-dev-setup.md, .cursor/commands/origin-dev-setup.md, .gemini/commands/origin-dev-setup.toml, .github/prompts/origin-dev-setup.prompt.md, .opencode/commands/origin-dev-setup.md
Adds interactive Origin devcontainer setup prompts and commands covering OS checks, Podman setup, env file preparation, container startup, and host GCP auth.

Estimated code review effort: 3 (Moderate) | ~25 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main additions: devcontainer, APM config, and agentic CI scaffolding.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed Only .agentic/solve-config.md changed; it contains no test code or Ginkgo titles, so there are no dynamic test names to flag.
Test Structure And Quality ✅ Passed No Ginkgo test code was changed in this PR; the diff only adds docs/config and devcontainer files, so the test-structure check is not applicable.
Microshift Test Compatibility ✅ Passed PR only adds docs/config/scripts; no Go/_test.go files or Ginkgo e2e tests were added, so MicroShift compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PR only adds docs/config/scripts; no new Go/Ginkgo e2e tests or multi-node assumptions were introduced.
Topology-Aware Scheduling Compatibility ✅ Passed The PR only changes docs/config/scripts; no deployment manifests, operators, or controllers were modified, and no topology-sensitive scheduling fields appear.
Ote Binary Stdout Contract ✅ Passed Effective diff changes docs/config/scripts only; no Go entrypoints or suite setup code were modified, so no stdout contract violation.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No new Ginkgo e2e test code was added; the current diff is only a docs/config change (.agentic/solve-config.md).
No-Weak-Crypto ✅ Passed No MD5/SHA1/DES/RC4/3DES/Blowfish/ECB or secret comparisons were added; only sha256 lockfile hashes and benign install scripts appear.
Container-Privileges ✅ Passed No PR file sets privileged/host* flags or SYS_ADMIN/allowPrivilegeEscalation; devcontainer runs as vscode, and Dockerfile ends with USER vscode.
No-Sensitive-Data-In-Logs ✅ Passed Only generic status echoes appear; no changed code prints passwords, tokens, API keys, env contents, or user data.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 8

🧹 Nitpick comments (3)
.devcontainer/devcontainer.json (1)

10-14: 🔒 Security & Privacy | 🔵 Trivial | ⚖️ Poor tradeoff

Host credential mounts widen container blast radius.

Mounting ~/.config/gcloud, ~/.config/gh, and ~/.claude into the container means any compromised dependency or malicious code executed inside the devcontainer (e.g. via the unverified installers in the Dockerfile/post-create.sh) gets direct access to GCP credentials, GitHub tokens, and Claude session data. Consider documenting this risk in the README or scoping mounts to only what's strictly necessary.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.devcontainer/devcontainer.json around lines 10 - 14, The devcontainer
mounts in devcontainer.json expose host credentials and should be tightened or
clearly documented. Review the mounts array that binds ~/.config/gcloud,
~/.config/gh, and ~/.claude into the container, then either scope them down to
only the minimum required credentials or add explicit README guidance about the
security risk and when to use these mounts.
.devcontainer/post-create.sh (1)

22-29: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Symlink-based Claude project linking relies on unsanitized path substitution.

sed 's|/|-|g' on HOST_WORKSPACE_FOLDER is a reasonable approach but shellcheck suggests bash parameter expansion instead of spawning sed. Minor style nit, functionally fine as written.

♻️ Optional simplification
-  host_project_dir=$(echo "$HOST_WORKSPACE_FOLDER" | sed 's|/|-|g')
+  host_project_dir="${HOST_WORKSPACE_FOLDER//\//-}"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.devcontainer/post-create.sh around lines 22 - 29, The Claude project
linking block in post-create.sh uses sed to replace slashes in
HOST_WORKSPACE_FOLDER, but this can be simplified with shell parameter
expansion. Update the host_project_dir assignment in the symlink setup logic to
use bash’s built-in string substitution instead of spawning sed, keeping the
existing HOST_WORKSPACE_FOLDER, claude_projects, and -workspace symlink behavior
unchanged.

Source: Linters/SAST tools

.devcontainer/Dockerfile (1)

32-35: 🔒 Security & Privacy | 🔵 Trivial | 💤 Low value

Passwordless sudo for vscode user.

NOPASSWD:ALL grants unrestricted root escalation inside the container. Acceptable for a dev-only container, but worth a brief comment explaining the tradeoff since it broadens the attack surface if the container is ever exposed or reused for other purposes.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.devcontainer/Dockerfile around lines 32 - 35, The `vscode` user setup in
the Dockerfile grants unrestricted passwordless sudo via the sudoers entry, so
add a brief inline comment near the `useradd`/`sudoers.d/vscode` setup
explaining that this is intentional for a dev-only container and broadens the
attack surface if reused elsewhere. Keep the existing `vscode` provisioning
behavior unchanged and document the tradeoff where the `vscode` user and sudoers
rule are defined.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.agentic/solve-config.md:
- Line 9: The repo guidance in solve-config is out of sync with the vendoring
workflow because it only mentions running go mod vendor after go.mod changes.
Update the instruction text to match the repo standard by including go mod tidy
before go mod vendor, so the dependency metadata and vendor tree stay aligned.
Keep the fix localized to the vendoring guidance in the solve-config document.

In @.apm/instructions/general.instructions.md:
- Line 33: Update the vendoring guidance so it tells contributors to run go mod
tidy before go mod vendor when changing go.mod; this applies to the vendor/
instruction in the general instructions file, and the wording should make it
clear that both go.mod/go.sum and vendor/ must stay in sync.

In @.apm/prompts/origin-dev-setup.prompt.md:
- Around line 60-90: The Linux container startup logic is using a generic
`command -v docker` check, which can succeed for native Docker and incorrectly
skip the `--docker-path podman` fallback. Update the detection in the origin dev
setup prompt to explicitly verify the Podman Docker shim (or package presence)
before selecting the Linux path, and keep the `devcontainer up` command choice
tied to that shim-specific check.

In @.devcontainer/Dockerfile:
- Line 42: The uv installation step is piping a remote installer directly into
sh, so replace it with a safer flow in the Dockerfile’s uv install RUN step.
Download the installer separately, verify it against a pinned known-good
checksum before executing, or switch to a package-managed installation path.
Keep the existing INSTALLER_NO_MODIFY_PATH and UV_INSTALL_DIR behavior, but make
the install sequence explicit and verifiable.
- Around line 24-30: The devcontainer build in the Dockerfile downloads
golangci-lint and gh release artifacts without integrity verification. Update
the existing RUN block that fetches these binaries to validate them with pinned
checksums or signatures before installation, or, if this is intentionally left
unchecked, document that decision clearly in the Dockerfile so the risk is
explicit.

In @.devcontainer/post-create.sh:
- Around line 12-17: The Claude Code install step in post-create.sh currently
pipes the remote installer directly into sh, which should be replaced with a
safer download-and-verify flow. Update the install logic in the main Claude
installation block to fetch the installer first, verify its checksum or
signature before execution, and only then run it; keep the SKIP_CLAUDE_INSTALL
branch unchanged.

In @.devcontainer/README.md:
- Around line 23-26: Remove the redundant bootstrap step from the README
instructions: the manual podman exec invocation that runs
.devcontainer/post-create.sh repeats the work already handled by
postCreateCommand during devcontainer up. Update the instructions near the
numbered setup steps in .devcontainer/README.md so that the “Exec in” example
uses the same origin-dev podman exec command only to open an interactive bash
shell, and no longer references running the post-create script manually.

In `@hack/agentic_setup.sh`:
- Around line 8-11: The wrapper in agentic_setup.sh resolves REPO_ROOT and
invokes post-create.sh but never changes into the repository before running it.
Update this flow so the script enters ${REPO_ROOT} before calling
.devcontainer/post-create.sh, keeping the existing SKIP_CLAUDE_INSTALL=true
environment, so repo-relative commands inside post-create.sh such as go mod
download and make build run from the checkout root.

---

Nitpick comments:
In @.devcontainer/devcontainer.json:
- Around line 10-14: The devcontainer mounts in devcontainer.json expose host
credentials and should be tightened or clearly documented. Review the mounts
array that binds ~/.config/gcloud, ~/.config/gh, and ~/.claude into the
container, then either scope them down to only the minimum required credentials
or add explicit README guidance about the security risk and when to use these
mounts.

In @.devcontainer/Dockerfile:
- Around line 32-35: The `vscode` user setup in the Dockerfile grants
unrestricted passwordless sudo via the sudoers entry, so add a brief inline
comment near the `useradd`/`sudoers.d/vscode` setup explaining that this is
intentional for a dev-only container and broadens the attack surface if reused
elsewhere. Keep the existing `vscode` provisioning behavior unchanged and
document the tradeoff where the `vscode` user and sudoers rule are defined.

In @.devcontainer/post-create.sh:
- Around line 22-29: The Claude project linking block in post-create.sh uses sed
to replace slashes in HOST_WORKSPACE_FOLDER, but this can be simplified with
shell parameter expansion. Update the host_project_dir assignment in the symlink
setup logic to use bash’s built-in string substitution instead of spawning sed,
keeping the existing HOST_WORKSPACE_FOLDER, claude_projects, and -workspace
symlink behavior unchanged.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: a2311ea8-6503-43ff-913f-e1763cd419d3

📥 Commits

Reviewing files that changed from the base of the PR and between da416b0 and 6dc73f4.

📒 Files selected for processing (34)
  • .agentic/followup-config.md
  • .agentic/solve-config.md
  • .apm/instructions/general.instructions.md
  • .apm/instructions/testing.instructions.md
  • .apm/prompts/origin-dev-setup.prompt.md
  • .claude/commands/origin-dev-setup.md
  • .claude/rules/general.md
  • .claude/rules/testing.md
  • .cursor/commands/origin-dev-setup.md
  • .cursor/mcp.json
  • .cursor/rules/general.mdc
  • .cursor/rules/testing.mdc
  • .devcontainer/.env.example
  • .devcontainer/Dockerfile
  • .devcontainer/README.md
  • .devcontainer/devcontainer.json
  • .devcontainer/post-create.sh
  • .gemini/commands/origin-dev-setup.toml
  • .gemini/settings.json
  • .gitattributes
  • .github/instructions/general.instructions.md
  • .github/instructions/testing.instructions.md
  • .github/prompts/origin-dev-setup.prompt.md
  • .gitignore
  • .mcp.json
  • .opencode/commands/origin-dev-setup.md
  • AGENTS.md
  • CLAUDE.md
  • GEMINI.md
  • Makefile
  • apm.lock.yaml
  • apm.yml
  • hack/agentic_setup.sh
  • opencode.json

Comment thread .agentic/solve-config.md Outdated
Comment thread .apm/instructions/general.instructions.md Outdated
Comment on lines +60 to +90
Also check for `podman-docker`:

```bash
command -v docker
```

If missing, suggest installing `podman-docker` (dnf or apt depending on `/etc/os-release`).

### 5. Environment file

Check if `.devcontainer/.env` exists:

```bash
test -f .devcontainer/.env
```

If missing, copy from the example:

```bash
cp .devcontainer/.env.example .devcontainer/.env
```

Then read `.devcontainer/.env` and check for empty required values. If any are blank (e.g. `ANTHROPIC_VERTEX_PROJECT_ID`), tell the user which values need to be filled in and ask them to edit `.devcontainer/.env` and let you know when they're done. **Do not** ask for the values directly or write to the file yourself — the user should edit it. Wait for them to confirm before continuing.

### 6. Start the container

Determine the right command based on OS:

- **macOS**: `devcontainer up --workspace-folder . --docker-path podman`
- **Linux** (with `podman-docker`): `devcontainer up --workspace-folder .`
- **Linux** (without `podman-docker`): `devcontainer up --workspace-folder . --docker-path podman`

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Check for the Podman Docker shim explicitly. command -v docker also matches native Docker, so the Linux branch can incorrectly assume podman-docker is present and skip --docker-path podman when it isn’t. Use a shim-specific check or package verification before choosing that path.

🧰 Tools
🪛 LanguageTool

[style] ~82-~82: Consider using “who” when you are referring to a person instead of an object.
Context: ...OPIC_VERTEX_PROJECT_ID`), tell the user which values need to be filled in and ask the...

(THAT_WHO)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.apm/prompts/origin-dev-setup.prompt.md around lines 60 - 90, The Linux
container startup logic is using a generic `command -v docker` check, which can
succeed for native Docker and incorrectly skip the `--docker-path podman`
fallback. Update the detection in the origin dev setup prompt to explicitly
verify the Podman Docker shim (or package presence) before selecting the Linux
path, and keep the `devcontainer up` command choice tied to that shim-specific
check.

Comment thread .devcontainer/Dockerfile
Comment on lines +24 to +30
RUN ARCH=$(uname -m) && \
if [ "$ARCH" = "aarch64" ]; then GO_ARCH="arm64"; else GO_ARCH="amd64"; fi && \
rpm -i "https://github.com/golangci/golangci-lint/releases/download/v${GOLANGCI_LINT_VERSION}/golangci-lint-${GOLANGCI_LINT_VERSION}-linux-${GO_ARCH}.rpm" && \
curl -fsSL "https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_${GO_ARCH}.tar.gz" \
| tar xz -C /tmp && \
mv "/tmp/gh_${GH_VERSION}_linux_${GO_ARCH}/bin/gh" /usr/local/bin/gh && \
chmod +x /usr/local/bin/gh

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== relevant files =="
git ls-files .devcontainer . | rg '(^|/)(Dockerfile|post-create\.sh|devcontainer.*json|compose\.ya?ml|README\.md)$' || true

echo
echo "== .devcontainer/Dockerfile =="
nl -ba .devcontainer/Dockerfile | sed -n '1,220p'

echo
echo "== search for golangci-lint / gh / checksum / signature / sha256 =="
rg -n 'golangci-lint|gh_|sha256|checksum|gpg|cosign|cosign|verify|devcontainer|post-create' .devcontainer . -g '!**/node_modules/**' -g '!**/dist/**' -g '!**/build/**' || true

Repository: openshift/origin

Length of output: 19790


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== relevant files =="
git ls-files .devcontainer . | rg '(^|/)(Dockerfile|post-create\.sh|devcontainer.*json|compose\.ya?ml|README\.md)$' || true

echo
echo "== .devcontainer/Dockerfile =="
nl -ba .devcontainer/Dockerfile | sed -n '1,220p'

echo
echo "== search for golangci-lint / gh / checksum / signature / sha256 =="
rg -n 'golangci-lint|gh_|sha256|checksum|gpg|cosign|verify|devcontainer|post-create' .devcontainer . -g '!**/node_modules/**' -g '!**/dist/**' -g '!**/build/**' || true

Repository: openshift/origin

Length of output: 19790


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== .devcontainer/Dockerfile =="
cat -n .devcontainer/Dockerfile

echo
echo "== .devcontainer/devcontainer.json =="
cat -n .devcontainer/devcontainer.json

echo
echo "== .devcontainer/post-create.sh =="
cat -n .devcontainer/post-create.sh

echo
echo "== .devcontainer/README.md =="
cat -n .devcontainer/README.md

echo
echo "== search =="
rg -n 'golangci-lint|gh_|sha256|checksum|gpg|cosign|verify|devcontainer|local development|developer|dev-only' .devcontainer README.md . -g '!**/node_modules/**' -g '!**/dist/**' -g '!**/build/**' || true

Repository: openshift/origin

Length of output: 50373


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== .devcontainer/Dockerfile (lines 1-120) =="
awk '{printf "%4d  %s\n", NR, $0}' .devcontainer/Dockerfile | sed -n '1,120p'

echo
echo "== .devcontainer/devcontainer.json =="
awk '{printf "%4d  %s\n", NR, $0}' .devcontainer/devcontainer.json

echo
echo "== .devcontainer/post-create.sh =="
awk '{printf "%4d  %s\n", NR, $0}' .devcontainer/post-create.sh

echo
echo "== .devcontainer/README.md =="
awk '{printf "%4d  %s\n", NR, $0}' .devcontainer/README.md

echo
echo "== focused search in .devcontainer =="
rg -n 'golangci-lint|gh_|sha256|checksum|gpg|cosign|verify|local development|developer|dev-only|security|supply chain' .devcontainer

Repository: openshift/origin

Length of output: 8295


Pin checksums or signatures for the devcontainer downloads. The devcontainer is for local development, but these release artifacts are still fetched and executed during the image build. Add integrity checks if this image may be shared, or document the risk as intentional.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.devcontainer/Dockerfile around lines 24 - 30, The devcontainer build in the
Dockerfile downloads golangci-lint and gh release artifacts without integrity
verification. Update the existing RUN block that fetches these binaries to
validate them with pinned checksums or signatures before installation, or, if
this is intentionally left unchecked, document that decision clearly in the
Dockerfile so the risk is explicit.

Comment thread .devcontainer/Dockerfile
ENV GOPATH=/home/vscode/go
ENV PATH="/home/vscode/.local/bin:${GOPATH}/bin:/usr/local/go/bin:${PATH}"

RUN curl -LsSf https://astral.sh/uv/install.sh | env INSTALLER_NO_MODIFY_PATH=1 UV_INSTALL_DIR=/usr/local/bin sh

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== File context ==\n'
git ls-files .devcontainer/Dockerfile .devcontainer/post-create.sh
printf '\n== Relevant snippets ==\n'
sed -n '1,120p' .devcontainer/Dockerfile
printf '\n--- post-create.sh ---\n'
sed -n '1,200p' .devcontainer/post-create.sh

printf '\n== Search for uv install references ==\n'
rg -n "astral\.sh/uv/install\.sh|uv install|INSTALLER_NO_MODIFY_PATH|UV_INSTALL_DIR" .devcontainer .

Repository: openshift/origin

Length of output: 3311


Avoid piping the uv installer into sh. Download the script first and pin a known-good checksum before execution, or use a package-managed install; otherwise a compromised CDN or installer can execute arbitrary code during the image build.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.devcontainer/Dockerfile at line 42, The uv installation step is piping a
remote installer directly into sh, so replace it with a safer flow in the
Dockerfile’s uv install RUN step. Download the installer separately, verify it
against a pinned known-good checksum before executing, or switch to a
package-managed installation path. Keep the existing INSTALLER_NO_MODIFY_PATH
and UV_INSTALL_DIR behavior, but make the install sequence explicit and
verifiable.

Comment on lines +12 to +17
if [[ "${SKIP_CLAUDE_INSTALL:-}" != "true" ]]; then
echo "==> Installing Claude Code..."
curl -fsSL https://claude.ai/install.sh | sh
else
echo "==> Skipping Claude Code install (SKIP_CLAUDE_INSTALL=true)."
fi

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n## File map\n'
git ls-files '.devcontainer/post-create.sh' 'hack/agentic_setup.sh'

printf '\n## Line-numbered snippets\n'
for f in '.devcontainer/post-create.sh' 'hack/agentic_setup.sh'; do
  echo "\n### $f"
  wc -l "$f"
  cat -n "$f"
done

printf '\n## Search for Claude install references\n'
rg -n 'SKIP_CLAUDE_INSTALL|claude\.ai/install\.sh|Claude Code|install\.sh' .devcontainer hack -S

Repository: openshift/origin

Length of output: 2980


Avoid piping the Claude installer directly into sh. Download it first and verify a checksum/signature before execution; otherwise a compromised claude.ai endpoint/CDN or MITM can execute arbitrary code in the devcontainer.

🧰 Tools
🪛 ast-grep (0.44.1)

[error] 13-13: Remote content fetched with curl/wget is piped directly into a shell interpreter, so any server compromise, MITM, or tampered mirror results in arbitrary code execution on this host. Download the script to a file first, verify its integrity (checksum/signature) and inspect it, then run the verified local copy.
Context: curl -fsSL https://claude.ai/install.sh | sh
Note: [CWE-494] Download of Code Without Integrity Check.

(curl-pipe-to-shell-bash)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.devcontainer/post-create.sh around lines 12 - 17, The Claude Code install
step in post-create.sh currently pipes the remote installer directly into sh,
which should be replaced with a safer download-and-verify flow. Update the
install logic in the main Claude installation block to fetch the installer
first, verify its checksum or signature before execution, and only then run it;
keep the SKIP_CLAUDE_INSTALL branch unchanged.

Comment thread .devcontainer/README.md Outdated
Comment thread hack/agentic_setup.sh
@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

- Fix vendor guidance: `go mod tidy && go mod vendor` in general instructions
- Add `cd` to repo root in hack/agentic_setup.sh before running post-create.sh
- Remove redundant post-create exec from README (postCreateCommand handles it)
- Add dev-only comment on passwordless sudo in Dockerfile
- Use bash parameter expansion instead of sed in post-create.sh

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

@smg247

smg247 commented Jul 8, 2026

Copy link
Copy Markdown
Member Author

@coderabbitai can you summarize the findings that are still present here?

@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
gh pr view 31371 --repo openshift/origin --json reviews,comments --jq '.reviews[] | {author: .author.login, body: .body, state: .state}' | head -c 3000
echo "---review comments---"
gh api repos/openshift/origin/pulls/31371/comments --paginate --jq '.[] | select(.user.login=="coderabbitai[bot]" or .user.login=="coderabbitai") | {id, path, line, body: .body[0:300], in_reply_to: .in_reply_to_id}'

Length of output: 7029


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Full comment bodies ==="
gh api repos/openshift/origin/pulls/31371/comments --paginate --jq '.[] | select(.user.login=="coderabbitai[bot]" or .user.login=="coderabbitai") | "----\nID: \(.id)\nPATH: \(.path)\nLINE: \(.line)\n\(.body)\n"'

Length of output: 20386


🏁 Script executed:

#!/bin/bash
set -euo pipefail
echo "=== .agentic/solve-config.md ==="
cat -n .agentic/solve-config.md
echo "=== .apm/instructions/general.instructions.md (vendor line) ==="
grep -n "vendor" .apm/instructions/general.instructions.md
echo "=== .devcontainer/post-create.sh ==="
cat -n .devcontainer/post-create.sh
echo "=== .devcontainer/Dockerfile ==="
cat -n .devcontainer/Dockerfile
echo "=== .apm/prompts/origin-dev-setup.prompt.md podman docker check ==="
grep -n "docker" .apm/prompts/origin-dev-setup.prompt.md

Length of output: 5295


@smg247 Here's a summary of where things stand. Of the 8 actionable findings I raised, 3 are addressed and 5 are still open:

✅ Addressed (in commit 1cb8403)

  • .apm/instructions/general.instructions.md (Line 33) — vendor guidance now says go mod tidy && go mod vendor.
  • .devcontainer/README.md — removed the redundant manual post-create.sh bootstrap step.
  • hack/agentic_setup.sh (Line ~9-11) — now cds into ${REPO_ROOT} before invoking post-create.sh.
  • .devcontainer/post-create.sh (Line 23) — sed replaced with bash parameter expansion (${HOST_WORKSPACE_FOLDER//\//-}).

🟡 Still open

  1. .agentic/solve-config.md (Line 9) — this copy still reads Run \go mod vendor`only, withoutgo mod tidy. The equivalent fix was applied to .apm/instructions/general.instructions.md` but not here, so it's now inconsistent with the rest of the guidance.
  2. .apm/prompts/origin-dev-setup.prompt.md (Line 63) — Linux podman-docker detection still uses a generic command -v docker, which also matches native Docker and can cause the setup flow to skip --docker-path podman when it's actually needed.
  3. .devcontainer/Dockerfile (Lines 24-30)golangci-lint and gh release artifacts are still downloaded and installed without checksum/signature verification.
  4. .devcontainer/Dockerfile (Line 43) — the uv installer is still piped directly into sh (curl -LsSf https://astral.sh/uv/install.sh | ... sh) without integrity verification.
  5. .devcontainer/post-create.sh (Line 14) — the Claude Code installer is still piped directly into sh (curl -fsSL https://claude.ai/install.sh | sh) without integrity verification.

Nitpick, unresolved (informational only)

  • .devcontainer/devcontainer.json (Lines 10-14) — mounting ~/.config/gcloud, ~/.config/gh, and ~/.claude into the container still widens the blast radius if any devcontainer-installed tooling is compromised. This is a design tradeoff worth documenting in the README rather than a hard blocker.

Items 3-5 are the same class of concern (unverified curl | sh supply-chain risk) — since this is a dev-only container, you may choose to document that as an accepted risk instead of adding checksum pinning, but worth an explicit call either way.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@smg247

smg247 commented Jul 8, 2026

Copy link
Copy Markdown
Member Author

@coderabbitai

origin-dev-setup.prompt.md command -v docker — Skip. This is an interactive Claude prompt, not a script. Claude asks the user what they have and adapts. Matches sippy's identical pattern which works in
production.

curl|sh supply chain (uv, golangci-lint/gh, Claude installer) — Skip. Dev-only container, all match sippy's pattern, versions are pinned. The installers don't publish stable checksums to verify against (they
change per release). Not worth the maintenance burden of tracking checksums for dev tooling.

Mount blast radius docs — Skip. Already documented in README Prerequisites section with all three mounts, what they're for, and how to create them.

@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown

Tip

For best results, initiate chat on the files or code changes.

@smg247 Understood — those are reasonable tradeoffs for a dev-only container, and consistent with the existing sippy pattern. I'm marking those three as withdrawn.

That leaves one still-open item from my earlier summary that wasn't addressed:

  • .agentic/solve-config.md (Line 9) — still reads Run \go mod vendor`only, withoutgo mod tidy, unlike the equivalent fix applied to .apm/instructions/general.instructions.md`. Let me know if you'd like to skip this one too for consistency's sake, or if it's just an oversight worth aligning.

✏️ Learnings added
Learnt from: smg247
URL: https://github.com/openshift/origin/pull/31371

Timestamp: 2026-07-08T20:03:16.694Z
Learning: In the openshift/origin repository's `.devcontainer` and `.apm`/`.claude`/`.cursor`/`.gemini`/`.opencode` devcontainer/APM tooling files, curl-piped-to-shell installers (e.g., `uv`, `golangci-lint`, `gh`, Claude Code CLI) are intentionally used without checksum/signature verification. This is an accepted tradeoff since the container is dev-only, versions are pinned, and the upstream installers don't publish stable checksums across releases. This pattern matches the existing `sippy` repository's devcontainer setup. Do not flag this as a security concern in future reviews of these files.

Learnt from: smg247
URL: https://github.com/openshift/origin/pull/31371

Timestamp: 2026-07-08T20:03:16.694Z
Learning: In openshift/origin, `.apm/prompts/origin-dev-setup.prompt.md` (and its generated copies under `.claude/commands/`, `.cursor/commands/`, `.gemini/commands/`, `.opencode/commands/`) is an interactive Claude/agent prompt, not a shell script. Using a generic `command -v docker` there to detect Docker/podman-docker is intentional — the agent asks the user what tooling they have and adapts, rather than relying on fully robust detection logic. This matches the `sippy` repository's identical pattern. Do not flag this as a script robustness bug.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

@smg247

smg247 commented Jul 8, 2026

Copy link
Copy Markdown
Member Author

@coderabbitai, I have just addressed that in the latest commit

@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
cat -n .agentic/solve-config.md

Length of output: 578


@smg247 Confirmed — Line 9 now reads Run \go mod tidy && go mod vendor`after changinggo.mod, consistent with .apm/instructions/general.instructions.md`. That resolves the last open item from my summary. Thanks for the quick turnaround!

@smg247

smg247 commented Jul 8, 2026

Copy link
Copy Markdown
Member Author

@coderabbitai can you do a fresh review?

@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown

@smg247 Sure thing — kicking off a fresh, full review of the PR now.

✅ Action performed

Full review finished.

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (2)
.devcontainer/post-create.sh (1)

1-2: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Consider adding pipefail to guard the curl | sh pipeline.

set -eu doesn't include pipefail, so if curl (line 14) fails mid-pipeline, the exit status of the pipeline is sh's, not curl's — a network failure could silently skip the Claude install without tripping set -e.

🔧 Proposed fix
 #!/bin/bash
-set -eu
+set -euo pipefail
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.devcontainer/post-create.sh around lines 1 - 2, The shell setup in
post-create.sh only enables errexit and nounset, so failures in the curl | sh
install pipeline can be hidden by the shell at the end of the pipe. Update the
script’s safety flags to include pipefail alongside the existing set options,
and keep the Claude install flow in the same script so the pipeline exits on
curl failures instead of silently continuing.
.apm/instructions/general.instructions.md (1)

8-10: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Include the GitHub mirrors in the regeneration guidance.

The generated surface in .gitattributes and apm.lock.yaml also includes .github/instructions/** and .github/prompts/**. Calling those out here would keep the source-of-truth doc aligned with the full deployed set.

♻️ Proposed edit
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.apm/instructions/general.instructions.md around lines 8 - 10, The
regeneration guidance is incomplete because it omits the GitHub mirror outputs
that are also generated from .apm sources. Update the instructions in the
general guidance so the make apm workflow explicitly includes the
.github/instructions/** and .github/prompts/** mirrors alongside the existing
AGENTS.md, CLAUDE.md, GEMINI.md, .claude/, .cursor/, .gemini/, and .opencode/
targets, using the same source-of-truth framing as the surrounding .apm docs.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.devcontainer/.env.example:
- Around line 2-4: The example env keys are in the wrong order and violate the
lint rule. Reorder the entries in the .env example so
ANTHROPIC_VERTEX_PROJECT_ID appears before CLAUDE_CODE_USE_VERTEX, keeping
CLOUD_ML_REGION in the same block and preserving the existing values.

In @.devcontainer/Dockerfile:
- Line 52: The devcontainer currently installs gotestsum with a floating `@latest`
tag, which makes rebuilds non-reproducible; update the RUN go install
gotest.tools/gotestsum@latest step to use a pinned version so the Dockerfile
always installs the same tool version. Keep the change localized to the
gotestsum install line in the Dockerfile.

---

Nitpick comments:
In @.apm/instructions/general.instructions.md:
- Around line 8-10: The regeneration guidance is incomplete because it omits the
GitHub mirror outputs that are also generated from .apm sources. Update the
instructions in the general guidance so the make apm workflow explicitly
includes the .github/instructions/** and .github/prompts/** mirrors alongside
the existing AGENTS.md, CLAUDE.md, GEMINI.md, .claude/, .cursor/, .gemini/, and
.opencode/ targets, using the same source-of-truth framing as the surrounding
.apm docs.

In @.devcontainer/post-create.sh:
- Around line 1-2: The shell setup in post-create.sh only enables errexit and
nounset, so failures in the curl | sh install pipeline can be hidden by the
shell at the end of the pipe. Update the script’s safety flags to include
pipefail alongside the existing set options, and keep the Claude install flow in
the same script so the pipeline exits on curl failures instead of silently
continuing.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 44eec234-7dc6-40d6-9d4e-b3607c37bffe

📥 Commits

Reviewing files that changed from the base of the PR and between da416b0 and 9287017.

📒 Files selected for processing (34)
  • .agentic/followup-config.md
  • .agentic/solve-config.md
  • .apm/instructions/general.instructions.md
  • .apm/instructions/testing.instructions.md
  • .apm/prompts/origin-dev-setup.prompt.md
  • .claude/commands/origin-dev-setup.md
  • .claude/rules/general.md
  • .claude/rules/testing.md
  • .cursor/commands/origin-dev-setup.md
  • .cursor/mcp.json
  • .cursor/rules/general.mdc
  • .cursor/rules/testing.mdc
  • .devcontainer/.env.example
  • .devcontainer/Dockerfile
  • .devcontainer/README.md
  • .devcontainer/devcontainer.json
  • .devcontainer/post-create.sh
  • .gemini/commands/origin-dev-setup.toml
  • .gemini/settings.json
  • .gitattributes
  • .github/instructions/general.instructions.md
  • .github/instructions/testing.instructions.md
  • .github/prompts/origin-dev-setup.prompt.md
  • .gitignore
  • .mcp.json
  • .opencode/commands/origin-dev-setup.md
  • AGENTS.md
  • CLAUDE.md
  • GEMINI.md
  • Makefile
  • apm.lock.yaml
  • apm.yml
  • hack/agentic_setup.sh
  • opencode.json

Comment thread .devcontainer/.env.example
Comment thread .devcontainer/Dockerfile

USER vscode

RUN go install gotest.tools/gotestsum@latest

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Map the Dockerfile and inspect the relevant section with line numbers.
git ls-files .devcontainer/Dockerfile
wc -l .devcontainer/Dockerfile
cat -n .devcontainer/Dockerfile | sed -n '1,120p'

Repository: openshift/origin

Length of output: 2521


🏁 Script executed:

#!/bin/bash
set -euo pipefail

rg -n "gotestsum|gotest\.tools/gotestsum" . -g '!**/.git/**'

Repository: openshift/origin

Length of output: 1760


Pin gotestsum instead of @latest. This keeps devcontainer rebuilds reproducible and avoids pulling a different tool version over time.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.devcontainer/Dockerfile at line 52, The devcontainer currently installs
gotestsum with a floating `@latest` tag, which makes rebuilds non-reproducible;
update the RUN go install gotest.tools/gotestsum@latest step to use a pinned
version so the Dockerfile always installs the same tool version. Keep the change
localized to the gotestsum install line in the Dockerfile.

@openshift-ci

openshift-ci Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

@smg247: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-ovn-fips 9287017 link true /test e2e-aws-ovn-fips

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants