eclipse-score · lurtz · Apr 28, 2026 · Apr 23, 2026 · Apr 27, 2026 · Apr 27, 2026
@@ -15,3 +15,9 @@
 # Exported image files shall never be committed.
 /export.img
 build/
+
+# bazel files
+/bazel-*
+
+# AI
+/.codex
@@ -22,6 +22,7 @@ repos:
       - id: check-executables-have-shebangs
       - id: check-added-large-files
         args: [--maxkb=50, --enforce-all] # increase or add git lfs if too strict
+        exclude: ^MODULE\.bazel\.lock$
   - repo: https://github.com/google/yamlfmt
     rev: 21ca5323a9c87ee37a434e0ca908efc0a89daa07 # v0.21.0
     hooks:

@@ -0,0 +1,31 @@
+# *******************************************************************************
+# Copyright (c) 2026 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# SPDX-License-Identifier: Apache-2.0
+# *******************************************************************************
+
+module(name = "score_devcontainer")
+
+bazel_dep(name = "rules_multitool", version = "1.11.1")
+
+multitool = use_extension("@rules_multitool//multitool:extension.bzl", "multitool")
+
+multitool.hub(lockfile = "//tools:lockfiles/actionlint.lock.json")
+multitool.hub(lockfile = "//tools:lockfiles/ruff.lock.json")
+multitool.hub(lockfile = "//tools:lockfiles/shellcheck.lock.json")
+multitool.hub(lockfile = "//tools:lockfiles/yamlfmt.lock.json")
+multitool.hub(lockfile = "//tools:lockfiles/uv.lock.json")
+multitool.hub(lockfile = "//tools:lockfiles/buildifier.lock.json")
+multitool.hub(lockfile = "//tools:lockfiles/starpls.lock.json")
+multitool.hub(lockfile = "//tools:lockfiles/bazelisk.lock.json")
+
+use_repo(multitool, "multitool")
+
+register_toolchains("@multitool//toolchains:all")
@@ -25,7 +25,9 @@ SPDX-License-Identifier = "Apache-2.0"
 
 [[annotations]]
 path = ["resources/reopen_in_container.png",
-        "resources/devcontainer_success.png"
+        "resources/devcontainer_success.png",
+        "tools/lockfiles/*.lock.json",
+        "MODULE.bazel.lock",
         ]
 SPDX-FileCopyrightText = "Copyright (c) 2026 Contributors to the Eclipse Foundation"
 SPDX-License-Identifier = "Apache-2.0"

@@ -16,4 +16,6 @@ FROM buildpack-deps:noble-curl
 
 LABEL dev.containers.features="common"
 
+COPY tools /usr/local/share/score-tools
+
 RUN userdel -f -r ubuntu
@@ -3,9 +3,6 @@
     "id": "bazel",
     "version": "1.0.0",
     "description": "Bazel and supplimentary tools for working with Bazel-based projects.",
-    "dependsOn": {
-        "./s-core-local": {} // needed for extracting versions (versions.sh)
-    },
     "onCreateCommand": "/devcontainer/features/bazel/on_create_command.sh",
     "postCreateCommand": {
         // The repos in S-CORE may use different Bazel versions. This ensures that the required version is installed.

@@ -29,30 +29,21 @@ rm -f "${COPY_TARGET}/devcontainer-features.env" "${COPY_TARGET}/devcontainer-fe
 DEBIAN_FRONTEND=noninteractive
 
 # Read tool versions + metadata into environment variables
-. /devcontainer/features/s-core-local/versions.sh /devcontainer/features/bazel/versions.yaml
+. /usr/local/share/score-tools/versions.sh /devcontainer/features/bazel/versions.yaml
 
 ARCHITECTURE=$(dpkg --print-architecture)
 
+source /usr/local/share/score-tools/tool_lockfile_helpers.sh
+
 apt-get update
 
 # INSTALL CONTAINER BUILD DEPENDENCIES
 # Container build dependencies are not pinned, since they are removed anyway after container creation.
 apt-get install apt-transport-https -y
 
-# Bazelisk, directly from GitHub
-# Using the existing devcontainer feature is not optimal:
-# - it does not check the SHA256 checksum of the downloaded file
-# - it cannot pre-install a specific version of Bazel, or prepare bash completion
-BAZELISK_VARIANT="amd64"
-SHA256SUM="${bazelisk_amd64_sha256}"
-if [ "${ARCHITECTURE}" = "arm64" ]; then
-    BAZELISK_VARIANT="arm64"
-    SHA256SUM="${bazelisk_arm64_sha256}"
-fi
-curl -L "https://github.com/bazelbuild/bazelisk/releases/download/v${bazelisk_version}/bazelisk-${BAZELISK_VARIANT}.deb" -o /tmp/bazelisk.deb
-echo "${SHA256SUM} /tmp/bazelisk.deb" | sha256sum -c - || exit 1
-apt-get install -y --no-install-recommends --fix-broken /tmp/bazelisk.deb
-rm /tmp/bazelisk.deb
+# Bazelisk + Bazel
+score_install_tool_from_lockfile bazelisk
+ln -sf /usr/local/bin/bazelisk /usr/local/bin/bazel
 
 # Pre-install a fixed Bazel version, setup the bash command completion
 export USE_BAZEL_VERSION=${bazel_version}
@@ -67,28 +58,11 @@ sh -c "echo 'INSTALLED_BAZEL_VERSION=${bazel_version}' >> /devcontainer/features
 # This is required for corporate environments with custom CA certificates
 echo 'startup --host_jvm_args=-Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts --host_jvm_args=-Djavax.net.ssl.trustStorePassword=changeit' >> /etc/bazel.bazelrc
 
-# Buildifier, directly from GitHub (apparently no APT repository available)
-# The version is pinned to a specific release, and the SHA256 checksum is provided by the devcontainer-features.json file.
-BUILDIFIER_VARIANT="amd64"
-SHA256SUM="${buildifier_amd64_sha256}"
-if [ "${ARCHITECTURE}" = "arm64" ]; then
-    BUILDIFIER_VARIANT="arm64"
-    SHA256SUM="${buildifier_arm64_sha256}"
-fi
-curl -L "https://github.com/bazelbuild/buildtools/releases/download/v${buildifier_version}/buildifier-linux-${BUILDIFIER_VARIANT}" -o /usr/local/bin/buildifier
-echo "${SHA256SUM} /usr/local/bin/buildifier" | sha256sum -c - || exit 1
-chmod +x /usr/local/bin/buildifier
+# Buildifier
+score_install_tool_from_lockfile buildifier
 
-# Starlark Language Server, directly from GitHub (apparently no APT repository available)
-STARPLS_VARIANT="amd64"
-SHA256SUM="${starpls_amd64_sha256}"
-if [ "${ARCHITECTURE}" = "arm64" ]; then
-    STARPLS_VARIANT="aarch64"
-    SHA256SUM="${starpls_arm64_sha256}"
-fi
-curl -L "https://github.com/withered-magic/starpls/releases/download/v${starpls_version}/starpls-linux-${STARPLS_VARIANT}" -o /usr/local/bin/starpls
-echo "${SHA256SUM} /usr/local/bin/starpls" | sha256sum -c - || exit 1
-chmod +x /usr/local/bin/starpls
+# Starlark Language Server
+score_install_tool_from_lockfile starpls
 
 # Code completion for C++ code of Bazel projects
 # (see https://github.com/kiron1/bazel-compile-commands)

@@ -16,17 +16,21 @@
 set -euo pipefail
 
 # Read tool versions + metadata into environment variables
-. /devcontainer/features/s-core-local/versions.sh /devcontainer/features/bazel/versions.yaml
+. /usr/local/share/score-tools/versions.sh /devcontainer/features/bazel/versions.yaml
+source /usr/local/share/score-tools/tool_lockfile_helpers.sh
 
+bazelisk_lockfile_version="$(score_tool_version bazelisk)"
+buildifier_lockfile_version="$(score_tool_version buildifier)"
+starpls_lockfile_version="$(score_tool_version starpls)"
 # Bazel-related tools
 ## This is the bazel version preinstalled in the devcontainer.
 ## A solid test would disable the network interface first to prevent a different version from being downloaded,
 ## but that requires CAP_NET_ADMIN, which is not yet added.
 export USE_BAZEL_VERSION=${bazel_version}
-check "validate bazelisk is working and has the correct version" bash -c "bazelisk version | grep '${bazelisk_version}'"
+check "validate bazelisk is working and has the correct version" bash -c "bazelisk version | grep '${bazelisk_lockfile_version}'"
 check "validate bazel is working and has the correct version" bash -c "bazel version | grep '${bazel_version}'"
 unset USE_BAZEL_VERSION
 
-check "validate buildifier is working and has the correct version" bash -c "buildifier --version | grep '${buildifier_version}'"
-check "validate starpls is working and has the correct version" bash -c "starpls version | grep '${starpls_version}'"
+check "validate buildifier is working and has the correct version" bash -c "buildifier --version | grep '${buildifier_lockfile_version}'"
+check "validate starpls is working and has the correct version" bash -c "starpls version | grep '${starpls_lockfile_version}'"
 check "validate bazel-compile-commands is working and has the correct version" bash -c "bazel-compile-commands --version 2>&1 | grep '${bazel_compile_commands_version}'"
@@ -14,40 +14,6 @@ bazel:
   # https://github.com/bazelbuild/bazel/releases -- latest version as of 2025-09-24
   version: 8.4.1
   # no need to define sha256 here, as bazel is installed via bazelisk
-buildifier:
-  version: 8.2.1
-  amd64:
-    # The following sha256sum is for the binary buildifier-linux-amd64
-    # from the GitHub release page of buildtools
-    # It is generated by running 'sha256sum buildifier-linux-amd64'
-    sha256: 6ceb7b0ab7cf66fceccc56a027d21d9cc557a7f34af37d2101edb56b92fcfa1a
-  arm64:
-    # The following sha256sum is for the binary buildifier-linux-arm64
-    # from the GitHub release page of buildtools
-    # It is generated by running 'sha256sum buildifier-linux-arm64'
-    sha256: 3baa1cf7eb41d51f462fdd1fff3a6a4d81d757275d05b2dd5f48671284e9a1a5
-bazelisk:
-  version: 1.27.0
-  amd64:
-    # The following sha256sums are for the deb package bazelisk_<version>_amd64.deb
-    # It is generated by running 'sha256sum bazelisk_<version>_amd64.deb'
-    sha256: d8b00ea975c823e15263c80200ac42979e17368547fbff4ab177af035badfa83
-  arm64:
-    # The following sha256sums are for the deb package bazelisk_<version>_arm64.deb
-    # It is generated by running 'sha256sum bazelisk_<version>_arm64.deb'
-    sha256: 173c5b367b485a30ce58c1d0d560b39d257a2d7a3c859c45d7d05eb61605a2a1
-starpls:
-  version: 0.1.22
-  amd64:
-    # The following sha256sum is for the binary starpls-linux-amd64
-    # from the GitHub release page of starpls
-    # It is generated by running 'sha256sum starpls-linux-amd64'
-    sha256: 7c661cdde0d1c026665086d07523d825671e29056276681616bb32d0273c5eab
-  arm64:
-    # The following sha256sum is for the binary starpls-linux-arm64
-    # from the GitHub release page of starpls
-    # It is generated by running 'sha256sum starpls-linux-arm64'
-    sha256: 55877ec4c3ff03e1d90d59c76f69a3a144b6c29688747c8ac4d77993e2eef1ad
 bazel_compile_commands:
   version: 0.18.0
   amd64:

@@ -2,7 +2,7 @@
     "build": {
         // Installs latest version from the Distribution
         "dockerfile": "./${localEnv:DEVCONTAINER_DOCKERFILE_NAME:Dockerfile}",
-        "context": ".",
+        "context": "../../../",
         "args": {
             "HTTP_PROXY": "${localEnv:HTTP_PROXY}",
             "HTTPS_PROXY": "${localEnv:HTTPS_PROXY}",

@@ -31,57 +31,12 @@ rm -f "${COPY_TARGET}/devcontainer-features.env" "${COPY_TARGET}/devcontainer-fe
 DEBIAN_FRONTEND=noninteractive
 
 # Read tool versions + metadata into environment variables
-. /devcontainer/features/s-core-local/versions.sh /devcontainer/features/s-core-local/versions.yaml
+. /usr/local/share/score-tools/versions.sh /devcontainer/features/s-core-local/versions.yaml
 
 ARCHITECTURE=$(dpkg --print-architecture)
 KERNEL=$(uname -s)
 
-# Downloads and extracts a tool from GitHub releases, based on the provided URL pattern, version and architecture-specific checksums.
-# The URL pattern can include placeholders for version and architecture variant
-download_and_extract_from_github() {
-    local url_pattern="$1"
-    local tool_name="$2"
-    local amd64_name="$3"
-    local arm64_name="$4"
-    local extract_names="$5"
-    local strip_components="${6:-0}"
-    local temp_file="/tmp/${tool_name}"
-
-    local version_name="${tool_name}_version"
-    export version="${!version_name}"
-    variant="${amd64_name}"
-    local sha256sum_name="${tool_name}_amd64_sha256"
-    if [ "${ARCHITECTURE}" = "arm64" ]; then
-        variant="${arm64_name}"
-        sha256sum_name="${tool_name}_arm64_sha256"
-    fi
-    sha256sum="${!sha256sum_name}"
-    export variant
-
-    local url
-    url="$(eval "echo ${url_pattern}")"
-
-    curl -L "${url}" -o "${temp_file}"
-    echo "${sha256sum} ${temp_file}" | sha256sum -c - || exit 1
-
-    local tar_options=""
-    if [[ "${url}" == *.tar.gz ]]; then
-        tar_options="-xzf"
-    elif [[ "${url}" == *.tar.xz ]]; then
-        tar_options="-xf"
-    elif [[ "${url}" == *.tar.zst ]]; then
-        tar_options="-I zstd -xf"
-    fi
-
-    local extract_names_expanded
-    extract_names_expanded="$(eval "echo ${extract_names}")"
-
-    # shellcheck disable=SC2086
-    # tar_options and extract_names_expanded are expected to be word-split
-    tar ${tar_options} "${temp_file}" -C "/usr/local/bin" --strip-components="${strip_components}" ${extract_names_expanded}
-
-    rm "${temp_file}"
-}
+source /usr/local/share/score-tools/tool_lockfile_helpers.sh
 
 # always add PIPX_BIN_DIR to path
 PIPX_BIN_DIR_EXPORT="$(grep "export PIPX_BIN_DIR" /etc/bash.bashrc)"
@@ -98,13 +53,14 @@ apt-get install -y man-db manpages manpages-dev manpages-posix manpages-posix-de
 # Container build dependencies are not pinned, since they are removed anyway after container creation.
 apt-get install apt-transport-https -y
 
+# Python, via APT
+apt-get install -y "python${python_version}" python3-pip python3-venv
+# The following packages correspond to the list of packages installed by the
+# devcontainer feature "python" (cf. https://github.com/devcontainers/features/tree/main/src/python )
+apt-get install -y flake8 python3-autopep8 black python3-yapf mypy pydocstyle pycodestyle bandit pipenv virtualenv pylint
+
 # static code analysis for shell scripts
-download_and_extract_from_github \
-    'https://github.com/koalaman/shellcheck/releases/download/v${version}/shellcheck-v${version}.linux.${variant}.tar.xz' \
-    "shellcheck" \
-    "x86_64" "aarch64" \
-    'shellcheck-v${version}/shellcheck' \
-    1
+score_install_tool_from_lockfile shellcheck
 
 # GraphViz
 # The Ubuntu Noble package of GraphViz
@@ -118,12 +74,6 @@ apt-get install -y git
 apt-get install -y git-lfs
 apt-get install -y gh
 
-# Python, via APT
-apt-get install -y "python${python_version}" python3-pip python3-venv
-# The following packages correspond to the list of packages installed by the
-# devcontainer feature "python" (cf. https://github.com/devcontainers/features/tree/main/src/python )
-apt-get install -y flake8 python3-autopep8 black python3-yapf mypy pydocstyle pycodestyle bandit pipenv virtualenv pylint
-
 # OpenJDK 21, via APT
 # Set JAVA_HOME environment variable system-wide, since some tools rely on it (e.g., Bazel's rules_java)
 apt-get install -y ca-certificates-java openjdk-21-jdk-headless="${openjdk_21_version}*"
@@ -135,34 +85,17 @@ echo -e "JAVA_HOME=${JAVA_HOME}\nexport JAVA_HOME" > /etc/profile.d/java_home.sh
 apt-get install -y --no-install-recommends --fix-broken qemu-system-arm="${qemu_system_arm_version}*"
 
 # ruff
-download_and_extract_from_github \
-    'https://github.com/astral-sh/ruff/releases/download/${version}/ruff-${variant}-unknown-linux-gnu.tar.gz' \
-    "ruff" \
-    "x86_64" "aarch64" \
-    'ruff-${variant}-unknown-linux-gnu/ruff' \
-    1
+score_install_tool_from_lockfile ruff
 
 # actionlint
-download_and_extract_from_github \
-    'https://github.com/rhysd/actionlint/releases/download/v${version}/actionlint_${version}_linux_${variant}.tar.gz' \
-    "actionlint" \
-    "amd64" "arm64" \
-    'actionlint'
+score_install_tool_from_lockfile actionlint
 
 # yamlfmt
-download_and_extract_from_github \
-    'https://github.com/google/yamlfmt/releases/download/v${version}/yamlfmt_${version}_Linux_${variant}.tar.gz' \
-    "yamlfmt" \
-    "x86_64" "arm64" \
-    'yamlfmt'
+score_install_tool_from_lockfile yamlfmt
 
 # uv
-download_and_extract_from_github \
-    'https://github.com/astral-sh/uv/releases/download/${version}/uv-${variant}-unknown-linux-gnu.tar.gz' \
-    "uv" \
-    "x86_64" "aarch64" \
-    'uv-${variant}-unknown-linux-gnu/uv uv-${variant}-unknown-linux-gnu/uvx' \
-    1
+score_install_tool_from_lockfile uv
+score_install_tool_from_lockfile uvx uv
 
 # basedpyright
 su $(ls /home) -c "uv tool install basedpyright@\"${basedpyright_version}\""
Original file line number	Diff line number	Diff line change
Expand Up		@@ -16,4 +16,6 @@ FROM buildpack-deps:noble-curl

		LABEL dev.containers.features="common"

		COPY tools /usr/local/share/score-tools

		RUN userdel -f -r ubuntu