feat(devcontainer): improve performance and reliability of devcontainer launch

.devcontainer/README.md

@@ -46,14 +46,12 @@ A pre-configured development environment that includes all tools, extensions, an
 ### Languages & Runtimes
 
 - Node.js (LTS)
-- Python 3.11
 - PowerShell 7.x
 
 ### CLI Tools
 
 - Git
 - GitHub CLI (`gh`)
-- Azure CLI (`az`)
 
 ### Code Quality
 
@@ -93,9 +91,11 @@ gitleaks detect --source . --verbose
 
 ## Troubleshooting
 
-**Container won't build**: Ensure Docker Desktop is running and you have sufficient disk space (5GB+).
+1. **Container won't build**: Ensure Docker Desktop is running and you have sufficient disk space (5GB+).
 
-**Extensions not loading**: Reload the window (`F1` → **Developer: Reload Window**).
+2. **Extensions not loading**: Reload the window (`F1` → **Developer: Reload Window**).
+
+3. **HTTP/TLS errors during build**: Machines with corporate firewalls performing TLS inspection will need to drop their corporate root trust certificate (PEM-formatted with `.crt` extension) file into the `.devcontainer` and rebuild the devcontainer. Also run `docker buildx use desktop-linux` to ensure you are using the default builder, which honors OS root certificate trust stores.
 
 For more help, see [SUPPORT.md](../SUPPORT.md).
 

.devcontainer/devcontainer.json

@@ -1,16 +1,35 @@
 {
   "name": "HVE Core - Markdown Editing",
   "image": "mcr.microsoft.com/devcontainers/base:ubuntu",
+  // Rename the mount to /workspace for consistency, otherwise its mounted using
+  // whatever folder name the user cloned the repo as
+  "workspaceMount": "\"source=${localWorkspaceFolder}\",target=/workspace,type=bind",
+  "workspaceFolder": "/workspace",
+  "mounts": [
+    // Put GitHub local user data in a volume
+    {
+      "type": "volume",
+      "source": "${devcontainerId}-userconfig",
+      "target": "/home/vscode/.config"
+    },
+    // Put node modules into volume for better performance
+    {
+      "type": "volume",
+      "source": "${devcontainerId}-nodemodules",
+      "target": "/workspace/node_modules"
+    }
+  ],
+  "containerEnv": {
+    "REQUESTS_CA_BUNDLE": "/etc/ssl/certs/ca-certificates.crt", // for pip
+    "NODE_EXTRA_CA_CERTS": "/etc/ssl/certs/ca-certificates.crt", // for nodejs
+    "SSL_CERT_FILE": "/etc/ssl/certs/ca-certificates.crt" // for uv (else use --native-tls flag)
+  },
   "features": {
     "ghcr.io/devcontainers/features/node:1": {
       "version": "lts"
     },
-    "ghcr.io/devcontainers/features/python:1": {
-      "version": "3.11"
-    },
     "ghcr.io/devcontainers/features/git:1": {},
     "ghcr.io/devcontainers/features/github-cli:1": {},
-    "ghcr.io/devcontainers/features/azure-cli:1": {},
     "ghcr.io/devcontainers/features/powershell:1": {}
   },
   "customizations": {
@@ -23,9 +42,21 @@
         "bierner.markdown-mermaid",
         "bpruitt-goddard.mermaid-markdown-syntax-highlighting",
         "github.vscode-pull-request-github"
-      ]
+      ],
+      "settings": {
+        // Prevent extensions from stealing focus, see microsoft/vscode#205225
+        "workbench.view.showQuietly": {
+          "workbench.panel.output": true
+        },
+      }
     }
   },
+  // This is to ensure support for config includes is properly handled, see microsoft/vscode-remote-release/2084
+  "initializeCommand": {
+    "extractGitGlobals": "(git config -l --global --include || true) > .gitconfig.global",
+    "extractGitLocals": "(git config -l --local --include || true) > .gitconfig.local"
+  },
+  "postAttachCommand": "/bin/bash .devcontainer/scripts/post-attach.sh",
   "onCreateCommand": "bash .devcontainer/scripts/on-create.sh",
   "postCreateCommand": "bash .devcontainer/scripts/post-create.sh",
   "remoteUser": "vscode"

.devcontainer/scripts/post-attach.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+set -euo pipefail
+
+# devcontainers copy your local gitconfig but do not parse conditional includes.
+# This re-configures the devcontainer git identities based on the prior exported
+# global and local git configurations *after* parsing host includes. See also:
+# https://github.com/microsoft/vscode-remote-release/issues/2084#issuecomment-2289987894
+function copy_user_gitconfig() {
+  for conf in .gitconfig.global .gitconfig.local; do
+    if [ -f $conf ]; then
+      echo "*** Parsing ${conf##.gitconfig.} Git configuration export"
+      while IFS='=' read -r key value; do
+        case "$key" in
+        user.name | user.email | user.signingkey | commit.gpgsign)
+          echo "Set Git config ${key}=${value}"
+          git config --global "$key" "$value"
+          ;;
+        esac
+      done < "$conf"
+      rm -f "${conf}"
+    fi
+  done
+}
+
+#
+# Main execution path
+#
+
+copy_user_gitconfig

.devcontainer/scripts/post-create.sh

@@ -5,10 +5,49 @@
 
 set -euo pipefail
 
-main() {
+# Volume ownership is not set automatically due to a bug:
+# https://github.com/microsoft/vscode-remote-release/issues/9931
+#
+# IMPORTANT: workaround requires Docker base image to have password-less sudo.
+function fix_volume_ownership() {
+  volume_path="$1"
+
+  if [ ! -d "$volume_path" ]; then
+    echo "ERROR: the volume path provided '$volume_path' does not exist."
+    exit 1
+  fi
+
+  echo "Setting volume ownership for $volume_path"
+  sudo chown "$USER:$USER" "$volume_path"
+}
+
+function fix_volume_ownerships() {
+  echo "Applying volume ownership workaround (see microsoft/vscode-remote-release#9931)..."
+  fix_volume_ownership "/home/${USER}/.config"
+  fix_volume_ownership "/workspace/node_modules"
+}
+
+function npm_install() {
   echo "Installing NPM dependencies..."
   npm install
   echo "NPM dependencies installed successfully"
 }
 
+function update_ca_certs() {
+  # Adds a root CA to the system certificate store. Useful if developer machines
+  # have MITM TLS inspection happening, e.g. with ZScaler.
+  echo "Updating container system CA certificates..."
+  if compgen -G ".devcontainer/*.crt" > /dev/null; then
+    sudo cp .devcontainer/*.crt /usr/local/share/ca-certificates/
+    sudo update-ca-certificates
+  fi
+  echo "Container's system CA certificates updated successfully"
+}
+
+main() {
+  fix_volume_ownerships
+  npm_install
+  update_ca_certs
+}
+
 main "$@"

.dockerignore

@@ -0,0 +1,2 @@
+**/.git/
+**/node_modules/

.gitattributes

@@ -1,8 +1,18 @@
 # Set the default behavior, in case core.autocrlf has not been set.
 * text=auto
 
-# Declare files that will always have LF line endings on checkout.
+# Declare files that must have specific line endings on checkout.
+## Windows scripts - must be CRLF
+*.ps text eol=crlf
+*.ps1 text eol=crlf
+*.bat text eol=crlf
+*.cmd text eol=crlf
+*.bat text eol=crlf
+
+## Linux scripts - must be LF
 *.sh text eol=lf
+*.Dockerfile text eol=lf
+Dockerfile text eol=lf
 
 # Denote all files that are truly binary and should not be modified.
 *.docx binary

.gitignore

@@ -442,3 +442,7 @@ pr-reference.xml
 .mcp/*-local.json
 .mcp/*.local.json
 .mcp/.env
+
+# devcontainer rebuild
+/.gitconfig.global
+/.gitconfig.local