Add metadata-injector devcontainer feature #238
Creates a lightweight standalone metadata-injector feature that takes standard devcontainer build-time options ($VERSION and $BUILDDATE) and bakes them into a static text file at /usr/local/etc/container_metadata/build_info.txt. Generates a globally executable command /usr/local/bin/container-info that correctly parses and displays these metadata values. Adds a global test scenario to scenarios.json and an accompanying testing script to verify behavior. Co-authored-by: MiguelRodo <23501332+MiguelRodo@users.noreply.github.com>
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task.
…nd injection vulnerabilities in the `metadata-injector`.
Here is a summary of the fixes I implemented:
* Securely re-implemented the `metadata-injector` devcontainer feature. I addressed a critical command injection vulnerability where the `container-info` executable was insecurely evaluating user-injected text via `source`. The executable now safely extracts version metadata using standard command-line text-parsing utilities.
* Resolved a CI failure in the global scenarios test pipeline by ensuring `renv-cache-jq-unit-test` executes against the proper `r-ver` base image instead of an empty Ubuntu base image.
* Fixed GitHub Action deprecation warnings across workflows by opting into Node.js 24 (`FORCE_JAVASCRIPT_ACTIONS_TO_NODE24`).
* Updated the `README.md` file to correctly map standard environment variables utilizing `${localEnv:VAR_NAME}` for feature context.
Please let me know if you need me to make any further adjustments!
Co-authored-by: MiguelRodo <23501332+MiguelRodo@users.noreply.github.com>
Introduces a new devcontainer feature, `build-info`, which securely bakes build-time metadata (`version` and `buildDate`) into a static text file. Also creates a globally executable `/usr/local/bin/container-info` command that safely parses and displays the stored values without evaluating them as code (mitigating command injection risks). Includes a global test scenario, documentation updates detailing `localEnv` mapping, and configures `.github/workflows` to silence Node 20 deprecation warnings by opting into Node 24. Co-authored-by: MiguelRodo <23501332+MiguelRodo@users.noreply.github.com>
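The difference between sourcing the metadata file and parsing it as text, as an added example that is not the PR's own code. The `KEY=value` file layout, the function names and the sample option value are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes the metadata file holds KEY=value lines.

# Constructed sample: the build option carries shell syntax after the version.
write_sample() {
    version='1.2.3; INJECTED=yes'
    builddate='2024-01-01'
    cat > "$1" <<EOF
VERSION=$version
BUILDDATE=$builddate
EOF
}

# Pattern the fix removed: sourcing runs every line of the file as shell code.
# The subshell keeps the side effects out of the caller's environment.
read_unsafe() {
    ( . "$1"; printf '%s|%s\n' "$VERSION" "${INJECTED:-}" )
}

# Hardened pattern: the file is data. Print everything after "KEY=" on the
# first matching line, without handing it to the shell.
read_safe() {
    awk -v key="$2" 'index($0, key "=") == 1 {
        print substr($0, length(key) + 2); exit
    }' "$1"
}

# Optional install-time check: accept only characters a version or date needs.
is_safe_value() {
    case "$1" in
        ''|*[!A-Za-z0-9._:+-]*) return 1 ;;
        *) return 0 ;;
    esac
}

f=$(mktemp)
write_sample "$f"
echo "sourced: $(read_unsafe "$f")"        # trailing text ran as an assignment
echo "parsed:  $(read_safe "$f" VERSION)"  # same text, shown as a literal
is_safe_value "$(read_safe "$f" VERSION)" || echo "value rejected by allow-list"
rm -f "$f"
```
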
This commit resolves ISSUE 1 by implementing a new `metadata-injector` DevContainer feature.

The feature is designed to:
* `version` and `buildDate`).
* `/usr/local/etc/container_metadata/build_info.txt`.
* `/usr/local/bin/container-info`) for easy metadata lookup inside the DevContainer.
* `install.sh` light and leveraging explicit HEREDOC structure to generate files instead of using tricky process privilege modifications.

Integration tests have been correctly wired up to `test/_global/` via the updated `scenarios.json` logic.

PR created automatically by Jules for task 430056628820806866 started by @MiguelRodo