Add chezmoi toolbox image with optional dotfiles initialization #10
Conversation
Co-authored-by: jhulten <[email protected]>
jhulten left a comment:
Isn't git part of the base image? If not, add it there instead of in the chezmoi image.
Co-authored-by: jhulten <[email protected]>
You're right - git wasn't in the base image but was being duplicated in both devcontainer and chezmoi. I've moved it to the base image in commit 8c68db7, which also cleaned up the devcontainer Dockerfile by removing the duplicate git installation.
Pull request overview
This PR adds a new chezmoi toolbox image for managing dotfiles via containers. The changes refactor git installation to the base image, eliminating duplication across derived images, and introduce a new chezmoi image with optional dotfiles initialization during build time.
Key changes:
- Consolidates git installation into the base image, removing duplication from devcontainer
- Adds new chezmoi toolbox with version-pinned installation and optional CHEZMOI_REPO build argument
- Implements CI/CD workflow following the established devcontainer pattern with base image dependency triggers
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| base/Dockerfile | Adds git package to base image for reuse across all derived toolboxes |
| devcontainer/Dockerfile | Removes redundant git installation now inherited from base |
| chezmoi/Dockerfile | New toolbox image with chezmoi v2.56.1 and optional dotfiles repo initialization |
| .github/workflows/build-chezmoi-image.yml | CI/CD pipeline for building and publishing chezmoi image with base image dependency handling |
| README.md | Documents the new chezmoi toolbox with usage examples and security warnings |
Comments suppressed due to low confidence (1)
chezmoi/Dockerfile:15
- The chezmoi installation uses `curl -fsLS` without verifying the downloaded script's integrity (e.g., checksum or signature). Consider adding verification or using a pinned version with checksum validation for better security.
RUN sh -c "$(curl -fsLS get.chezmoi.io)" -- -b /usr/local/bin -t v${CHEZMOI_VERSION}
| build-args: | | ||
| BASE_IMAGE_TAG=${{ steps.base-tag.outputs.tag }} | ||
| cache-from: type=gha | ||
| cache-to: type=gha,mode=max |
Copilot AI, Dec 1, 2025:
Missing trailing newline at end of file. According to POSIX standard and common best practices, text files should end with a newline character.
Fixed in commit 679a0c4.
README.md (Outdated)
| Base toolbox image with common dependencies (ca-certificates, curl, git, zsh, mise). | ||
|
|
||
| ### Devcontainer | ||
| Development container image with git, SSH, GPG, and locale support. |
Copilot AI, Dec 1, 2025:
The description mentions "git" as available in the base image, but the Devcontainer description also lists "git" as one of its features. Since git is now inherited from the base image, this creates redundancy. Consider updating the description to focus on what Devcontainer adds beyond the base: "Development container image with SSH, GPG, and locale support."
| Development container image with git, SSH, GPG, and locale support. | |
| Development container image with SSH, GPG, and locale support. |
Fixed in commit 679a0c4.
chezmoi/Dockerfile (Outdated)
|
|
||
| # Install chezmoi using the official installation script | ||
| ARG CHEZMOI_VERSION=2.56.1 | ||
| RUN sh -c "$(curl -fsLS get.chezmoi.io)" -- -b /usr/local/bin -t v${CHEZMOI_VERSION} |
Copilot AI, Dec 1, 2025:
The install command uses curl get.chezmoi.io without an explicit scheme, which defaults to HTTP. Piping unverified HTTP content directly to sh enables a network attacker (e.g., MITM) to inject and execute arbitrary code during the image build. Fix by explicitly using https://get.chezmoi.io and adding integrity checks (e.g., download a specific release asset over https and verify its checksum/signature), for example:
RUN sh -c "$(curl -fsLS --proto '=https' https://get.chezmoi.io)" -- -b /usr/local/bin -t v${CHEZMOI_VERSION}
| RUN sh -c "$(curl -fsLS get.chezmoi.io)" -- -b /usr/local/bin -t v${CHEZMOI_VERSION} | |
| RUN sh -c "$(curl -fsLS --proto '=https' https://get.chezmoi.io)" -- -b /usr/local/bin -t v${CHEZMOI_VERSION} |
Instead of using the curl endpoint, please install chezmoi with mise (aqua:twpayne/chezmoi).
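The checksum-verified download that Copilot's comment above asks for, as an added example that is not code from this PR or from the chezmoi project (jhulten's reply above, installing through mise, avoids the install script altogether). It assumes chezmoi releases are published on GitHub under twpayne/chezmoi as `chezmoi_<version>_linux_amd64.tar.gz` with a `chezmoi_<version>_checksums.txt` alongside and the binary at the archive root; check those names against the release page before relying on them.

```shell
#!/bin/sh
# Added example, not from the PR: install a pinned chezmoi release over HTTPS
# only and refuse to use it unless its SHA-256 matches the published checksums.
# Assumed asset layout: chezmoi_<ver>_linux_amd64.tar.gz plus
# chezmoi_<ver>_checksums.txt (lines of "<sha256>  <filename>") on the GitHub
# release page, with the chezmoi binary at the root of the archive.
set -eu

# verify_sha256 FILE CHECKSUMS: succeed only if CHECKSUMS lists FILE's basename
# and the recorded SHA-256 equals the file's actual digest.
verify_sha256() {
    file=$1
    sums=$2
    name=$(basename "$file")
    expected=$(awk -v n="$name" '$2 == n { print $1 }' "$sums")
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
        return 0
    fi
    return 1
}

# install_chezmoi VERSION [DESTDIR]: download, verify, then install the binary.
install_chezmoi() {
    ver=$1
    dest=${2:-/usr/local/bin}
    base="https://github.com/twpayne/chezmoi/releases/download/v${ver}"
    asset="chezmoi_${ver}_linux_amd64.tar.gz"
    tmp=$(mktemp -d)
    # --proto limits the scheme of the URL itself and --proto-redir the scheme
    # of any redirect, so a downgrade to plain HTTP fails instead of succeeding.
    curl -fsSL --proto '=https' --proto-redir '=https' \
        -o "$tmp/$asset" "$base/$asset"
    curl -fsSL --proto '=https' --proto-redir '=https' \
        -o "$tmp/checksums.txt" "$base/chezmoi_${ver}_checksums.txt"
    if ! verify_sha256 "$tmp/$asset" "$tmp/checksums.txt"; then
        echo "checksum mismatch for $asset; refusing to install" >&2
        rm -rf "$tmp"
        return 1
    fi
    tar -xzf "$tmp/$asset" -C "$tmp" chezmoi
    install -m 0755 "$tmp/chezmoi" "$dest/chezmoi"
    rm -rf "$tmp"
}

# When run as a script: sh install-chezmoi.sh 2.56.1 /usr/local/bin
[ $# -eq 0 ] || install_chezmoi "$@"
```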
`... || exit 1` is redundant
Co-authored-by: Copilot <[email protected]>
README.md (Outdated)
| Run the container: | ||
| ```bash | ||
| docker run -it my-chezmoi zsh |
Make zsh the default command for a run or start
Fixed in commit 679a0c4 by adding CMD ["/bin/zsh"] to the Dockerfile.
| # Optional: Initialize chezmoi with a dotfiles repo | ||
| # WARNING: This will execute code from the dotfiles repository during build. | ||
| # Only use with trusted repositories. | ||
| ARG CHEZMOI_REPO="" |
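Review bot: a credential passed through this ARG is persisted in the image. Because CHEZMOI_REPO is consumed by a build step (the WARNING above says the repository's code runs during the build), the value supplied with `--build-arg` is recorded in that layer's metadata and shows up in `docker history` of the published image, so a personal access token embedded in the URL, as proposed for private repositories in this thread, would be exposed to anyone who can pull the image. Suggest keeping the ARG for the repository URL only, supplying the credential through a BuildKit secret (`RUN --mount=type=secret,id=...`) or the `--ssh` mount, and extending the WARNING comment to state that the ARG value must not contain a token.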
How would we pass credentials to chezmoi to get dotfiles from a private repo?
For private repos, credentials can be passed by:
- Using `--build-arg CHEZMOI_REPO=https://[email protected]/user/dotfiles.git` with a GitHub personal access token
- Mounting SSH keys at build time with `--ssh` in Docker buildx (requires modifying the Dockerfile to use `RUN --mount=type=ssh`)
- Or, skip initialization during build and run `chezmoi init` manually after starting the container with mounted credentials
The current implementation supports option 1. Options 2-3 would require additional Dockerfile modifications if you'd like me to add them.
Co-authored-by: jhulten <[email protected]>
Just as a heads up, I was blocked by some firewall rules while working on your feedback. I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
@copilot Let's see option 2
… SSH when needed
Co-authored-by: jhulten <[email protected]>
Implemented in commits f8ca570 and dcfd2b3. The Dockerfile now supports SSH key mounting with:
Usage:
Adds a chezmoi toolbox for managing dotfiles via container image.
Changes
- base/Dockerfile: Added git to base image
- chezmoi/Dockerfile: New image extending base toolbox
  - `CHEZMOI_REPO` build arg to initialize dotfiles during build
  - `RUN --mount=type=ssh`
- devcontainer/Dockerfile: Simplified to remove git installation
- .github/workflows/build-chezmoi-image.yml: CI/CD pipeline following devcontainer pattern
- README.md: Documents available toolboxes and usage
  - `CHEZMOI_REPO` usage
Usage
Warning: Using `CHEZMOI_REPO` will execute code from the dotfiles repository during the build process. Only use with trusted repositories.
Private Repository Access
For private dotfiles repositories, you can pass credentials via:
- `--build-arg CHEZMOI_REPO=https://[email protected]/user/dotfiles.git`
- `--ssh default` flag with SSH URL format (git@host:user/repo.git)
- `chezmoi init` after starting the container with mounted credentials