
Implement devcontainer-lock.json

Open ggjulio opened this issue 8 months ago • 0 comments

See the original spec: https://github.com/devcontainers/spec/blob/main/docs/specs/devcontainer-lockfile.md

Example repo: https://github.com/microsoft/vscode/blob/main/.devcontainer/devcontainer-lock.json


Goal

Introduce a lockfile that records the exact version, download information and checksums for each feature listed in the devcontainer.json.

This will allow for:

  • Improved reproducibility of image builds (installing "latest" of a tool will still have different outcomes as the tool publishes new releases).
  • Improved cacheability of image builds (image cache checksums will remain stable when the lockfile pins a feature to a particular version).
  • Improved security by detecting when a feature's release artifact changes after its checksum was first recorded in the lockfile ("trust on first use").

Useful resources:

  • https://github.com/devcontainers/spec/issues/236
  • https://github.com/devcontainers/cli/issues/564

ggjulio, Jun 20 '24 08:06
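
The "trust on first use" check described in the goal, as an added Go sketch that is not part of the original issue and is not envbuilder's or the devcontainers CLI's code. It assumes each lockfile entry carries `version`, `resolved` and `integrity` fields as in the linked spec; the function names, the feature id and the artifact bytes are hypothetical and constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// LockedFeature is one entry under "features"; field names assumed from the linked spec.
type LockedFeature struct {
	Version   string `json:"version"`
	Resolved  string `json:"resolved"`
	Integrity string `json:"integrity"`
}
type Lockfile struct {
	Features map[string]LockedFeature `json:"features"`
}
var ErrIntegrity = errors.New("feature artifact changed since it was locked")

func ParseLockfile(data []byte) (*Lockfile, error) {
	lock := &Lockfile{}
	return lock, json.Unmarshal(data, lock)
}

// CheckFeature pins an unseen feature or verifies a locked one; true means a new entry was written.
func CheckFeature(lock *Lockfile, id, version, resolved string, artifact []byte) (bool, error) {
	sum := sha256.Sum256(artifact)
	digest := "sha256:" + hex.EncodeToString(sum[:])
	if lock.Features == nil {
		lock.Features = map[string]LockedFeature{}
	}
	entry, locked := lock.Features[id]
	if !locked { // first use: record what was downloaded
		lock.Features[id] = LockedFeature{Version: version, Resolved: resolved, Integrity: digest}
		return true, nil
	}
	if entry.Integrity != digest { // artifact differs from the recorded checksum
		return false, fmt.Errorf("%w: %s: locked %s, got %s", ErrIntegrity, id, entry.Integrity, digest)
	}
	return false, nil
}

func main() {
	lock, _ := ParseLockfile([]byte(`{"features":{}}`)) // constructed, empty lockfile
	id := "ghcr.io/example/features/tool:1"             // hypothetical feature id
	fmt.Println(CheckFeature(lock, id, "1.0.0", id, []byte("release-v1"))) // pinned
	fmt.Println(CheckFeature(lock, id, "1.0.0", id, []byte("tampered")))   // rejected
}
```

A build that fails on `ErrIntegrity` rather than silently re-pinning is what turns the lockfile from a cache key into a tamper check; updating an entry should be an explicit, reviewed change to the committed file.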