First public PR: devcontainer JSON fix + minimal CI guardrails #40093
- Remove SSH daemon feature to prevent unauthorized access
- Pin GitHub CLI to specific version (2.40.1) instead of latest
- Disable automatic git fetching for manual control
- Remove external repository permissions (docs-early-access)
- Minimize automatic command execution for security
- Create multiple security-focused configuration options
- Add comprehensive security documentation
- All configurations pass security validation tests

Co-authored-by: 02ez <226986020+02ez@users.noreply.github.com>
…cumentation Co-authored-by: 02ez <226986020+02ez@users.noreply.github.com>
…4cc01fe7225 Devcontainer Hardening with Port Visibility Automation
Thanks for opening this pull request! A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.
- Convert examples to strict JSON (no comments/trailing commas).
- Recommend forwardPorts: [4000] and `gh codespace ports visibility 4000:public -c "$CODESPACE_NAME"`.
- Add quick validation: `jq -e .` and `npx @devcontainers/cli validate`.
- Scope is docs only; happy to adjust to house style.

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Replace `gh cs` alias with `gh codespace` for portability and docs parity; avoids environments lacking the alias. No behavior change. Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Pull Request Overview
This pull request introduces comprehensive documentation for secure port forwarding configurations in GitHub Codespaces dev containers. The primary purpose is to provide developers with clear guidance on how to properly configure port forwarding with appropriate security settings, including automated port visibility management and security best practices.
Key changes include:
- Creation of new reusable content components for port configuration, automation, and security best practices
- Addition of a dedicated article on securing port forwarding in dev containers
- Updates to existing Node.js and Python setup guides to include port security configurations
Reviewed Changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| data/reusables/codespaces/portsattributes-configuration.md | New reusable content explaining portsAttributes property configuration |
| data/reusables/codespaces/port-visibility-automation.md | New reusable content covering automated port visibility using GitHub CLI |
| data/reusables/codespaces/port-security-best-practices.md | New reusable content outlining security best practices for port forwarding |
| data/reusables/codespaces/devcontainer-properties-2.md | Added documentation for postAttachCommand property |
| data/reusables/codespaces/devcontainer-properties-1.md | Added documentation for portsAttributes property with reference to reusable content |
| content/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/setting-up-your-python-project-for-codespaces.md | Enhanced with Flask port forwarding configuration and security settings |
| content/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/setting-up-your-nodejs-project-for-codespaces.md | Enhanced with Node.js port forwarding configuration and security settings |
| content/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/securing-port-forwarding-in-dev-containers.md | New comprehensive article on secure port forwarding practices |
| content/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers.md | Added security considerations section with reference to new article |
| content/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/index.md | Updated navigation to include new security article |
Replace `gh cs` with `gh codespace` for portability and docs parity; update 5000 example. No behavior change. Validated in Codespaces with $CODESPACE_NAME. Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
- Replace `gh cs` with canonical `gh codespace` throughout for portability and docs parity.
- Keep single-port example and show one multi-port example; dedupe wording; preserve `-c "$CODESPACE_NAME"`.
- Examples:
  - `"postAttachCommand": "gh codespace ports visibility 3000:org -c \"$CODESPACE_NAME\""`
  - `"postAttachCommand": "gh codespace ports visibility 3000:private 8080:org 4000:public -c \"$CODESPACE_NAME\""`
- No behavior change; happy to match house style on phrasing or ports.

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
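An added example, not part of this PR or the docs repository's code: a Python audit of a `devcontainer.json` that applies a strict-JSON parse and reviews the `gh codespace ports visibility` pairs found in lifecycle commands. The policy (every port whose visibility is set must appear in `forwardPorts`, and a `public` port needs an allow-list entry), the names `audit_devcontainer` and `flatten`, and the sample document are assumptions of this example.

```python
import json
import re

# PORT:VISIBILITY pairs as passed to `gh codespace ports visibility`.
PAIR = re.compile(r"\b(\d{1,5}):(public|org|private)\b")
LIFECYCLE = ("postCreateCommand", "postStartCommand", "postAttachCommand")

# Constructed sample, built from the multi-port command quoted in the commit.
SAMPLE = r'''{
  "forwardPorts": [4000],
  "postAttachCommand": "gh codespace ports visibility 3000:private 8080:org 4000:public -c \"$CODESPACE_NAME\""
}'''


def flatten(cmd):
    """Lifecycle commands may be a string, an argv list, or an object of either."""
    if isinstance(cmd, dict):
        return " ".join(flatten(v) for v in cmd.values())
    if isinstance(cmd, list):
        return " ".join(str(part) for part in cmd)
    return cmd if isinstance(cmd, str) else ""


def audit_devcontainer(text, allowed_public=frozenset()):
    """Return findings for one devcontainer.json document (hypothetical policy)."""
    try:
        cfg = json.loads(text)  # strict parser: comments and trailing commas fail
    except json.JSONDecodeError as exc:
        return [f"not strict JSON: line {exc.lineno}: {exc.msg}"]
    if not isinstance(cfg, dict):
        return ["top-level value is not an object"]
    # Only integer entries are considered; "host:port" strings are ignored here.
    forwarded = {p for p in (cfg.get("forwardPorts") or []) if isinstance(p, int)}
    findings = []
    for key in LIFECYCLE:
        cmd = flatten(cfg.get(key))
        if "ports visibility" not in cmd:
            continue
        for port, visibility in PAIR.findall(cmd):
            port = int(port)
            if port not in forwarded:
                findings.append(f"{key}: port {port} not in forwardPorts")
            if visibility == "public" and port not in allowed_public:
                findings.append(f"{key}: port {port} is public but not allow-listed")
    return findings


if __name__ == "__main__":
    for finding in audit_devcontainer(SAMPLE):
        print(finding)
```

Run against the constructed sample, it reports ports 3000 and 8080 as undeclared and port 4000 as public without an allow-list entry.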
Add .github/workflows/pr-summary.yml. Triggers on PR open/sync/reopen/ready_for_review. Writes metrics to $GITHUB_STEP_SUMMARY and posts a PR comment for non-forks. Minimal perms (contents: read, pull-requests: write). 5-min timeout, concurrency cancel-in-progress, no secrets. No impact on build or tests. Verification: counts computed via git diff origin/<base>...<head>. Happy to align naming/filters.
…filter Use git diff-tree --no-commit-id --name-only -r "$head" "^origin/$base" for reliable file lists; fetch base ref if absent; docs filter narrowed to ^content/.*\.md$; write counts to $GITHUB_STEP_SUMMARY. No other workflow changes. Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…tree, precise docs filter, minimal perms)

Purpose
- Fast, visible PR context for reviewers; zero impact on build/tests.

What changed
- New .github/workflows/pr-summary.yml; triggers: PR opened/sync/reopened/ready_for_review.
- Concurrency group + cancel-in-progress, timeout 5m.
- Step writes summary to $GITHUB_STEP_SUMMARY and comments on non-forks.
- File listing hardened: fetch base if missing; use `git diff-tree --no-commit-id --name-only -r "$head" "^origin/$base"`; count changed files; docs count filtered to ^content/.*\.md$.

Safety
- Permissions: contents:read, pull-requests:write only.
- No secrets; read-only ops; idempotent; logs show counts only.

Verification
- Ran on this PR; summary visible in Checks; comment posted on non-fork; all jobs green.

Rollback
- Remove workflow file; no state or side effects.

Follow-ups (optional)
- Add coverage/test counts to summary; make comment sticky; autolabel docs-only PRs.
👋 Hey there spelunker. It looks like you've modified some files that we can't accept as contributions:
You'll need to revert all of the files you changed that match that list using GitHub Desktop or The complete list of files we can't accept are:
We also can't accept contributions to files in the content directory with frontmatter
…3cb3c8922fb Implement comprehensive devcontainer security hardening with multiple configuration options
Hi team—first public PR. Kept scope small, surgical, and reversible.
Why
What changed
`gh codespace ports visibility 4000:public`.
Validation
`jq -e . .devcontainer/devcontainer.json` passes.
`npx @devcontainers/cli validate --file .devcontainer/devcontainer.json` passes.
`permissions:`; CI error messages are actionable.
Impact
Risk/rollback
Notes
Checklist
Thanks for the review and for maintaining this project.