
Debian:12 for base image, build pipeline and prefetch of srl image#1

Merged
hellt merged 19 commits intomainfrom
bookworm-base-image
Jan 9, 2026

Conversation

@hellt (Contributor) commented Jan 8, 2026

need to fix the k3s image to match the k8s version we use in kind

@hellt changed the title from "use bookworm" to "Debian:12 for base image, build pipeline and prefetch of srl image" on Jan 9, 2026
@hellt marked this pull request as ready for review January 9, 2026 16:41
Copilot AI review requested due to automatic review settings January 9, 2026 16:41
@hellt merged commit f2772f0 into main Jan 9, 2026
1 check passed

Copilot AI left a comment


Pull request overview

This pull request migrates the devcontainer base image from Ubuntu to Debian 12 (Bookworm), adds a GitHub Actions workflow for automated image building, and introduces a configuration file for resource-constrained codespaces environments. The changes also include pinning k3d to v5.8.3 and prefetching the SRL (SR Linux) container image.

Key Changes:

  • New GitHub Actions workflow to build and push devcontainer images to GHCR
  • Migration from Ubuntu-based to Debian 12 base image with manual user setup
  • Added KPT setters configuration file for 4vCPU codespaces with minimal CPU resource requirements

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 7 comments.

Summary per file:

  • .github/workflows/build-devcontainer.yml: New workflow for building and pushing devcontainer images on PR, release, and manual trigger
  • .devcontainer/Dockerfile: Migrated to Debian 12, added user creation, pinned k3d version, added SRL image prefetch logic
  • .devcontainer/devcontainer.json: Updated image reference to new GHCR location with PR tag, added auto-forward browser action
  • .devcontainer/postCreate.sh: Simplified to use KPT setters file, removed separate keycloak configuration step
  • .devcontainer/codespaces-4vcpu-kpt-setters.yaml: New configuration file defining minimal CPU resource requirements for codespaces deployment


@@ -0,0 +1,30 @@
# This setters file is meant for use in codespaces (4vcpu) VMs
# to provide configuration for the EDA platform
# It is applied in the codespaces post-create script as an argument to `make try-eda.
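Review bot: the third header line never closes its inline code span (`make try-eda.` should be `make try-eda`); while touching it, state how postCreate.sh hands this file to make (which variable or flag), since that is the only place the setters file is consumed and a reader of this YAML otherwise has to open the script to find out.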

Copilot AI Jan 9, 2026


The comment has a typo - "codespaces post-create script as an argument to make try-eda." is missing the closing backtick. It should be "argument to make try-eda`."

Suggested change
# It is applied in the codespaces post-create script as an argument to `make try-eda.
# It is applied in the codespaces post-create script as an argument to `make try-eda`.

Comment on lines +45 to +47
RUN SRL=$(curl -s "https://raw.githubusercontent.com/nokia-eda/playground/refs/heads/main/topology/3-nodes-srl.yaml" | $EDA_PLAYGROUND_DIR/tools/yq '.spec.nodeTemplates | filter(.name == "default").[].nodeProfile'); \
curl "https://raw.githubusercontent.com/nokia-eda/kpt/refs/heads/main/eda-kpt-playground/$SRL/engine_v1_nodeprofile_srlinux_${SRL//[^0-9.]/}.yaml" | \
$EDA_PLAYGROUND_DIR/tools/yq '.spec.containerImage' >> $HOME/.images.txt No newline at end of file
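Review bot: `${SRL//[^0-9.]/}` on the second line is a bash-only parameter expansion, but a Dockerfile RUN line executes under /bin/sh (dash on Debian 12) unless a `SHELL ["/bin/bash", "-c"]` instruction precedes it; confirm that is set, otherwise this step fails with "Bad substitution". Neither curl call passes `-f`, so an HTTP error page would be piped into yq and whatever yq emits appended to `$HOME/.images.txt`; use `curl -fsS` and check that the extracted image reference is non-empty so a broken fetch cannot poison the prefetch list.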

Copilot AI Jan 9, 2026


The curl command in the complex shell pipeline lacks error handling. If any of the curl requests fail or the yq filtering produces no results, the script will continue silently. Consider adding error checks (set -e, or checking exit codes) to ensure the SRL image URL is successfully retrieved and appended.

Suggested change
RUN SRL=$(curl -s "https://raw.githubusercontent.com/nokia-eda/playground/refs/heads/main/topology/3-nodes-srl.yaml" | $EDA_PLAYGROUND_DIR/tools/yq '.spec.nodeTemplates | filter(.name == "default").[].nodeProfile'); \
curl "https://raw.githubusercontent.com/nokia-eda/kpt/refs/heads/main/eda-kpt-playground/$SRL/engine_v1_nodeprofile_srlinux_${SRL//[^0-9.]/}.yaml" | \
$EDA_PLAYGROUND_DIR/tools/yq '.spec.containerImage' >> $HOME/.images.txt
RUN set -euo pipefail; \
SRL=$(curl -fsSL "https://raw.githubusercontent.com/nokia-eda/playground/refs/heads/main/topology/3-nodes-srl.yaml" | \
"$EDA_PLAYGROUND_DIR/tools/yq" '.spec.nodeTemplates | filter(.name == "default").[].nodeProfile'); \
if [[ -z "${SRL:-}" ]]; then \
echo "Error: Failed to retrieve SRL node profile from topology definition." >&2; \
exit 1; \
fi; \
IMAGE_URL=$(curl -fsSL "https://raw.githubusercontent.com/nokia-eda/kpt/refs/heads/main/eda-kpt-playground/$SRL/engine_v1_nodeprofile_srlinux_${SRL//[^0-9.]/}.yaml" | \
"$EDA_PLAYGROUND_DIR/tools/yq" '.spec.containerImage'); \
if [[ -z "${IMAGE_URL:-}" ]]; then \
echo "Error: Failed to extract SRL container image from node profile." >&2; \
exit 1; \
fi; \
echo "$IMAGE_URL" >> "$HOME/.images.txt"

jobs:
build:
name: Build and Push
runs-on: ubuntu-24.04
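Review bot: the `build` job declares no `permissions:` block; since it pushes to GHCR, grant it explicitly and minimally (`contents: read`, `packages: write`) instead of inheriting the repository-wide default token scope, and set `permissions: {}` at workflow level so any job added later starts with nothing. The `ubuntu-24.04` label itself is fine; it is a generally available GitHub-hosted runner image.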

Copilot AI Jan 9, 2026


The workflow uses ubuntu-24.04 as the runner. While this is valid, verify that ubuntu-24.04 is available in your GitHub Actions environment as it's a newer LTS version. If there are any compatibility concerns, ubuntu-22.04 or ubuntu-latest might be safer alternatives.

Suggested change
runs-on: ubuntu-24.04
runs-on: ubuntu-22.04

Comment on lines +45 to +54
type=ref,event=pr
type=ref,event=tag
type=sha

- name: Build and push image
uses: docker/build-push-action@v6
with:
context: ${{ env.CONTEXT }}
file: ${{ env.DOCKERFILE }}
push: true
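Review bot: `uses: docker/build-push-action@v6` tracks a floating major tag; pin it to a full commit SHA (with the version in a trailing comment) so the step that holds the registry credentials cannot change underneath the workflow. With `push: true` and a `type=ref,event=pr` tag, every PR build lands in the registry; gating the push on `github.event_name != 'pull_request'` also means PR runs never need `packages: write` at all.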

Copilot AI Jan 9, 2026


The workflow pushes images on every pull request (type=ref,event=pr), which could clutter the registry with numerous PR images. Consider whether images should only be pushed on merge to main or specific branches, or add cleanup logic for PR images.

Suggested change
type=ref,event=pr
type=ref,event=tag
type=sha
- name: Build and push image
uses: docker/build-push-action@v6
with:
context: ${{ env.CONTEXT }}
file: ${{ env.DOCKERFILE }}
push: true
type=ref,event=tag
type=sha
- name: Build and push image
uses: docker/build-push-action@v6
with:
with:
context: ${{ env.CONTEXT }}
file: ${{ env.DOCKERFILE }}
push: ${{ github.event_name != 'pull_request' }}

{
"name": "Nokia EDA in GitHub Codespaces",
"image": "ghcr.io/eda-labs/eda-devcontainer:latest",
"image": "ghcr.io/eda-labs/codespaces/base:pr-1",
Copy link
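Review bot: `ghcr.io/eda-labs/codespaces/base:pr-1` is a tag the new workflow rewrites on every push to this PR, so the devcontainer definition cannot be reproduced later. Once a stable tag exists, reference the image by digest (`image@sha256:<digest>`) or at least by a release tag, and have the workflow print the digest it pushed so the pin is updated deliberately rather than drifting.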

Copilot AI Jan 9, 2026


The image tag is set to "pr-1" which appears to be a temporary testing tag. This should be updated to a production-ready tag (e.g., "latest", a version tag, or "main") before merging to ensure the devcontainer uses the correct stable image.

Suggested change
"image": "ghcr.io/eda-labs/codespaces/base:pr-1",
"image": "ghcr.io/eda-labs/codespaces/base:latest",

COPY codespaces-4vcpu-kpt-setters.yaml /eda-codespaces/codespaces-4vcpu-kpt-setters.yaml

RUN curl -s https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh | bash
RUN curl -fsSL --retry 3 https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh | TAG=v5.8.3 bash
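Review bot: `TAG=v5.8.3` pins which k3d binary the script installs, but `install.sh` itself is still fetched from the mutable `main` branch, and `--retry 3` only covers transient network errors, not tampering. Prefer downloading the k3d binary for v5.8.3 from the tagged GitHub release and verifying it against the published checksum before moving it into the PATH; that removes the pipe-to-bash step entirely rather than hardening it.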

Copilot AI Jan 9, 2026


curl is downloading and piping https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh directly into bash while running as root, and the script is only pinned to the mutable main branch with no integrity verification. If the k3d GitHub repo or the network path is compromised, an attacker can serve arbitrary shell commands and gain code execution in the build environment (and any CI/CD context using this Dockerfile). To mitigate this, pin to an immutable reference (e.g., a specific commit or release asset) and verify its integrity (checksum/signature) before execution, or vendor the installer script in the repo instead of executing it directly from the network.

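The mitigation described in the comment above, as an added example that is not code from this PR, from k3d or from the nokia-eda projects: download to disk, verify a pinned SHA-256, and only then execute, plus a commit-pinned clone for the playground checkout flagged further down. The URL, checksum and commit values in the usage comment are placeholders.

```shell
# Added example, not part of the PR. Replaces "curl ... | bash" with
# download -> verify -> execute, and an unpinned clone with a commit-pinned one.
set -eu

# verify_sha256 FILE EXPECTED_HEX: returns 0 on match, 1 (with a message) otherwise.
verify_sha256() {
  file="$1"; expected="$2"
  actual=$(sha256sum "$file" | cut -d' ' -f1)
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file: expected $expected, got $actual" >&2
    return 1
  fi
  return 0
}

# fetch_verified URL EXPECTED_HEX DEST: -f makes curl fail on HTTP errors instead
# of saving an error page; any failure removes DEST so nothing unverified is left
# behind for a later build step to run.
fetch_verified() {
  url="$1"; expected="$2"; dest="$3"
  if ! curl -fsSL --retry 3 -o "$dest" "$url"; then rm -f "$dest"; return 1; fi
  if ! verify_sha256 "$dest" "$expected"; then rm -f "$dest"; return 1; fi
  return 0
}

# clone_pinned REPO_URL COMMIT_SHA DIR: shallow-fetch one exact commit (GitHub
# serves fetches by full SHA) and confirm HEAD is that commit before anything in
# the tree, such as a Makefile, gets executed.
clone_pinned() {
  repo="$1"; sha="$2"; dir="$3"
  git init -q "$dir" && git -C "$dir" fetch -q --depth 1 "$repo" "$sha" \
    && git -C "$dir" checkout -q FETCH_HEAD || return 1
  [ "$(git -C "$dir" rev-parse HEAD)" = "$sha" ] || return 1
}

# Placeholder usage for the two Dockerfile steps (values are NOT real):
#   fetch_verified "https://raw.githubusercontent.com/k3d-io/k3d/<commit>/install.sh" \
#       "<sha256 of that install.sh>" /tmp/k3d-install.sh \
#     && TAG=v5.8.3 bash /tmp/k3d-install.sh
#   clone_pinned "https://github.com/$EDA_PLAYGROUND_REPO" "<commit sha>" "$EDA_PLAYGROUND_DIR"
```

The pinned checksum and commit belong in the Dockerfile next to the version they correspond to, so bumping k3d or the playground is a reviewed diff rather than a silent change.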
USER vscode

RUN git clone "https://github.com/$EDA_PLAYGROUND_REPO" $EDA_PLAYGROUND_DIR && cd $EDA_PLAYGROUND_DIR && make download-tools
RUN git clone --depth 1 "https://github.com/$EDA_PLAYGROUND_REPO" $EDA_PLAYGROUND_DIR && cd $EDA_PLAYGROUND_DIR && make download-tools
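Review bot: `--depth 1` shrinks the clone but still fetches whatever `main` of `$EDA_PLAYGROUND_REPO` holds at build time, so two builds of the same Dockerfile can produce different images and different downloaded tools. Add `--branch <tag>` for a tagged release, or fetch a specific commit and check it out, then verify `git rev-parse HEAD` matches the expected SHA and record it in an image `LABEL` so the provenance of what `make download-tools` installs is visible from the image metadata.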

Copilot AI Jan 9, 2026


This RUN git clone --depth 1 "https://github.com/$EDA_PLAYGROUND_REPO" ... && make download-tools step pulls code from an unpinned external GitHub repository and immediately executes its Makefile, with the repository location also overridable via the EDA_PLAYGROUND_REPO build arg. Because the fetched code is not tied to an immutable commit or verified by checksum/signature, a compromise of that GitHub repo (or a malicious override of the build arg) would allow arbitrary code execution during image build. To reduce this supply-chain risk, pin the clone to a specific, trusted commit or release and/or mirror/vendor the code in a controlled repository, and avoid allowing untrusted overrides of the repo location.

@hellt deleted the bookworm-base-image branch January 9, 2026 20:30