Adds devcontainer config files

[kenorb]

Summary by Sourcery

Add a standardized devcontainer environment with provisioning automation and CI validation, plus supporting Copilot agent setup and development tooling updates.

New Features:

• Introduce a Docker-based devcontainer configuration for local development.
• Add an Ansible-based provisioning playbook to install system packages, Python tooling, and pre-commit hooks inside the devcontainer.
• Define GitHub Actions workflows to build and test the devcontainer image and to prepare Copilot agent customization assets.
• Provide project-level VS Code settings to align the editor with the devcontainer and tooling setup.

Enhancements:

• Expand and refresh devcontainer Python requirements, including additional developer tools and updated dependency versions.
• Update pre-commit hook configurations and pinned versions for ansible-lint and markdownlint-cli to align with the new development environment.

CI:

• Add a reusable GitHub Actions workflow to build, cache, and validate the devcontainer image on pushes, pull requests, and scheduled runs.
• Add a GitHub Actions workflow to set up Copilot agent configuration, cache Python dependencies, and install project requirements for Copilot-related runs.

Summary by CodeRabbit

• Chores
  • Added a reusable devcontainer setup and Dockerfile for consistent dev environments.
  • Expanded container packages and VS Code extensions for development productivity (vim, direnv, ripgrep, GitHub CLI, etc.).
  • Added Ansible-based provisioning and updated Python dependency lists.
  • Added CI workflow to build/test devcontainer and a Copilot setup workflow.
  • Updated pre-commit hooks and CI step for shell formatter installation.

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c35d39d7-b083-4502-9ffd-9c4dc5660b52

📥 Commits

Reviewing files that changed from the base of the PR and between 013d44a and 44381f5.

📒 Files selected for processing (1)

• .github/workflows/check.yml

---

📝 Walkthrough

Walkthrough

Adds a devcontainer image/config, Ansible provisioning and dependency lists, CI workflows for devcontainer and Copilot setup, and updates pre-commit and VS Code tool settings.

Changes

Development Environment Setup

Layer / File(s)	Summary
Devcontainer image and configuration .devcontainer/Dockerfile, .devcontainer/devcontainer.json	Dockerfile scaffold with VARIANT; devcontainer.json set to noble, updates VS Code extensions and features, and uses initialize/onCreate hooks to prepare directories and run Ansible.
Provisioning dependency lists .devcontainer/apt-packages.txt, .devcontainer/requirements.txt, .devcontainer/requirements-ansible.txt	OS packages list and Python dependency files (dev and Ansible-specific), including docker>=7.1 and requests pinned to 2.32.5.
Ansible provisioning playbook .devcontainer/provision.yml	Installs apt packages from file, provisions Ansible via pipx and requirements-ansible.txt, installs Python requirements, and installs pre-commit hooks idempotently.
Pre-commit and VS Code configuration .pre-commit-config.yaml, .vscode/settings.json	Bumps ansible-lint and markdownlint hook revisions and settings, removes select hooks; VS Code setting auto-approves pre-commit terminal execution.
Devcontainer CI validation workflow .github/workflows/devcontainer-ci.yml	Builds and tests devcontainer image, manages GHCR login/cache, runs devcontainers/ci, and verifies required CLI tools, Python packages, and pre-commit inside the container.
Copilot agent setup workflow .github/workflows/copilot-setup-steps.yml	Clones Copilot agent repos into $HOME/.copilot, sets up Python 3.12 with pip caching, installs devcontainer Python deps, and ensures $HOME/.local/bin is on PATH.
CI shfmt install tweak .github/workflows/check.yml	Changes shfmt installation to use `curl -fsSL

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 In a burrow of code I neatly compile,
Containers, playbooks, and workflows in file,
Packages listed, hooks set to run,
CI checks pass when the build is done.
Hop, tweak, and push — a developer's smile!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Adds devcontainer config files' accurately describes the primary change—introducing development container configuration and related infrastructure.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/devcontainer

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sourcery-ai]

Hey - I've found 4 issues, and left some high level feedback:

• The GitHub Actions workflows reference non-existent or future action versions (e.g., actions/checkout@v6, docker/login-action@v4.2.0, actions/setup-python@v6.2.0); pin these to currently available major versions to avoid workflow resolution failures.
• In devcontainer-ci.yml, the env values use the inputs context even for non-workflow_call triggers; since inputs is only defined for reusable workflows, consider splitting the env logic or adding conditional defaults so push/PR triggers do not fail expression evaluation.
• The devcontainer provisioning playbook assumes pipx is present before running pipx install ansible; it would be more robust to install or validate pipx first (e.g., via apt or a bootstrap task) to prevent failures on base images that do not ship it.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The GitHub Actions workflows reference non-existent or future action versions (e.g., `actions/checkout@v6`, `docker/login-action@v4.2.0`, `actions/setup-python@v6.2.0`); pin these to currently available major versions to avoid workflow resolution failures.
- In `devcontainer-ci.yml`, the `env` values use the `inputs` context even for non-`workflow_call` triggers; since `inputs` is only defined for reusable workflows, consider splitting the env logic or adding conditional defaults so push/PR triggers do not fail expression evaluation.
- The devcontainer provisioning playbook assumes `pipx` is present before running `pipx install ansible`; it would be more robust to install or validate `pipx` first (e.g., via `apt` or a bootstrap task) to prevent failures on base images that do not ship it.

## Individual Comments

### Comment 1
<location path=".github/workflows/devcontainer-ci.yml" line_range="45-54" />
<code_context>
+# GitHub Copilot cloud agent customization.
+# <https://docs.github.com/en/copilot/how-tos/use-copilot-agents/cloud-agent/customize-the-agent-environment>
+name: Copilot Setup Steps
+env:
+  # Pin external repositories to specific SHAs for reproducibility.
+  COGNI_AI_AGENTS_REF: main
</code_context>
<issue_to_address>
**issue (bug_risk):** Referencing `inputs.*` in top-level `env` will fail for non-`workflow_call` events.

Using the `inputs` context in `REQUIRED_COMMANDS` and `REQUIRED_PYTHON_PACKAGES` at the workflow `env` level will cause `push`, `pull_request`, and `schedule` runs to fail with `Unrecognized named-value: 'inputs'`, since `inputs` is only defined for `workflow_call`. Move this logic into a job-level `env` behind `if: github.event_name == 'workflow_call'`, or ensure `inputs` are only referenced inside a `workflow_call`-only job.
</issue_to_address>

### Comment 2
<location path=".github/workflows/devcontainer-ci.yml" line_range="78-79" />
<code_context>
+      packages: write  # Enables push to GHCR
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
</code_context>
<issue_to_address>
**issue (bug_risk):** Actions are pinned to non-existent major versions, which will cause runtime failures.

`actions/checkout@v6` (and `actions/setup-python@v6.2.0` in the other workflow) are invalid refs and will prevent the workflow from running. Please pin to existing releases, e.g. `actions/checkout@v4` and `actions/setup-python@v5`, optionally with a specific minor/patch or SHA for reproducibility.
</issue_to_address>

### Comment 3
<location path=".github/workflows/copilot-setup-steps.yml" line_range="27" />
<code_context>
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v6
+      - name: Clone agents
+        run: |
</code_context>
<issue_to_address>
**issue (bug_risk):** `actions/*` versions here are also pinned to non-existent majors.

These `actions/*` versions (e.g. `actions/checkout@v6`, `actions/setup-python@v6.2.0`, possibly `actions/cache@v5.0.5`) do not exist and will cause the workflow to fail. Please update them to currently published majors (for example `actions/checkout@v4`, `actions/setup-python@v5`, `actions/cache@v4`) and optionally add tighter pinning if deterministic behavior is required.
</issue_to_address>

### Comment 4
<location path=".github/workflows/devcontainer-ci.yml" line_range="99-113" />
<code_context>
+          # Remove /. pattern to handle repos like "org/.github" -> "org/github"
+          SAFE_REPO_NAME="${REPO_LOWER//\/\./\/}"
+          echo "name=ghcr.io/${SAFE_REPO_NAME}/devcontainer" >> "$GITHUB_OUTPUT"
+      - name: Check cache image existence
+        id: cache_check
+        continue-on-error: true
+        run: |
+          IMAGE_NAME="${{ steps.image.outputs.name }}"
+          echo "Checking if cache image exists: ${IMAGE_NAME}:latest"
+          if docker pull "${IMAGE_NAME}:latest" 2>/dev/null; then
+            echo "✓ Cache image found: ${IMAGE_NAME}:latest"
+            echo "exists=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "⚠ Cache image not found: ${IMAGE_NAME}:latest"
+            echo "⚠ Build will proceed without cache (first build or image expired)"
+            echo "exists=false" >> "$GITHUB_OUTPUT"
+          fi
+      - name: Build and test dev container
</code_context>
<issue_to_address>
**suggestion:** The cache existence check sets an output that is never used.

`cache_check` sets an `exists` output that isn’t referenced later (the build step always uses `cacheFrom: ${{ steps.image.outputs.name }}`). If you don’t plan to branch on this, consider removing the step to cut noise and runtime. If you do want conditional cache usage, wire `steps.cache_check.outputs.exists` into a condition or into how `cacheFrom` is set.

```suggestion
      - name: Build and test dev container
```
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

issue (bug_risk): Referencing inputs.* in top-level env will fail for non-workflow_call events.

Using the inputs context in REQUIRED_COMMANDS and REQUIRED_PYTHON_PACKAGES at the workflow env level will cause push, pull_request, and schedule runs to fail with Unrecognized named-value: 'inputs', since inputs is only defined for workflow_call. Move this logic into a job-level env behind if: github.event_name == 'workflow_call', or ensure inputs are only referenced inside a workflow_call-only job.

[sourcery-ai]

issue (bug_risk): Actions are pinned to non-existent major versions, which will cause runtime failures.

actions/checkout@v6 (and actions/setup-python@v6.2.0 in the other workflow) are invalid refs and will prevent the workflow from running. Please pin to existing releases, e.g. actions/checkout@v4 and actions/setup-python@v5, optionally with a specific minor/patch or SHA for reproducibility.

[sourcery-ai]

issue (bug_risk): actions/* versions here are also pinned to non-existent majors.

These actions/* versions (e.g. actions/checkout@v6, actions/setup-python@v6.2.0, possibly actions/cache@v5.0.5) do not exist and will cause the workflow to fail. Please update them to currently published majors (for example actions/checkout@v4, actions/setup-python@v5, actions/cache@v4) and optionally add tighter pinning if deterministic behavior is required.

[sourcery-ai]

suggestion: The cache existence check sets an output that is never used.

cache_check sets an exists output that isn’t referenced later (the build step always uses cacheFrom: ${{ steps.image.outputs.name }}). If you don’t plan to branch on this, consider removing the step to cut noise and runtime. If you do want conditional cache usage, wire steps.cache_check.outputs.exists into a condition or into how cacheFrom is set.

Suggested change

	- name: Check cache image existence
	id: cache_check
	continue-on-error: true
	run: |
	IMAGE_NAME="${{ steps.image.outputs.name }}"
	echo "Checking if cache image exists: ${IMAGE_NAME}:latest"
	if docker pull "${IMAGE_NAME}:latest" 2>/dev/null; then
	echo "✓ Cache image found: ${IMAGE_NAME}:latest"
	echo "exists=true" >> "$GITHUB_OUTPUT"
	else
	echo "⚠ Cache image not found: ${IMAGE_NAME}:latest"
	echo "⚠ Build will proceed without cache (first build or image expired)"
	echo "exists=false" >> "$GITHUB_OUTPUT"
	fi
	- name: Build and test dev container
	- name: Build and test dev container