Dev container Dependabot fixes for docker-in-docker and go features

[brooke-hamilton]

Description

Fix broken Dependabot runs against the dev container configuration and unblock the post-create script when installing global pnpm packages.

Dependabot was failing on the dev container because two feature references in .devcontainer/devcontainer.json and .devcontainer/devcontainer-lock.json were pinned to an empty version tag (ghcr.io/devcontainers/features/docker-in-docker: and ghcr.io/devcontainers/features/go:). Dependabot cannot parse an empty version and the run errors out. Example failing run: https://github.com/radius-project/radius/actions/runs/26043583065/job/76561626915

Changes:

• .devcontainer/devcontainer.json
  • Pin ghcr.io/devcontainers/features/go to major version 1.
  • Pin ghcr.io/devcontainers/features/docker-in-docker to 3.0.0 (latest stable major).
  • Bump base image from mcr.microsoft.com/devcontainers/base:ubuntu to mcr.microsoft.com/devcontainers/base:ubuntu-24.04 so the base image is also explicitly versioned and trackable by Dependabot.
• .devcontainer/devcontainer-lock.json
  • Regenerated lock entries to match the new feature version pins.
• .devcontainer/post-create.sh
  • Ensure PNPM_HOME and the pnpm global bin directory exist and are on PATH before running pnpm add -g cspell. Without this, pnpm setup only updates shell rc files for future sessions, causing the global install in the post-create script to fail.

Type of change

• This pull request is a minor refactor, code cleanup, test improvement, or other maintenance task and doesn't change the functionality of Radius (issue link optional).

Contributor checklist

Please verify that the PR meets the following requirements, where applicable:

• An overview of proposed schema changes is included in a linked GitHub issue.
  • Yes
  • Not applicable
• A design document is added or updated under eng/design-notes/ in this repository, if new APIs are being introduced.
  • Yes
  • Not applicable
• The design document has been reviewed and approved by Radius maintainers/approvers.
  • Yes
  • Not applicable
• A PR for resource-types-contrib is created, if resource types or recipes are affected by the changes in this PR.
  • Yes
  • Not applicable
• A PR for dashboard is created, if the Radius Dashboard is affected by the changes in this PR.
  • Yes
  • Not applicable
• A PR for the documentation repository is created, if the changes in this PR affect the documentation or any user facing updates are made.
  • Yes
  • Not applicable

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

[Copilot]

Pull request overview

This PR fixes Dependabot parsing for dev container feature references and makes the dev container post-create setup more reliable for global pnpm installs.

Changes:

• Pins dev container base image and feature references to explicit versions.
• Regenerates devcontainer lock entries for the updated feature pins.
• Configures pnpm global bin path during post-create before installing cspell.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File	Description
.devcontainer/devcontainer.json	Pins base image, Go feature, and docker-in-docker feature versions.
.devcontainer/devcontainer-lock.json	Updates lock metadata to match the pinned feature references.
.devcontainer/post-create.sh	Ensures pnpm global bin directory exists and is on PATH before installing cspell.