From 82e1545ca9d8ad941b176e4a63bd432b7270e776 Mon Sep 17 00:00:00 2001 From: Claude Date: Tue, 14 Jul 2026 11:03:31 +0000 Subject: [PATCH 1/2] template: refresh template descriptions to reflect new repository messaging Rewrite each template's description around the security-focused messaging introduced in the updated repository description and README intro, sync the root README templates table to the same strings, bump each template's patch version, and raise the CI description length limit from 80 to 88 characters. Co-Authored-By: Claude Fable 5 Claude-Session: https://claude.ai/code/session_01LjtasUDz8tNuF7Nb1ZetRB --- .github/workflows/ci.yml | 4 ++-- README.md | 18 +++++++++--------- src/bun/devcontainer-template.json | 4 ++-- src/debian/devcontainer-template.json | 4 ++-- src/golang/devcontainer-template.json | 4 ++-- src/mise/devcontainer-template.json | 4 ++-- src/node/devcontainer-template.json | 4 ++-- src/rust/devcontainer-template.json | 4 ++-- src/terraform/devcontainer-template.json | 4 ++-- src/uv/devcontainer-template.json | 4 ++-- src/zig/devcontainer-template.json | 4 ++-- 11 files changed, 29 insertions(+), 29 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4eec1c1..14a18ec 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -21,13 +21,13 @@ jobs: with: persist-credentials: false - - name: Check description length (max 80 chars) + - name: Check description length (max 88 chars) run: | failed=0 while IFS= read -r file; do desc=$(jq -r '.description' "$file") len=${#desc} - if [[ $len -gt 80 ]]; then + if [[ $len -gt 88 ]]; then echo "FAIL ($len chars): $file" echo " $desc" failed=1 diff --git a/README.md b/README.md index a609b3d..4cd870d 100644 --- a/README.md +++ b/README.md @@ -41,15 +41,15 @@ If you use [Renovate](https://docs.renovatebot.com/) or Dependabot, they can aut | Template | Registry | Description | |----------|----------|-------------| -| [Bun](src/bun) | `ghcr.io/bare-devcontainer/templates/bun` | A JavaScript/TypeScript development environment based on the bare-devcontainer Bun image, with the Bun runtime installed. | -| [Debian](src/debian) | `ghcr.io/bare-devcontainer/templates/debian` | A minimal Debian development environment based on the bare-devcontainer Debian image. | -| [Go](src/golang) | `ghcr.io/bare-devcontainer/templates/golang` | A Go development environment based on the bare-devcontainer Go image. | -| [mise](src/mise) | `ghcr.io/bare-devcontainer/templates/mise` | A development environment with mise (polyglot runtime manager) on Debian, for managing multiple language runtimes per project. | -| [Node.js](src/node) | `ghcr.io/bare-devcontainer/templates/node` | A Node.js development environment based on the bare-devcontainer Node.js image. | -| [Rust](src/rust) | `ghcr.io/bare-devcontainer/templates/rust` | A Rust development environment based on the bare-devcontainer Rust image, with Rust installed via rustup. | -| [Terraform](src/terraform) | `ghcr.io/bare-devcontainer/templates/terraform` | An infrastructure-as-code development environment based on the bare-devcontainer Terraform image, with the Terraform CLI and terraform-ls installed. | -| [uv](src/uv) | `ghcr.io/bare-devcontainer/templates/uv` | A Python development environment based on the bare-devcontainer uv image, with uv installed for managing Python versions and packages. | -| [Zig](src/zig) | `ghcr.io/bare-devcontainer/templates/zig` | A Zig development environment based on the bare-devcontainer Zig image. | +| [Bun](src/bun) | `ghcr.io/bare-devcontainer/templates/bun` | Security-focused Bun dev container for JS/TS with hardened defaults and cached installs. | +| [Debian](src/debian) | `ghcr.io/bare-devcontainer/templates/debian` | Security-focused minimal Debian base for any stack, with hardened container defaults. | +| [Go](src/golang) | `ghcr.io/bare-devcontainer/templates/golang` | Security-focused Go dev container with hardened defaults and rebuild-friendly caches. | +| [mise](src/mise) | `ghcr.io/bare-devcontainer/templates/mise` | Security-focused mise dev container for multiple runtimes, with rebuild-friendly caches. | +| [Node.js](src/node) | `ghcr.io/bare-devcontainer/templates/node` | Security-focused Node.js dev container for JS/TS with hardened, non-root defaults. | +| [Rust](src/rust) | `ghcr.io/bare-devcontainer/templates/rust` | Security-focused Rust dev container with rust-analyzer and persistent Cargo caches. | +| [Terraform](src/terraform) | `ghcr.io/bare-devcontainer/templates/terraform` | Security-focused Terraform dev container with terraform-ls and rebuild-friendly caching. | +| [uv](src/uv) | `ghcr.io/bare-devcontainer/templates/uv` | Security-focused Python dev container with uv, hardened defaults, and cached packages. | +| [Zig](src/zig) | `ghcr.io/bare-devcontainer/templates/zig` | Security-focused Zig dev container with zls integration and a persistent build cache. | ## License diff --git a/src/bun/devcontainer-template.json b/src/bun/devcontainer-template.json index 555d5ff..ac9f089 100644 --- a/src/bun/devcontainer-template.json +++ b/src/bun/devcontainer-template.json @@ -1,8 +1,8 @@ { "id": "bun", - "version": "1.0.3", + "version": "1.0.4", "name": "Bun", - "description": "Minimal, supply-chain-secure dev container with Bun for JS/TypeScript.", + "description": "Security-focused Bun dev container for JS/TS with hardened defaults and cached installs.", "publisher": "Bare Dev Container Maintainers", "documentationURL": "https://github.com/bare-devcontainer/templates/tree/main/src/bun", "licenseURL": "https://github.com/bare-devcontainer/templates/blob/main/LICENSE", diff --git a/src/debian/devcontainer-template.json b/src/debian/devcontainer-template.json index 11fbfe9..62432cb 100644 --- a/src/debian/devcontainer-template.json +++ b/src/debian/devcontainer-template.json @@ -1,8 +1,8 @@ { "id": "debian", - "version": "1.2.4", + "version": "1.2.5", "name": "Debian", - "description": "Minimal, supply-chain-secure Debian base for any development stack.", + "description": "Security-focused minimal Debian base for any stack, with hardened container defaults.", "publisher": "Bare Dev Container Maintainers", "documentationURL": "https://github.com/bare-devcontainer/templates/tree/main/src/debian", "licenseURL": "https://github.com/bare-devcontainer/templates/blob/main/LICENSE", diff --git a/src/golang/devcontainer-template.json b/src/golang/devcontainer-template.json index ba60890..978d50c 100644 --- a/src/golang/devcontainer-template.json +++ b/src/golang/devcontainer-template.json @@ -1,8 +1,8 @@ { "id": "golang", - "version": "1.2.4", + "version": "1.2.5", "name": "Go", - "description": "Minimal, supply-chain-secure dev container with Go toolchain.", + "description": "Security-focused Go dev container with hardened defaults and rebuild-friendly caches.", "publisher": "Bare Dev Container Maintainers", "documentationURL": "https://github.com/bare-devcontainer/templates/tree/main/src/golang", "licenseURL": "https://github.com/bare-devcontainer/templates/blob/main/LICENSE", diff --git a/src/mise/devcontainer-template.json b/src/mise/devcontainer-template.json index 8c2a058..87bde5d 100644 --- a/src/mise/devcontainer-template.json +++ b/src/mise/devcontainer-template.json @@ -1,8 +1,8 @@ { "id": "mise", - "version": "1.3.0", + "version": "1.3.1", "name": "mise", - "description": "Minimal, supply-chain-secure dev container with mise for multiple runtimes.", + "description": "Security-focused mise dev container for multiple runtimes, with rebuild-friendly caches.", "publisher": "Bare Dev Container Maintainers", "documentationURL": "https://github.com/bare-devcontainer/templates/tree/main/src/mise", "licenseURL": "https://github.com/bare-devcontainer/templates/blob/main/LICENSE", diff --git a/src/node/devcontainer-template.json b/src/node/devcontainer-template.json index e406846..cecaac4 100644 --- a/src/node/devcontainer-template.json +++ b/src/node/devcontainer-template.json @@ -1,8 +1,8 @@ { "id": "node", - "version": "1.0.3", + "version": "1.0.4", "name": "Node.js", - "description": "Minimal, supply-chain-secure Node.js dev container for JS/TypeScript.", + "description": "Security-focused Node.js dev container for JS/TS with hardened, non-root defaults.", "publisher": "Bare Dev Container Maintainers", "documentationURL": "https://github.com/bare-devcontainer/templates/tree/main/src/node", "licenseURL": "https://github.com/bare-devcontainer/templates/blob/main/LICENSE", diff --git a/src/rust/devcontainer-template.json b/src/rust/devcontainer-template.json index 95eeaf4..a0a2281 100644 --- a/src/rust/devcontainer-template.json +++ b/src/rust/devcontainer-template.json @@ -1,8 +1,8 @@ { "id": "rust", - "version": "1.3.0", + "version": "1.3.1", "name": "Rust", - "description": "Minimal, supply-chain-secure dev container with Rust.", + "description": "Security-focused Rust dev container with rust-analyzer and persistent Cargo caches.", "publisher": "Bare Dev Container Maintainers", "documentationURL": "https://github.com/bare-devcontainer/templates/tree/main/src/rust", "licenseURL": "https://github.com/bare-devcontainer/templates/blob/main/LICENSE", diff --git a/src/terraform/devcontainer-template.json b/src/terraform/devcontainer-template.json index e2ef78e..e116dd9 100644 --- a/src/terraform/devcontainer-template.json +++ b/src/terraform/devcontainer-template.json @@ -1,8 +1,8 @@ { "id": "terraform", - "version": "1.2.3", + "version": "1.2.4", "name": "Terraform", - "description": "Minimal, supply-chain-secure dev container with Terraform CLI and terraform-ls.", + "description": "Security-focused Terraform dev container with terraform-ls and rebuild-friendly caching.", "publisher": "Bare Dev Container Maintainers", "documentationURL": "https://github.com/bare-devcontainer/templates/tree/main/src/terraform", "licenseURL": "https://github.com/bare-devcontainer/templates/blob/main/LICENSE", diff --git a/src/uv/devcontainer-template.json b/src/uv/devcontainer-template.json index ef31843..270780f 100644 --- a/src/uv/devcontainer-template.json +++ b/src/uv/devcontainer-template.json @@ -1,8 +1,8 @@ { "id": "uv", - "version": "1.0.3", + "version": "1.0.4", "name": "Python (uv)", - "description": "Minimal, supply-chain-secure Python dev container with uv.", + "description": "Security-focused Python dev container with uv, hardened defaults, and cached packages.", "publisher": "Bare Dev Container Maintainers", "documentationURL": "https://github.com/bare-devcontainer/templates/tree/main/src/uv", "licenseURL": "https://github.com/bare-devcontainer/templates/blob/main/LICENSE", diff --git a/src/zig/devcontainer-template.json b/src/zig/devcontainer-template.json index 7e6de17..b2d3a39 100644 --- a/src/zig/devcontainer-template.json +++ b/src/zig/devcontainer-template.json @@ -1,8 +1,8 @@ { "id": "zig", - "version": "1.2.4", + "version": "1.2.5", "name": "Zig", - "description": "Minimal, supply-chain-secure dev container with Zig.", + "description": "Security-focused Zig dev container with zls integration and a persistent build cache.", "publisher": "Bare Dev Container Maintainers", "documentationURL": "https://github.com/bare-devcontainer/templates/tree/main/src/zig", "licenseURL": "https://github.com/bare-devcontainer/templates/blob/main/LICENSE", From c9722d9a32ba1cdf4bd3b912aee6a70a2c413de2 Mon Sep 17 00:00:00 2001 From: Claude Date: Tue, 14 Jul 2026 11:03:31 +0000 Subject: [PATCH 2/2] docs: add NOTES.md to each template for generated README content Document each template's security hardening, persistent cache volumes, editor integration, and usage tips. The release workflow's generate-docs step appends NOTES.md into the auto-generated per-template README.md. Co-Authored-By: Claude Fable 5 Claude-Session: https://claude.ai/code/session_01LjtasUDz8tNuF7Nb1ZetRB --- src/bun/NOTES.md | 26 ++++++++++++++++++++++++++ src/debian/NOTES.md | 22 ++++++++++++++++++++++ src/golang/NOTES.md | 29 +++++++++++++++++++++++++++++ src/mise/NOTES.md | 34 ++++++++++++++++++++++++++++++++++ src/node/NOTES.md | 24 ++++++++++++++++++++++++ src/rust/NOTES.md | 30 ++++++++++++++++++++++++++++++ src/terraform/NOTES.md | 26 ++++++++++++++++++++++++++ src/uv/NOTES.md | 36 ++++++++++++++++++++++++++++++++++++ src/zig/NOTES.md | 27 +++++++++++++++++++++++++++ 9 files changed, 254 insertions(+) create mode 100644 src/bun/NOTES.md create mode 100644 src/debian/NOTES.md create mode 100644 src/golang/NOTES.md create mode 100644 src/mise/NOTES.md create mode 100644 src/node/NOTES.md create mode 100644 src/rust/NOTES.md create mode 100644 src/terraform/NOTES.md create mode 100644 src/uv/NOTES.md create mode 100644 src/zig/NOTES.md diff --git a/src/bun/NOTES.md b/src/bun/NOTES.md new file mode 100644 index 0000000..b85acfa --- /dev/null +++ b/src/bun/NOTES.md @@ -0,0 +1,26 @@ +## Security Hardening + +This template applies the shared hardening defaults of Bare Dev Container Templates: + +- Runs as the non-root `dev` user. +- Drops all Linux capabilities (`--cap-drop=ALL`) and sets the `no-new-privileges` security option, so processes cannot gain elevated privileges inside the container. Remove `no-new-privileges` from `securityOpt` if you need `su`/`sudo`. +- Starts an init process (`"init": true`) to reap zombie processes. +- The base image `ghcr.io/bare-devcontainer/bun` is a minimal [Bare Dev Container Image](https://github.com/bare-devcontainer/images) that limits trusted upstreams to official sources to reduce supply-chain risk. + +After applying the template, we recommend pinning the image to a digest so every rebuild uses exactly the image you expect — see [Pinning Images to a Digest](https://github.com/bare-devcontainer/templates#pinning-images-to-a-digest). + +## Persistent Caches + +Bun's global install cache is persisted in a named volume, so rebuilding the container to pick up image updates doesn't require re-downloading packages: + +| Volume | Mount path | Purpose | +|--------|------------|---------| +| `${devcontainerId}-bun-install-cache` | `/home/dev/.bun/install/cache` | Bun's global install cache | + +## Editor Integration + +- Installs the `oven.bun-vscode` VS Code extension, with `bun.runtime` preconfigured to the Bun binary shipped in the image (`/usr/local/bin/bun`). + +## Tips + +- If you use VS Code, uncomment the `remoteEnv` block in `devcontainer.json` to open `$EDITOR`/`$VISUAL`/`$GIT_EDITOR` (e.g. `git commit`) in a VS Code tab. diff --git a/src/debian/NOTES.md b/src/debian/NOTES.md new file mode 100644 index 0000000..88b6c53 --- /dev/null +++ b/src/debian/NOTES.md @@ -0,0 +1,22 @@ +## Security Hardening + +This template applies the shared hardening defaults of Bare Dev Container Templates: + +- Runs as the non-root `dev` user. +- Drops all Linux capabilities (`--cap-drop=ALL`) and sets the `no-new-privileges` security option, so processes cannot gain elevated privileges inside the container. Remove `no-new-privileges` from `securityOpt` if you need `su`/`sudo`. +- Starts an init process (`"init": true`) to reap zombie processes. +- The base image `ghcr.io/bare-devcontainer/debian` is a minimal [Bare Dev Container Image](https://github.com/bare-devcontainer/images) that limits trusted upstreams to official sources to reduce supply-chain risk. + +After applying the template, we recommend pinning the image to a digest so every rebuild uses exactly the image you expect — see [Pinning Images to a Digest](https://github.com/bare-devcontainer/templates#pinning-images-to-a-digest). + +## Usage Notes + +This template is a minimal Debian base for any development stack — no language toolchain is preinstalled. To add tooling, you can: + +- layer [Dev Container Features](https://containers.dev/features) on top of the image, +- extend the image with your own `Dockerfile`, or +- switch to a stack-specific Bare Dev Container template (Go, Rust, Node.js, ...). + +## Tips + +- If you use VS Code, uncomment the `remoteEnv` block in `devcontainer.json` to open `$EDITOR`/`$VISUAL`/`$GIT_EDITOR` (e.g. `git commit`) in a VS Code tab. diff --git a/src/golang/NOTES.md b/src/golang/NOTES.md new file mode 100644 index 0000000..198c295 --- /dev/null +++ b/src/golang/NOTES.md @@ -0,0 +1,29 @@ +## Security Hardening + +This template applies the shared hardening defaults of Bare Dev Container Templates: + +- Runs as the non-root `dev` user. +- Drops all Linux capabilities (`--cap-drop=ALL`) and sets the `no-new-privileges` security option, so processes cannot gain elevated privileges inside the container. Remove `no-new-privileges` from `securityOpt` if you need `su`/`sudo`. +- Starts an init process (`"init": true`) to reap zombie processes. +- The base image `ghcr.io/bare-devcontainer/golang` is a minimal [Bare Dev Container Image](https://github.com/bare-devcontainer/images) that limits trusted upstreams to official sources to reduce supply-chain risk. + +After applying the template, we recommend pinning the image to a digest so every rebuild uses exactly the image you expect — see [Pinning Images to a Digest](https://github.com/bare-devcontainer/templates#pinning-images-to-a-digest). + +## Persistent Caches + +The Go module and build caches are persisted in named volumes, so rebuilding the container to pick up image updates doesn't require re-downloading modules or recompiling packages: + +| Volume | Mount path | Purpose | +|--------|------------|---------| +| `${devcontainerId}-golang-pkg-mod` | `/home/dev/go/pkg/mod` | Go module cache (`GOMODCACHE`) | +| `${devcontainerId}-golang-build-cache` | `/home/dev/.cache/go-build` | Go build cache (`GOCACHE`) | + +## Editor Integration + +- Installs the `golang.go` VS Code extension, with format-on-save and organize-imports enabled for Go files and gopls semantic tokens turned on. +- Automatic updates of the Go tools are disabled (`go.toolsManagement.autoUpdate: false`, update checks are local only), so the editor does not download tools behind your back. + +## Tips + +- To use the debugger (delve), uncomment `"capAdd": ["SYS_PTRACE"]` in `devcontainer.json`. +- If you use VS Code, uncomment the `remoteEnv` block in `devcontainer.json` to open `$EDITOR`/`$VISUAL`/`$GIT_EDITOR` (e.g. `git commit`) in a VS Code tab. diff --git a/src/mise/NOTES.md b/src/mise/NOTES.md new file mode 100644 index 0000000..105e625 --- /dev/null +++ b/src/mise/NOTES.md @@ -0,0 +1,34 @@ +## Security Hardening + +This template applies the shared hardening defaults of Bare Dev Container Templates: + +- Runs as the non-root `dev` user. +- Drops all Linux capabilities (`--cap-drop=ALL`) and sets the `no-new-privileges` security option, so processes cannot gain elevated privileges inside the container. Remove `no-new-privileges` from `securityOpt` if you need `su`/`sudo`. +- Starts an init process (`"init": true`) to reap zombie processes. +- The base image `ghcr.io/bare-devcontainer/mise` is a minimal [Bare Dev Container Image](https://github.com/bare-devcontainer/images) that limits trusted upstreams to official sources to reduce supply-chain risk. + +After applying the template, we recommend pinning the image to a digest so every rebuild uses exactly the image you expect — see [Pinning Images to a Digest](https://github.com/bare-devcontainer/templates#pinning-images-to-a-digest). + +## Persistent Caches + +mise's data directory and download cache are persisted in named volumes, so toolchains installed with mise survive container rebuilds and don't need to be re-downloaded: + +| Volume | Mount path | Purpose | +|--------|------------|---------| +| `${devcontainerId}-mise-data` | `/home/dev/.local/share/mise` | mise-managed toolchains | +| `${devcontainerId}-mise-cache` | `/home/dev/.cache/mise` | mise's download cache | + +## Usage Notes + +[mise](https://mise.jdx.dev/) is a polyglot runtime manager. Install and pin the runtimes your project needs, for example: + +```sh +mise use node@24 +mise use python@3.13 +``` + +The installed runtimes are stored in the persisted data volume, so they remain available after rebuilding the container. + +## Tips + +- If you use VS Code, uncomment the `remoteEnv` block in `devcontainer.json` to open `$EDITOR`/`$VISUAL`/`$GIT_EDITOR` (e.g. `git commit`) in a VS Code tab. diff --git a/src/node/NOTES.md b/src/node/NOTES.md new file mode 100644 index 0000000..576c755 --- /dev/null +++ b/src/node/NOTES.md @@ -0,0 +1,24 @@ +## Security Hardening + +This template applies the shared hardening defaults of Bare Dev Container Templates: + +- Runs as the non-root `dev` user. +- Drops all Linux capabilities (`--cap-drop=ALL`) and sets the `no-new-privileges` security option, so processes cannot gain elevated privileges inside the container. Remove `no-new-privileges` from `securityOpt` if you need `su`/`sudo`. +- Starts an init process (`"init": true`) to reap zombie processes. +- The base image `ghcr.io/bare-devcontainer/node` is a minimal [Bare Dev Container Image](https://github.com/bare-devcontainer/images) that limits trusted upstreams to official sources to reduce supply-chain risk. + +After applying the template, we recommend pinning the image to a digest so every rebuild uses exactly the image you expect — see [Pinning Images to a Digest](https://github.com/bare-devcontainer/templates#pinning-images-to-a-digest). + +## Tips + +- To keep npm's download cache across container rebuilds, add a named volume to `mounts` in `devcontainer.json`: + + ```json + { + "source": "${devcontainerId}-npm-cache", + "target": "/home/dev/.npm", + "type": "volume" + } + ``` + +- If you use VS Code, uncomment the `remoteEnv` block in `devcontainer.json` to open `$EDITOR`/`$VISUAL`/`$GIT_EDITOR` (e.g. `git commit`) in a VS Code tab. diff --git a/src/rust/NOTES.md b/src/rust/NOTES.md new file mode 100644 index 0000000..bc892ff --- /dev/null +++ b/src/rust/NOTES.md @@ -0,0 +1,30 @@ +## Security Hardening + +This template applies the shared hardening defaults of Bare Dev Container Templates: + +- Runs as the non-root `dev` user. +- Drops all Linux capabilities (`--cap-drop=ALL`) and sets the `no-new-privileges` security option, so processes cannot gain elevated privileges inside the container. Remove `no-new-privileges` from `securityOpt` if you need `su`/`sudo`. +- Starts an init process (`"init": true`) to reap zombie processes. +- The base image `ghcr.io/bare-devcontainer/rust` is a minimal [Bare Dev Container Image](https://github.com/bare-devcontainer/images) that limits trusted upstreams to official sources to reduce supply-chain risk. + +After applying the template, we recommend pinning the image to a digest so every rebuild uses exactly the image you expect — see [Pinning Images to a Digest](https://github.com/bare-devcontainer/templates#pinning-images-to-a-digest). + +## Persistent Caches + +Cargo's registry and git caches are persisted in named volumes, so rebuilding the container to pick up image updates doesn't require re-downloading crates: + +| Volume | Mount path | Purpose | +|--------|------------|---------| +| `${devcontainerId}-rust-cargo-registry` | `/home/dev/.cargo/registry` | Cargo registry cache | +| `${devcontainerId}-rust-cargo-git` | `/home/dev/.cargo/git` | Cargo's cache of git-sourced dependencies | + +Only `registry/` and `git/` are mounted; `~/.cargo/bin` is intentionally left in the image layer so the toolchain binaries always come from the image. + +## Editor Integration + +- Installs the `rust-lang.rust-analyzer` VS Code extension, with format-on-save enabled for Rust files. + +## Tips + +- To use the debugger, uncomment `"capAdd": ["SYS_PTRACE"]` in `devcontainer.json`. +- If you use VS Code, uncomment the `remoteEnv` block in `devcontainer.json` to open `$EDITOR`/`$VISUAL`/`$GIT_EDITOR` (e.g. `git commit`) in a VS Code tab. diff --git a/src/terraform/NOTES.md b/src/terraform/NOTES.md new file mode 100644 index 0000000..5d07142 --- /dev/null +++ b/src/terraform/NOTES.md @@ -0,0 +1,26 @@ +## Security Hardening + +This template applies the shared hardening defaults of Bare Dev Container Templates: + +- Runs as the non-root `dev` user. +- Drops all Linux capabilities (`--cap-drop=ALL`) and sets the `no-new-privileges` security option, so processes cannot gain elevated privileges inside the container. Remove `no-new-privileges` from `securityOpt` if you need `su`/`sudo`. +- Starts an init process (`"init": true`) to reap zombie processes. +- The base image `ghcr.io/bare-devcontainer/terraform` is a minimal [Bare Dev Container Image](https://github.com/bare-devcontainer/images) that limits trusted upstreams to official sources to reduce supply-chain risk. + +After applying the template, we recommend pinning the image to a digest so every rebuild uses exactly the image you expect — see [Pinning Images to a Digest](https://github.com/bare-devcontainer/templates#pinning-images-to-a-digest). + +## Persistent Caches + +The Terraform plugin cache directory is persisted in a named volume, so rebuilding the container to pick up image updates doesn't require re-downloading providers: + +| Volume | Mount path | Purpose | +|--------|------------|---------| +| `${devcontainerId}-terraform-plugin-cache` | `/home/dev/.terraform.d/plugin-cache` | Terraform provider plugin cache | + +## Editor Integration + +- Installs the `hashicorp.terraform` and `hashicorp.hcl` VS Code extensions, with the language server paths preconfigured to the `terraform-ls` and `terraform` binaries shipped in the image, and format-on-save enabled for `.tf` and `.tfvars` files. + +## Tips + +- If you use VS Code, uncomment the `remoteEnv` block in `devcontainer.json` to open `$EDITOR`/`$VISUAL`/`$GIT_EDITOR` (e.g. `git commit`) in a VS Code tab. diff --git a/src/uv/NOTES.md b/src/uv/NOTES.md new file mode 100644 index 0000000..360d7d3 --- /dev/null +++ b/src/uv/NOTES.md @@ -0,0 +1,36 @@ +## Security Hardening + +This template applies the shared hardening defaults of Bare Dev Container Templates: + +- Runs as the non-root `dev` user. +- Drops all Linux capabilities (`--cap-drop=ALL`) and sets the `no-new-privileges` security option, so processes cannot gain elevated privileges inside the container. Remove `no-new-privileges` from `securityOpt` if you need `su`/`sudo`. +- Starts an init process (`"init": true`) to reap zombie processes. +- The base image `ghcr.io/bare-devcontainer/uv` is a minimal [Bare Dev Container Image](https://github.com/bare-devcontainer/images) that limits trusted upstreams to official sources to reduce supply-chain risk. + +After applying the template, we recommend pinning the image to a digest so every rebuild uses exactly the image you expect — see [Pinning Images to a Digest](https://github.com/bare-devcontainer/templates#pinning-images-to-a-digest). + +## Persistent Caches + +uv's cache is persisted in a named volume, so Python interpreters and packages downloaded by uv survive container rebuilds: + +| Volume | Mount path | Purpose | +|--------|------------|---------| +| `${devcontainerId}-uv-cache` | `/home/dev/.cache/uv` | uv's cache of downloaded Python interpreters and packages | + +## Usage Notes + +[uv](https://docs.astral.sh/uv/) manages Python versions, virtual environments, and packages. For example: + +```sh +uv python install 3.13 # install a Python interpreter +uv venv # create a virtual environment +uv sync # install project dependencies +``` + +## Editor Integration + +- Installs the `ms-python.python` and `charliermarsh.ruff` VS Code extensions, with Ruff as the default formatter and fix-all/organize-imports run on save for Python files. + +## Tips + +- If you use VS Code, uncomment the `remoteEnv` block in `devcontainer.json` to open `$EDITOR`/`$VISUAL`/`$GIT_EDITOR` (e.g. `git commit`) in a VS Code tab. diff --git a/src/zig/NOTES.md b/src/zig/NOTES.md new file mode 100644 index 0000000..02424ee --- /dev/null +++ b/src/zig/NOTES.md @@ -0,0 +1,27 @@ +## Security Hardening + +This template applies the shared hardening defaults of Bare Dev Container Templates: + +- Runs as the non-root `dev` user. +- Drops all Linux capabilities (`--cap-drop=ALL`) and sets the `no-new-privileges` security option, so processes cannot gain elevated privileges inside the container. Remove `no-new-privileges` from `securityOpt` if you need `su`/`sudo`. +- Starts an init process (`"init": true`) to reap zombie processes. +- The base image `ghcr.io/bare-devcontainer/zig` is a minimal [Bare Dev Container Image](https://github.com/bare-devcontainer/images) that limits trusted upstreams to official sources to reduce supply-chain risk. + +After applying the template, we recommend pinning the image to a digest so every rebuild uses exactly the image you expect — see [Pinning Images to a Digest](https://github.com/bare-devcontainer/templates#pinning-images-to-a-digest). + +## Persistent Caches + +The Zig global cache is persisted in a named volume, so rebuilding the container to pick up image updates doesn't require re-downloading packages or recompiling dependencies: + +| Volume | Mount path | Purpose | +|--------|------------|---------| +| `${devcontainerId}-zig-global-cache` | `/home/dev/.cache/zig` | Zig global cache | + +## Editor Integration + +- Installs the `ziglang.vscode-zig` VS Code extension, with the `zig` and `zls` paths preconfigured to the binaries shipped in the image and the Zig Language Server (zls) enabled. + +## Tips + +- To use the debugger, uncomment `"capAdd": ["SYS_PTRACE"]` in `devcontainer.json`. +- If you use VS Code, uncomment the `remoteEnv` block in `devcontainer.json` to open `$EDITOR`/`$VISUAL`/`$GIT_EDITOR` (e.g. `git commit`) in a VS Code tab.