dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Support for updating devcontainer.json files (for dev containers) #7000

Open apgrucza opened 1 year ago

apgrucza commented 1 year ago

Feature description

Dev containers are growing in popularity. They are used in VSCode and GitHub Codespaces, and support is being added to other tools such as Gitpod. Dependabot itself even uses them here.

Dependabot should support updating versions in the devcontainer.json file (specification here). This should include updating both the image and features properties.

Image example:

{
  "image": "mcr.microsoft.com/devcontainers/go:1"
}

Features example (note that both feature versions and package versions can appear in this object):

"features": {
  "ghcr.io/user/repo/go": {},
  "ghcr.io/user/repo1/go:1": {},
  "ghcr.io/user/repo2/go:latest": {},
  "https://github.com/user/repo/releases/devcontainer-feature-go.tgz": {
    "optionA": "value"
  },
  "./myGoFeature": {
    "optionA": true,
    "optionB": "hello",
    "version": "1.0.0"
  }
}
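An added example, not part of the original post or of Dependabot's code: a small classifier for the keys of the `features` object above, showing which references carry a feature version, which carry a package version, and which are floating. The `kind` labels and function names are hypothetical, and reading the `version` option as the package version is an assumption.

```javascript
// Added example: classify each key of a devcontainer.json "features" object.
// The sample object is the one from the issue; the "kind" labels are hypothetical names.
const sampleFeatures = {
  "ghcr.io/user/repo/go": {},
  "ghcr.io/user/repo1/go:1": {},
  "ghcr.io/user/repo2/go:latest": {},
  "https://github.com/user/repo/releases/devcontainer-feature-go.tgz": { optionA: "value" },
  "./myGoFeature": { optionA: true, optionB: "hello", version: "1.0.0" },
};

function classifyFeature(id, options = {}) {
  // Assumption: a "version" option is the package version, not the feature's own version.
  const packageVersion = typeof options.version === "string" ? options.version : null;
  const base = { id, featureVersion: null, floating: null, packageVersion };
  if (id.startsWith("./") || id.startsWith("../")) return { ...base, kind: "local-path" };
  if (/^https?:\/\//i.test(id)) return { ...base, kind: "tarball-url" };
  // Otherwise an OCI reference: registry/namespace/name[:tag].
  // Search for the tag colon after the last slash so a registry port is not mistaken for it.
  const lastSlash = id.lastIndexOf("/");
  const colon = id.indexOf(":", lastSlash + 1);
  const tag = colon === -1 ? "latest" : id.slice(colon + 1); // omitted tag is treated as latest
  // Only a full x.y.z tag is specific to one release; "1", "1.2" and "latest" move over time.
  const floating = !/^\d+\.\d+\.\d+$/.test(tag);
  return { ...base, kind: "oci", featureVersion: tag, floating };
}

// One record per feature key, in the order the keys appear in the file.
function auditFeatures(features) {
  return Object.entries(features).map(([id, options]) => classifyFeature(id, options));
}

// Ids of OCI features whose resolved version can change without the file changing.
function floatingFeatures(features) {
  return auditFeatures(features).filter((f) => f.floating).map((f) => f.id);
}
```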

jeffwidman commented 1 year ago

👋 it's a good suggestion, we've had an internal team request this as well.

No idea if/when we'll support this, given that we're (mostly) on pause for new ecosystems right now... long term we'd like to figure out a way to be more of a platform that others can build on top of so that if you wanted something you could build it yourself but that's still closer to a dream rather than reality.

For anyone else coming along, if adding support for this ecosystem is of interest please 👍 it as we use that as one signal of impact when prioritizing what to work on.

hfhbd commented 10 months ago

Do you also have a configuration sample for the yaml file to enable the devcontainers ecosystem?

deivid-rodriguez commented 10 months ago

Sorry, this is not yet fully released, let me reopen this and I'll share a link to documentation once it's working.

chris-bateman commented 10 months ago

Might be too early to try this but I did anyway :) Purposely mistyped devcontainer to generate the below error - [image]

So devcontainers is in the package list.

I then updated it to use that and got this error - [image]

Config used -

# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates

version: 2
enable-beta-ecosystems: true
updates:
  - package-ecosystem: "devcontainers" # See documentation for possible values
    directory: "/" # Location of package manifests
    schedule:
      interval: "weekly"

What am I missing?

joshspicer commented 10 months ago

Hey there @chris-bateman, the ecosystem is still disabled on our end! Excited that you're excited to try it - keep an eye out for it real soon :)

joshspicer commented 10 months ago

This is now GA! Thank you for your interest/patience! More information can be found here: https://containers.dev/guide/dependabot

chris-bateman commented 10 months ago

@joshspicer Amazing, seems to be working well. Just some quick observations from the logs -

A few 401s on trying to get details about a few features. Hasn't broken the workflow or anything but it's still a day 1 release of course.

  proxy | 2024/01/24 22:53:24 [010] GET https://ghcr.io:443/v2/devcontainers/features/github-cli/tags/list
  proxy | 2024/01/24 22:53:24 [011] GET https://ghcr.io:443/v2/devcontainers/features/docker-in-docker/tags/list
  proxy | 2024/01/24 22:53:24 [012] GET https://ghcr.io:443/v2/devcontainers/features/node/tags/list
  proxy | 2024/01/24 22:53:24 [012] 401 https://ghcr.io:443/v2/devcontainers/features/node/tags/list
  proxy | 2024/01/24 22:53:24 [012] Remote response: {"errors":[{"code":"UNAUTHORIZED","message":"authentication required"}]}
  proxy | 2024/01/24 22:53:24 [011] 401 https://ghcr.io:443/v2/devcontainers/features/docker-in-docker/tags/list
  proxy | 2024/01/24 22:53:24 [011] Remote response: {"errors":[{"code":"UNAUTHORIZED","message":"authentication required"}]}
  proxy | 2024/01/24 22:53:24 [010] 401 https://ghcr.io:443/v2/devcontainers/features/github-cli/tags/list
  proxy | 2024/01/24 22:53:24 [010] Remote response: {"errors":[{"code":"UNAUTHORIZED","message":"authentication required"}]}

joshspicer commented 10 months ago

Hi @chris-bateman, I believe this is expected. The container registry spec (where the Features are hosted) requires trying to make a request unauthenticated first, and if auth is needed a 401 is returned with a specific header (allowing the client to request a token). You'll likely see that further down in the logs. The implementation is here if you're curious :) https://github.com/devcontainers/cli/blob/main/src/spec-configuration/httpOCIRegistry.ts#L64

If things still don't seem right after reviewing this comment, please let me know!
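An added example, not from the thread and not the devcontainers CLI implementation: the 401-then-token exchange described in the comment above, simulated offline with both sides' messages, so an expected challenge can be told apart from a genuine authentication failure. `fakeRegistry`, the token, the tag list and the `WWW-Authenticate` value are constructed for illustration.

```javascript
// Added example: the 401 challenge exchange, simulated offline.
// fakeRegistry, TOKEN, the tag list and the header value are constructed for illustration.
const REPO = "devcontainers/features/node";
const TOKEN = "constructed-anonymous-token";

// Registry side: challenge anonymous requests, issue a pull-scoped token on /token.
function fakeRegistry(req) {
  const url = new URL(req.url);
  if (url.pathname === "/token") {
    const ok = url.searchParams.get("scope") === `repository:${REPO}:pull`;
    return ok ? { status: 200, body: { token: TOKEN } } : { status: 403, body: {} };
  }
  if (req.headers.authorization === `Bearer ${TOKEN}`) {
    return { status: 200, body: { name: REPO, tags: ["1", "1.3", "latest"] } };
  }
  const challenge =
    `Bearer realm="https://ghcr.io/token",service="ghcr.io",scope="repository:${REPO}:pull"`;
  return { status: 401, headers: { "www-authenticate": challenge },
           body: { errors: [{ code: "UNAUTHORIZED", message: "authentication required" }] } };
}

// Client side: parse `Bearer key="value",...`; null means there is no usable challenge.
function parseChallenge(header) {
  const m = /^Bearer\s+(.*)$/i.exec(header || "");
  if (!m) return null;
  const params = {};
  for (const [, key, value] of m[1].matchAll(/(\w+)="([^"]*)"/g)) params[key] = value;
  return params.realm ? params : null;
}

// Returns the status codes seen, in order, plus the final response.
function listTags(send, tagsUrl) {
  let res = send({ url: tagsUrl, headers: {} }); // 1. anonymous attempt
  const trace = [res.status];
  if (res.status !== 401) return { trace, res };
  const ch = parseChallenge((res.headers || {})["www-authenticate"]);
  // A 401 with no Bearer challenge, or a non-HTTPS realm, is treated as a genuine failure.
  if (!ch || !ch.realm.startsWith("https://")) return { trace, res };
  const tokenUrl = new URL(ch.realm); // 2. ask the realm named in the challenge for a token
  if (ch.service) tokenUrl.searchParams.set("service", ch.service);
  if (ch.scope) tokenUrl.searchParams.set("scope", ch.scope);
  const tok = send({ url: tokenUrl.href, headers: {} });
  trace.push(tok.status);
  if (tok.status !== 200) return { trace, res: tok };
  res = send({ url: tagsUrl, headers: { authorization: `Bearer ${tok.body.token}` } }); // 3. retry
  trace.push(res.status);
  return { trace, res };
}
```

A trace of `401, 200, 200` is the expected pattern; a 401 that is not followed by a token request and a successful retry is the one worth investigating.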

lure8225 commented 6 months ago

Is there something which checks the base container for new updates? I understand that this currently is only handling updated features. Correct?

Brend-Smits commented 1 month ago

> Is there something which checks the base container for new updates? I understand that this currently is only handling updated features. Correct?

I don't think this is implemented yet, that's likely the reason why this issue is still open. I was hoping it was going to update my base image as well, but I just tried it out and it does not look like it will update it automatically, only features.

Looking forward to it supporting base image updates.