chore: replace multiple devcontainers with a single mise-based one #179
Consolidates node-20, node-22, node-24, deno-2, and python-3 devcontainers into a single container. mise.toml at the repo root declares all runtimes (Node 24, Deno 2.4.5, Python 3.10, uv 0.9.21) so any developer gets the full toolchain in one container.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Switch devcontainer from image+postCreateCommand to a Dockerfile so tools are baked in at build time rather than downloaded on first open
- Add mise.lock (generated by `mise lock`) to pin exact versions and checksums for all platforms
- Enable lockfile = true in mise.toml [settings]
- Remove Trunk and .trunk/; replace trunk fmt/check in CONTRIBUTING.md with direct biome/prettier invocations

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…cksum

Downloads the binary directly from github.com/jdx/mise/releases with SHA-256 verification rather than piping a script into the shell. The ARG makes the version and its checksums easy to bump together.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Arcjet Review — 🟢 Low Risk
Decision: Approved
Rationale: This PR is a dev-tooling consolidation: it replaces four per-runtime devcontainers (node-20/22/24, deno-2, python-3) and the Trunk linting setup with a single mise-based devcontainer driven by mise.toml/mise.lock. Only dev-environment files are touched — no application code, no CI workflows, no production runtime behavior. The Dockerfile follows good supply-chain hygiene: mise is pinned to a specific version (2026.5.12), downloaded from the official GitHub release, and verified against pinned SHA256 checksums for both x86_64 and aarch64 before being made executable. MISE_TRUSTED_CONFIG_PATHS is scoped to /workspaces and the bundled mise.toml is explicitly trusted, which is appropriate inside a devcontainer. CONTRIBUTING.md is updated consistently to drop Trunk references. No secrets, no auth/permissions changes, no migrations.
Summary of Changes
Replaces the per-runtime devcontainers (node-20/22/24, deno-2, python-3) and the Trunk linting config with a single mise-based devcontainer. Adds .devcontainer/Dockerfile (mise pinned + SHA256-verified), a top-level mise.toml pinning node/deno/python/uv versions, rewrites .devcontainer/devcontainer.json to build from the new Dockerfile, and updates CONTRIBUTING.md to run Biome/Prettier directly instead of via Trunk.
Escalation Triggers
- CI/CD Pipeline: New .devcontainer/Dockerfile added. Note: this is a devcontainer Dockerfile (local developer environment), not a CI or production image — impact is limited to contributor tooling.
Notes
Diff is well under the 1000-line threshold. Security skill checklist applied: no auth, secrets, crypto, or injection surface introduced; mise binary download uses HTTPS + pinned SHA256, which mitigates supply-chain tampering for this dependency.
Path filtering: 1 file excluded by ignore paths. 14 of 15 files included in review.
Review: 313a06f2 | Powered by Arcjet Review
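The verify-before-install pattern the commit message and the review describe (a pinned SHA-256 per architecture, checked before the binary becomes executable), as an added example that is not the PR's Dockerfile. The function names are hypothetical and the two pins are constructed sample digests (of the strings "hello\n" and "abc"), not mise release checksums.

```shell
#!/bin/sh
# Added example: install a downloaded binary only if it matches a pinned,
# per-architecture SHA-256. Pins are constructed sample values, NOT real
# mise checksums; in a Dockerfile they would arrive as ARG values.
PIN_x86_64="5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"
PIN_aarch64="ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

# pinned_sum ARCH: print the pinned digest for ARCH.
# Fails closed on any architecture that has no pin.
pinned_sum() {
    case "$1" in
        x86_64)        printf '%s\n' "$PIN_x86_64" ;;
        aarch64|arm64) printf '%s\n' "$PIN_aarch64" ;;
        *) echo "no pinned checksum for arch '$1'" >&2; return 1 ;;
    esac
}

# verify_and_install FILE ARCH DEST
# FILE is the already-downloaded artifact. It is copied to DEST with the
# executable bit only after its digest equals the pin for ARCH.
verify_and_install() {
    file=$1 arch=$2 dest=$3
    want=$(pinned_sum "$arch") || return 1
    got=$(sha256sum "$file" | cut -d' ' -f1)
    if [ -z "$got" ] || [ "$got" != "$want" ]; then
        echo "checksum mismatch for $file: got '$got', want '$want'" >&2
        rm -f "$file"   # never leave an unverified download on disk
        return 1
    fi
    install -m 0755 "$file" "$dest"
}

# Typical call inside a build step (URL and paths are placeholders):
#   curl -fsSL -o /tmp/tool "$DOWNLOAD_URL"
#   verify_and_install /tmp/tool "$(uname -m)" /usr/local/bin/tool
```

An unpinned architecture is rejected rather than skipped, so adding a new build platform forces someone to add its checksum first.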
No description provided.