Refresh bench tooling and Claude profiles#1
Conversation
|
@codex review |
Reviewer's GuideRefreshes the ops tooling installation scripts to track latest upstream releases with resilient fallbacks, and updates devcontainer/Docker runtime configuration to mount portable Claude profiles and stay aligned with the parent workBenches setup. Sequence diagram for tool installation with latest-release fallbacksequenceDiagram
actor User
participant InstallScript
participant GitHubAPI
participant ToolReleaseServer
User->>InstallScript: run install-ops-tools-minimal.sh
InstallScript->>GitHubAPI: curl /repos/<tool>/releases/latest
GitHubAPI-->>InstallScript: tag_name
alt [tag_name parsed]
InstallScript->>InstallScript: set TOOL_VERSION=tag_name
else [tag_name empty]
InstallScript->>InstallScript: set TOOL_VERSION=fallback_version
end
InstallScript->>ToolReleaseServer: download artifact for TOOL_VERSION
ToolReleaseServer-->>InstallScript: binary/tarball
InstallScript->>InstallScript: extract and chmod
InstallScript-->>User: tool --version output
File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
|
There was a problem hiding this comment.
Hey - I've found 1 issue
Prompt for AI Agents
Please address the comments from this code review:
## Individual Comments
### Comment 1
<location path="install-ops-tools.sh" line_range="87-88" />
<code_context>
echo "Installing Vault CLI..."
VAULT_VERSION=$(curl -s https://api.github.com/repos/hashicorp/vault/releases/latest | grep '"tag_name"' | sed -E 's/.*"v([^"]+)".*/\1/')
if [ -z "$VAULT_VERSION" ]; then
- VAULT_VERSION="1.19.2"
+ VAULT_VERSION="2.0.3"
</code_context>
<issue_to_address>
**issue (bug_risk):** Vault version extraction may return multiple lines and break the fallback logic.
In the Vault block, the `sed` pipeline no longer uses `head -1`, unlike the other version lookups. The GitHub API may return multiple matching lines, so `VAULT_VERSION` can end up with multiple newline‑separated values, producing an invalid download URL and blocking the fallback. Please align this with the other version extractions by appending `| head -1` to the pipeline.
</issue_to_address>Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
| VAULT_VERSION=$(curl -s https://api.github.com/repos/hashicorp/vault/releases/latest | grep '"tag_name"' | sed -E 's/.*"v([^"]+)".*/\1/') | ||
| if [ -z "$VAULT_VERSION" ]; then |
There was a problem hiding this comment.
issue (bug_risk): Vault version extraction may return multiple lines and break the fallback logic.
In the Vault block, the sed pipeline no longer uses head -1, unlike the other version lookups. The GitHub API may return multiple matching lines, so VAULT_VERSION can end up with multiple newline‑separated values, producing an invalid download URL and blocking the fallback. Please align this with the other version extractions by appending | head -1 to the pipeline.
There was a problem hiding this comment.
Pull request overview
Refreshes the ops bench tooling and devcontainer configuration to better track upstream CLI releases and support portable Claude account profiles.
Changes:
- Updated ops tool install scripts to resolve many CLI versions from GitHub Releases and bumped fallback versions across the toolchain.
- Bumped the ops-bench layer2 image label version.
- Added devcontainer bind mounts for
~/.claude-profilesto support portable Claude profiles.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| install-ops-tools.sh | Updates fallback versions for many ops/admin CLIs and continues using GitHub Releases lookups. |
| install-ops-tools-minimal.sh | Replaces pinned versions with GitHub Releases resolution + updated fallbacks for the minimal tool set. |
| Dockerfile.layer2 | Bumps layer2 image label version to reflect refreshed tooling. |
| devcontainer.example/.devcontainer/devcontainer.json | Adds a bind mount for ~/.claude-profiles in the example devcontainer. |
| .devcontainer/devcontainer.json | Adds a bind mount for ~/.claude-profiles in the main devcontainer config. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| CODE_SERVER_VERSION="4.126.0" | ||
| fi | ||
| curl -fsSL https://code-server.dev/install.sh | sh -s -- --version "$CODE_SERVER_VERSION" |
| CODE_SERVER_VERSION="4.126.0" | ||
| fi | ||
| curl -fsSL https://code-server.dev/install.sh | sh -s -- --version "$CODE_SERVER_VERSION" |
| if [ -z "$ACT_VERSION" ]; then | ||
| ACT_VERSION="0.2.89" | ||
| fi | ||
| curl -L "https://github.com/nektos/act/releases/download/v${ACT_VERSION}/act_Linux_x86_64.tar.gz" -o /tmp/act.tar.gz |
| ACT_VERSION="0.2.89" | ||
| fi | ||
| curl -L "https://github.com/nektos/act/releases/download/v${ACT_VERSION}/act_Linux_x86_64.tar.gz" -o /tmp/act.tar.gz |
| // AI Agent Credentials | ||
| "source=${localEnv:HOME}/.claude,target=/home/${localEnv:USER}/.claude,type=bind,consistency=cached", | ||
| "source=${localEnv:HOME}/.claude.json,target=/home/${localEnv:USER}/.claude.json,type=bind,consistency=cached", | ||
| "source=${localEnv:HOME}/.claude-profiles,target=/home/${localEnv:USER}/.claude-profiles,type=bind,consistency=cached", |
| "source=/var/run/docker.sock,target=/var/run/docker.sock,type=bind", | ||
| "source=${localEnv:HOME}/.claude,target=/home/${localEnv:USER}/.claude,type=bind,consistency=cached", | ||
| "source=${localEnv:HOME}/.claude.json,target=/home/${localEnv:USER}/.claude.json,type=bind,consistency=cached", | ||
| "source=${localEnv:HOME}/.claude-profiles,target=/home/${localEnv:USER}/.claude-profiles,type=bind,consistency=cached", |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 55fb877e50
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
|
||
| echo "Installing code-server (VS Code in browser)..." | ||
| curl -fsSL https://code-server.dev/install.sh | sh -s -- --version 4.100.3 | ||
| CODE_SERVER_VERSION=$(curl -s https://api.github.com/repos/coder/code-server/releases/latest | grep '"tag_name"' | sed -E 's/.*"v([^"]+)".*/\1/' | head -1) |
There was a problem hiding this comment.
Pin tool versions during image builds
Because Dockerfile.layer2 runs this minimal installer at build time, resolving GitHub's releases/latest makes the same checked-out commit install different tool versions depending on the build date and network response. For a bench image this breaks reproducible runs and can silently pull future major releases while layer.version remains fixed; the hard-coded fallback is only used when the API lookup fails, not during normal builds. Please keep the refreshed versions explicit in the script or pass them as pinned build args instead of querying latest.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 55fb877e50
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| // AI Agent Credentials | ||
| "source=${localEnv:HOME}/.claude,target=/home/${localEnv:USER}/.claude,type=bind,consistency=cached", | ||
| "source=${localEnv:HOME}/.claude.json,target=/home/${localEnv:USER}/.claude.json,type=bind,consistency=cached", | ||
| "source=${localEnv:HOME}/.claude-profiles,target=/home/${localEnv:USER}/.claude-profiles,type=bind,consistency=cached", |
There was a problem hiding this comment.
Make the Claude profiles mount non-fatal
Devcontainer mounts entries are passed as Docker --mount values, and --mount type=bind fails when the host source path does not exist. With this new unconditional bind, users who have the existing Claude config but have not created $HOME/.claude-profiles can no longer start the devcontainer until they manually create an empty directory; the same entry in the example config should be handled the same way, e.g. by ensuring the directory exists or using a create-safe mount option.
Useful? React with 👍 / 👎.
|
|
||
| echo "Installing code-server (VS Code in browser)..." | ||
| curl -fsSL https://code-server.dev/install.sh | sh -s -- --version 4.100.3 | ||
| CODE_SERVER_VERSION=$(curl -s https://api.github.com/repos/coder/code-server/releases/latest | grep '"tag_name"' | sed -E 's/.*"v([^"]+)".*/\1/' | head -1) |
There was a problem hiding this comment.
Keep layer tool versions pinned
Because Dockerfile.layer2 runs this minimal installer to build the shared image, switching the formerly pinned download to GitHub releases/latest makes the same repo commit produce different toolchains as upstream projects publish releases. That breaks reproducibility for bench runs and can also make future rebuilds fail if a latest release changes asset names or archive layout; the script should keep explicit versions here or resolve them before committing.
Useful? React with 👍 / 👎.



Summary
Validation
git diff --checkbash -ndocker buildx build --checkSummary by Sourcery
Refresh ops tooling and bench environment to track current upstream releases and aligned devcontainer/runtime images.
Enhancements:
Build: