Skip to content

Refresh bench tooling and Claude profiles#1

Open
brettheap wants to merge 2 commits into
mainfrom
agent/bench-refresh-2026-07
Open

Refresh bench tooling and Claude profiles#1
brettheap wants to merge 2 commits into
mainfrom
agent/bench-refresh-2026-07

Conversation

@brettheap

@brettheap brettheap commented Jul 13, 2026

Copy link
Copy Markdown

Summary

  • mount portable Claude account profiles where applicable
  • refresh the bench-specific runtime and administration toolchain
  • keep the bench aligned with the synchronized workBenches parent

Validation

  • git diff --check
  • changed shell scripts: bash -n
  • changed Dockerfile: docker buildx build --check

Summary by Sourcery

Refresh ops tooling and bench environment to track current upstream releases and aligned devcontainer/runtime images.

Enhancements:

  • Update minimal and full ops tool install scripts to resolve tool versions from GitHub releases with newer fallback versions for key CLIs.
  • Align k8s-, security-, and workflow-related CLI versions (e.g., ArgoCD, Tekton, Vault, Grype, Syft, Cosign, Kustomize, Helmfile, kubectx/kubens, pluto, kubeseal, task) with current stable releases.
  • Refresh devcontainer and Docker layer configuration to match the updated bench setup and portable Claude profiles.

Build:

  • Adjust Docker-based bench images to consume the refreshed tooling stack and environment configuration.

Copilot AI review requested due to automatic review settings July 13, 2026 00:14
@brettheap

Copy link
Copy Markdown
Author

@codex review

@sourcery-ai

sourcery-ai Bot commented Jul 13, 2026

Copy link
Copy Markdown

Reviewer's Guide

Refreshes the ops tooling installation scripts to track latest upstream releases with resilient fallbacks, and updates devcontainer/Docker runtime configuration to mount portable Claude profiles and stay aligned with the parent workBenches setup.

Sequence diagram for tool installation with latest-release fallback

sequenceDiagram
    actor User
    participant InstallScript
    participant GitHubAPI
    participant ToolReleaseServer

    User->>InstallScript: run install-ops-tools-minimal.sh
    InstallScript->>GitHubAPI: curl /repos/<tool>/releases/latest
    GitHubAPI-->>InstallScript: tag_name
    alt [tag_name parsed]
        InstallScript->>InstallScript: set TOOL_VERSION=tag_name
    else [tag_name empty]
        InstallScript->>InstallScript: set TOOL_VERSION=fallback_version
    end
    InstallScript->>ToolReleaseServer: download artifact for TOOL_VERSION
    ToolReleaseServer-->>InstallScript: binary/tarball
    InstallScript->>InstallScript: extract and chmod
    InstallScript-->>User: tool --version output
Loading

File-Level Changes

Change Details Files
Make ops tools installation scripts dynamically track latest GitHub release versions with safe fallback pins.
  • Replace hard-coded tool versions with GitHub API calls to fetch latest release tag_name for each tool.
  • Introduce per-tool VERSION variables with default fallback values when API calls fail or return empty.
  • Update all download URLs and extracted paths to interpolate the resolved VERSION variables.
  • Keep minimal and full ops install scripts aligned in behavior and pinned fallback versions.
install-ops-tools-minimal.sh
install-ops-tools.sh
Refresh devcontainer and Docker runtime configuration to support portable Claude profiles and match the synchronized workBenches parent.
  • Update devcontainer configuration to mount Claude account profile directories or volumes into the development environment.
  • Adjust Dockerfile.layer2 to align base image, tooling, and runtime configuration with the parent workBenches image.
  • Sync devcontainer.example configuration with the main devcontainer setup so local benches share the same profile and tooling behavior.
.devcontainer/devcontainer.json
Dockerfile.layer2
devcontainer.example/.devcontainer/devcontainer.json

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@sonarqubecloud

Copy link
Copy Markdown

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've found 1 issue

Prompt for AI Agents
Please address the comments from this code review:

## Individual Comments

### Comment 1
<location path="install-ops-tools.sh" line_range="87-88" />
<code_context>
 echo "Installing Vault CLI..."
 VAULT_VERSION=$(curl -s https://api.github.com/repos/hashicorp/vault/releases/latest | grep '"tag_name"' | sed -E 's/.*"v([^"]+)".*/\1/')
 if [ -z "$VAULT_VERSION" ]; then
-    VAULT_VERSION="1.19.2"
+    VAULT_VERSION="2.0.3"
</code_context>
<issue_to_address>
**issue (bug_risk):** Vault version extraction may return multiple lines and break the fallback logic.

In the Vault block, the `sed` pipeline no longer uses `head -1`, unlike the other version lookups. The GitHub API may return multiple matching lines, so `VAULT_VERSION` can end up with multiple newline‑separated values, producing an invalid download URL and blocking the fallback. Please align this with the other version extractions by appending `| head -1` to the pipeline.
</issue_to_address>

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

Comment thread install-ops-tools.sh
Comment on lines 87 to 88
VAULT_VERSION=$(curl -s https://api.github.com/repos/hashicorp/vault/releases/latest | grep '"tag_name"' | sed -E 's/.*"v([^"]+)".*/\1/')
if [ -z "$VAULT_VERSION" ]; then

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

issue (bug_risk): Vault version extraction may return multiple lines and break the fallback logic.

In the Vault block, the sed pipeline no longer uses head -1, unlike the other version lookups. The GitHub API may return multiple matching lines, so VAULT_VERSION can end up with multiple newline‑separated values, producing an invalid download URL and blocking the fallback. Please align this with the other version extractions by appending | head -1 to the pipeline.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Refreshes the ops bench tooling and devcontainer configuration to better track upstream CLI releases and support portable Claude account profiles.

Changes:

  • Updated ops tool install scripts to resolve many CLI versions from GitHub Releases and bumped fallback versions across the toolchain.
  • Bumped the ops-bench layer2 image label version.
  • Added devcontainer bind mounts for ~/.claude-profiles to support portable Claude profiles.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 6 comments.

Show a summary per file
File Description
install-ops-tools.sh Updates fallback versions for many ops/admin CLIs and continues using GitHub Releases lookups.
install-ops-tools-minimal.sh Replaces pinned versions with GitHub Releases resolution + updated fallbacks for the minimal tool set.
Dockerfile.layer2 Bumps layer2 image label version to reflect refreshed tooling.
devcontainer.example/.devcontainer/devcontainer.json Adds a bind mount for ~/.claude-profiles in the example devcontainer.
.devcontainer/devcontainer.json Adds a bind mount for ~/.claude-profiles in the main devcontainer config.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +18 to +20
CODE_SERVER_VERSION="4.126.0"
fi
curl -fsSL https://code-server.dev/install.sh | sh -s -- --version "$CODE_SERVER_VERSION"
Comment thread install-ops-tools.sh
Comment on lines +18 to 20
CODE_SERVER_VERSION="4.126.0"
fi
curl -fsSL https://code-server.dev/install.sh | sh -s -- --version "$CODE_SERVER_VERSION"
if [ -z "$ACT_VERSION" ]; then
ACT_VERSION="0.2.89"
fi
curl -L "https://github.com/nektos/act/releases/download/v${ACT_VERSION}/act_Linux_x86_64.tar.gz" -o /tmp/act.tar.gz
Comment thread install-ops-tools.sh
Comment on lines +30 to 32
ACT_VERSION="0.2.89"
fi
curl -L "https://github.com/nektos/act/releases/download/v${ACT_VERSION}/act_Linux_x86_64.tar.gz" -o /tmp/act.tar.gz
// AI Agent Credentials
"source=${localEnv:HOME}/.claude,target=/home/${localEnv:USER}/.claude,type=bind,consistency=cached",
"source=${localEnv:HOME}/.claude.json,target=/home/${localEnv:USER}/.claude.json,type=bind,consistency=cached",
"source=${localEnv:HOME}/.claude-profiles,target=/home/${localEnv:USER}/.claude-profiles,type=bind,consistency=cached",
"source=/var/run/docker.sock,target=/var/run/docker.sock,type=bind",
"source=${localEnv:HOME}/.claude,target=/home/${localEnv:USER}/.claude,type=bind,consistency=cached",
"source=${localEnv:HOME}/.claude.json,target=/home/${localEnv:USER}/.claude.json,type=bind,consistency=cached",
"source=${localEnv:HOME}/.claude-profiles,target=/home/${localEnv:USER}/.claude-profiles,type=bind,consistency=cached",

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 55fb877e50

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".


echo "Installing code-server (VS Code in browser)..."
curl -fsSL https://code-server.dev/install.sh | sh -s -- --version 4.100.3
CODE_SERVER_VERSION=$(curl -s https://api.github.com/repos/coder/code-server/releases/latest | grep '"tag_name"' | sed -E 's/.*"v([^"]+)".*/\1/' | head -1)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Pin tool versions during image builds

Because Dockerfile.layer2 runs this minimal installer at build time, resolving GitHub's releases/latest makes the same checked-out commit install different tool versions depending on the build date and network response. For a bench image this breaks reproducible runs and can silently pull future major releases while layer.version remains fixed; the hard-coded fallback is only used when the API lookup fails, not during normal builds. Please keep the refreshed versions explicit in the script or pass them as pinned build args instead of querying latest.

Useful? React with 👍 / 👎.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 55fb877e50

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

// AI Agent Credentials
"source=${localEnv:HOME}/.claude,target=/home/${localEnv:USER}/.claude,type=bind,consistency=cached",
"source=${localEnv:HOME}/.claude.json,target=/home/${localEnv:USER}/.claude.json,type=bind,consistency=cached",
"source=${localEnv:HOME}/.claude-profiles,target=/home/${localEnv:USER}/.claude-profiles,type=bind,consistency=cached",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Make the Claude profiles mount non-fatal

Devcontainer mounts entries are passed as Docker --mount values, and --mount type=bind fails when the host source path does not exist. With this new unconditional bind, users who have the existing Claude config but have not created $HOME/.claude-profiles can no longer start the devcontainer until they manually create an empty directory; the same entry in the example config should be handled the same way, e.g. by ensuring the directory exists or using a create-safe mount option.

Useful? React with 👍 / 👎.


echo "Installing code-server (VS Code in browser)..."
curl -fsSL https://code-server.dev/install.sh | sh -s -- --version 4.100.3
CODE_SERVER_VERSION=$(curl -s https://api.github.com/repos/coder/code-server/releases/latest | grep '"tag_name"' | sed -E 's/.*"v([^"]+)".*/\1/' | head -1)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Keep layer tool versions pinned

Because Dockerfile.layer2 runs this minimal installer to build the shared image, switching the formerly pinned download to GitHub releases/latest makes the same repo commit produce different toolchains as upstream projects publish releases. That breaks reproducibility for bench runs and can also make future rebuilds fail if a latest release changes asset names or archive layout; the script should keep explicit versions here or resolve them before committing.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants