Pull request overview
Adds opt-in support to the dev-container image for installing GitHub Copilot CLI, seeding a Copilot CLI MCP configuration (initially WebdriverIO MCP), and optionally installing a browser runtime to support browser-driven MCP workflows.
Changes:
- Add opt-in Copilot CLI installer script with optional MCP config seeding.
- Add opt-in browser runtime installer script (Chromium + deps).
- Wire new build args/env vars through Dockerfile, docker-compose, env.example, and document usage in README.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/scripts/install_copilot_cli.sh | Installs Copilot CLI (script/npm/auto) and optionally seeds CLI MCP config. |
| src/scripts/install_browsers.sh | Installs a Chromium-based browser runtime (opt-in). |
| src/copilot/mcp-config.json | Seeds Copilot CLI MCP servers with @wdio/mcp configuration. |
| env.example | Documents new opt-in variables for Copilot CLI and browser install. |
| docker-compose.yml | Passes new variables as build args and runtime env. |
| README.md | Adds usage documentation for enabling Copilot CLI + MCP seeding and the demo flow. |
| Dockerfile | Adds build args + env defaults; copies MCP templates; runs optional install scripts. |
@copilot open a new pull request to apply changes based on the comments in this thread
…me (#15) * Initial plan * fix: pin @wdio/mcp version and use Google Chrome over snap Chromium Co-authored-by: netzulo <11871932+netzulo@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: netzulo <11871932+netzulo@users.noreply.github.com>
Pull request overview
Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.
@copilot open a new pull request to apply changes based on the comments in this thread
* Initial plan * fix: use HTTPS for Chrome APT repo and align README browser wording Co-authored-by: netzulo <11871932+netzulo@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: netzulo <11871932+netzulo@users.noreply.github.com>
Pull request overview
Copilot reviewed 8 out of 8 changed files in this pull request and generated 7 comments.
| # -------------------------------------------- | ||
| # Optional: browsers + Copilot CLI | ||
| # -------------------------------------------- | ||
| RUN bash /opt/scripts/install_browsers.sh | ||
| RUN bash /opt/scripts/install_copilot_cli.sh |
install_browsers.sh and install_copilot_cli.sh run at image build time, but the PR only wires COPILOT_CLI_ENABLED/BROWSERS_ENABLED via runtime docker-compose environment variables. As a result, these opt-in installs can’t be enabled via compose as documented. Use ARG + ENV in the Dockerfile and build.args in docker-compose.yml (or move these installs to container startup).
| COPILOT_CLI_ENABLED: "${COPILOT_CLI_ENABLED:-false}" | ||
| COPILOT_CLI_MCP_ENABLED: "${COPILOT_CLI_MCP_ENABLED:-false}" | ||
| COPILOT_CLI_INSTALL_METHOD: "${COPILOT_CLI_INSTALL_METHOD:-auto}" | ||
| COPILOT_CLI_VERSION: "${COPILOT_CLI_VERSION:-}" | ||
| COPILOT_CLI_PREFIX: "${COPILOT_CLI_PREFIX:-/usr/local}" | ||
| BROWSERS_ENABLED: "${BROWSERS_ENABLED:-false}" |
These variables are set under environment: (container runtime), but the Copilot/Chrome installs happen during docker build (Dockerfile RUN bash /opt/scripts/...). As written, toggling COPILOT_CLI_ENABLED / BROWSERS_ENABLED here won’t change what gets installed in the image. Add build.args for these flags (and consume them via ARG in the Dockerfile), or perform the installs at container startup.
| Use build args (recommended) to enable the install and seed the MCP config: | ||
|
|
||
| ```bash | ||
| COPILOT_CLI_ENABLED=true \ | ||
| COPILOT_CLI_MCP_ENABLED=true \ | ||
| docker compose -f docker-compose.yml up --build | ||
| ``` |
The “Enable during build” snippet sets env vars for docker compose up --build, but the compose file doesn’t pass these as build.args, and the Dockerfile doesn’t declare ARGs for them. This means the Copilot/browser installs won’t actually be enabled during build as documented. Update the docs to show the correct build-arg usage (or update compose/Dockerfile to match the documented flow).
| : "${COPILOT_GITHUB_TOKEN:=your_github_personal_access_token_here }" | ||
|
|
COPILOT_GITHUB_TOKEN default value has trailing spaces and a } (your_github_personal_access_token_here }). This won’t match the placeholder check later and can cause an unintended auth attempt with an invalid token. Make the default empty (or make the placeholder string consistent with the later comparison).
| if [[ -n "${COPILOT_GITHUB_TOKEN}" && "${COPILOT_GITHUB_TOKEN}" != "your_github_personal_access_token_here" ]]; then | ||
| echo "Logging into Copilot CLI with provided GitHub token to cache credentials..." | ||
| echo "${COPILOT_GITHUB_TOKEN}" | copilot auth login --with-token || echo "Copilot CLI login failed; please check your token and login manually." >&2 | ||
| else |
Running copilot auth login --with-token during docker build will cache credentials into the image layer (under root’s home), which risks leaking access tokens to anyone who can pull the image. Prefer removing build-time login entirely and require interactive login at runtime, or use BuildKit secrets and ensure no credentials are persisted into the final image.
agree, swap login part to entrypoint.sh
| curl -fsSL "${COPILOT_CLI_INSTALL_URL}" | VERSION="${COPILOT_CLI_VERSION}" PREFIX="${COPILOT_CLI_PREFIX}" bash | ||
| else | ||
| curl -fsSL "${COPILOT_CLI_INSTALL_URL}" | PREFIX="${COPILOT_CLI_PREFIX}" bash |
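Review bot: Both branches pipe `curl` straight into `bash`, so the step's exit status is bash's alone: unless this script enables `pipefail`, a download that fails or is cut off part-way can leave bash running an empty or partial script while the build carries on. Suggest writing the response to a temporary file with `curl -fsSL -o`, checking curl's exit status, and only then running that file with `VERSION` and `PREFIX` set.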
The install_via_script function downloads a remote shell script via curl from COPILOT_CLI_INSTALL_URL and pipes it directly into bash without any integrity or authenticity verification. If the URL, DNS, or network is compromised—or if COPILOT_CLI_INSTALL_URL is overridden to a malicious endpoint—an attacker-controlled script will execute with build-time privileges and can fully compromise the resulting image and any secrets available during the build. To mitigate this, fetch a specific, pinned installer artifact and verify it using a checksum or vendor signature before execution instead of executing the HTTP response body directly via a pipe.
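One way to apply the mitigation described in the comment above: download the installer to a file, compare it with a pinned SHA-256, and execute only the verified file. This is an added example, not code from the PR or from the Copilot CLI project; the function names, the `INSTALLER_SHELL` variable and the pinned-digest argument are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the PR. Function names, INSTALLER_SHELL and the
# pinned-digest argument are hypothetical.

# Print the SHA-256 of a file as lowercase hex.
sha256_of() (
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
)

# Succeed only if the file matches a well-formed pinned digest.
verify_sha256() (
  file="$1"; expected="$2"
  # An unset or malformed pin must fail closed, never "match".
  [ "${#expected}" -eq 64 ] || exit 2
  case "$expected" in *[!0-9a-f]*) exit 2 ;; esac
  actual="$(sha256_of "$file")" || exit 2
  [ "$actual" = "$expected" ]
)

# Run an installer from disk only after its digest has been checked.
run_if_verified() (
  file="$1"; expected="$2"
  if ! verify_sha256 "$file" "$expected"; then
    echo "installer digest mismatch or invalid pin; refusing to run $file" >&2
    exit 1
  fi
  "${INSTALLER_SHELL:-bash}" "$file"
)

# Download to a temp file over HTTPS, then verify and run. A failed or
# truncated transfer is caught by curl's exit status or by the digest check,
# so it never reaches the interpreter.
install_via_pinned_script() (
  url="$1"; expected="$2"
  tmp="$(mktemp)" || exit 1
  trap 'rm -f "$tmp"' EXIT
  curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url" || exit 1
  run_if_verified "$tmp" "$expected"
)
```

The pinned digest has to be updated together with the installer version, so an overridden install URL alone is not enough to change what gets executed.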
| COPILOT_CLI_INSTALL_METHOD=auto \ | ||
| COPILOT_CLI_VERSION= \ | ||
| COPILOT_CLI_PREFIX=/usr/local \ | ||
| COPILOT_GITHUB_TOKEN=${COPILOT_GITHUB_TOKEN} \ |
The ENV COPILOT_GITHUB_TOKEN=${COPILOT_GITHUB_TOKEN} line bakes whatever COPILOT_GITHUB_TOKEN is set to at build time (including a real GitHub personal access token from the host environment or build args) directly into the final image. Anyone with access to the image or a running container can read this environment variable (e.g., via docker inspect or /proc), leading to credential theft and compromise of the associated GitHub account. Avoid persisting this token in the image and instead pass it only at runtime when needed, ensuring it is not stored in image layers or default ENV values.
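The token comments in this thread (the malformed placeholder default, the build-time login, and the `ENV` line) all point toward handling the token only at container start. A sketch of that for an entrypoint script follows; it is an added example, not the PR's code. `token_is_usable` and `runtime_copilot_login` are hypothetical names, the `[A-Za-z0-9_]` token alphabet is an assumption, and `copilot auth login --with-token` is taken from the snippet under review.

```shell
#!/bin/sh
# Added example, not code from the PR. Function names are hypothetical.
PLACEHOLDER="your_github_personal_access_token_here"

# Succeed only for a value that could be a real token: non-empty, not the
# placeholder (even with stray characters appended), and made up solely of
# [A-Za-z0-9_] (assumed token alphabet, so whitespace or "}" is rejected).
token_is_usable() (
  token="$1"
  [ -n "$token" ] || exit 1
  case "$token" in
    "$PLACEHOLDER"*) exit 1 ;;
    *[!A-Za-z0-9_]*) exit 1 ;;
  esac
  exit 0
)

# Log in at container start with a token supplied at runtime
# (for example `docker run -e COPILOT_GITHUB_TOKEN=...`), never at build time.
runtime_copilot_login() {
  _tok="${COPILOT_GITHUB_TOKEN:-}"
  # Drop the variable so processes started later do not inherit it.
  unset COPILOT_GITHUB_TOKEN
  if ! token_is_usable "$_tok"; then
    echo "No usable COPILOT_GITHUB_TOKEN; log in to Copilot CLI manually." >&2
    unset _tok
    return 1
  fi
  # printf keeps the token off any command line; it travels only on stdin.
  printf '%s\n' "$_tok" | copilot auth login --with-token
  _rc=$?
  unset _tok
  return "$_rc"
}

# In entrypoint.sh (assumed layout):
#   runtime_copilot_login || true
#   exec "$@"
```

With this in place the Dockerfile needs no `ENV COPILOT_GITHUB_TOKEN=...` line at all, so nothing token-related lands in an image layer or in the image's default environment.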
Summary
Testing
Closes #13