Skip to content

feat: 优化开发容器配置和开发环境 #57

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
andaoai wants to merge 6 commits into
base: main
Choose a base branch
from
Open

feat: 优化开发容器配置和开发环境 #57

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
665dbf0
refactor: 完善VS Code Dev Containers配置,添加MongoDB支持
andaoai Nov 17, 2025
e24a8cf
Merge remote-tracking branch 'origin/main' into feat/devcontainer-ali…
andaoai Nov 18, 2025
fc548f3
feat: 配置开发环境使用 uv 进行依赖管理
andaoai Nov 18, 2025
10c6f42
feat: 更新开发容器配置以优化开发环境
andaoai Nov 18, 2025
e33e1b2
fix: 移除重复的硬编码环境变量并修复用户权限
andaoai Nov 22, 2025
af69a13
fix: 切换开发容器用户为root以支持VSCode命令执行
andaoai Nov 22, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
64 changes: 57 additions & 7 deletions .devcontainer/devcontainer.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,14 @@
{
"name": "Python & Typescript",
"image": "ghcr.io/prulloac/base:bookworm",
"name": "Code Review GPT (Dev Environment)",

// 👇 使用 Docker Compose 方式支持多服务
"dockerComposeFile": "docker-compose.yml",

// 👇 指定主开发容器服务
"service": "app",

// 👇 工作目录
"workspaceFolder": "/workspaces",

// 👇 Features to add to the Dev Container. More info: https://containers.dev/implementors/features.
"features": {
Expand All @@ -12,14 +20,56 @@
},

// 👇 Commands to run when the container is created.
"postCreateCommand": "curl -LsSf https://astral.sh/uv/install.sh | sh"
"postCreateCommand": "curl -LsSf https://astral.sh/uv/install.sh | sh && cd /workspaces/backend && uv sync",
Copy link

@coderabbitai coderabbitai bot Nov 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Inefficient uv installation on every container creation.

Installing uv via a shell script in postCreateCommand runs on every container creation, which is inefficient. The uv tool should be installed once during the Docker image build process.

Move the uv installation to the Dockerfile or a build script so it's baked into the image, then simplify the postCreateCommand:

-	"postCreateCommand": "curl -LsSf https://astral.sh/uv/install.sh | sh && cd /workspaces/backend && uv sync",
+	"postCreateCommand": "cd /workspaces/backend && uv sync",

Ensure your Docker image (referenced by docker-compose.yml) installs uv during the build:

RUN curl -LsSf https://astral.sh/uv/install.sh | sh
ENV PATH="/root/.cargo/bin:${PATH}"
🤖 Prompt for AI Agents 
.devcontainer/devcontainer.json around line 23: the postCreateCommand currently
installs uv on every container creation which is inefficient; move the uv
installation into the Docker image build instead (e.g., add the curl install
command and PATH update in the Dockerfile or build script used by
docker-compose), then simplify postCreateCommand to only run workspace setup
(remove the curl install) so uv is baked into the image and not reinstalled each
time.


// 👇 端口转发 - 将服务端口暴露到本地
"forwardPorts": [8000, 3000, 27017],

// 👇 Use 'forwardPorts' to make a list of ports inside the container available locally.
// "forwardPorts": [],
// 👇 端口属性
"portsAttributes": {
"8000": {
"label": "Django Backend",
"onAutoForward": "notify"
},
"3000": {
"label": "Vue.js Frontend",
"onAutoForward": "notify"
},
"27017": {
"label": "MongoDB",
"onAutoForward": "silent"
}
},

// 👇 Configure tool-specific properties.
// "customizations": {},
"customizations": {
"vscode": {
"extensions": [
"ms-python.python",
"ms-python.black-formatter",
"ms-python.flake8",
"Vue.volar",
"Vue.vscode-typescript-vue-plugin",
"bradlc.vscode-tailwindcss",
"ms-azuretools.vscode-docker"
],
"settings": {
"python.defaultInterpreterPath": "/usr/local/bin/python",
Copy link

@coderabbitai coderabbitai bot Nov 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify Python interpreter path for uv-managed environments.

The configured Python interpreter path /usr/local/bin/python may not match where uv creates or locates the Python interpreter in its virtual environment.

Once the container is running, verify the correct interpreter path by running:

Then update the setting to match the actual interpreter path if needed. Alternatively, leave the setting unset and let VSCode auto-detect from the uv environment.

🏁 Script executed:

cd /workspaces/backend && uv run which python

Length of output: 69

I need to gather information about how uv manages Python interpreters and the best practices for VSCode devcontainer configuration.

I need to examine the actual devcontainer configuration to provide a more informed rewrite. Let me search for the full devcontainer.json file.

This command didn't clonethe repository. Let me try with the repo:


---

🏁 Script executed:

```shell
#!/bin/bash
# Find and examine devcontainer.json
fd devcontainer.json --type f

Length of output: 0

🏁 Script executed:

#!/bin/bash
# Examine the devcontainer.json file
cat .devcontainer/devcontainer.json | head -100

Length of output: 1986

Now let me search for best practices on configuring uv with VSCode devcontainers.

Now I have enough information to provide a definitive rewrite. The review's concern is valid—the hardcoded /usr/local/bin/python points to the system Python, not the uv-managed virtual environment.

Update python.defaultInterpreterPath to point to the uv-managed virtual environment instead of the system Python.

Based on the devcontainer configuration, uv sync is run in /workspaces/backend (line 16: postCreateCommand: "curl ... && cd /workspaces/backend && uv sync"), which creates .venvat that location. Updatepython.defaultInterpreterPath` to use the workspace-relative variable for the venv position with uv.

Change line 57 from:

"python.defaultInterpreterPath": "/usr/local/bin/python",

To:

"python.defaultInterpreterPath": "/workspaces/backend/.venv/bin/python",
🤖 Prompt for AI Agents 
.devcontainer/devcontainer.json around line 57: the
python.defaultInterpreterPath is hardcoded to the system Python
(/usr/local/bin/python) which won't point to the uv-created virtualenv; change
it to the workspace venv path used by the postCreateCommand (set
python.defaultInterpreterPath to /workspaces/backend/.venv/bin/python) so VSCode
uses the uv-managed virtual environment.

"python.formatting.provider": "black",
"editor.formatOnSave": true
}
}
},

// 👇 挂载卷(如果有需要持久化的数据)
"mounts": [
"source=${localWorkspaceFolder}/backend,target=/workspaces/backend,type=bind",
"source=${localWorkspaceFolder}/frontend,target=/workspaces/frontend,type=bind"
],

// 👇 生命周期脚本
"postStartCommand": "cd /workspaces/backend && uv run python manage.py migrate",
Copy link

@coderabbitai coderabbitai bot Nov 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Reconsider automatic database migrations on startup.

Running migrate automatically on every container start could cause issues, especially if:

  • Migrations fail and prevent the container from starting properly
  • Multiple developers work on conflicting migrations
  • The database state is inconsistent

Consider making migrations a manual step or at least make it more robust:

-	"postStartCommand": "cd /workspaces/backend && uv run python manage.py migrate",
+	"postStartCommand": "cd /workspaces/backend && uv run python manage.py migrate --check || echo 'Migrations need to be applied. Run: uv run python manage.py migrate'",

Or simply document that developers should run migrations manually when needed.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
"postStartCommand": "cd /workspaces/backend && uv run python manage.py migrate",
"postStartCommand": "cd /workspaces/backend && uv run python manage.py migrate --check || echo 'Migrations need to be applied. Run: uv run python manage.py migrate'",
🤖 Prompt for AI Agents 
In .devcontainer/devcontainer.json around line 79, the postStartCommand
auto-runs Django migrations on every container start which can cause failed
starts and conflicts; change this to either remove the automatic migrate and
document that developers must run python manage.py migrate manually, or make it
opt-in by replacing the command with a conditional that checks an environment
variable (e.g. DEV_AUTO_MIGRATE) and only runs `python manage.py migrate` when
that variable is true, ensuring the container will not fail on migration errors.


// 👇 Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root.
// "remoteUser": "root"
"remoteUser": "vscode"
}
50 changes: 50 additions & 0 deletions .devcontainer/docker-compose.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
version: '3.8'

services:
# 主开发容器应用
app:
image: ghcr.io/prulloac/base:bookworm
container_name: dev_code_review_app
restart: unless-stopped
command: sleep infinity
volumes:
- ..:/workspaces:cached
- uv_cache:/root/.cache/uv
working_dir: /workspaces
networks:
- dev_network
environment:
- MONGODB_HOST=mongodb
- MONGODB_PORT=27017
- MONGODB_USER=admin
- MONGODB_PASSWORD=password
Comment on lines +17 to +20
Copy link

@coderabbitai coderabbitai bot Nov 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Use secrets or environment files for MongoDB credentials.

Hard-coded credentials (admin/password) are present in the compose file, even for development. This creates a security risk if the file is accidentally committed with production-like credentials or if developers adopt this pattern for other environments.

Consider using a .env file (excluded from git) or Docker secrets:

+    env_file:
+      - .env
     environment:
       - MONGODB_HOST=mongodb
       - MONGODB_PORT=27017
-      - MONGODB_USER=admin
-      - MONGODB_PASSWORD=password
+      - MONGODB_USER=${MONGODB_USER}
+      - MONGODB_PASSWORD=${MONGODB_PASSWORD}
       - UV_LINK_MODE=copy

And for the MongoDB service:

     environment:
-      MONGO_INITDB_ROOT_USERNAME: admin
-      MONGO_INITDB_ROOT_PASSWORD: password
+      MONGO_INITDB_ROOT_USERNAME: ${MONGODB_USER}
+      MONGO_INITDB_ROOT_PASSWORD: ${MONGODB_PASSWORD}
       MONGO_INITDB_DATABASE: code_review_gpt

Then create a .env.example file with placeholders and add .env to .gitignore.

Also applies to: 33-36

🤖 Prompt for AI Agents 
.devcontainer/docker-compose.yml lines 17-20 (and similarly 33-36) contain
hard-coded MongoDB credentials; replace them with references to environment
variables or Docker secrets, move actual values into a local .env (or create
Docker secrets) that is excluded from git, add a .env.example with placeholder
values to the repo, and add .env to .gitignore; update the compose file to use
env_file or secret references for MONGODB_HOST, MONGODB_PORT, MONGODB_USER, and
MONGODB_PASSWORD so no plaintext credentials remain in the committed compose
file.

- UV_LINK_MODE=copy
depends_on:
- mongodb
ports:
- "3000:3000"
- "8000:8000"

# MongoDB 服务
mongodb:
image: mongo:6.0
Copy link

@coderabbitai coderabbitai bot Nov 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

Verify MongoDB version compatibility.

MongoDB 6.0 is being used. Ensure this version is compatible with your application requirements and has no known security vulnerabilities.

🌐 Web query:

What is the latest stable version of MongoDB and are there any known security issues with MongoDB 6.0?

💡 Result:

Latest stable MongoDB (on‑premises): 8.2.1 (current production release). [1][5]

Known security issues with MongoDB 6.0 (summary):

  • MongoDB 6.0 reached End-of-Life on July 31, 2025 — it is no longer fully supported. [2]
  • Multiple security vulnerabilities affecting 6.0 were disclosed in 2025 (examples): CVE-2025-6709 (OIDC-related DoS, requires auth on 6.0; fixed in 6.0.21+), CVE-2025-6707 (privilege-cache race, fixed in 6.0.24+), and CVE-2025-10061 (aggregation/$group crash, fixed in later 6.0 patches). You should upgrade to the latest 6.0 patch (or to 8.2.x) or apply MongoDB’s security patches. [3][4][5]

If you want, I can list all 6.0 CVEs with affected/patched subversions and upgrade recommendations for your deployment.

Upgrade MongoDB from 6.0 — version is EOL and has known security vulnerabilities.

MongoDB 6.0 reached End-of-Life on July 31, 2025 and is no longer fully supported. Multiple security vulnerabilities affecting 6.0 were disclosed in 2025, including privilege escalation and denial-of-service issues. Upgrade to the latest 6.0 patch or to 8.2.x, or apply MongoDB's security patches. The latest stable version is MongoDB 8.2.1.

🤖 Prompt for AI Agents 
.devcontainer/docker-compose.yml around line 30: the service currently pins
image: mongo:6.0 which is EOL and insecure; update the image to a supported
release (recommended: mongo:8.2.1) or at minimum to the latest 6.0 patch (e.g.,
mongo:6.0.X) depending on compatibility, then adjust any MongoDB-specific
configuration (auth, featureCompatibilityVersion, storage engine settings) if
required for the newer major version, run local integration tests and migrate or
backup data before switching, and update any documentation or CI/devcontainer
references to reflect the new image tag.

container_name: dev_code_review_mongodb
restart: unless-stopped
environment:
MONGO_INITDB_ROOT_USERNAME: admin
MONGO_INITDB_ROOT_PASSWORD: password
MONGO_INITDB_DATABASE: code_review_gpt
ports:
- "27017:27017"
volumes:
- mongodb_dev_data:/data/db
networks:
- dev_network

volumes:
mongodb_dev_data:
uv_cache:

networks:
dev_network:
driver: bridge
31 changes: 31 additions & 0 deletions backend/pyproject.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
[project]
name = "code-review-gpt-gitlab"
version = "1.0.0"
description = "Code Review GPT GitLab Backend"
requires-python = ">=3.11"

dependencies = [
"Django==4.1.13",
"djangorestframework==3.14.0",
"django-cors-headers==4.3.1",
"requests==2.31.0",
"requests-toolbelt==1.0.0",
"retrying==1.3.4",
"openai==1.59.7",
"unionllm==0.1.23",
"litellm==1.58.2",
"python-gitlab==3.15.0",
"python-dateutil==2.8.2",
"gunicorn==21.2.0",
"gevent==23.9.1",
"python-dotenv==1.0.0",
"psutil==5.9.8",
]

[dependency-groups]
dev = [
"black>=23.0.0",
"flake8>=6.0.0",
"pytest>=7.0.0",
"pytest-django>=4.5.0",
]
Comment on lines +1 to +31
Copy link

@coderabbitai coderabbitai bot Nov 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify dependency versions for security vulnerabilities and latest releases.

Several dependencies are pinned to specific versions that may be outdated or have known security vulnerabilities. Given the project involves Django and OpenAI integrations, it's critical to ensure these are secure.

Run the following script to check for security advisories and available updates:

🏁 Script executed:

#!/bin/bash
# Check for security vulnerabilities in Python dependencies

echo "=== Checking for security advisories ==="
for pkg in "Django" "djangorestframework" "django-cors-headers" "requests" "openai" "python-gitlab" "gunicorn" "gevent"; do
  echo "--- $pkg ---"
  gh api graphql -f query="
  {
    securityVulnerabilities(first: 5, ecosystem: PIP, package: \"$pkg\") {
      nodes {
        advisory {
          summary
          severity
          publishedAt
        }
        vulnerableVersionRange
        firstPatchedVersion {
          identifier
        }
      }
    }
  }"
done

echo ""
echo "=== Checking latest versions on PyPI ==="
for pkg in "Django" "djangorestframework" "django-cors-headers" "requests" "openai" "litellm" "python-gitlab" "gunicorn"; do
  echo -n "$pkg: "
  curl -s "https://pypi.org/pypi/$pkg/json" | jq -r '.info.version'
done

Length of output: 4857

Update dependencies to address critical and high-severity security vulnerabilities.

Verification found multiple security issues:

  • CRITICAL: Django 4.1.13 contains SQL injection vulnerability via _connector keyword argument (update to ≥4.2.26)
  • HIGH: Gunicorn 21.2.0 contains HTTP Request/Response Smuggling and request smuggling vulnerabilities (update to ≥22.0.0)
  • MODERATE: Requests 2.31.0 contains .netrc credentials leak and session verification bypass (update to ≥2.32.4)
  • LOW/MODERATE: djangorestframework 3.14.0 contains XSS vulnerabilities (update to ≥3.15.2)

Recommended versions: Django ≥4.2.26, Gunicorn ≥22.0.0, requests ≥2.32.5, djangorestframework ≥3.16.1

🤖 Prompt for AI Agents 
In backend/pyproject.toml around lines 1 to 31, several pinned dependencies have
known security vulnerabilities; update the listed packages to the recommended
minimum safe versions: set "Django" to >=4.2.26 (or a specific secure patch),
"gunicorn" to >=22.0.0, "requests" to >=2.32.5 (or >=2.32.4 if preferred), and
"djangorestframework" to >=3.16.1, then run dependency resolution
(pip-tools/poetry/installer) and run tests to ensure compatibility and adjust
any code breaking changes.

Loading