feat: update container to use correct skill OD-71#1
Code Review
This pull request splits the container's execution into a local-pipeline.sh and a new server-pipeline.sh for server-side autoconfiguration, while narrowing the outbound firewall rules to only allow Claude, Gemini, and Codacy. The review feedback highlights critical improvements for shell script robustness and security in these new scripts. Key recommendations include enabling pipefail in the local pipeline, properly managing set -e error handling around the Claude pipeline and curl uploads in the server pipeline, and preventing credential exposure in .git/config by using Git's http.extraheader instead of embedding the token in the clone URL.
| # Local pipeline: tunes an already-on-Codacy repository's cloud config from a mounted source folder. | ||
| # Runs the /configure-codacy-cloud skill, which uses Codacy Cloud reanalysis (no local analysis tools). | ||
| # Requirement: the repo at /workspace must already be on Codacy with at least one finished analysis. | ||
| set -e |
In local-pipeline.sh, set -e is enabled but pipefail is not. This means if claude fails but jq succeeds in the pipeline (lines 11-15), the script will still exit with a success status (0), silently hiding failures. Enabling pipefail ensures that the pipeline's exit status reflects any failure in the command chain.
| set -e | |
| set -eo pipefail |
| # Validates env vars, clones the repo, runs the configure-codacy-cloud skill, | ||
| # uploads the summary JSONL to a presigned S3 URL, and exits with the correct status. | ||
|
|
||
| set -uo pipefail |
The script uses set -uo pipefail but is missing set -e. Without set -e, critical commands like cd or mkdir could fail, and the script would continue executing in an invalid state. To safely handle the potential failure of the claude command while keeping the rest of the script protected by set -e, we can enable set -e globally and temporarily disable it (set +e) around the claude pipeline.
| set -uo pipefail | |
| set -euo pipefail |
| CLONE_URL="https://${GIT_USERNAME}:${GIT_TOKEN}@${CLONE_HOST}/${CODACY_ORG_NAME}/${CODACY_REPO_NAME}.git" | ||
|
|
||
| echo "==> Cloning ${CODACY_PROVIDER}/${CODACY_ORG_NAME}/${CODACY_REPO_NAME} into ${WORKSPACE}" | ||
| if ! git clone --depth 1 "${CLONE_URL}" "${WORKSPACE}" 2>&1 | sed "s|${GIT_USERNAME}:[^@]*@|${GIT_USERNAME}:***@|g"; then | ||
| echo "ERROR: git clone failed" >&2 | ||
| exit 1 | ||
| fi |
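Review bot: the sed mask on the clone line is cosmetic and brittle. `${GIT_USERNAME}` is interpolated into the regex unescaped, so a username with regex metacharacters breaks the pattern, and `[^@]*` stops at the first `@`, so anything after an `@` in the token would print unmasked. Masking the clone output also does nothing for the copy Git writes to `.git/config` under `remote.origin.url`; the credential needs to be passed outside the URL rather than scrubbed from the log.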
Cloning the repository with the token embedded in the URL (https://username:token@host/...) causes Git to store the plain-text token in .git/config under remote.origin.url. Any subsequent tool or process running in the container can read this file and steal the token.
Using Git's http.extraheader configuration option passes the token securely via an HTTP header for the duration of the clone command without persisting it to .git/config.
| CLONE_URL="https://${GIT_USERNAME}:${GIT_TOKEN}@${CLONE_HOST}/${CODACY_ORG_NAME}/${CODACY_REPO_NAME}.git" | |
| echo "==> Cloning ${CODACY_PROVIDER}/${CODACY_ORG_NAME}/${CODACY_REPO_NAME} into ${WORKSPACE}" | |
| if ! git clone --depth 1 "${CLONE_URL}" "${WORKSPACE}" 2>&1 | sed "s|${GIT_USERNAME}:[^@]*@|${GIT_USERNAME}:***@|g"; then | |
| echo "ERROR: git clone failed" >&2 | |
| exit 1 | |
| fi | |
| CLONE_URL="https://${CLONE_HOST}/${CODACY_ORG_NAME}/${CODACY_REPO_NAME}.git" | |
| AUTH_HEADER=$(printf "%s:%s" "${GIT_USERNAME}" "${GIT_TOKEN}" | base64 | tr -d '\n') | |
| echo "==> Cloning ${CODACY_PROVIDER}/${CODACY_ORG_NAME}/${CODACY_REPO_NAME} into ${WORKSPACE}" | |
| if ! git -c http.extraheader="Authorization: Basic ${AUTH_HEADER}" clone --depth 1 "${CLONE_URL}" "${WORKSPACE}"; then | |
| echo "ERROR: git clone failed" >&2 | |
| exit 1 | |
| fi |
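A post-clone check for the persistence problem described in this comment, added here as an example and not part of the pull request: it inspects a `.git/config` for an embedded URL credential or a stored Authorization header. The sample config files are constructed, with `TOKEN_PLACEHOLDER` in place of a real secret.

```shell
#!/usr/bin/env bash
# Added example (not from the PR): a post-clone check for the persistence problem above.
# Exits 0 when the given .git/config carries a credential, 1 when it is clean, so it can
# be used as `if git_config_has_secret "$WORKSPACE/.git/config"; then ...; fi`.
git_config_has_secret() {
  local cfg="$1"    # path to a .git/config file
  # url = scheme://user:secret@host/... (a userinfo part with a password), which is
  # exactly what a clone from https://user:token@host leaves under remote.origin.url
  if grep -Eq '^[[:space:]]*url[[:space:]]*=[[:space:]]*[A-Za-z]+://[^/@[:space:]]+:[^/@[:space:]]+@' "$cfg"; then
    return 0
  fi
  # an Authorization header that was written into config (git config http.extraheader ...)
  # rather than passed on the command line with -c would persist the secret just the same
  if grep -Eiq '^[[:space:]]*extraheader[[:space:]]*=[[:space:]]*authorization:' "$cfg"; then
    return 0
  fi
  return 1
}

# Constructed sample configs (not real clones; TOKEN_PLACEHOLDER stands in for a token)
# so the check can be exercised offline. Writes leaky.config and clean.config into "$1".
write_sample_configs() {
  local dir="$1"
  printf '[remote "origin"]\n\turl = https://bot:TOKEN_PLACEHOLDER@example.invalid/org/repo.git\n\tfetch = +refs/heads/*:refs/remotes/origin/*\n' > "$dir/leaky.config"
  printf '[remote "origin"]\n\turl = https://example.invalid/org/repo.git\n\tfetch = +refs/heads/*:refs/remotes/origin/*\n' > "$dir/clean.config"
}
```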
| echo "==> Running configure-codacy-cloud" | ||
| claude -p "/configure-codacy-cloud" \ | ||
| --output-format stream-json \ | ||
| --verbose \ | ||
| --include-partial-messages \ | ||
| | jq --unbuffered -rj 'select(.type == "stream_event" and .event.delta.type? == "text_delta") | .event.delta.text' | ||
| SKILL_EXIT=${PIPESTATUS[0]} |
To support set -e globally, temporarily disable exit-on-error (set +e) before running the claude pipeline, and re-enable it (set -e) immediately after capturing the exit status.
| echo "==> Running configure-codacy-cloud" | |
| claude -p "/configure-codacy-cloud" \ | |
| --output-format stream-json \ | |
| --verbose \ | |
| --include-partial-messages \ | |
| | jq --unbuffered -rj 'select(.type == "stream_event" and .event.delta.type? == "text_delta") | .event.delta.text' | |
| SKILL_EXIT=${PIPESTATUS[0]} | |
| echo "==> Running configure-codacy-cloud" | |
| set +e | |
| claude -p "/configure-codacy-cloud" \ | |
| --output-format stream-json \ | |
| --verbose \ | |
| --include-partial-messages \ | |
| | jq --unbuffered -rj 'select(.type == "stream_event" and .event.delta.type? == "text_delta") | .event.delta.text' | |
| SKILL_EXIT=${PIPESTATUS[0]} | |
| set -e |
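The three behaviours discussed in this thread (plain `set -e`, `set -eo pipefail` with no guard, and the `set +e` / `PIPESTATUS` / `set -e` pattern), as an added example that is not part of the pull request; `fake_claude` and `fake_jq` are stand-ins for the real commands.

```shell
#!/usr/bin/env bash
# Added example (not from the PR): the three exit-status behaviours discussed above,
# reproduced with stand-ins for `claude` and `jq`. Requires bash for PIPESTATUS.

# Stand-in for `claude -p ...`: emits one event line, then exits with the given status.
fake_claude() { echo '{"type":"stream_event"}'; return "$1"; }

# Stand-in for the `jq` filter: consumes stdin and always succeeds.
fake_jq() { cat >/dev/null; }

# 1. Plain `set -e`, no pipefail: the pipeline's status is fake_jq's 0, so a failing
#    fake_claude neither aborts the script nor shows up in `$?`.
status_with_set_e_only() (
  set -e
  fake_claude 3 | fake_jq
  echo "$?"                      # prints 0: the failure is masked
)

# 2. `set -eo pipefail` with no guard: the pipeline now returns 3 and set -e aborts the
#    shell right there, before any line that would read PIPESTATUS runs.
status_with_pipefail_unguarded() (
  set +e                         # keep this demo wrapper alive; the inner subshell aborts
  ( set -eo pipefail; fake_claude 3 | fake_jq; echo "reached" )
  echo "aborted:$?"              # prints aborted:3; "reached" never appears
)

# 3. The reviewed pattern: set -e stays on globally, is switched off only around the
#    pipeline, PIPESTATUS[0] (the first command's status) is read immediately, then
#    set -e is switched back on. The skill's real status is captured and the script
#    can decide what to do with it.
skill_exit_with_guard() (
  set -eo pipefail
  set +e
  fake_claude 3 | fake_jq
  skill_exit=${PIPESTATUS[0]}
  set -e
  echo "$skill_exit"             # prints 3
)
```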
| HTTP_CODE=$( | ||
| curl --silent --show-error \ | ||
| --request PUT \ | ||
| --retry 5 \ | ||
| --retry-delay 2 \ | ||
| --retry-connrefused \ | ||
| --max-time 60 \ | ||
| --upload-file "${SUMMARY_PATH}" \ | ||
| --write-out '%{http_code}' \ | ||
| --output /dev/null \ | ||
| "${RESULT_UPLOAD_URL}" | ||
| ) |
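Review bot: `--retry 5` only re-sends on transient failures (connection errors, timeouts and HTTP 408/429/500/502/503/504), so a 403 from an expired presigned URL comes back on the first attempt with curl exit status 0 and `HTTP_CODE=403`, and a transfer that never got a response yields `000` from `--write-out '%{http_code}'`. Make sure the handling after this block treats any non-2xx value, including `000`, as an upload failure rather than only checking that curl itself returned 0.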
If set -e is enabled, a network failure during the curl command (e.g., DNS resolution failure) will cause the script to exit immediately instead of executing the custom error handling block. Appending || HTTP_CODE="" allows the script to continue and gracefully handle the failure.
| HTTP_CODE=$( | |
| curl --silent --show-error \ | |
| --request PUT \ | |
| --retry 5 \ | |
| --retry-delay 2 \ | |
| --retry-connrefused \ | |
| --max-time 60 \ | |
| --upload-file "${SUMMARY_PATH}" \ | |
| --write-out '%{http_code}' \ | |
| --output /dev/null \ | |
| "${RESULT_UPLOAD_URL}" | |
| ) | |
| HTTP_CODE=$( | |
| curl --silent --show-error \ | |
| --request PUT \ | |
| --retry 5 \ | |
| --retry-delay 2 \ | |
| --retry-connrefused \ | |
| --max-time 60 \ | |
| --upload-file "${SUMMARY_PATH}" \ | |
| --write-out '%{http_code}' \ | |
| --output /dev/null \ | |
| "${RESULT_UPLOAD_URL}" | |
| ) || HTTP_CODE="" |
Pull request overview
Updates the autoconfig container to run the /configure-codacy-cloud skill and support two execution modes: a local developer workflow (mounted repo) and a server-side AAM/k8s workflow (clone + upload summary), aligning runtime behavior and egress controls with “cloud reanalysis only”.
Changes:
- Replace the single legacy pipeline with `local-pipeline.sh` (default) and a new `server-pipeline.sh` for k8s/AAM.
- Narrow the in-container firewall allowlist (and skip it in k8s via `RUNNING_IN_K8S`) and update docs accordingly.
- Adjust the Docker image to include the new pipelines and configure-codacy-cloud skill reference.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| README.md | Documents cloud-only behavior, updated run examples, and the two pipeline modes. |
| docker/server-pipeline.sh | New server pipeline: validates env, clones via token, runs skill, uploads JSONL summary. |
| docker/pipeline.sh | Removes legacy pipeline entrypoint script. |
| docker/local-pipeline.sh | New local pipeline to run /configure-codacy-cloud against /workspace. |
| docker/init-firewall.sh | Narrows egress allowlist to Claude/Gemini/Codacy endpoints and updates messaging. |
| docker/entrypoint.sh | Skips firewall init when RUNNING_IN_K8S is set (k8s relies on NetworkPolicy). |
| docker/Dockerfile | Adds new pipelines, adds configure-codacy-cloud command, changes skills fetch behavior. |
| docker-compose.yml | Removes container memory limits from compose configuration. |
| -v codacy-tool-cache:/home/node/.codacy \ | ||
| -v $(pwd):/workspace \ | ||
| --env-file /path/to/.env \ | ||
| --env-file ./../.env \ | ||
| codacy/autoconfig |
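Review bot: `--env-file ./../.env` in the README example replaces a neutral placeholder with a path relative to wherever the reader happens to run `docker run`, one level above the current directory. Keep a placeholder such as `/path/to/.env`, or state the directory the example assumes, so readers do not hand the container an unintended `.env` full of credentials.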
| The image ships two entrypoint scripts: | ||
|
|
||
| - `local-pipeline.sh` (default). For developers running the container against a mounted source folder. Used by | ||
| `docker compose` and the `docker run` examples above. Invokes `/configure-codacy-cloud` against `/workspace`. | ||
| - `server-pipeline.sh`. For the Active Analysis Manager (AAM) in production. Clones the repository via `GIT_TOKEN`, | ||
| invokes `/configure-codacy-cloud`, and uploads a JSONL summary to a presigned S3 URL. The clone URL is built per | ||
| provider (`CODACY_PROVIDER` of `gh`/`ghe` for GitHub, `gl`/`gle` for GitLab, `bb` for Bitbucket). |
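Review bot: the `server-pipeline.sh` bullet says the clone happens "via `GIT_TOKEN`", but the script also requires `GIT_USERNAME` (the clone URL is built as `https://${GIT_USERNAME}:${GIT_TOKEN}@...`), `CODACY_PROVIDER`, `CODACY_ORG_NAME`, `CODACY_REPO_NAME` and `RESULT_UPLOAD_URL`. List the full set of required environment variables here, since this README is where an AAM operator will look for them.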
| # Local pipeline: tunes an already-on-Codacy repository's cloud config from a mounted source folder. | ||
| # Runs the /configure-codacy-cloud skill, which uses Codacy Cloud reanalysis (no local analysis tools). | ||
| # Requirement: the repo at /workspace must already be on Codacy with at least one finished analysis. | ||
| set -e |
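Review bot: the header states a precondition (the repo at `/workspace` must already be on Codacy with a finished analysis) that nothing in this hunk verifies, so a violation surfaces later as a confusing skill error instead of a clear message at startup; consider failing fast with an explicit check. Also, as the earlier review comment notes, `set -e` alone does not catch a failure of the first command in a pipeline; use `set -eo pipefail`.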
| # Pre-bake skills — Claude loads via --plugin-dir, Gemini installs from local path | ||
| # ADD'ing the master ref content makes Docker invalidate this layer whenever codacy-skills master moves, | ||
| # so a fresh `docker build` always gets the latest skills without --no-cache. | ||
| ADD https://api.github.com/repos/codacy/codacy-skills/git/refs/heads/master /tmp/codacy-skills-ref | ||
| RUN git clone --depth 1 https://github.com/codacy/codacy-skills.git /opt/codacy-skills |
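Review bot: `ADD https://api.github.com/repos/codacy/codacy-skills/git/refs/heads/master` deliberately busts the cache so every build clones whatever `master` currently is. That makes the image non-reproducible and means any commit to that branch lands, unreviewed, in a container that runs with the repository token; the skills are a supply-chain input here. Prefer cloning a tag or a pinned commit (for example a `checkout <sha>` driven by a build arg) and bumping it intentionally, or at least record the resolved commit in the image so a given build can be traced back. The unauthenticated `api.github.com` request at build time is also subject to rate limiting.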
| CLONE_URL="https://${GIT_USERNAME}:${GIT_TOKEN}@${CLONE_HOST}/${CODACY_ORG_NAME}/${CODACY_REPO_NAME}.git" | ||
|
|
||
| echo "==> Cloning ${CODACY_PROVIDER}/${CODACY_ORG_NAME}/${CODACY_REPO_NAME} into ${WORKSPACE}" | ||
| if ! git clone --depth 1 "${CLONE_URL}" "${WORKSPACE}" 2>&1 | sed "s|${GIT_USERNAME}:[^@]*@|${GIT_USERNAME}:***@|g"; then | ||
| echo "ERROR: git clone failed" >&2 | ||
| exit 1 | ||
| fi | ||
|
|
||
| cd "${WORKSPACE}" |
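Review bot: `cd "${WORKSPACE}"` runs unchecked, and this script only sets `set -uo pipefail` (no `-e`), so if the directory is missing or unreadable the script keeps going in the wrong working directory and the skill runs against whatever is there. Use `cd "${WORKSPACE}" || exit 1`, or enable `set -e` as suggested in the earlier comment.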
No description provided.