
[WIP] MAINT: Optimize devcontainer Dockerfile#1437

Draft
spencrr wants to merge 1 commit into Azure:main from spencrr:spencrr/devcontainer-dockerfile-optimize

Conversation

Contributor

@spencrr spencrr commented Mar 4, 2026

Description

Optimizes the devcontainer Dockerfile to significantly improve build speed, reduce image size, and tighten permissions.

Key changes:

Build performance

  • Use BuildKit cache mounts (--mount=type=cache) for all apt-get layers instead of apt-get clean && rm -rf /var/lib/apt/lists/* — cached packages persist across rebuilds, so subsequent docker build invocations skip re-downloading unchanged packages. This is a Docker best practice for development images recommended by Copilot.
  • Install uv via COPY --from=ghcr.io/astral-sh/uv:0.10.8 multi-stage copy instead of curl | sh — avoids a network round-trip, shell pipe execution, and the extra cleanup of /root/.local/bin. Multi-stage COPY --from is a Docker best practice recommended by Copilot for installing standalone binaries.
  • Remove redundant npm install -g npm@latest — the NodeSource setup script already installs a compatible npm version, and running a global npm self-upgrade adds build time and a mutable layer. Copilot flagged this as unnecessary.

Image size

  • Add --no-install-recommends to all apt-get install invocations — Debian's "Recommends" packages are not required for runtime correctness and can add 100+ MB of unnecessary dependencies (e.g., X11 libs, man pages). This is a widely recognized Dockerfile best practice recommended by Copilot.
  • Remove apt-transport-https — this package was required on older Debian/Ubuntu versions (pre-Buster) to enable HTTPS in APT. Since Debian Bookworm, HTTPS support is built into apt natively, making this package a no-op. Copilot identified it as obsolete for the current base image.
  • Remove lsb-release — this was previously used to dynamically detect the distro codename for the Microsoft APT repo URL. Since the repo URL is now hardcoded to bookworm (matching the pinned base image), lsb-release is no longer needed. Copilot confirmed the removal is safe given the pinned base.

Reproducibility

  • Pin base image to python:3.11-bookworm instead of python:3.11 — the untagged variant can silently shift between Debian releases (e.g., Bookworm → Trixie) when Microsoft updates the base image, potentially breaking apt repo URLs and package availability. Pinning to a specific distro release is a Copilot-recommended best practice for deterministic builds.
  • Set DEBIAN_FRONTEND=noninteractive as a global ENV instead of inline per-command — prevents any apt-get invocation from prompting for interactive input (e.g., timezone or keyboard layout). Setting it once at the top is cleaner and avoids forgetting it on new RUN lines. This is a standard Dockerfile pattern recommended by Copilot.

Security hardening

  • Change chmod 777 → chmod 755 for all cache directories (pip, pylance, venv, uv, mypy) — 777 grants world-read/write/execute, which is unnecessary in a single-user devcontainer where vscode owns these directories. 755 allows the owner full access and others read/execute only. Copilot flagged 777 as an overly permissive anti-pattern.

Node.js

  • Upgrade Node.js from 20.x to 24.x LTS — Node 20 reaches end-of-life in April 2026. Node 24 is the current LTS line with active support. Copilot recommended this upgrade to stay on a supported release.

Git config

  • Remove core.fsmonitor=true — this enables the built-in file system monitor for git status acceleration, but it can cause high CPU usage, stale index issues, and watchman/inotify conflicts inside containers where the filesystem (overlayfs, bind mounts) doesn't support efficient native watch events. Copilot recommended removing it for container environments.

Tests and Documentation

  • No code or API changes — this only affects the devcontainer build infrastructure
  • Verified the Dockerfile builds successfully
  • No JupyText changes needed
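The build-performance, image-size, reproducibility and permission patterns listed in the description, collected into one Dockerfile as an added illustration. This is not the PR's diff or the repository's devcontainer file: the non-root user name `vscode` comes from the description, but the home-directory cache paths, the apt package list and the `keep-cache` apt config file name are assumptions, and the NodeSource and Microsoft APT repository steps are left out. The `docker-clean` removal is the caveat a practitioner hits first: the Debian-based official images ship an apt hook that deletes downloaded `.deb` files after every install, which would silently defeat the cache mount.

```dockerfile
# syntax=docker/dockerfile:1
# Added example illustrating the PR description; not the project's Dockerfile.
# Paths under /home/vscode, the package list and keep-cache are assumptions.

# Reproducibility: pin the Debian release as well as the Python minor version,
# so a base-image refresh cannot move the build from bookworm to trixie.
FROM python:3.11-bookworm

# Set once globally so no later RUN line can forget it and block on a prompt.
ENV DEBIAN_FRONTEND=noninteractive

# The Debian official images install an apt hook that deletes fetched .deb
# files after each install. Remove it, otherwise the cache mounts below hold
# nothing and every rebuild re-downloads every package.
RUN rm -f /etc/apt/apt.conf.d/docker-clean \
    && echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' \
       > /etc/apt/apt.conf.d/keep-cache

# Build performance and image size: BuildKit cache mounts replace
# `apt-get clean && rm -rf /var/lib/apt/lists/*`, and --no-install-recommends
# skips Debian "Recommends" packages. sharing=locked serialises concurrent
# builds that share the same cache so apt's dpkg lock is respected.
# apt-transport-https and lsb-release are intentionally not installed: HTTPS is
# native in bookworm's apt, and the codename is fixed by the pinned base image.
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
    --mount=type=cache,target=/var/lib/apt,sharing=locked \
    apt-get update \
    && apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
        git \
        gnupg

# Build performance: copy the uv binaries out of the published image instead
# of `curl | sh`. Nothing is piped into a shell at build time and nothing is
# left under /root/.local/bin to clean up afterwards.
COPY --from=ghcr.io/astral-sh/uv:0.10.8 /uv /uvx /usr/local/bin/

# Non-root development user. The name matches the description; the base
# python image does not create it, so it is created here.
ARG USERNAME=vscode
RUN useradd --create-home --shell /bin/bash "${USERNAME}"

# Security hardening: cache directories are created by their owner and set to
# 755 (owner rwx, everyone else rx), not 777. Because they are created while
# running as ${USERNAME}, no chown is needed. Directory paths are assumptions.
USER ${USERNAME}
RUN mkdir -p \
        /home/${USERNAME}/.cache/pip \
        /home/${USERNAME}/.cache/uv \
        /home/${USERNAME}/.cache/mypy \
        /home/${USERNAME}/.venv \
    && chmod 755 \
        /home/${USERNAME}/.cache/pip \
        /home/${USERNAME}/.cache/uv \
        /home/${USERNAME}/.cache/mypy \
        /home/${USERNAME}/.venv

# Git config: deliberately no `git config --global core.fsmonitor true` here;
# the built-in monitor does not work reliably on overlayfs and bind mounts.
WORKDIR /home/${USERNAME}
```

Build it with `docker build .` twice: the second run should spend no time in the apt layer's download phase because the `.deb` files and package lists are served from the cache mount, and `ls -ld ~/.cache/pip` inside the container should report `drwxr-xr-x vscode vscode`. If a CI system builds without BuildKit, the `--mount` flags fail to parse, which is the signal that `DOCKER_BUILDKIT=1` (or a recent Docker with BuildKit as default) is required.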
