Skip to content

Fix conda image git builds (os-provided) and refresh dev container lock files.#1922

Merged
abdurriq merged 4 commits into
mainfrom
copilot/upgrade-dev-container-lock-files
Jul 1, 2026
Merged

Fix conda image git builds (os-provided) and refresh dev container lock files.#1922
abdurriq merged 4 commits into
mainfrom
copilot/upgrade-dev-container-lock-files

Conversation

Copilot AI commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Summary

This PR does two related things:

  1. Fixes broken git source builds on the conda-based images (anaconda, miniconda) by switching the git feature from a source-based install (latest + ppa: false) to the OS-provided package (os-provided).
  2. Refreshes all pinned dev container feature references by regenerating every devcontainer-lock.json, bumping git (1.3.5 → 1.3.7) and oryx (2.0.0 → 2.0.1).

Root cause: why git fails to build on conda images

Since git 2.51.0 (Aug 2025), building git from source has been broken on the anaconda and miniconda images, it only discovered now because it used to fail silently so far until changed recently. The failure is an iconv symbol mismatch caused by conda's presence on PATH at build time.

The conda environment ships both the iconv header and a GNU libiconv library:

  • /opt/conda/include/iconv.h (~9.1K) — the header Git's ./configure detects.
  • /opt/conda/lib/libiconv.so → libiconv.so.2.6.1 — GNU libiconv, whose symbols are libiconv_open / libiconv_close.

The conda Dockerfile prepends conda to PATH before the git feature runs:

# src/miniconda/.devcontainer/Dockerfile
ENV LANG=C.UTF-8 \
    LC_ALL=C.UTF-8 \
    PATH=/opt/conda/bin:$PATH

So the build breaks like this:

  1. Git's configure/Makefile finds conda's /opt/conda/include/iconv.h, which is a separate iconv header, and therefore sets NEEDS_LIBICONV.
  2. With NEEDS_LIBICONV set, Git emits calls to the GNU libiconv symbol names libiconv_open / libiconv_close.
  3. But the git feature doesn't know about conda, so the link line never adds -L/opt/conda/lib -liconv.
  4. Git ends up linking against system glibc, which provides iconv as built-ins (not those symbol names) → undefined reference to libiconv_open/libiconv_close.

base-debian never sees /opt/conda, so it links cleanly against glibc — which is why only the conda images are affected.

Fix

Pin the git feature to os-provided for anaconda and miniconda. This installs the distro-packaged git instead of compiling from source, sidestepping the conda iconv.h / glibc mismatch entirely. An inline comment documents why the override exists so it isn't accidentally reverted:

// This is only anaconda and miniconda specific setting for git feature config.
// As the git installation from source has been broken for these images since the
// advent of git 2.51.0 in Aug, 2025.
"ghcr.io/devcontainers/features/git:1": {
    "version": "os-provided"
}

Changes

1. Conda image git fix (anaconda, miniconda)

  • Changed the git feature config in devcontainer.json from:
    "version": "latest",
    "ppa": "false"
    to:
    "version": "os-provided"
  • Bumped image versions and updated the corresponding tag references in the READMEs:
    • anaconda: 1.3.201.3.21
    • miniconda: 1.2.81.2.9

2. Lockfile refresh (all images)

Regenerated the devcontainer-lock.json files across all images, updating the pinned feature digests:

  • ghcr.io/devcontainers/features/git:1: 1.3.51.3.7
  • ghcr.io/devcontainers/features/oryx:2: 2.0.02.0.1 (universal image only)
 "ghcr.io/devcontainers/features/git:1": {
-  "version": "1.3.5",
-  "resolved": "ghcr.io/devcontainers/features/git@sha256:27905dc196c01f77d6ba8709cb82eeaf330b3b108772e2f02d1cd0d826de1251",
-  "integrity": "sha256:27905dc196c01f77d6ba8709cb82eeaf330b3b108772e2f02d1cd0d826de1251"
+  "version": "1.3.7",
+  "resolved": "ghcr.io/devcontainers/features/git@sha256:a3e43ff91b9f5f6bd2c14bd510d43e5e698f1266dc41027ba4e04e7e45be607a",
+  "integrity": "sha256:a3e43ff91b9f5f6bd2c14bd510d43e5e698f1266dc41027ba4e04e7e45be607a"
 }

Affected images

anaconda, base-alpine, base-debian, base-ubuntu, cpp, dotnet, go, java, java-8, javascript-node, jekyll, miniconda, php, python, ruby, rust, typescript-node, universal

Note: The git/oryx lockfile refresh applies to all images above. The os-provided git override and image version bumps apply only to anaconda and miniconda.

Files changed (24 files, +69 / −65)

File Change
src/{anaconda,miniconda}/.devcontainer/devcontainer.json Pin git to os-provided + explanatory comment
src/{anaconda,miniconda}/manifest.json Bump image version
src/{anaconda,miniconda}/README.md Update patch-version tag reference
src/*/.devcontainer/devcontainer-lock.json (18 images) Refresh git (and oryx for universal) digests

Testing / Validation

  • Confirm anaconda and miniconda images build successfully with git installed via os-provided.
  • Verify git is available and functional in the built conda images.
  • Confirm all other images build with the refreshed lockfiles.

@Kaniska244

Copy link
Copy Markdown
Contributor

@copilot Refresh the lock files again by following the steps as earlier.

Copilot AI commented Jun 30, 2026

Copy link
Copy Markdown
Contributor Author

@copilot Refresh the lock files again by following the steps as earlier.

Refreshed all 18 lock files via devcontainer upgrade in e0752bf. git:1 moved to 1.3.7 across all images, and oryx:2 moved to 2.0.1 in the universal image.

@Kaniska244 Kaniska244 changed the title Regenerate devcontainer-lock.json files with updated feature references Fix conda image git builds (os-provided) and refresh dev container lock files. Jul 1, 2026
@Kaniska244 Kaniska244 marked this pull request as ready for review July 1, 2026 09:11
@Kaniska244 Kaniska244 requested a review from a team as a code owner July 1, 2026 09:11
Copilot AI review requested due to automatic review settings July 1, 2026 09:11
@devcontainers devcontainers deleted a comment from Copilot AI Jul 1, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR refreshes devcontainer lockfiles across all image folders and adjusts conda-based devcontainer configuration to avoid broken git-from-source installs by switching the git feature to use the OS-provided git.

Changes:

  • Regenerated src/*/.devcontainer/devcontainer-lock.json files, updating pinned feature digests/versions (notably ghcr.io/devcontainers/features/git:1 to 1.3.7; oryx:2 also updates in universal).
  • Updated src/anaconda/.devcontainer/devcontainer.json and src/miniconda/.devcontainer/devcontainer.json to set the git feature option version: "os-provided".
  • Bumped image versions and README tag examples for anaconda and miniconda (manifest.json + README.md).
Show a summary per file
File Description
src/universal/.devcontainer/devcontainer-lock.json Regenerated lockfile; updates git feature pin and oryx feature pin.
src/typescript-node/.devcontainer/devcontainer-lock.json Regenerated lockfile; updates git feature pin.
src/rust/.devcontainer/devcontainer-lock.json Regenerated lockfile; updates git feature pin.
src/ruby/.devcontainer/devcontainer-lock.json Regenerated lockfile; updates git feature pin.
src/python/.devcontainer/devcontainer-lock.json Regenerated lockfile; updates git feature pin.
src/php/.devcontainer/devcontainer-lock.json Regenerated lockfile; updates git feature pin.
src/miniconda/README.md Updates example tag to match the new miniconda manifest version.
src/miniconda/manifest.json Bumps miniconda image version.
src/miniconda/.devcontainer/devcontainer.json Switches git feature option to OS-provided git for miniconda devcontainer.
src/miniconda/.devcontainer/devcontainer-lock.json Regenerated lockfile; updates git feature pin.
src/jekyll/.devcontainer/devcontainer-lock.json Regenerated lockfile; updates git feature pin.
src/javascript-node/.devcontainer/devcontainer-lock.json Regenerated lockfile; updates git feature pin.
src/java/.devcontainer/devcontainer-lock.json Regenerated lockfile; updates git feature pin.
src/java-8/.devcontainer/devcontainer-lock.json Regenerated lockfile; updates git feature pin.
src/go/.devcontainer/devcontainer-lock.json Regenerated lockfile; updates git feature pin.
src/dotnet/.devcontainer/devcontainer-lock.json Regenerated lockfile; updates git feature pin.
src/cpp/.devcontainer/devcontainer-lock.json Regenerated lockfile; updates git feature pin.
src/base-ubuntu/.devcontainer/devcontainer-lock.json Regenerated lockfile; updates git feature pin.
src/base-debian/.devcontainer/devcontainer-lock.json Regenerated lockfile; updates git feature pin.
src/base-alpine/.devcontainer/devcontainer-lock.json Regenerated lockfile; updates git feature pin.
src/anaconda/README.md Updates example tag to match the new anaconda manifest version.
src/anaconda/manifest.json Bumps anaconda image version.
src/anaconda/.devcontainer/devcontainer.json Switches git feature option to OS-provided git for anaconda devcontainer.
src/anaconda/.devcontainer/devcontainer-lock.json Regenerated lockfile; updates git feature pin.

Review details

  • Files reviewed: 24/24 changed files
  • Comments generated: 4
  • Review effort level: Low

Comment thread src/typescript-node/.devcontainer/devcontainer-lock.json
Comment thread src/universal/.devcontainer/devcontainer-lock.json
Comment thread src/miniconda/.devcontainer/devcontainer.json Outdated
Comment thread src/anaconda/.devcontainer/devcontainer.json
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@abdurriq abdurriq merged commit 3100629 into main Jul 1, 2026
28 checks passed
@abdurriq abdurriq deleted the copilot/upgrade-dev-container-lock-files branch July 1, 2026 10:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants