Add GitHub CLI and replace SSH auth with gh auth

[blooop]

Summary

• Add GitHub CLI (gh) to project dependencies for GitHub operations
• Replace SSH agent authentication with GitHub CLI config mount in devcontainer
• Update ty version and fix ty check command to respect ignore files
• Fix trailing comma in extensions.json

Test plan

• Verify devcontainer builds successfully
• Confirm gh CLI is available and authenticated in the container
• Ensure GitHub operations work via gh instead of SSH

🤖 Generated with Claude Code

Summary by Sourcery

Add GitHub CLI support to the devcontainer and project tooling while aligning configs and lockfiles with the new workflow.

New Features:

• Introduce GitHub CLI (gh) as a project dependency for GitHub-related operations.

Bug Fixes:

• Fix a trailing comma issue in VS Code extensions configuration.

Enhancements:

• Prepare the devcontainer image for GitHub CLI configuration by creating a dedicated gh config directory.
• Update devcontainer and editor configuration to rely on GitHub CLI-based authentication instead of SSH.
• Refresh pixi lockfile and related tooling versions to reflect the updated dependencies and configuration.

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Introduces GitHub CLI as a project dependency and updates the devcontainer to use gh-based authentication and configuration, while refreshing tooling configuration (ty, extensions) and fixing minor config issues.

Sequence diagram for GitHub operations using gh instead of SSH in devcontainer

sequenceDiagram
    actor Dev as Developer
    participant VS as VSCode
    participant DC as Devcontainer
    participant GH as gh_CLI
    participant GI as GitHub

    Dev->>VS: Open project in container
    VS->>DC: Start devcontainer build
    DC->>DC: Create /home/vscode/.ssh
    DC->>DC: Create /home/vscode/.config/gh
    VS->>DC: Mount host ~/.config/gh to /home/vscode/.config/gh

    Dev->>GH: Run gh auth status
    GH->>DC: Read /home/vscode/.config/gh
    GH->>GI: Verify authentication
    GI-->>GH: Auth status response
    GH-->>Dev: Show authenticated user

    Dev->>GH: Run gh repo clone or gh pr commands
    GH->>GI: Perform GitHub API and git operations
    GI-->>GH: Operation result
    GH-->>Dev: Show success/failure

Loading

File-Level Changes

Change	Details	Files
Enable GitHub CLI usage inside the devcontainer and prepare its configuration directory for auth mounts.	Create the ~/.config/gh directory for the vscode user during image build to support GitHub CLI config mounts Retain existing SSH directory setup but shift the intended auth flow toward gh-based configuration rather than SSH agent forwarding	.devcontainer/Dockerfile
Add GitHub CLI as a managed dependency in the project environment.	Declare gh as a dependency with a minimum version constraint to ensure availability for GitHub operations Regenerate or update the lockfile to capture the new gh dependency resolution	pyproject.toml pixi.lock
Align devcontainer and editor configuration with the new tooling setup and fix minor configuration issues.	Update devcontainer configuration to rely on gh-based auth instead of SSH agent (e.g., mount gh config into the container) Fix a trailing comma and adjust VS Code extensions configuration as needed for the new workflow Update ty configuration/commands so checks properly respect ignore files	.devcontainer/devcontainer.json .vscode/extensions.json pixi.lock

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• In the Dockerfile, consider setting restrictive permissions on /home/vscode/.config/gh (similar to the .ssh directory) to avoid leaving GitHub auth configuration with default/overly-permissive permissions.
• The gh dependency in pyproject.toml is pinned only with a lower bound (>=2.63.0) while other tooling dependencies have both lower and upper bounds; consider adding an upper bound for consistency and to avoid unexpected breakage from future major/minor releases.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- In the Dockerfile, consider setting restrictive permissions on `/home/vscode/.config/gh` (similar to the `.ssh` directory) to avoid leaving GitHub auth configuration with default/overly-permissive permissions.
- The `gh` dependency in `pyproject.toml` is pinned only with a lower bound (`>=2.63.0`) while other tooling dependencies have both lower and upper bounds; consider adding an upper bound for consistency and to avoid unexpected breakage from future major/minor releases.

## Individual Comments

### Comment 1
<location> `pyproject.toml:23` </location>
<code_context>
 python = ">=3.10"
 shellcheck = ">=0.10.0,<0.11"
 devpod = ">=0.8.0,<0.9"
+gh = ">=2.63.0"

 [tool.pixi.feature.py310.dependencies]
</code_context>

<issue_to_address>
**suggestion:** Consider adding an upper bound to the gh version for better reproducibility.

With only a lower bound, a future `gh` release could introduce breaking changes into the dev environment without any updates here. To keep dev containers reproducible and isolated from unexpected upstream changes, consider adding an upper bound (e.g. `<3.0` or another range you’ve verified).

```suggestion
gh = ">=2.63.0,<3.0"
```
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

suggestion: Consider adding an upper bound to the gh version for better reproducibility.

With only a lower bound, a future gh release could introduce breaking changes into the dev environment without any updates here. To keep dev containers reproducible and isolated from unexpected upstream changes, consider adding an upper bound (e.g. <3.0 or another range you’ve verified).

Suggested change

	gh = ">=2.63.0"
	gh = ">=2.63.0,<3.0"