FROM mcr.microsoft.com/devcontainers/python:3.13

# jq is used by .devcontainer/welcome.sh + post-start.sh to parse
# `revos auth status --json`.
# It usually ships in the base image via common-debian.sh, but install
# explicitly so this gate doesn't silently break on a future base bump.
RUN apt-get update -q \
    && apt-get install -y --no-install-recommends jq \
    && rm -rf /var/lib/apt/lists/*

# Pre-install dbt so it's available before VS Code extensions activate
# (cryptography<47 avoids Illegal instruction on ARM)
RUN pip install --quiet dbt-bigquery "cryptography<47"

# Google Cloud CLI
RUN curl -fsSL https://packages.cloud.google.com/apt/doc/apt-key.gpg \
      | gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg \
    && echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" \
      > /etc/apt/sources.list.d/google-cloud-sdk.list \
    && apt-get update -q \
    && apt-get install -y --no-install-recommends google-cloud-cli \
    && rm -rf /var/lib/apt/lists/*

# GitHub CLI
RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
      | gpg --dearmor -o /usr/share/keyrings/githubcli-archive-keyring.gpg \
    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
      > /etc/apt/sources.list.d/github-cli.list \
    && apt-get update -q \
    && apt-get install -y --no-install-recommends gh \
    && rm -rf /var/lib/apt/lists/*
