does anyone use devcontainers to provide isolation...
# general
Does anyone use devcontainers to provide isolation to their Pulumi codebase? I had a notion of doing this but was unsure of the best way to do it. It would be awesome to use as an image.
We have done (are doing) some work around devcontainers to help simplify/streamline Pulumi provider development, but this is different/distinct from what you’re talking about, I believe. I personally haven’t used a devcontainer to run my Pulumi programs, but it’s certainly an interesting idea worth exploring.
I like the idea of running `pulumi up` in an isolated environment. A distroless container that only knows about Pulumi, such as Chainguard here, is very appealing. I realize this image from Chainguard is more suited to automated deployments, but I really like the idea of devcontainer -> Pulumi deployment (or wherever), as that gives a full SBOM on the provisioning toolchain, bypasses errors in user environments, and hopefully some protection from insecure VS Code extensions.
Yep, totally get it