feat: add VS Code installation script following spilled coffee principle

[atxtechbro]

Summary

• Created utils/install-vscode.sh for automated VS Code installation
• Follows spilled coffee principle for reproducible setup
• Supports multiple platforms (Linux and macOS)

Implementation Details

• Detects existing VS Code installations
• Uses official Microsoft repositories for Linux
• Uses Homebrew for macOS
• Sources logging.sh for consistent output
• Idempotent operation (safe to run multiple times)

Testing

• Script created and tested on Linux Mint
• Follows same pattern as existing installers (e.g., install-neovim.sh)
• Requires sudo for installation (as expected)

Definition of Done

✅ utils/install-vscode.sh script created
✅ Script handles multiple platforms (Linux/macOS)
✅ Script detects existing installations
✅ code . command will work after installation
✅ Script follows existing logging patterns
✅ Script is idempotent

Closes #1274

[amazon-q-developer]

⏳ Code review in progress. Analyzing for code quality issues and best practices. Detailed findings will be posted upon completion.

Using Amazon Q Developer for GitHub

Amazon Q Developer¹ is an AI-powered assistant that integrates directly into your GitHub workflow, enhancing your development process with intelligent features for code development, review, and transformation.

Slash Commands

Command	Description
/q <message>	Chat with the agent to ask questions or request revisions
/q review	Requests an Amazon Q powered code review
/q help	Displays usage information

Features

Agentic Chat
Enables interactive conversation with Amazon Q to ask questions about the pull request or request specific revisions. Use /q <message> in comment threads or the review body to engage with the agent directly.

Code Review
Analyzes pull requests for code quality, potential issues, and security concerns. Provides feedback and suggested fixes. Automatically triggered on new or reopened PRs (can be disabled for AWS registered installations), or manually with /q review slash command in a comment.

Customization

You can create project-specific rules for Amazon Q Developer to follow:

1. Create a .amazonq/rules folder in your project root.
2. Add Markdown files in this folder to define rules (e.g., cdk-rules.md).
3. Write detailed prompts in these files, such as coding standards or best practices.
4. Amazon Q Developer will automatically use these rules when generating code or providing assistance.

Example rule:

All Amazon S3 buckets must have encryption enabled, enforce SSL, and block public access.
All Amazon DynamoDB Streams tables must have encryption enabled.
All Amazon SNS topics must have encryption enabled and enforce SSL.
All Amazon SNS queues must enforce SSL.

Feedback

To provide feedback on Amazon Q Developer, create an issue in the Amazon Q Developer public repository.

For more detailed information, visit the Amazon Q for GitHub documentation.

Footnotes

1. Amazon Q Developer uses generative AI. You may need to verify generated code before using it in your environment. See the AWS Responsible AI Policy. ↩

[amazon-q-developer]

Thank you for adding the VS Code installation script. The implementation is well-structured and follows the repository's patterns. However, there are several important areas that need attention:

1. Security: The GPG key handling needs to be more secure using proper temporary file management
2. Error Handling: Additional error checking is needed for dependency installation and downloads
3. Cleanup: A trap handler should be added to ensure proper cleanup on script interruption
4. Version Verification: The version check could be more robust with format validation

The changes are generally well-documented and the multi-platform support is comprehensive. Please address the security concerns as a priority before merging.

[amazon-q-developer]

🛑 [Security Vulnerability]: The GPG key is downloaded and stored in an insecure manner. The temporary file is created in the current directory and could be tampered with before being installed¹. Consider using a secure temporary directory with proper permissions.

Suggested change

	elif [[ "$OSTYPE" == "linux-gnu"* ]]; then
	# Linux installation using official Microsoft repository
	if command -v apt &> /dev/null; then
	# Ubuntu/Debian/Linux Mint
	log_info "Using apt with Microsoft repository..."
	# Install dependencies
	sudo apt-get update
	sudo apt-get install -y wget gpg apt-transport-https
	# Add Microsoft GPG key using mktemp for secure temporary file handling
	TEMP_GPG=$(mktemp)
	wget -qO "$TEMP_GPG"
	gpg --dearmor < "$TEMP_GPG" > "${TEMP_GPG}.gpg"
	sudo install -D -o root -g root -m 644 "${TEMP_GPG}.gpg" /etc/apt/keyrings/packages.microsoft.gpg
	rm -f "$TEMP_GPG" "${TEMP_GPG}.gpg"

Footnotes

1. CWE-379: Creation of Temporary File in Directory with Insecure Permissions - https://cwe.mitre.org/data/definitions/379.html ↩

[amazon-q-developer]

The wget command should include error handling to detect and handle download failures. This could lead to installation proceeding with an invalid or incomplete GPG key.

[amazon-q-developer]

Consider adding a trap to handle script interruption and cleanup any temporary files. This ensures proper cleanup even if the script is interrupted.

Suggested change

	source "${SCRIPT_DIR}/logging.sh"
	# Setup cleanup trap
	cleanup() {
	rm -f packages.microsoft.gpg "${TEMP_GPG:-}" "${TEMP_GPG:-}.gpg" 2>/dev/null
	}
	trap cleanup EXIT
	log_info "Installing VS Code..."

[amazon-q-developer]

The dependency installation should include error checking. If the package manager fails to install dependencies, the script continues without proper error handling.

Suggested change

	else
	log_error "Homebrew not found"
	return 1
	# Install dependencies
	if ! sudo apt-get update; then
	log_error "Failed to update package lists"
	return 1
	fi
	if ! sudo apt-get install -y wget gpg apt-transport-https; then
	log_error "Failed to install required dependencies"
	return 1
	fi

[amazon-q-developer]

The version verification could be more robust. Consider adding a minimum version check to ensure compatibility with the dotfiles setup.

Suggested change

	else
	# Verify installation and version
	if command -v code &> /dev/null; then
	NEW_VERSION=$(code --version 2>/dev/null | head -n1)
	if [[ -z "$NEW_VERSION" ]]; then
	log_error "Failed to get VS Code version"
	return 1
	fi
	# Compare version (optional: adjust minimum version as needed)
	if ! echo "$NEW_VERSION" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+'; then
	log_error "Invalid version format: $NEW_VERSION"
	return 1
	fi
	log_success "VS Code installed successfully: $NEW_VERSION"
	log_info "You can now use 'code .' to open VS Code in the current directory"
	return 0