
feat: better securing release workflows and github actions#482

Merged
edelauna merged 1 commit into
mainfrom
chore/reference-release-environments
Jun 5, 2026

Conversation

@edelauna

@edelauna edelauna commented Jun 5, 2026

Contributor

Related GitHub Issue

Closes: #

Description

Adds GitHub environment references and ref guards to the release publish workflows so marketplace credentials are exposed through narrower, auditable release paths.

Key changes:

  • Stable extension publishing now targets the marketplace-production environment.
  • Pre-release extension publishing now targets the marketplace-prerelease environment.
  • Manual stable publishes are rejected unless the workflow is run from main.
  • Pre-release publishes are rejected unless the workflow is run from main, preventing manual dispatch from arbitrary feature branches.

The intended live GitHub environment setup is:

  • marketplace-production: required reviewer gate for stable marketplace publishing.
  • marketplace-prerelease: no required reviewer gate, preserving automatic pre-release publishing from protected main.

Test Procedure

  • Parsed the updated workflow YAML files locally.
  • Ran git diff --check.
  • Verified the live GitHub environments exist:
    • marketplace-production with the Admins team as required reviewers.
    • marketplace-prerelease with no required reviewers.

Pre-Submission Checklist

  • Issue Linked: This PR is linked to an approved GitHub Issue (see "Related GitHub Issue" above).
  • Scope: My changes are focused on the linked issue (one major feature/fix per PR).
  • Self-Review: I have performed a thorough self-review of my code.
  • Testing: New and/or updated tests have been added to cover my changes (if applicable).
  • Documentation Impact: I have considered if my changes require documentation updates (see "Documentation Updates" section below).
  • Contribution Guidelines: I have read and agree to the Contributor Guidelines.

Screenshots / Videos

N/A

Documentation Updates

  • No documentation updates are required.

Additional Notes

After this merges, move marketplace publish tokens into environment-scoped secrets:

  • Move production VSCE_PAT and OVSX_PAT into marketplace-production.
  • Optionally use a separate pre-release VSCE_PAT in marketplace-prerelease.
  • Delete repository-level marketplace publish PATs once environment-scoped secrets are in place.

Get in Touch

Summary by CodeRabbit

  • Chores
    • Enhanced release pipeline with additional validation controls to improve the reliability and consistency of stable and pre-release builds.

@coderabbitai

coderabbitai Bot commented Jun 5, 2026

Contributor


📝 Walkthrough

Walkthrough

This PR adds environment deployments and ref validation to two marketplace publish workflows. The stable publish job is restricted to the marketplace-production environment, and the nightly prerelease job to marketplace-prerelease. Both workflows now validate that publishing can only occur from the main branch, failing the workflow step if triggered from other refs.

Changes

Marketplace Publish Environment and Ref Validation

Layer / File(s) Summary
Environment assignments for publish jobs
.github/workflows/marketplace-publish.yml, .github/workflows/nightly-publish.yml
The publish-stable job is assigned to marketplace-production environment and publish-prerelease to marketplace-prerelease environment.
Ref validation for main-branch enforcement
.github/workflows/marketplace-publish.yml, .github/workflows/nightly-publish.yml
Both workflows add a "Validate publish ref" step that enforces GITHUB_REF_NAME must equal main, exiting with failure status if the condition is not met.

Estimated Code Review Effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 In workflows we hop, with environments neat,
Protecting our publishes, keeping releases sweet!
From main branch alone shall the packages flow,
With validations in place, we control every show.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately describes the main change: adding GitHub environment references and ref guards to secure release workflows for marketplace credential exposure.
Description check ✅ Passed The description covers implementation details, test procedures, and design rationale, though the Related GitHub Issue section is incomplete (missing issue number).
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


@codecov

codecov Bot commented Jun 5, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.


@edelauna edelauna marked this pull request as ready for review June 5, 2026 02:04

@coderabbitai coderabbitai Bot left a comment

Contributor


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/marketplace-publish.yml (1)

40-49: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add version/tag safety for workflow_dispatch publishes

Validate release tag only runs on push events (if: github.event_name == 'push'), so workflow_dispatch skips any tag/version validation. While manual publishes are restricted to run from main (Validate publish ref, lines 33-38), the workflow still reads src/package.json’s version and creates/updates a GitHub release for v${package_version} (lines 102-133) without preventing prerelease versions (e.g., -beta, -rc) from being treated as “stable”.

Add the same prerelease/stable-format check for workflow_dispatch (or document that prerelease versions are intentionally allowed for manual stable publishes).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/marketplace-publish.yml around lines 40 - 49, The current
"Validate release tag" step only runs for push events and never validates manual
workflow_dispatch publishes or blocks prerelease versions; update its condition
to run for both push and workflow_dispatch (e.g., check github.event_name for
push OR workflow_dispatch) and extend the logic that reads
package_version/tag_version to also validate prerelease format: when running
under workflow_dispatch ensure package_version does not contain prerelease
identifiers (e.g., a hyphen like "-beta" or "-rc") or otherwise enforce the same
tag_version match rules used for push; adjust the step that later
creates/updates the release (which uses v${package_version}) to rely on this
validation so prerelease versions cannot be promoted as stable unless explicitly
allowed/documented.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 1c9f8cdd-7180-4f36-82f6-1480c577a719

📥 Commits

Reviewing files that changed from the base of the PR and between 00fc247 and 829253f.

📒 Files selected for processing (2)
  • .github/workflows/marketplace-publish.yml
  • .github/workflows/nightly-publish.yml
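The page does not show the workflow YAML itself, so here is an added example (not the project's own file) of a stable-publish job wired the way the PR description and the CodeRabbit finding above describe: the job is bound to the marketplace-production environment, manual dispatch is rejected unless it runs from main, and the version check runs for workflow_dispatch as well as push, refusing prerelease versions before the job reads the environment-scoped PAT or creates the v${package_version} release. Assumptions: the workflow triggers on v* tag pushes and manual dispatch, the extension version lives in src/package.json (the path named in the review comment), and the step names, the vsce publish command and the gh release commands are illustrative choices, not the repository's.

```yaml
name: marketplace-publish

on:
  push:
    tags: ['v*']          # assumption: stable releases are tag pushes
  workflow_dispatch:      # manual stable publish

permissions:
  contents: write         # needed to create/update the GitHub release

jobs:
  publish-stable:
    runs-on: ubuntu-latest
    # Environment binding: VSCE_PAT is only resolvable inside this job, and the
    # environment's required reviewers must approve before any step runs.
    environment: marketplace-production
    # Job-level guard: a dispatch from a feature branch is rejected before a
    # reviewer is even asked to approve the deployment. Tag pushes pass through.
    if: github.event_name != 'workflow_dispatch' || github.ref_name == 'main'
    steps:
      - uses: actions/checkout@v4

      - name: Validate publish ref
        # Second, explicit copy of the guard inside the job, so a failed run
        # shows a clear reason rather than a silently skipped job.
        if: github.event_name == 'workflow_dispatch'
        run: |
          if [ "$GITHUB_REF_NAME" != "main" ]; then
            echo "::error::manual stable publish must run from main, got '$GITHUB_REF_NAME'"
            exit 1
          fi

      - name: Validate release version
        id: version
        # Runs for push AND workflow_dispatch, closing the gap the review noted.
        env:
          EVENT_NAME: ${{ github.event_name }}
          REF_NAME: ${{ github.ref_name }}
        run: |
          set -eu
          package_version=$(node -p "require('./src/package.json').version")
          # A hyphen means a semver prerelease identifier (-beta.1, -rc.2, ...):
          # never let one be published through the stable path.
          case "$package_version" in
            *-*)
              echo "::error::'$package_version' is a prerelease version; refusing stable publish"
              exit 1 ;;
          esac
          if ! printf '%s\n' "$package_version" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'; then
            echo "::error::'$package_version' is not a stable MAJOR.MINOR.PATCH version"
            exit 1
          fi
          # For tag pushes the pushed tag must be exactly v<package version>.
          if [ "$EVENT_NAME" = "push" ] && [ "$REF_NAME" != "v$package_version" ]; then
            echo "::error::tag '$REF_NAME' does not match package version v$package_version"
            exit 1
          fi
          echo "package_version=$package_version" >> "$GITHUB_OUTPUT"

      - name: Publish to VS Code Marketplace
        env:
          VSCE_PAT: ${{ secrets.VSCE_PAT }}   # environment-scoped secret, not repository-level
        run: npx @vscode/vsce publish --pat "$VSCE_PAT"

      - name: Create or update GitHub release
        # Relies on the validated version output above, so a prerelease version
        # can no longer reach this step through a manual dispatch.
        env:
          GH_TOKEN: ${{ github.token }}
          TAG: v${{ steps.version.outputs.package_version }}
        run: |
          set -eu
          if gh release view "$TAG" >/dev/null 2>&1; then
            gh release edit "$TAG" --title "$TAG"
          else
            gh release create "$TAG" --title "$TAG" --generate-notes
          fi
```

Two details worth checking when reproducing this. First, a step-level ref check inside a job that carries an `environment:` with required reviewers only runs after a reviewer has approved, so the job-level `if:` is what stops a feature-branch dispatch from ever reaching the approval prompt; the environment's own deployment branch policy (restricting marketplace-production to main) enforces the same rule server-side regardless of workflow edits. Second, the secrets only become unreachable from other workflows once the repository-level copies are deleted, which is the last item in the PR's Additional Notes.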

@edelauna edelauna added this pull request to the merge queue Jun 5, 2026
Merged via the queue into main with commit 0d21731 Jun 5, 2026
16 checks passed
@edelauna edelauna deleted the chore/reference-release-environments branch June 5, 2026 13:11
@edelauna edelauna mentioned this pull request Jun 5, 2026
7 tasks
