Skip to content

ci: publish to Marketplace in a dedicated job so failures are visible#23

Merged
SamErde merged 2 commits into
mainfrom
chore/drop-marketplace-continue-on-error
Jul 6, 2026
Merged

ci: publish to Marketplace in a dedicated job so failures are visible#23
SamErde merged 2 commits into
mainfrom
chore/drop-marketplace-continue-on-error

Conversation

@SamErde

@SamErde SamErde commented Jul 6, 2026

Copy link
Copy Markdown
Owner

What

Makes a VS Code Marketplace publish failure fail the workflow visibly, without breaking the rest of the release flow.

  • Removes the temporary continue-on-error: true guard (and its stale "expected while pending" scaffolding) that masked Marketplace failures — it was only needed while the old "Profile Extension Manager" name was rejected. 0.8.6 now publishes successfully as Personas.
  • Moves the Marketplace publish into a separate publish-marketplace job (needs: [release, package-and-publish]) that downloads the sealed .vsix from the GitHub release and runs vsce publish.

Why the dedicated job (per Codex review)

Simply dropping continue-on-error would have made a Marketplace failure fail package-and-publish, which would skip the phase-3 release-pr job (gated on package-and-publish success) and suppress the next release PR. The dedicated job avoids that:

  • A Marketplace failure fails only publish-marketplace (visible), not package-and-publish.
  • release-pr still only needs: package-and-publish, so it runs regardless of the Marketplace outcome.
  • publish-marketplace is skipped if package-and-publish failed (no sealed release / vsix), so a pre-seal failure still correctly blocks both publish and phase 3.

Safety

  • The GitHub Release is sealed in phase 2 and remains the source of truth; a Marketplace failure is non-destructive and recoverable (re-run the job, or gh release download the vsix + vsce publish).
  • Pure CI change — no releasable commit, so release-please won't cut a release from it.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated the release publishing workflow by moving Marketplace publishing into its own dedicated phase.
    • Marketplace publishing now runs from the published VSIX artifacts and errors are handled normally (no longer silently tolerated), making failures easier to notice.
    • Clarified that the release-pr step is independent of the Marketplace publish outcome.

The continue-on-error guard was a temporary workaround for the Marketplace
rejecting the old "Profile Extension Manager" display name (too similar to an
existing extension). The extension now publishes as "Personas" and 0.8.6
published successfully, so the guard is no longer needed: a Marketplace publish
failure should fail the workflow so it is visible.

The GitHub Release is sealed in the prior step, so a failure here remains
non-destructive and manually recoverable (see the retained comment above the step).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings July 6, 2026 14:23

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the release workflow so that a VS Code Marketplace publish failure is no longer masked during releases. It removes a previously-temporary continue-on-error guard and its associated “expected failure” scaffolding now that the extension publishes successfully as Personas.

Changes:

  • Removed continue-on-error: true from the “Publish to VS Code Marketplace” step so publish failures correctly fail the workflow.
  • Removed the temporary workaround comment block and the conditional run script that emitted a warning while still failing the step.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

The release-please workflow now publishes VSIX artifacts to the VS Code Marketplace in a separate job after release packaging, and the Phase 3 notes were updated to reflect that this publish step is independent of release-pr.

Changes

Workflow publish flow update

Layer / File(s) Summary
Publish marketplace job
.github/workflows/release-please.yml
Adds a publish-marketplace job that downloads released .vsix files and publishes them to the VS Code Marketplace with vsce using VSCE_PAT.
Phase 3 commentary update
.github/workflows/release-please.yml
Updates the release-pr commentary to describe the Marketplace publish job as independent and note that Phase 2 is skipped for ordinary pushes.

Estimated code review effort: 2 (Simple) | ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: moving Marketplace publishing into its own job so failures surface clearly.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/drop-marketplace-continue-on-error

Comment @coderabbitai help to get the list of available commands.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: eccc79e74a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/release-please.yml Outdated
Addresses the Codex review on #23. Simply removing continue-on-error made a
Marketplace-publish failure fail the package-and-publish job, which in turn
skipped the phase-3 release-pr job (gated on package-and-publish success),
suppressing the next release PR.

Move the Marketplace publish into a separate publish-marketplace job that
needs package-and-publish, downloads the sealed vsix from the GitHub release,
and publishes. A Marketplace failure now fails only its own job (visible)
without blocking release-pr, and the job is skipped entirely if
package-and-publish failed (no sealed release or vsix to publish).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@SamErde SamErde changed the title ci: drop continue-on-error from Marketplace publish step ci: publish to Marketplace in a dedicated job so failures are visible Jul 6, 2026
@SamErde SamErde merged commit 8b01382 into main Jul 6, 2026
6 of 7 checks passed
@SamErde SamErde deleted the chore/drop-marketplace-continue-on-error branch July 6, 2026 17:48

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release-please.yml:
- Around line 95-99: The Download released VSIX step in release-please.yml is
interpolating needs.release.outputs.tag_name directly into the gh release
download command, which creates a template-injection risk. Update this step to
pass the tag value through an env variable and reference that variable in the
run command, following the pattern already used for GITHUB_TOKEN and GH_REPO, so
the shell script no longer contains direct ${{ }} interpolation.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: c9c0bc95-0e6e-476d-b629-5828dae14d5c

📥 Commits

Reviewing files that changed from the base of the PR and between eccc79e and 50e4232.

📒 Files selected for processing (1)
  • .github/workflows/release-please.yml

Comment on lines +95 to +99
- name: Download released VSIX
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_REPO: ${{ github.repository }}
run: gh release download "${{ needs.release.outputs.tag_name }}" --pattern '*.vsix' --dir releases

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Avoid direct ${{ }} interpolation of tag_name in the run: script.

Static analysis flags this as a template-injection risk: the expression is spliced into the generated shell script before execution, so unexpected characters in tag_name could break out of the intended command. Mitigate by passing it through an env: var instead (same fix would apply to the pre-existing lines 74/78, though those are out of scope here).

🛡️ Proposed fix
       - name: Download released VSIX
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GH_REPO: ${{ github.repository }}
-        run: gh release download "${{ needs.release.outputs.tag_name }}" --pattern '*.vsix' --dir releases
+          TAG_NAME: ${{ needs.release.outputs.tag_name }}
+        run: gh release download "$TAG_NAME" --pattern '*.vsix' --dir releases
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Download released VSIX
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_REPO: ${{ github.repository }}
run: gh release download "${{ needs.release.outputs.tag_name }}" --pattern '*.vsix' --dir releases
- name: Download released VSIX
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_REPO: ${{ github.repository }}
TAG_NAME: ${{ needs.release.outputs.tag_name }}
run: gh release download "$TAG_NAME" --pattern '*.vsix' --dir releases
🧰 Tools
🪛 zizmor (1.26.1)

[info] 99-99: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release-please.yml around lines 95 - 99, The Download
released VSIX step in release-please.yml is interpolating
needs.release.outputs.tag_name directly into the gh release download command,
which creates a template-injection risk. Update this step to pass the tag value
through an env variable and reference that variable in the run command,
following the pattern already used for GITHUB_TOKEN and GH_REPO, so the shell
script no longer contains direct ${{ }} interpolation.

Source: Linters/SAST tools

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants