OIDC Marketplace publishing (no PAT, no silent skip) + selective CI + scalar docs #45
Merged
…e CI; docs for scalars; v0.11.0 prep

- release.yml: publish VSIX via Microsoft Entra OIDC in a dedicated publish-marketplace job bound to environment:release. Removes the VSCE_PAT gate that silently exit-0'd and stranded 0.9.0/0.10.0 off the Marketplace. Mints a Marketplace-scoped token from the OIDC session per the Nimblesite runbook; any failure now fails the release loudly.
- ci.yml: website/docs-only PRs run a lightweight build+lint+web-test path and skip the full framework matrix, bundle-size, Playwright e2e, and Shipwright gates. Single CI job still always reports for branch protection.
- docs: DateTime/Uuid/Decimal scalars + strict unknown-type codegen across language-reference, converters, cli, getting-started, README.
- blog: 0.11 release post. plan doc for the OIDC remediation.
3ac495d to 5ddac2a
Why
The VS Code Marketplace was stuck at 0.8.0 — releases 0.9.0 and 0.10.0 published to npm + GitHub Releases but never reached the Marketplace. The release workflow's publish step was gated on a `VSCE_PAT` secret that isn't configured, and on a missing PAT it printed a message and `exit 0`, so the step went green and the miss was silent for two releases.

What changed

`release.yml` — Marketplace publish via Microsoft Entra OIDC, no stored PAT, no silent skip.

- `publish-marketplace` job bound to `environment: release` so the GitHub OIDC subject (`repo:Nimblesite/typeDiagram:environment:release`) matches the shared Entra app's wildcard federated credential.
- `azure/login` (OIDC, `allow-no-subscriptions`) → mint a Marketplace-scoped token via `az account get-access-token --resource 499b84ac-…` → `vsce publish` (pinned `@vscode/vsce@3.9.2`, `--skip-duplicate`, `--pre-release` only for `-`-suffixed tags). Follows the Nimblesite/NimblesiteDeployment runbook (which documents that `vsce --azure-credential` is buggy, so we mint the token ourselves).
- `VSCE_PAT` gate and its `exit 0` are gone — any failure now turns the release red.
- `azure/login@v2.3.0`, `download-artifact@v4.3.0`).
- `release` environment + non-secret `AZURE_CLIENT_ID`/`AZURE_TENANT_ID`. Publisher `nimblesite` is already an authorized member via the shared app.

`ci.yml` — path-selective. Website/docs-only PRs run a lightweight build + lint + web-unit path and skip the full framework test matrix, bundle-size, Playwright e2e, and Shipwright gates. The single `CI` job always runs/reports, so it stays valid as a required check.

Docs/site — DateTime/Uuid/Decimal scalars + strict unknown-type codegen documented across the language reference, converters, CLI, getting-started, and README; a 0.11 release blog post; and a plan doc for the remediation.
Follow-up
Merge → tag `v0.11.0` → the OIDC job publishes the VSIX as a stable Marketplace release.
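
The mint-then-publish step this PR describes, sketched as a shell function that fails loudly on every error path. This is an added example, not the project's `release.yml`. The function names, the `MARKETPLACE_RESOURCE` variable (a stand-in for the resource ID the description truncates) and handing the token to `vsce` through `VSCE_PAT` are assumptions.

```shell
# Added example, not the project's release.yml. Assumptions: the function names,
# MARKETPLACE_RESOURCE (stands in for the resource ID the PR text truncates),
# and passing the token through VSCE_PAT are illustrative choices.

# --skip-duplicate always; --pre-release only when the tag carries a "-" suffix.
vsce_flags_for_tag() {
  case "$1" in
    *-*) printf '%s\n' "--skip-duplicate --pre-release" ;;
    *)   printf '%s\n' "--skip-duplicate" ;;
  esac
}

# Mint a Marketplace-scoped token from the azure/login OIDC session and publish.
# Every failure path returns non-zero, so the job goes red instead of skipping.
publish_marketplace() {
  vsix=$1
  tag=$2
  if [ -z "${MARKETPLACE_RESOURCE:-}" ]; then
    echo "::error::MARKETPLACE_RESOURCE is not set" >&2
    return 1
  fi
  if [ ! -f "$vsix" ]; then
    echo "::error::VSIX not found: $vsix" >&2
    return 1
  fi
  token=$(az account get-access-token --resource "$MARKETPLACE_RESOURCE" \
    --query accessToken -o tsv) || {
    echo "::error::az could not mint a token" >&2
    return 1
  }
  if [ -z "$token" ]; then
    echo "::error::az returned an empty token" >&2
    return 1
  fi
  echo "::add-mask::$token"   # keep the token out of the job log
  # Flags are split on purpose; the token travels in the environment, not argv.
  # shellcheck disable=SC2046
  VSCE_PAT=$token npx --yes @vscode/vsce@3.9.2 publish \
    --packagePath "$vsix" $(vsce_flags_for_tag "$tag")
}

# Workflow step usage: publish_marketplace "$VSIX_PATH" "$GITHUB_REF_NAME"
```

The job still needs `permissions: id-token: write` and a preceding `azure/login` step for `az` to have a session to mint from.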