diff --git a/.github/workflows/vscode-extension-secure-publish.yml b/.github/workflows/vscode-extension-secure-publish.yml
index c43ff8c9..6678d421 100644
--- a/.github/workflows/vscode-extension-secure-publish.yml
+++ b/.github/workflows/vscode-extension-secure-publish.yml
@@ -18,7 +18,7 @@ on:
 description: "Target registries (comma-separated: vscode-marketplace,open-vsx)"
 required: false
 type: string
- default: "vscode-marketplace"
+ default: "vscode-marketplace,open-vsx"
 # Security: Minimal permissions following principle of least privilege
 permissions:
@@ -241,12 +241,11 @@ jobs:
 name: Publish to Open VSX Registry
 runs-on: ubuntu-latest
 needs: [pre-publish-security] # provenance]
- # Note: we are not ready to publish it to OpenVSX Registry
- if: contains(github.event.inputs.target_registries, 'open-vsx')
+ if: github.event_name == 'release' || contains(github.event.inputs.target_registries, 'open-vsx')
 environment:
 name: open-vsx
- url: https://open-vsx.org/extension/AmadeusITGroup/prompt-registry
+ url: https://open-vsx.org/extension/AmadeusITGroup/${{ env.EXTENSION_NAME }}
 permissions:
 contents: read
@@ -265,8 +264,15 @@ jobs:
 - name: Verify package integrity
 run: |
+ # Verify checksums
 sha256sum -c checksums.txt
+ # Additional integrity checks
+ if [ ! -f "${{env.EXTENSION_NAME}}-${{ needs.pre-publish-security.outputs.version }}.vsix" ]; then
+ echo "Package file not found!"
+ exit 1
+ fi
+
 - name: Setup Node.js
 uses: actions/setup-node@v4
 with:
@@ -285,7 +291,7 @@ jobs:
 exit 1
 fi
- # Publish to Open VSX
+ # Publish with explicit package path
 ovsx publish ${{env.EXTENSION_NAME}}-${{ needs.pre-publish-security.outputs.version }}.vsix -p $OVSX_PAT
 # Create installation bundles
diff --git a/docs/contributor-guide/releasing.md b/docs/contributor-guide/releasing.md
index 3940b1a4..ab3136ce 100644
--- a/docs/contributor-guide/releasing.md
+++ b/docs/contributor-guide/releasing.md
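Review bot: In the "Publish to Open VSX Registry" job hunk (`@@ -241,12 +241,11 @@`) of the workflow file, the new `if:` lets every `release` event publish automatically while `needs:` still reads `[pre-publish-security] # provenance]`, so the publish is not gated on the commented-out provenance dependency. If a provenance job exists and works, restore it with `needs: [pre-publish-security, provenance]`; otherwise replace the stray fragment with a comment that says why it is skipped. The release trigger's `types:` are outside this hunk; if they are not limited to `published`, the condition could be narrowed to `(github.event_name == 'release' && github.event.action == 'published') || contains(...)`. The job body continues past the hunk.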
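Review bot: In the `Verify package integrity` step (`@@ -265,8 +264,15 @@`) of the workflow file, the added existence test expands `${{ needs.pre-publish-security.outputs.version }}` directly into the shell script, so a version value containing shell metacharacters would be interpreted by the shell instead of being treated as a file name; the unquoted `ovsx publish` line in the last hunk has the same pattern. Pass the name through the step's `env:` block, e.g. `VSIX: ${{ env.EXTENSION_NAME }}-${{ needs.pre-publish-security.outputs.version }}.vsix`, and test `[ ! -f "$VSIX" ]` in the script. The new check also only proves the file exists: `sha256sum -c` verifies just the files listed in `checksums.txt`, so confirm the package is actually listed, for example with `grep -qF -- "$VSIX" checksums.txt`. How `version` is derived is outside this diff, so the exposure depends on whether it can come from a tag or release name.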
@@ -54,7 +54,11 @@ These scripts update `package.json` and version references in `README.md`.
 - Add release notes
 - Publish release
- **⚠️ Important:** Publishing the release triggers the CI workflow to publish to VS Code Marketplace
+ **Important:** Publishing the release triggers the CI workflow to publish to VS Code Marketplace and Open VSX Registry.
+
+ Required publishing secrets:
+ - `VSCODE_MARKETPLACE_TOKEN` for VS Code Marketplace
+ - `OPEN_VSX_TOKEN` for Open VSX Registry
 ## Pre-release Testing