ci: publish to Marketplace in a dedicated job so failures are visible#23
Conversation
The continue-on-error guard was a temporary workaround for the Marketplace rejecting the old "Profile Extension Manager" display name (too similar to an existing extension). The extension now publishes as "Personas" and 0.8.6 published successfully, so the guard is no longer needed: a Marketplace publish failure should fail the workflow so it is visible. The GitHub Release is sealed in the prior step, so a failure here remains non-destructive and manually recoverable (see the retained comment above the step). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
This PR updates the release workflow so that a VS Code Marketplace publish failure is no longer masked during releases. It removes a previously-temporary continue-on-error guard and its associated “expected failure” scaffolding now that the extension publishes successfully as Personas.
Changes:
- Removed
continue-on-error: truefrom the “Publish to VS Code Marketplace” step so publish failures correctly fail the workflow. - Removed the temporary workaround comment block and the conditional
runscript that emitted a warning while still failing the step.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
📝 WalkthroughWalkthroughThe release-please workflow now publishes VSIX artifacts to the VS Code Marketplace in a separate job after release packaging, and the Phase 3 notes were updated to reflect that this publish step is independent of ChangesWorkflow publish flow update
Estimated code review effort: 2 (Simple) | ~10 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: eccc79e74a
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Addresses the Codex review on #23. Simply removing continue-on-error made a Marketplace-publish failure fail the package-and-publish job, which in turn skipped the phase-3 release-pr job (gated on package-and-publish success), suppressing the next release PR. Move the Marketplace publish into a separate publish-marketplace job that needs package-and-publish, downloads the sealed vsix from the GitHub release, and publishes. A Marketplace failure now fails only its own job (visible) without blocking release-pr, and the job is skipped entirely if package-and-publish failed (no sealed release or vsix to publish). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/release-please.yml:
- Around line 95-99: The Download released VSIX step in release-please.yml is
interpolating needs.release.outputs.tag_name directly into the gh release
download command, which creates a template-injection risk. Update this step to
pass the tag value through an env variable and reference that variable in the
run command, following the pattern already used for GITHUB_TOKEN and GH_REPO, so
the shell script no longer contains direct ${{ }} interpolation.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: c9c0bc95-0e6e-476d-b629-5828dae14d5c
📒 Files selected for processing (1)
.github/workflows/release-please.yml
| - name: Download released VSIX | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| GH_REPO: ${{ github.repository }} | ||
| run: gh release download "${{ needs.release.outputs.tag_name }}" --pattern '*.vsix' --dir releases |
There was a problem hiding this comment.
🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win
Avoid direct ${{ }} interpolation of tag_name in the run: script.
Static analysis flags this as a template-injection risk: the expression is spliced into the generated shell script before execution, so unexpected characters in tag_name could break out of the intended command. Mitigate by passing it through an env: var instead (same fix would apply to the pre-existing lines 74/78, though those are out of scope here).
🛡️ Proposed fix
- name: Download released VSIX
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_REPO: ${{ github.repository }}
- run: gh release download "${{ needs.release.outputs.tag_name }}" --pattern '*.vsix' --dir releases
+ TAG_NAME: ${{ needs.release.outputs.tag_name }}
+ run: gh release download "$TAG_NAME" --pattern '*.vsix' --dir releases📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - name: Download released VSIX | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GH_REPO: ${{ github.repository }} | |
| run: gh release download "${{ needs.release.outputs.tag_name }}" --pattern '*.vsix' --dir releases | |
| - name: Download released VSIX | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GH_REPO: ${{ github.repository }} | |
| TAG_NAME: ${{ needs.release.outputs.tag_name }} | |
| run: gh release download "$TAG_NAME" --pattern '*.vsix' --dir releases |
🧰 Tools
🪛 zizmor (1.26.1)
[info] 99-99: code injection via template expansion (template-injection): may expand into attacker-controllable code
(template-injection)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/release-please.yml around lines 95 - 99, The Download
released VSIX step in release-please.yml is interpolating
needs.release.outputs.tag_name directly into the gh release download command,
which creates a template-injection risk. Update this step to pass the tag value
through an env variable and reference that variable in the run command,
following the pattern already used for GITHUB_TOKEN and GH_REPO, so the shell
script no longer contains direct ${{ }} interpolation.
Source: Linters/SAST tools
What
Makes a VS Code Marketplace publish failure fail the workflow visibly, without breaking the rest of the release flow.
continue-on-error: trueguard (and its stale "expected while pending" scaffolding) that masked Marketplace failures — it was only needed while the old "Profile Extension Manager" name was rejected. 0.8.6 now publishes successfully as Personas.publish-marketplacejob (needs: [release, package-and-publish]) that downloads the sealed.vsixfrom the GitHub release and runsvsce publish.Why the dedicated job (per Codex review)
Simply dropping
continue-on-errorwould have made a Marketplace failure failpackage-and-publish, which would skip the phase-3release-prjob (gated onpackage-and-publishsuccess) and suppress the next release PR. The dedicated job avoids that:publish-marketplace(visible), notpackage-and-publish.release-prstill onlyneeds: package-and-publish, so it runs regardless of the Marketplace outcome.publish-marketplaceis skipped ifpackage-and-publishfailed (no sealed release / vsix), so a pre-seal failure still correctly blocks both publish and phase 3.Safety
gh release downloadthe vsix +vsce publish).🤖 Generated with Claude Code
Summary by CodeRabbit