diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 8bcb260a7..c807d005b 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -17,10 +17,42 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
 jobs:
+  # Run unit tests before building the application
+
+  run-unit-tests:
+    name: Run unit tests
+    runs-on: ubuntu-latest
+    steps:
+      # Checkout repository code
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      # Verify CSP line exists in target TypeScript file
+      - name: Check CSP configuration in webClientServer.ts
+        run: |
+          TARGET_FILE="patched-vscode/src/vs/server/node/webClientServer.ts"
+          REQUIRED_TEXT="'connect-src \'self\' ws: wss: https://main.vscode-cdn.net http://localhost:* https://localhost:* https://login.microsoftonline.com/ https://update.code.visualstudio.com https://*.vscode-unpkg.net/ https://default.exp-tas.com/vscode/ab https://vscode-sync.trafficmanager.net https://vscode-sync-insiders.trafficmanager.net https://*.gallerycdn.vsassets.io https://marketplace.visualstudio.com https://*.blob.core.windows.net https://az764295.vo.msecnd.net  https://code.visualstudio.com https://*.gallery.vsassets.io https://*.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com https://*.servicebus.windows.net/ https://vscode.blob.core.windows.net https://vscode.search.windows.net https://vsmarketplacebadges.dev https://vscode.download.prss.microsoft.com https://download.visualstudio.microsoft.com https://*.vscode-unpkg.net https://open-vsx.org;'"
+
+          if [ ! -f "$TARGET_FILE" ]; then
+            echo "❌ FAIL: Target file $TARGET_FILE does not exist."
+            exit 1
+          fi
+
+          if grep -F "$REQUIRED_TEXT" "$TARGET_FILE" > /dev/null; then
+            echo "✅ PASS: Required CSP text exists."
+          else
+            echo "❌ FAIL: Required CSP text NOT found in $TARGET_FILE"
+            exit 1
+          fi
+
+
+
   # The main job for building the application
   build:
     name: Build sagemaker-code-editor
     runs-on: ubuntu-latest
+    # Ensure unit tests pass before building
+    needs: run-unit-tests 
     timeout-minutes: 180
     env:
       # Environment variable to optimize the build process
@@ -128,3 +160,16 @@ jobs:
         with:
           name: npm-package
           path: sagemaker-code-editor-${{ env.VERSION }}.tar.gz
+  # Run end-to-end tests after the build is complete
+  run-e2e-tests:
+    name: Run e2e tests
+    runs-on: ubuntu-latest
+    needs: build  # Ensure e2e tests run after build
+    steps:
+      # Checkout repository code
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      # Output placeholder message for e2e tests
+      - name: Hudson's test of e2e test
+        run: echo "Hudson's test of e2e test"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 799a4d624..2c3fb2617 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,7 +11,7 @@ on:
         type: string
       # This input allows you to specify which branch to create the release from.
       source_branch:
-        description: 'The branch to find the latest successful build artifact on.'
+        description: 'The branch to find the artifact on and to tag for the release.'
         required: true
         type: string
         # We default to 'main' to make the most common case easy.
@@ -28,13 +28,19 @@ jobs:
       contents: write
 
     steps:
-      # Step 1: Check out the repository code.
-      # This is necessary for the release action to create a Git tag in your repository.
+      # Step 1: Check out the repository code FROM THE SPECIFIED SOURCE BRANCH.
       - name: Checkout code
         uses: actions/checkout@v4
         with:
           ref: ${{ github.event.inputs.source_branch }}
 
+      # Step 2: Explicitly get the commit SHA of the checked-out branch HEAD.
+      # This ensures we are using the correct commit for tagging.
+      - name: Get commit SHA
+        id: get_sha
+        run: echo "sha=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
+
+      # Step 3: Delete existing tag if you want to re-run the release.
       - name: Delete existing tag (if any)
         uses: actions/github-script@v7
         with:
@@ -50,31 +56,29 @@ jobs:
             } catch (e) {
               console.log(`Tag ${tag} does not exist or already deleted.`);
             }
-      # Step 2: Download the build artifact from your 'Build' workflow.
-      # This finds the latest successful run on the specified branch and downloads the artifact.
+
+      # Step 4: Download the build artifact from your 'Build' workflow.
       - name: Download artifact from build workflow
         uses: dawidd6/action-download-artifact@v6
         with:
           # IMPORTANT: This must match the 'name:' field in your build.yaml file.
           workflow: build.yml
-          # Use the branch from the manual input instead of hardcoding 'main'.
+          # Use the branch from the manual input.
           branch: ${{ github.event.inputs.source_branch }}
                  
           # Tell the action to look for artifacts created by a 'pull_request' event.
           event: pull_request
           allow_forks: true
 
-          
           # We use a wildcard (*) because the artifact name from the build workflow
-          # contains a dynamic commit SHA (e.g., vscode-reh-web-linux-x64-0.0.0-dev-...).
+          # contains a dynamic commit SHA.
           name: npm-package
           # The path where the downloaded artifact will be saved.
           path: ./release-assets
           # Ensure we only get the artifact from a successful run.
           workflow_conclusion: success
 
-      # Step 3: Prepare the release assets by renaming the artifact.
-      # This takes the downloaded file and gives it a clean, versioned name.
+      # Step 5: Prepare the release assets by renaming the artifact.
       - name: Prepare release assets
         id: prepare_assets
         run: |
@@ -91,7 +95,7 @@ jobs:
           VERSION_NUM="${VERSION_TAG#v}"
           
           # Create the new, clean filename for the release.
-          # This is the standardized name that your conda-forge recipe will expect.
+
           NEW_FILENAME="code-editor${VERSION_NUM}.tar.gz"
           
           # Rename the file.
@@ -100,8 +104,10 @@ jobs:
           echo "Renamed artifact to $NEW_FILENAME"
           # Set the new filename as an output for the next step.
           echo "filename=./release-assets/$NEW_FILENAME" >> $GITHUB_OUTPUT
-      # Step 4: Create the GitHub Release and upload the prepared asset.
-      # This action creates the tag, the release, and uploads your .tar.gz file.
+
+
+      # Step 6: Create the GitHub Release using the CORRECT commit SHA.
+
       - name: Create GitHub Release
         uses: softprops/action-gh-release@v2
         with:
@@ -111,8 +117,11 @@ jobs:
           tag_name: ${{ github.event.inputs.version }}
           # Path to the file(s) to upload as release assets.
           files: ${{ steps.prepare_assets.outputs.filename }}
-          # Set to 'false' to publish immediately, or 'true' to create a draft.
+          # Set to 'false' to publish immediately.
           draft: false
-          # Automatically generate release notes from commits since the last release.
+          # Set to false as we are not using auto-generated notes.
           generate_release_notes: false
-          
+          # CRITICAL: Force the tag to be created on the commit we explicitly got in Step 2.
+          # This overrides any incorrect metadata from the downloaded artifact.
+          target_commitish: ${{ steps.get_sha.outputs.sha }}
+