Skip to content

feat: Package the extension. #79

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 11 commits into from
Oct 20, 2025
Merged

feat: Package the extension. #79

merged 11 commits into from
Oct 20, 2025

Conversation

@Artmann
Copy link
Member

@Artmann Artmann commented Oct 17, 2025
edited by coderabbitai bot
Loading

Fixes #

Summary by CodeRabbit

  • Chores
    • Added an automated packaging workflow that builds and produces downloadable VS Code extension packages labeled with version and branch, and uploads them as artifacts.
    • Packaging now emits a product-specific VSIX filename that includes the version and sanitized branch for easier identification.
    • Job summary reports the packaged version and branch and includes VSIX installation instructions.

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Oct 17, 2025
edited
Loading

Caution

Review failed

The pull request is closed.

📝 Walkthrough

Walkthrough

A GitHub Actions workflow named "CD" automates building and packaging a VS Code extension. It triggers on pushes to main, pull requests targeting main, and manual dispatch. On ubuntu-latest it checks out the repo, sets up Node.js 22.x (with npm cache and registry), runs npm ci, installs @vscode/vsce globally, reads version from package.json, derives and sanitizes the branch/PR ref, runs the package script (which now produces vscode-deepnote-insiders.vsix), renames the VSIX to include version and sanitized branch, uploads the VSIX as an artifact, and writes a job summary with the packaged version, branch, and installation instructions.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant GH as GitHub (trigger)
    participant R as Actions runner (ubuntu-latest)
    participant Repo as Repository
    participant Node as Node 22.x env
    participant Art as Artifact storage / Job Summary

    Note over GH,R #D6EAF8: Triggers: push(main), pull_request(main), workflow_dispatch

    GH->>R: start "CD" job (package)
    R->>Repo: actions/checkout
    R->>Node: setup-node (22.x, npm cache, registry)
    R->>Node: npm ci
    R->>Node: npm install -g @vscode/vsce
    R->>Repo: read package.json -> extract version
    R->>Repo: determine branch or PR ref -> sanitize for filename
    R->>Node: npm run package (outputs vscode-deepnote-insiders.vsix)
    Node-->>R: .vsix (dist/)
    R->>R: rename .vsix -> includes version + sanitized-branch
    R->>Art: upload-artifact (name includes version+branch)
    R->>Art: add-job-summary (version, branch, install instructions)
    Note over Art,R #E9F7EF: Artifact + summary available in workflow UI
Loading

Suggested reviewers

  • andyjakubowski
  • saltenasl

Pre-merge checks

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check ✅ Passed The title "feat: Package the extension." accurately and directly describes the primary change in this PR. The changeset adds a GitHub Actions workflow for building and packaging a VS Code extension, and updates the package script with a new VSIX filename. Both changes are squarely focused on extension packaging infrastructure, making the title a clear and concise summary of the work. The title follows conventional commit format and provides sufficient clarity for someone scanning PR history.
Docstring Coverage ✅ Passed No functions found in the changes. Docstring coverage check skipped.
📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 16998f3 and ad65f80.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (2)
  • .github/workflows/package.yml (1 hunks)
  • package.json (1 hunks)

Comment @coderabbitai help to get the list of available commands and usage tips.

@codecov
Copy link

codecov bot commented Oct 17, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 71%. Comparing base (ab8a5e8) to head (ad65f80).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files 
@@          Coverage Diff          @@
##            main     #79   +/-   ##
=====================================
  Coverage     71%     71%           
=====================================
  Files        523     523           
  Lines      39001   39001           
  Branches    4905    4905           
=====================================
  Hits       27834   27834           
  Misses      9542    9542           
  Partials    1625    1625
🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

coderabbitai[bot]
coderabbitai bot requested changes Oct 17, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 953a32a and eb50220.

📒 Files selected for processing (1)
  • .github/workflows/package.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.8)
.github/workflows/package.yml

55-55: "github.head_ref" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/reference/security/secure-use#good-practices-for-mitigating-script-injection-attacks for more details

(expression)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Build & Test
  • GitHub Check: Lint & Format
  • GitHub Check: Build & Package Extension
🔇 Additional comments (1)
.github/workflows/package.yml (1)

70-75: No changes required; review comment is factually incorrect.

The hardcoded filename ms-toolsai-jupyter-insiders.vsix in the workflow is correct. The npm run package script explicitly outputs to this name via the -o flag in package.json line 2129: vsce package -o ms-toolsai-jupyter-insiders.vsix. The mv command will succeed without modification.

Likely an incorrect or invalid review comment.

coderabbitai[bot]
coderabbitai bot requested changes Oct 17, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 953a32a and eb50220.

📒 Files selected for processing (1)
  • .github/workflows/package.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.8)
.github/workflows/package.yml

55-55: "github.head_ref" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/reference/security/secure-use#good-practices-for-mitigating-script-injection-attacks for more details

(expression)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Build & Test
  • GitHub Check: Lint & Format
  • GitHub Check: Build & Package Extension
🔇 Additional comments (1)
.github/workflows/package.yml (1)

70-75: No changes needed—the VSIX filename is explicitly set in the build command.

The vsce package command in package.json uses the -o ms-toolsai-jupyter-insiders.vsix flag, which guarantees that exact output filename. The comment accurately describes what the package script produces, and the mv command will succeed. The filename is not a guess or copy-paste artifact.

Likely an incorrect or invalid review comment.

coderabbitai[bot]
coderabbitai bot requested changes Oct 17, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

♻️ Duplicate comments (1)
.github/workflows/package.yml (1)

56-68: Fix script injection vulnerability with github.head_ref.

Line 61 directly interpolates untrusted user input (github.head_ref) into the shell script, enabling script injection attacks. Pass it through an environment variable first (as flagged by actionlint).

      - name: Extract and sanitize branch name
        id: branch-name
+       env:
+         HEAD_REF: ${{ github.head_ref }}
        run: |
          # Get branch name from ref
          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-           BRANCH="${{ github.head_ref }}"
+           BRANCH="$HEAD_REF"
          else
            BRANCH="${GITHUB_REF#refs/heads/}"
          fi
          # Sanitize branch name for filename (replace / with -)
          SAFE_BRANCH=$(echo "$BRANCH" | sed 's/\//-/g')
          echo "branch=$SAFE_BRANCH" >> $GITHUB_OUTPUT
          echo "Branch name: $BRANCH (sanitized: $SAFE_BRANCH)"
📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between eb50220 and d8d45b0.

📒 Files selected for processing (1)
  • .github/workflows/package.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.8)
.github/workflows/package.yml

58-58: "github.head_ref" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/reference/security/secure-use#good-practices-for-mitigating-script-injection-attacks for more details

(expression)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Build & Package Extension
  • GitHub Check: Build & Test
🔇 Additional comments (1)
.github/workflows/package.yml (1)

73-78: The hardcoded filename is correct—no issue here.

The package script explicitly invokes vsce package -o ms-toolsai-jupyter-insiders.vsix, so the mv command will find and rename the file without failure. The filename is the configured build artifact, not a misplaced reference.

Likely an incorrect or invalid review comment.

coderabbitai[bot]
coderabbitai bot requested changes Oct 17, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

♻️ Duplicate comments (1)
.github/workflows/package.yml (1)

43-44: Consider alternatives to global vsce installation.

Installing @vscode/vsce globally reduces CI reproducibility and makes the version implicit. Two better approaches:

Option 1 (minimal): Use npx:

-      - name: Install vsce
-        run: npm install -g @vscode/vsce
-
       - name: Package extension
-        run: npm run package
+        run: npx @vscode/vsce package

Option 2 (recommended): Add to devDependencies in package.json, then update npm script:

-      - name: Install vsce
-        run: npm install -g @vscode/vsce
-
       - name: Package extension
         run: npm run package

(and update package.json to have "package": "vsce package" in scripts)

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d8d45b0 and 095adec.

⛔ Files ignored due to path filters (2)
  • icon.png is excluded by !**/*.png
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • .github/workflows/package.yml (1 hunks)
🔇 Additional comments (1)
.github/workflows/package.yml (1)

53-68: Good: script injection mitigation properly applied.

The branch name extraction correctly uses environment variables to avoid direct shell interpolation of github.head_ref, and sanitization uses printf safely. This addresses the prior actionlint security findings.

coderabbitai[bot]
coderabbitai bot previously approved these changes Oct 17, 2025
View reviewed changes
@Artmann Artmann marked this pull request as ready for review October 17, 2025 14:45
@Artmann Artmann enabled auto-merge (squash) October 17, 2025 14:45
jamesbhobbs
jamesbhobbs reviewed Oct 20, 2025
View reviewed changes
jamesbhobbs
jamesbhobbs reviewed Oct 20, 2025
View reviewed changes
jamesbhobbs
jamesbhobbs approved these changes Oct 20, 2025
View reviewed changes
Copy link
Contributor

@jamesbhobbs jamesbhobbs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have quibbles but the workflow looks fine, I haven't tested the packaging works, I assume the author did.

@Artmann Artmann merged commit 1ab2214 into main Oct 20, 2025
12 of 13 checks passed
@Artmann Artmann deleted the chris/package-the-extension branch October 20, 2025 17:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] approved these changes

@jamesbhobbs jamesbhobbs jamesbhobbs approved these changes

@saltenasl saltenasl Awaiting requested review from saltenasl

@andyjakubowski andyjakubowski Awaiting requested review from andyjakubowski

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Artmann @jamesbhobbs