Marketplace publish via Entra ID + GitHub OIDC (no stored PAT)#9
Merged
Conversation
Replaces the long-lived VSCE_PAT secret with Microsoft Entra ID workload identity federation: GitHub mints a short-lived OIDC token per run and exchanges it for an Entra access token via `az login --federated-token`, then `vsce publish --azure-credential`. No publishing credential is ever stored in the repo. - marketplace-publish.yml: id-token: write; OIDC token-exchange flow using the preinstalled Azure CLI (no third-party action to SHA-pin); gated on AZURE_CLIENT_ID / AZURE_TENANT_ID repo variables; Open VSX still uses OVSX_PAT since it has no Entra equivalent - docs/PUBLISHING.adoc: document the one-time Entra app-registration / federated-credential setup; PAT demoted to a local-only fallback - ROADMAP.adoc: updated to reflect OIDC https://claude.ai/code/session_0111iLmV7VFMTFGigST1M1cb
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Follow-up to #8. Replaces the long-lived
VSCE_PATsecret with Microsoft Entra ID workload identity federation for VS Code Marketplace publishing — no publishing credential is stored in the repo.How it works
GitHub mints a short-lived OIDC token per workflow run (
id-token: write), exchanges it for an Entra access token viaaz login --service-principal --federated-token, then runsvsce publish --azure-credential(which picks up theazCLI session throughDefaultAzureCredential). Uses the preinstalled Azure CLI onubuntu-latest, so no third-party action needs SHA-pinning.Changes
.github/workflows/marketplace-publish.yml— addsid-token: write; OIDC token-exchange flow; gated onAZURE_CLIENT_ID/AZURE_TENANT_IDrepository variables (identifiers, not secrets). Open VSX still usesOVSX_PATbecause Open VSX has no Entra/OIDC equivalent. Missing config skips rather than fails, consistent with the existing design.docs/PUBLISHING.adoc— documents the one-time Entra setup (app registration → federated credential trustingrepo:hyperpolymath/vscode-a2ml→ grant the SP publisher rights). PAT demoted to a documented local-only fallback.ROADMAP.adoc— updated.Security tradeoff
OIDC removes the PAT leak/theft/rotation risk entirely. Cost: a one-time Entra app-registration + federated-credential setup (documented). Open VSX necessarily retains a token (hardened, short-expiry) since it offers no federation.
Remaining human step
The one-time Entra setup (app registration, federated credential, publisher-rights grant) requires tenant admin and cannot be automated — fully documented in
docs/PUBLISHING.adoc. After that, publishing is justgit push origin v0.1.0.https://claude.ai/code/session_0111iLmV7VFMTFGigST1M1cb
Generated by Claude Code