salesforcecli · madhur310 · May 22, 2026 · May 26, 2026 · May 26, 2026 · May 26, 2026
diff --git a/.github/actions/vscode/publish-vsix/action.yml b/.github/actions/vscode/publish-vsix/action.yml
@@ -0,0 +1,147 @@
+name: "Publish VSIX"
+description: "Publishes VSIX files to a marketplace with dry-run support"
+
+inputs:
+  vsix-path:
+    description: "Path to the VSIX file to publish"
+    required: true
+  publish-tool:
+    description: "Publishing tool to use"
+    required: true
+  pre-release:
+    description: "Publish as pre-release version"
+    required: false
+    default: "false"
+  dry-run:
+    description: "Run in dry-run mode"
+    required: false
+    default: "false"
+
+runs:
+  using: composite
+  steps:
+    - name: Validate inputs
+      shell: bash
+      run: |
+        # Validate VSIX path exists
+        if [ ! -f "${{ inputs.vsix-path }}" ]; then
+          echo "❌ Error: VSIX file not found at ${{ inputs.vsix-path }}"
+          exit 1
+        fi
+
+        # Validate VSIX file extension
+        if [[ ! "${{ inputs.vsix-path }}" =~ \.vsix$ ]]; then
+          echo "❌ Error: File must have .vsix extension"
+          exit 1
+        fi
+
+        # Validate publish tool
+        if [[ ! "${{ inputs.publish-tool }}" =~ ^(ovsx|vsce)$ ]]; then
+          echo "❌ Error: Invalid publish tool: ${{ inputs.publish-tool }}"
+          exit 1
+        fi
+
+        echo "✅ Input validation passed"
+
+    - name: Audit publish attempt
+      shell: bash
+      run: |
+        # Create audit log entry
+        AUDIT_LOG="/tmp/publish_audit.log"
+        TIMESTAMP=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+        ACTOR="${{ github.actor }}"
+        REPO="${{ github.repository }}"
+        RUN_ID="${{ github.run_id }}"
+        WORKFLOW="${{ github.workflow }}"
+
+        # Get file info for audit
+        FILE_SIZE=$(stat -c%s "${{ inputs.vsix-path }}" 2>/dev/null || stat -f%z "${{ inputs.vsix-path }}" 2>/dev/null || echo "unknown")
+        FILE_HASH=$(sha256sum "${{ inputs.vsix-path }}" 2>/dev/null | cut -d' ' -f1 || echo "unknown")
+
+        # Log audit information
+        echo "[$TIMESTAMP] PUBLISH_ATTEMPT: actor=$ACTOR, repo=$REPO, run_id=$RUN_ID, workflow=$WORKFLOW, tool=${{ inputs.publish-tool }}, file=${{ inputs.vsix-path }}, size=$FILE_SIZE, hash=$FILE_HASH, pre_release=${{ inputs.pre-release }}, dry_run=${{ inputs.dry-run }}" >> "$AUDIT_LOG"
+
+        # Also log to GitHub Actions output for visibility
+        echo "🔍 AUDIT: Publish attempt logged - $TIMESTAMP"
+        echo "  Actor: $ACTOR"
+        echo "  Repository: $REPO"
+        echo "  Run ID: $RUN_ID"
+        echo "  Workflow: $WORKFLOW"
+        echo "  Tool: ${{ inputs.publish-tool }}"
+        echo "  File: ${{ inputs.vsix-path }}"
+        echo "  Size: $FILE_SIZE bytes"
+        echo "  Hash: $FILE_HASH"
+        echo "  Pre-release: ${{ inputs.pre-release }}"
+        echo "  Dry-run: ${{ inputs.dry-run }}"
+
+    - name: Publish VSIX
+      shell: bash
+      run: |
+        echo "Publishing ${{ inputs.vsix-path }}"
+
+        # Calculate marketplace name based on publish tool
+        if [ "${{ inputs.publish-tool }}" = "ovsx" ]; then
+          MARKETPLACE_NAME="Open VSX Registry"
+          TOKEN_ENV="OVSX_PAT"
+        else
+          MARKETPLACE_NAME="Visual Studio Marketplace"
+          TOKEN_ENV="VSCE_PERSONAL_ACCESS_TOKEN"
+        fi
+
+        PRE_RELEASE_FLAG=""
+        if [ "${{ inputs.pre-release }}" = "true" ]; then
+          PRE_RELEASE_FLAG="--pre-release"
+          echo "Would publish as pre-release version"
+        fi
+
+        # Mask token in logs for security
+        TOKEN_MASK="***"
+
+        if [ "${{ inputs.dry-run }}" = "true" ]; then
+          echo "🔍 DRY RUN MODE - Would publish to $MARKETPLACE_NAME:"
+          echo "  VSIX: ${{ inputs.vsix-path }}"
+          echo "  Pre-release: ${{ inputs.pre-release }}"
+
+          if [ "${{ inputs.publish-tool }}" = "ovsx" ]; then
+            echo "  Command: npx ovsx publish \"${{ inputs.vsix-path }}\" -p $TOKEN_MASK $PRE_RELEASE_FLAG"
+          else
+            echo "  Command: npx @vscode/vsce publish --packagePath \"${{ inputs.vsix-path }}\" --skip-duplicate $PRE_RELEASE_FLAG"
+          fi
+          echo "✅ Dry run completed - no actual publish performed"
+        else
+          echo "Publishing VSIX: ${{ inputs.vsix-path }}"
+
+          # Verify token is available
+          if [ -z "${!TOKEN_ENV}" ]; then
+            echo "❌ Error: $TOKEN_ENV environment variable is not set"
+            exit 1
+          fi
+
+          if [ "${{ inputs.publish-tool }}" = "vsce" ]; then
+            export VSCE_PAT="${!TOKEN_ENV}"  # ensure the expected env var is set
+            npx @vscode/vsce publish --packagePath "${{ inputs.vsix-path }}" --skip-duplicate $PRE_RELEASE_FLAG
+          else
+            npx ovsx publish "${{ inputs.vsix-path }}" -p "${!TOKEN_ENV}" --skip-duplicate $PRE_RELEASE_FLAG
+          fi
+
+          echo "✅ Successfully published to $MARKETPLACE_NAME"
+        fi
+
+    - name: Audit publish result
+      shell: bash
+      if: inputs.dry-run != 'true'
+      run: |
+        # Log the result of the publish attempt
+        AUDIT_LOG="/tmp/publish_audit.log"
+        TIMESTAMP=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+        ACTOR="${{ github.actor }}"
+        REPO="${{ github.repository }}"
+        RUN_ID="${{ github.run_id }}"
+
+        if [ $? -eq 0 ]; then
+          echo "[$TIMESTAMP] PUBLISH_SUCCESS: actor=$ACTOR, repo=$REPO, run_id=$RUN_ID, tool=${{ inputs.publish-tool }}, file=${{ inputs.vsix-path }}" >> "$AUDIT_LOG"
+          echo "✅ AUDIT: Publish successful - $TIMESTAMP"
+        else
+          echo "[$TIMESTAMP] PUBLISH_FAILURE: actor=$ACTOR, repo=$REPO, run_id=$RUN_ID, tool=${{ inputs.publish-tool }}, file=${{ inputs.vsix-path }}" >> "$AUDIT_LOG"
+          echo "❌ AUDIT: Publish failed - $TIMESTAMP"
+        fi
diff --git a/.github/workflows/vscode-ci-template.yml b/.github/workflows/vscode-ci-template.yml
@@ -0,0 +1,215 @@
+name: CI
+
+# Reusable CI workflow template for VS Code extension repositories
+#
+# Usage from consuming repository:
+#   jobs:
+#     ci:
+#       uses: salesforcecli/github-workflows/.github/workflows/vscode/ci-template.yml@main
+#       with:
+#         lint-command: 'npm run lint'
+#         compile-command: 'npm run compile'
+#         test-command: 'npm run test'
+#         test-coverage-command: 'npm run test:coverage'
+#
+# Features:
+#   - Tests across multiple OS (Ubuntu, Windows)
+#   - Tests across Node.js versions (lts/-1, lts/*, current)
+#   - Coverage collection and reporting
+#   - Parallel test execution
+#   - Artifact upload for coverage reports
+
+on:
+  workflow_call:
+    inputs:
+      lint-command:
+        description: 'Command to run linting'
+        required: false
+        default: 'npm run lint'
+        type: string
+      compile-command:
+        description: 'Command to compile'
+        required: false
+        default: 'npm run compile'
+        type: string
+      test-command:
+        description: 'Command to run tests (without coverage)'
+        required: false
+        default: 'npm run test'
+        type: string
+      test-coverage-command:
+        description: 'Command to run tests with coverage'
+        required: false
+        default: 'npm run test:coverage'
+        type: string
+      coverage-report-command:
+        description: 'Command to merge coverage reports'
+        required: false
+        default: 'npm run test:coverage:report'
+        type: string
+  workflow_dispatch:
+    inputs:
+      lint-command:
+        description: 'Command to run linting'
+        required: false
+        default: 'npm run lint'
+        type: string
+
+# Add explicit permissions for security
+permissions:
+  contents: read
+  pull-requests: read
+  actions: read
+
+jobs:
+  test:
+    name: Test
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-latest]
+        node-version: ['lts/-1', 'lts/*', 'current']
+      fail-fast: false
+
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+          submodules: false
+
+      - name: Setup Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v6
+        with:
+          node-version: ${{ matrix.node-version }}
+          cache: 'npm'
+
+      - name: Install dependencies
+        uses: salesforcecli/github-workflows/.github/actions/npmInstallWithRetries@main
+
+      - name: Run linting
+        run: ${{ inputs.lint-command }}
+
+      - name: Compile project
+        run: ${{ inputs.compile-command }}
+
+      - name: Run tests with coverage (lts/current)
+        if: ${{ matrix.node-version != 'lts/-1' }}
+        run: ${{ inputs.test-coverage-command }}
+
+      - name: Run tests (lts/-1, no coverage)
+        if: ${{ matrix.node-version == 'lts/-1' }}
+        env:
+          # Old-LTS defaults to ~4 GB old-space, which is too low for heavy stdlib suites.
+          # Keep this scoped to lts/-1 and non-coverage runs only.
+          NODE_OPTIONS: --max-old-space-size=6144
+        run: ${{ inputs.test-command }}
+
+      - name: Merge coverage reports
+        if: ${{ matrix.node-version != 'lts/-1' }}
+        run: ${{ inputs.coverage-report-command }}
+
+      - name: Determine Node Label
+        id: node-label
+        shell: bash
+        env:
+          NODE_VERSION: ${{ matrix.node-version }}
+        run: |
+          if [ "$NODE_VERSION" = "lts/*" ]; then
+            echo "value=lts" >> $GITHUB_OUTPUT
+          elif [ "$NODE_VERSION" = "lts/-1" ]; then
+            echo "value=lts-1" >> $GITHUB_OUTPUT
+          elif [ "$NODE_VERSION" = "current" ]; then
+            echo "value=current" >> $GITHUB_OUTPUT
+          else
+            echo "value=$NODE_VERSION" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Upload coverage report
+        if: ${{ matrix.node-version != 'lts/-1' }}
+        uses: actions/upload-artifact@v7
+        with:
+          name: coverage-report-${{ matrix.os }}-${{ steps.node-label.outputs.value }}
+          path: ./coverage
+
+  test-quality:
+    name: Test Quality
+    needs: test
+    strategy:
+      matrix:
+        os: [ubuntu-latest]
+        node-version: ['lts/*']
+      fail-fast: false
+
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+          submodules: false
+
+      - name: Setup Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v6
+        with:
+          node-version: ${{ matrix.node-version }}
+          cache: 'npm'
+
+      - name: Install dependencies
+        uses: salesforcecli/github-workflows/.github/actions/npmInstallWithRetries@main
+
+      - name: Run quality tests
+        run: npm run test:quality
+
+  package:
+    name: Package
+    needs: test
+    if: ${{ needs.test.result == 'success' }}
+    uses: salesforcecli/github-workflows/.github/workflows/vscode-package.yml@feat/add-vscode-extension-ci
+    with:
+      branch: ${{ github.head_ref || github.ref_name }}
+      artifact-name: vsix-packages
+      dry-run: false
+
+  ci-complete:
+    name: CI Complete
+    runs-on: ubuntu-latest
+    needs: [test, package]
+    if: always()
+    steps:
+      - name: Check all jobs result
+        env:
+          TEST_RESULT: ${{ needs.test.result }}
+          PACKAGE_RESULT: ${{ needs.package.result }}
+        run: |
+          if [[ "$TEST_RESULT" != "success" ]]; then
+            echo "Test job(s) failed"
+            exit 1
+          fi
+          if [[ "$PACKAGE_RESULT" != "success" ]]; then
+            echo "Package job failed"
+            exit 1
+          fi
+          echo "All jobs succeeded"
+
+  slack-notify:
+    name: CI Failed Notification
+    needs: [test, package]
+    runs-on: ubuntu-latest
+    if: always() && github.event_name == 'push' && (needs.test.result == 'failure' || needs.package.result == 'failure')
+    steps:
+      - name: Notify Slack
+        uses: slackapi/slack-github-action@v3.0.3
+        with:
+          payload: |
+            {
+              "text": "❌ CI Pipeline Failed",
+              "event": "CI workflow failed, run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}",
+              "repo": "${{ github.repository }}",
+              "test_result": "${{ needs.test.result }}",
+              "package_result": "${{ needs.package.result }}",
+              "branch": "${{ github.ref_name }}",
+              "commit": "${{ github.sha }}"
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.IDEE_MAIN_SLACK_WEBHOOK }}