
feat(vscode-plugin): publish to Marketplace via Azure OIDC instead of VSCE_PAT#792

Merged
theoephraim merged 3 commits into
mainfrom
vscode-marketplace-oidc-publishing
Jun 16, 2026

Conversation

@theoephraim theoephraim commented Jun 16, 2026

Member

What & why

The last release failed to publish the VS Code extension because the VSCE_PAT was invalid/expired (Azure DevOps PATs expire). This switches Marketplace publishing to Microsoft Entra workload identity federation (OIDC) — short-lived tokens, no PAT to rotate.

Changes

  • publish:vsce now passes --azure-credential, so vsce authenticates via @azure/identity instead of a PAT.
  • Release workflow (release.yaml):
    • A gated step loads AZURE_CLIENT_ID / AZURE_TENANT_ID from 1Password via varlock (dmno-dev/varlock-action, OP_CI_TOKEN injected from the GitHub secret of the same name), only when the release actually publishes the extension (new plan.includes-vscode output).
    • azure/login@v2 (OIDC) authenticates before bumpy runs the publish.
    • VSCE_PAT removed from the publish step. OVSX_PAT stays — Open VSX is a separate registry not covered by Azure OIDC.
  • .env.schema for the extension package resolves the Azure ids from 1Password. In CI the injected OP_TOKEN is used; locally it falls back to 1Password desktop app auth (allowAppAuth=not($VARLOCK_IS_CI)). Azure ids are referenced by item id for rename stability.
  • Added varlock + @varlock/1password-plugin workspace devDeps so the schema resolves.

Verification

Resolved the full schema locally (via 1Password app auth) — both Azure ids resolve correctly and OP_TOKEN is optional locally. The patch changeset cuts 0.2.3, which on merge exercises the new OIDC publish path end-to-end and unsticks the Marketplace (currently stranded at 0.2.1 after 0.2.2's publish failed).

Before merging — one-time setup required

  • Azure app registration + GitHub OIDC federated credential, and that identity added to the varlock Marketplace publisher as Contributor (done).
  • 1Password VarlockCI vault item with azure-identity-client-id / azure-identity-tenant-id (done).
  • The old VSCE_PAT secret can be deleted; no AZURE_* GitHub secrets are needed (sourced from 1Password).

Also: OVSX_PAT moved to 1Password

Open VSX still needs a token (not covered by Azure OIDC), but it no longer lives in GitHub secrets — OVSX_PAT is now in the VarlockCI vault and loaded via the same varlock step. The manual fallback workflow (vscode-release.yaml) was also switched to OIDC + varlock and no longer references the dead VSCE_PAT or secrets.OVSX_PAT.

The ovsx-pat value already lives on the vscode-marketplace-publishing item (verified resolving). After merge, the OVSX_PAT GitHub secret can be deleted.
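As an added illustration, not the repository's own release.yaml, this is the shape of the gated OIDC publish path the PR describes: a least-privilege `permissions` block, the varlock step loading the Azure ids from 1Password, `azure/login@v2` exchanging the GitHub OIDC token for a short-lived Entra token, and `vsce publish --azure-credential` with no PAT in the job. The varlock-action version and inputs, the package path, and the `plan` step that produces `includes-vscode` are assumptions.

```yaml
# Added example, not the repo's actual release.yaml: the gated OIDC publish
# path described in the PR. varlock-action version/inputs, the package path
# and the plan step are assumed.
name: release
on:
  push:
    branches: [main]

jobs:
  release:
    runs-on: ubuntu-latest
    # Least privilege: id-token:write is the only grant needed for the job to
    # request a GitHub OIDC token that the Entra federated credential trusts.
    permissions:
      contents: write
      id-token: write
    steps:
      - uses: actions/checkout@v4

      - id: plan
        name: Determine what this release publishes
        # Placeholder for whatever computes the PR's `includes-vscode` output.
        run: echo "includes-vscode=true" >> "$GITHUB_OUTPUT"

      - name: Load Marketplace publishing vars from 1Password via varlock
        if: steps.plan.outputs.includes-vscode == 'true'
        uses: dmno-dev/varlock-action@v1   # version and inputs assumed
        env:
          OP_CI_TOKEN: ${{ secrets.OP_CI_TOKEN }}
        # Assumed to export AZURE_CLIENT_ID, AZURE_TENANT_ID and OVSX_PAT
        # into the job env, as resolved by the extension's .env.schema.

      - name: Azure login (OIDC; short-lived token, nothing to rotate)
        if: steps.plan.outputs.includes-vscode == 'true'
        uses: azure/login@v2
        with:
          client-id: ${{ env.AZURE_CLIENT_ID }}
          tenant-id: ${{ env.AZURE_TENANT_ID }}
          # The identity is a Marketplace publisher Contributor, not a
          # subscription principal, so no subscription is required.
          allow-no-subscriptions: true

      - name: Publish to VS Code Marketplace
        if: steps.plan.outputs.includes-vscode == 'true'
        working-directory: packages/vscode-plugin   # path assumed
        # vsce obtains its token through @azure/identity (the azure/login
        # session above); no VSCE_PAT secret exists to expire or leak.
        run: npx vsce publish --azure-credential
```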

… VSCE_PAT

- publish:vsce uses --azure-credential (vsce authenticates via @azure/identity)
- release workflow loads AZURE_CLIENT_ID/AZURE_TENANT_ID from 1Password via varlock
  (OP_TOKEN injected from OP_CI_TOKEN), gated to vscode-extension publishes only,
  then azure/login (OIDC) authenticates before bumpy runs the publish
- drop VSCE_PAT from the release step (OVSX_PAT stays for Open VSX)
- add .env.schema + workspace devDeps (varlock, @varlock/1password-plugin)
Use the existing OP_CI_TOKEN name end-to-end (schema var + workflow env) instead
of remapping the secret, matching the encryption-binary-swift schema.
@theoephraim theoephraim force-pushed the vscode-marketplace-oidc-publishing branch from 17e67f9 to 225c684 on June 16, 2026 22:02
github-actions Bot commented Jun 16, 2026

Contributor

bumpy-frog

The changes in this PR will be included in the next version bump.

patch Patch releases

  • env-spec-language 0.2.2 → 0.2.3

Bump files in this PR

This comment is maintained by bumpy.

- add OVSX_PAT to the vscode-plugin .env.schema (sourced from VarlockCI vault)
- release.yaml: loaded by the existing varlock step into the job env; drop
  OVSX_PAT from the bumpy publish step
- vscode-release.yaml (manual fallback): switch to OIDC + varlock too — load
  publishing secrets from 1Password, azure/login for vsce --azure-credential,
  and drop the dead VSCE_PAT / secrets.OVSX_PAT references
@theoephraim theoephraim force-pushed the vscode-marketplace-oidc-publishing branch from 225c684 to b1cece7 on June 16, 2026 22:12
@theoephraim theoephraim merged commit 9353eb9 into main Jun 16, 2026
23 checks passed