🌱 Add step to publish to open-vsx

[hhpatel14]

Add a step to publish the extension to the Open VSX registry.

Backport this change to the release-8.0 branch and rerun the release workflow to catch up on publishing to the Open VSX registry. Since the v8.0.0 already published to maketplace, the step skips gracefully, logs “already published”, and proceed to the next step

CI kept using deprecated [email protected] because no local version existed. The deprecated vsce CLI lacked flag --changelog-path and stuck at v2.15.0. @vscode/vsce newer, well maintained and works with Node 20+.

Summary by CodeRabbit

• Chores

  • Streamlined release workflow: installs dependencies up‑front, verifies publisher tool version before publishing, uses no‑install behavior for publishing tools, aligns working directory for publish steps, prefers changelog when present, conditionally publishes to Open VSX for non‑prereleases, and still creates a release after publishing.

• Build

  • Added dev dependencies for VS Code and Open VSX publishing tools to support the updated release process.

[coderabbitai]

Walkthrough

Adds an explicit npm install step (npm ci) in the vscode directory to the release workflow, logs the @vscode/vsce version, changes VS Code Marketplace publish commands to use npx --no-install and to include changelog-path when artifacts/release.md exists, sets working-directory: ./vscode for publish steps, and keeps the Create Release step. Adds @vscode/vsce and ovsx as devDependencies in vscode/package.json.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• 🌱 Update release workflow for publishing to marketplace #736 — Modifies VS Code extension release/publish workflow and related package changes.
• 👻 Use @vscode/vsce to publish #882 — Switches release workflow to use @vscode/vsce/npx for publishing commands.

Suggested reviewers

• dymurray

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title succinctly and accurately describes the main change of adding a step to publish to the Open VSX registry, uses the correct 🌱 alias, and is concise enough for quick scanning while conveying the primary update.
Description Check	✅ Passed	The description clearly outlines what the change does, why it’s needed including the deprecation of the old vsce CLI, and how to backport and handle already published releases, providing sufficient context and instructions for reviewers.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 24bce4c and 0e8ae9b.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (1)

• .github/workflows/release.yml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/release.yml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Lint

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 22d05d0 and ad79ca3.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (2)

• .github/workflows/release.yml (1 hunks)
• vscode/package.json (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Build (macos)
• GitHub Check: Build (linux)
• GitHub Check: Build (windows)

🔇 Additional comments (1)

vscode/package.json (1)

451-452: Keep package-lock in sync with these new devDependencies

Adding @vscode/vsce and ovsx requires updating vscode/package-lock.json; otherwise the new npm ci step will fail when it cannot resolve these packages. Please regenerate and commit the lockfile update so CI has the exact versions recorded.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ad79ca3 and 07cef50.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (2)

• .github/workflows/release.yml (1 hunks)
• vscode/package.json (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/release.yml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Build (windows)
• GitHub Check: Build (linux)
• GitHub Check: Build (macos)

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Pin vsce/ovsx versions for deterministic releases.

Relying on the floating "latest" tag means every npm ci can pull a different CLI, so the release workflow may suddenly break or change behavior without any PR. Please lock both packages to known-good versions (e.g., ^x.y.z) and update them intentionally via PR when needed. This keeps the publishing pipeline reproducible and auditable.

🤖 Prompt for AI Agents

In vscode/package.json around lines 451-452 the dev dependencies use floating
"latest" for @vscode/vsce and ovsx which makes releases non-deterministic;
change both entries to pinned semver ranges (e.g., ^x.y.z) referencing
known-good versions, run npm ci / install to refresh and commit the updated
lockfile (package-lock.json or yarn.lock), and open a follow-up PR when
upgrading those pinned versions in future.