Conversation

Member

@Artmann Artmann commented Oct 17, 2025

Fixes #

Summary by CodeRabbit

  • Chores
    • Added an automated packaging workflow that builds and produces downloadable VS Code extension packages labeled with version and branch, and uploads them as artifacts.
    • Packaging now emits a product-specific VSIX filename that includes the version and sanitized branch for easier identification.
    • Job summary reports the packaged version and branch and includes VSIX installation instructions.

Contributor

coderabbitai bot commented Oct 17, 2025

Caution

Review failed

The pull request is closed.

📝 Walkthrough

Walkthrough

A GitHub Actions workflow named "CD" automates building and packaging a VS Code extension. It triggers on pushes to main, pull requests targeting main, and manual dispatch. On ubuntu-latest it checks out the repo, sets up Node.js 22.x (with npm cache and registry), runs npm ci, installs @vscode/vsce globally, reads version from package.json, derives and sanitizes the branch/PR ref, runs the package script (which now produces vscode-deepnote-insiders.vsix), renames the VSIX to include version and sanitized branch, uploads the VSIX as an artifact, and writes a job summary with the packaged version, branch, and installation instructions.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant GH as GitHub (trigger)
    participant R as Actions runner (ubuntu-latest)
    participant Repo as Repository
    participant Node as Node 22.x env
    participant Art as Artifact storage / Job Summary

    Note over GH,R #D6EAF8: Triggers: push(main), pull_request(main), workflow_dispatch

    GH->>R: start "CD" job (package)
    R->>Repo: actions/checkout
    R->>Node: setup-node (22.x, npm cache, registry)
    R->>Node: npm ci
    R->>Node: npm install -g @vscode/vsce
    R->>Repo: read package.json -> extract version
    R->>Repo: determine branch or PR ref -> sanitize for filename
    R->>Node: npm run package (outputs vscode-deepnote-insiders.vsix)
    Node-->>R: .vsix (dist/)
    R->>R: rename .vsix -> includes version + sanitized-branch
    R->>Art: upload-artifact (name includes version+branch)
    R->>Art: add-job-summary (version, branch, install instructions)
    Note over Art,R #E9F7EF: Artifact + summary available in workflow UI

Suggested reviewers

  • andyjakubowski
  • saltenasl

Pre-merge checks

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check ✅ Passed The title "feat: Package the extension." accurately and directly describes the primary change in this PR. The changeset adds a GitHub Actions workflow for building and packaging a VS Code extension, and updates the package script with a new VSIX filename. Both changes are squarely focused on extension packaging infrastructure, making the title a clear and concise summary of the work. The title follows conventional commit format and provides sufficient clarity for someone scanning PR history.
Docstring Coverage ✅ Passed No functions found in the changes. Docstring coverage check skipped.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 16998f3 and ad65f80.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (2)
  • .github/workflows/package.yml (1 hunks)
  • package.json (1 hunks)



codecov bot commented Oct 17, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 71%. Comparing base (ab8a5e8) to head (ad65f80).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@          Coverage Diff          @@
##            main     #79   +/-   ##
=====================================
  Coverage     71%     71%           
=====================================
  Files        523     523           
  Lines      39001   39001           
  Branches    4905    4905           
=====================================
  Hits       27834   27834           
  Misses      9542    9542           
  Partials    1625    1625           

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 953a32a and eb50220.

📒 Files selected for processing (1)
  • .github/workflows/package.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.8)
.github/workflows/package.yml

55-55: "github.head_ref" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/reference/security/secure-use#good-practices-for-mitigating-script-injection-attacks for more details

(expression)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Build & Test
  • GitHub Check: Lint & Format
  • GitHub Check: Build & Package Extension
🔇 Additional comments (1)
.github/workflows/package.yml (1)

70-75: No changes required; review comment is factually incorrect.

The hardcoded filename ms-toolsai-jupyter-insiders.vsix in the workflow is correct. The npm run package script explicitly outputs to this name via the -o flag in package.json line 2129: vsce package -o ms-toolsai-jupyter-insiders.vsix. The mv command will succeed without modification.

Likely an incorrect or invalid review comment.

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 953a32a and eb50220.

📒 Files selected for processing (1)
  • .github/workflows/package.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.8)
.github/workflows/package.yml

55-55: "github.head_ref" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/reference/security/secure-use#good-practices-for-mitigating-script-injection-attacks for more details

(expression)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Build & Test
  • GitHub Check: Lint & Format
  • GitHub Check: Build & Package Extension
🔇 Additional comments (1)
.github/workflows/package.yml (1)

70-75: No changes needed—the VSIX filename is explicitly set in the build command.

The vsce package command in package.json uses the -o ms-toolsai-jupyter-insiders.vsix flag, which guarantees that exact output filename. The comment accurately describes what the package script produces, and the mv command will succeed. The filename is not a guess or copy-paste artifact.

Likely an incorrect or invalid review comment.

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (1)
.github/workflows/package.yml (1)

56-68: Fix script injection vulnerability with github.head_ref.

Line 61 directly interpolates untrusted user input (github.head_ref) into the shell script, enabling script injection attacks. Pass it through an environment variable first (as flagged by actionlint).

      - name: Extract and sanitize branch name
        id: branch-name
+       env:
+         HEAD_REF: ${{ github.head_ref }}
        run: |
          # Get branch name from ref
          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-           BRANCH="${{ github.head_ref }}"
+           BRANCH="$HEAD_REF"
          else
            BRANCH="${GITHUB_REF#refs/heads/}"
          fi
          # Sanitize branch name for filename (replace / with -)
          SAFE_BRANCH=$(echo "$BRANCH" | sed 's/\//-/g')
          echo "branch=$SAFE_BRANCH" >> $GITHUB_OUTPUT
          echo "Branch name: $BRANCH (sanitized: $SAFE_BRANCH)"
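
Review bot: the env-var change closes the injection in this step only, and the sanitizer at `SAFE_BRANCH=$(echo "$BRANCH" | sed 's/\//-/g')` still lets every character other than `/` through, so `"`, `;`, `$` and backticks from a crafted head_ref survive into `steps.branch-name.outputs.branch`. That output is consumed by the later rename and artifact-upload steps; if either interpolates `${{ steps.branch-name.outputs.branch }}` inside a `run:` block, the same text lands in a shell script again. Suggest an allowlist rather than a single substitution, e.g. `SAFE_BRANCH=$(printf '%s' "$BRANCH" | tr -c 'A-Za-z0-9._-' '-')`, and quote the redirect target as `>> "$GITHUB_OUTPUT"`. Leaving `${{ github.event_name }}` inline is fine: it is set by GitHub, not by the PR author.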
📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between eb50220 and d8d45b0.

📒 Files selected for processing (1)
  • .github/workflows/package.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.8)
.github/workflows/package.yml

58-58: "github.head_ref" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/reference/security/secure-use#good-practices-for-mitigating-script-injection-attacks for more details

(expression)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Build & Package Extension
  • GitHub Check: Build & Test
🔇 Additional comments (1)
.github/workflows/package.yml (1)

73-78: The hardcoded filename is correct—no issue here.

The package script explicitly invokes vsce package -o ms-toolsai-jupyter-insiders.vsix, so the mv command will find and rename the file without failure. The filename is the configured build artifact, not a misplaced reference.

Likely an incorrect or invalid review comment.
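
Added example, not code from the PR or from the CodeRabbit review: a stand-alone bash script that reproduces the branch-name handling the walkthrough describes (sanitize the ref, build `<product>-<version>-<branch>.vsix`) and shows concretely why `${{ github.head_ref }}` inside `run:` is a script injection and why the env-var form is not. `render_inline` stands in for the textual `${{ }}` expansion GitHub Actions performs before bash ever runs the step; `sanitize_branch` is a stricter allowlist version of the PR's `sed 's/\//-/g'`. The product prefix `vscode-deepnote-insiders` is the name the walkthrough gives; the function names and the sample payload are my own.

```bash
#!/usr/bin/env bash
# Added example (not from the PR): reproduces the workflow's branch-name
# handling and demonstrates the actionlint finding on github.head_ref.
set -u

# Allowlist sanitizer for a value that ends up in a filename / artifact name.
# Keeps [A-Za-z0-9._-], maps every other byte to '-', squeezes runs of '-' and
# trims leading/trailing '-'. Stricter than `sed 's/\//-/g'`, which rewrites
# only '/': Git ref names may legally contain '$', ';', '"', '`', '(' and ')'.
sanitize_branch() {
  printf '%s' "$1" \
    | LC_ALL=C tr -c 'A-Za-z0-9._-' '-' \
    | tr -s '-' \
    | sed -e 's/^-*//' -e 's/-*$//'
}

# Artifact name in the shape the workflow builds: <product>-<version>-<branch>.vsix
vsix_name() {                       # $1 = version, $2 = raw branch / head_ref
  printf '%s-%s-%s.vsix' 'vscode-deepnote-insiders' "$1" "$(sanitize_branch "$2")"
}

# Stand-in for how GitHub Actions expands `${{ github.head_ref }}` textually
# into the `run:` script before bash parses it. The shell never sees a
# placeholder, only attacker-chosen text spliced into the script source.
render_inline() {                   # $1 = head_ref
  printf 'BRANCH="%s"\necho "branch is $BRANCH"\n' "$1"
}

# Unsafe pattern (the original step): the expanded script text is executed.
run_inline() {
  render_inline "$1" | bash 2>&1
}

# Fixed pattern: the value arrives as an environment variable, so the script
# source is constant and the ref is only ever data, never code.
run_via_env() {
  HEAD_REF="$1" bash -c 'BRANCH="$HEAD_REF"; echo "branch is $BRANCH"' 2>&1
}

# Constructed malicious head_ref: closes the quote, runs a command, reopens it.
PAYLOAD='feature/x"; echo INJECTED; echo "'

# Demo for stand-alone runs: `bash this.sh --demo`
if [ "${1:-}" = "--demo" ]; then
  echo "--- inline (unsafe) ---";  run_inline "$PAYLOAD"
  echo "--- env (safe) ---";       run_via_env "$PAYLOAD"
  echo "--- artifact name ---";    vsix_name 1.2.3 "$PAYLOAD"
fi
```

With the payload above, the inline variant prints a bare `INJECTED` line because the spliced text became shell syntax, while the env variant prints a single `branch is ...` line containing the payload verbatim. The allowlist also keeps the artifact name to a character set that is safe on every runner filesystem and cannot re-introduce shell metacharacters in later steps.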

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (1)
.github/workflows/package.yml (1)

43-44: Consider alternatives to global vsce installation.

Installing @vscode/vsce globally reduces CI reproducibility and makes the version implicit. Two better approaches:

Option 1 (minimal): Use npx:

-      - name: Install vsce
-        run: npm install -g @vscode/vsce
-
       - name: Package extension
-        run: npm run package
+        run: npx @vscode/vsce package
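
Review bot: `npx @vscode/vsce package` is unpinned, so every run resolves and executes whatever version is newest on the registry at that moment, which is exactly the implicit-version problem this comment sets out to remove; pin it (`npx @vscode/vsce@<pinned-version> package`) or take Option 2. The replacement also drops the `-o <name>.vsix` flag that `npm run package` passes to `vsce package`, so the hardcoded filename in the later `mv` step would no longer match the file vsce writes.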

Option 2 (recommended): Add to devDependencies in package.json, then update npm script:

-      - name: Install vsce
-        run: npm install -g @vscode/vsce
-
       - name: Package extension
         run: npm run package
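
Review bot: on its own this hunk only deletes the install step; it is correct only together with the package.json change described under it, which must add `@vscode/vsce` to devDependencies so that `npm ci` puts it on the npm-scripts PATH. The reproducibility gain comes from the exact version recorded in package-lock.json, and that file is hidden from this review by the `!**/package-lock.json` path filter, so confirm the lockfile entry is present and pinned before merging.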

(and update package.json to have "package": "vsce package" in scripts)

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d8d45b0 and 095adec.

⛔ Files ignored due to path filters (2)
  • icon.png is excluded by !**/*.png
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • .github/workflows/package.yml (1 hunks)
🔇 Additional comments (1)
.github/workflows/package.yml (1)

53-68: Good: script injection mitigation properly applied.

The branch name extraction correctly uses environment variables to avoid direct shell interpolation of github.head_ref, and sanitization uses printf safely. This addresses the prior actionlint security findings.

coderabbitai[bot]
coderabbitai bot previously approved these changes Oct 17, 2025
@Artmann Artmann marked this pull request as ready for review October 17, 2025 14:45
@Artmann Artmann enabled auto-merge (squash) October 17, 2025 14:45
Contributor

@jamesbhobbs jamesbhobbs left a comment


I have quibbles but the workflow looks fine, I haven't tested the packaging works, I assume the author did.

@Artmann Artmann merged commit 1ab2214 into main Oct 20, 2025
12 of 13 checks passed
@Artmann Artmann deleted the chris/package-the-extension branch October 20, 2025 17:29