ci: separate build and publish workflows

- Split build.yml into reusable build workflow and new publish.yml for publishing
- Pin GitHub Actions to specific commit SHAs for security
- Add workflow dispatch option to publish to either open-vsx or vsix archive

Contributed on behalf of STMicroelectronics

Author: ndoschek

.github/workflows/build.yml

@@ -1,6 +1,6 @@
-name: Build and Publish VS Code Extensions
+name: Build VS Code Extensions
 on:
-  workflow_dispatch:
+  workflow_call:
   push:
     branches:
       - master
@@ -10,13 +10,12 @@ on:
 env:
   NODE_OPTIONS: --max-old-space-size=8192
 jobs:
-  linux:
+  build:
     runs-on: ubuntu-latest
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      OVSX_PAT: ${{ secrets.OVSX_PAT}}
     steps:
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
       - run: |
           git submodule init
           git submodule update
@@ -30,20 +29,18 @@ jobs:
           sudo update-rc.d xvfb defaults
           sudo service xvfb start
         name: Setup Build Environment
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version-file: vscode/.nvmrc
-      - name: Check ovsx version
-        run: npx ovsx --version
       - name: Bundle Extensions
         run: |
           npm i
           npm run build:extensions
       - name: Package Solid Version of Extensions
         run: npm run package-vsix
-      - name: Create built-in extensions pack
-        run: npm run create-extension-pack
-      # Only publish the extensions if the workflow was manually triggered
-      - if: ${{ github.event_name == 'workflow_dispatch' }}
-        name: Publish Extensions to open-vsx.org
-        run: npm run publish:vsix
+      - name: Upload dist artifacts
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: dist
+          path: dist/
+          retention-days: 7

.github/workflows/publish.yml

@@ -0,0 +1,80 @@
+name: Publish VS Code Extensions
+on:
+  workflow_dispatch:
+    inputs:
+      publish_target:
+        description: 'Publish target'
+        required: true
+        type: choice
+        options:
+          - open-vsx
+          - archive
+env:
+  NODE_OPTIONS: --max-old-space-size=8192
+jobs:
+  build:
+    uses: ./.github/workflows/build.yml
+    secrets: inherit
+
+  publish-openvsx:
+    if: ${{ github.event.inputs.publish_target == 'open-vsx' }}
+    needs: build
+    runs-on: ubuntu-latest
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      OVSX_PAT: ${{ secrets.OVSX_PAT }}
+    steps:
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - run: |
+          git submodule init
+          git submodule update
+        name: Checkout VS Code
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version-file: vscode/.nvmrc
+      - name: Install dependencies
+        run: npm i
+      - name: Download dist artifacts
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: dist
+          path: dist/
+      - name: Check ovsx version
+        run: npx ovsx --version
+      - name: Create built-in extensions pack
+        run: npm run create-extension-pack
+      - name: Publish Extensions to open-vsx.org
+        run: npm run publish:vsix
+
+  publish-archive:
+    if: ${{ github.event.inputs.publish_target == 'archive' }}
+    needs: build
+    runs-on: ubuntu-latest
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - run: |
+          git submodule init
+          git submodule update
+        name: Checkout VS Code
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version-file: vscode/.nvmrc
+      - name: Install dependencies
+        run: npm i
+      - name: Download dist artifacts
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: dist
+          path: dist/
+      - name: Get external builtins
+        run: npm run get-external-builtins
+      - name: Compress VSIX files
+        run: npm run compress-vsix
+      - name: Upload archive artifact
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: vscode-builtin-extensions-archive
+          path: vscode-builtin-extensions-*.tar.gz
+          retention-days: 7

doc/Publishing.md

@@ -60,7 +60,9 @@ Building and packaging the built-ins is described in [Building.md](./Building.md
 
 As an alternative to publishing on open-vsx.org, you can compress all packaged `.vsix` files into a single `tar.gz` archive for self-hosting (e.g., on GitHub Releases).
 
-You can create the archive locally:
+To create an archive using GitHub Actions, use the `Publish VS Code Extensions` workflow and select `archive` as the publish target. This will build and package all extensions (including external builtins), and create a `vscode-builtin-extensions-<version>.tar.gz` archive that can be downloaded from the workflow artifacts.
+
+Alternatively, you can create the archive locally:
 
     npm run package-vsix
     npm run get-external-builtins
@@ -117,7 +119,6 @@ check out the correct version of VS Code upon `git submodule update`. The conven
 
 Publishing is done using GitHub Actions. In the vscode-builtin-extensions repo, a publish token for open-vsx.org has been set, that can be used to publish under the identity of the openvsx publish bot.
 
-Building and optionally publishing the extensions is done through the `Build and Publish VS Code Extensions` workflow.
-On any pull request and push to the `master` branch, the workflow will build and package all VS Code extensions to ensure that the build scripts still work as expected.
+On any pull request and push to the `master` branch, the `Build VS Code Extensions` workflow will build and package all VS Code extensions to ensure that the build scripts still work as expected.
 
-Triggering the workflow through the GitHub UI using the `workflow_dispatch` trigger will additionally publish the built extensions to open-vsx.
+To publish, use the `Publish VS Code Extensions` workflow and select `open-vsx` as the publish target. This will build the extensions, create the extension pack, and publish everything to open-vsx.org.