
Commit 89dad9d

Authored by kgmwang1, GitHub Copilot, WilliamBerryiii, katriendg
fix(build): resolve Pinned-Dependencies alerts for vsce npm commands in extension workflows (#782)
## Description

Replaced all `npm install -g @vscode/vsce@3.7.1` commands in extension workflows with lockfile-backed `npm ci` installs, resolving OpenSSF Scorecard Pinned-Dependencies alerts #2#5.

> Version pinning alone (`@3.7.1`) does not satisfy the Scorecard check — it requires cryptographic hash verification. Moving vsce to a root devDependency with `npm ci` provides SHA-512 integrity hashes from `package-lock.json`, which the Scorecard recognizes as "pinned."

### Workflow Changes

Updated **extension-package.yml** and **extension-publish-marketplace.yml** to use `npm ci` instead of `npm install -g @vscode/vsce@3.7.1`. The marketplace workflow's `vsce publish` invocation switched to `npx vsce publish` to resolve from the locally installed package.

### Dependency and Script Changes

Added `@vscode/vsce@3.7.1` as a root devDependency alongside existing tools (*cspell*, *markdownlint-cli2*, etc.), with integrity hashes automatically generated in *package-lock.json*. Pinned the version in `Package-Extension.ps1`'s npx fallback path to `@vscode/vsce@3.7.1` for consistency, and updated the corresponding Pester test assertion.

### Documentation

Updated *extension/PACKAGING.md* prerequisites to instruct `npm ci` at the repo root and `npx vsce` for CLI invocations.

## Related Issue(s)

Fixes #457

## Type of Change

Select all that apply:

**Code & Documentation:**

* [x] Bug fix (non-breaking change fixing an issue)
* [ ] New feature (non-breaking change adding functionality)
* [ ] Breaking change (fix or feature causing existing functionality to change)
* [x] Documentation update

**Infrastructure & Configuration:**

* [x] GitHub Actions workflow
* [ ] Linting configuration (markdown, PowerShell, etc.)
* [x] Security configuration
* [ ] DevContainer configuration
* [x] Dependency update

**AI Artifacts:**

* [ ] Reviewed contribution with `prompt-builder` agent and addressed all feedback
* [ ] Copilot instructions (`.github/instructions/*.instructions.md`)
* [ ] Copilot prompt (`.github/prompts/*.prompt.md`)
* [ ] Copilot agent (`.github/agents/*.agent.md`)
* [ ] Copilot skill (`.github/skills/*/SKILL.md`)

**Other:**

* [x] Script/automation (`.ps1`, `.sh`, `.py`)
* [ ] Other (please describe):

## Sample Prompts (for AI Artifact Contributions)

<!-- Not applicable — no AI artifact changes in this PR -->

## Testing

* **YAML linting**: `npm run lint:yaml` — 31/31 workflow files passed actionlint
* **Markdown linting**: `npm run lint:md` on *extension/PACKAGING.md* — 0 errors
* **PowerShell analysis**: `npm run lint:ps` — all scripts passed PSScriptAnalyzer
* **Workflow permissions**: `npm run lint:permissions` — all workflows compliant
* **Pester tests**: `npm run test:ps -- -TestPath "scripts/tests/extension/Package-Extension.Tests.ps1"` — 96/96 passed (including updated `Get-VscePackageCommand` assertion)
* **Dry-run workflow**: Triggered `Publish Extension` workflow with `dry-run: true` on the feature branch — completed successfully in 5m16s, confirming `npm ci` + `npx vsce package` works end-to-end
* **Manual verification**: `npx vsce --version` returns `3.7.1` after `npm ci`; zero `npm install -g @vscode/vsce` matches remain in the repository
* Manual testing of actual marketplace publishing was not performed (requires marketplace credentials)

## Checklist

### Required Checks

* [x] Documentation is updated (if applicable)
* [x] Files follow existing naming conventions
* [x] Changes are backwards compatible (if applicable)
* [x] Tests added for new functionality (if applicable)

### AI Artifact Contributions

<!-- Not applicable — no AI artifact changes -->

* [ ] Used `/prompt-analyze` to review contribution
* [ ] Addressed all feedback from `prompt-builder` review
* [ ] Verified contribution follows common standards and type-specific requirements

### Required Automated Checks

The following validation commands must pass before merging:

* [x] Markdown linting: `npm run lint:md`
* [ ] Spell checking: `npm run spell-check`
* [ ] Frontmatter validation: `npm run lint:frontmatter`
* [ ] Skill structure validation: `npm run validate:skills`
* [ ] Link validation: `npm run lint:md-links`
* [x] PowerShell analysis: `npm run lint:ps`
* [ ] Plugin freshness: `npm run plugin:generate`

## Security Considerations

* [x] This PR does not contain any sensitive or NDA information
* [x] Any new dependencies have been reviewed for security issues
* [x] Security-related scripts follow the principle of least privilege

## Additional Notes

* The `extension-publish.yml` and `extension-publish-prerelease.yml` workflows delegate to the two modified reusable workflows — no direct changes needed in those callers.
* OpenSSF Scorecard alerts #2#5 should resolve on the next scheduled scan after merge, since `npm ci` is syntactically recognized as "pinned" by the Scorecard's `isNpmUnpinnedDownload()` check.
* Adding vsce to root devDependencies means `npm ci` in extension workflow jobs also installs other dev tools (cspell, markdownlint, etc.) — an acceptable ~30s tradeoff for security compliance.

Co-authored-by: GitHub Copilot <copilot@github.com>
Co-authored-by: Bill Berry <WilliamBerryiii@users.noreply.github.com>
Co-authored-by: Katrien De Graeve <katriendg@users.noreply.github.com>
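A pre-merge check in the spirit of the manual verification above, added here as an illustration and not part of the repository: it flags the `npm install` forms that Scorecard's Pinned-Dependencies check reports as unpinned, and confirms that the lockfile records a well-formed SHA-512 integrity value for the pinned `@vscode/vsce` version that `npm ci` will verify. The workflow step, package.json and package-lock.json fragments are constructed samples, and the integrity digest is a placeholder.

```python
import base64
import json
import re

# Download forms Scorecard's Pinned-Dependencies check reports as unpinned:
# any `npm install` / `npm i` / `npm add`, global or not, with or without a
# version suffix. Only `npm ci` installs from the lockfile's integrity hashes.
_NPM_UNPINNED = re.compile(r"\bnpm\s+(?:install|i|add)\b")
_VSCE_PKG = "node_modules/@vscode/vsce"


def find_unpinned_npm(workflow_text):
    """Return (line_number, stripped_line) for each unpinned npm download."""
    return [(no, line.strip())
            for no, line in enumerate(workflow_text.splitlines(), start=1)
            if _NPM_UNPINNED.search(line)]


def vsce_is_hash_pinned(package_json, lock_json, version):
    """True when package.json pins @vscode/vsce to `version` as a devDependency
    and the v2/v3 lockfile records that version with a well-formed SHA-512
    integrity value (64-byte digest, base64) for `npm ci` to verify."""
    pkg = json.loads(package_json)
    if pkg.get("devDependencies", {}).get("@vscode/vsce") != version:
        return False
    entry = json.loads(lock_json).get("packages", {}).get(_VSCE_PKG)
    if not entry or entry.get("version") != version:
        return False
    integrity = entry.get("integrity", "")
    if not integrity.startswith("sha512-"):
        return False
    try:
        digest = base64.b64decode(integrity[len("sha512-"):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(digest) == 64


# Constructed samples: the workflow step before and after this commit, plus
# package.json / package-lock.json fragments. The integrity value is a
# placeholder digest, not the real hash of @vscode/vsce 3.7.1.
BEFORE_STEP = "      - name: Install dependencies\n        run: npm install -g @vscode/vsce@3.7.1\n"
AFTER_STEP = "      - name: Install dependencies\n        run: npm ci\n"
PACKAGE_JSON = '{"devDependencies": {"@vscode/vsce": "3.7.1"}}'
LOCK_JSON = json.dumps({"lockfileVersion": 3, "packages": {
    _VSCE_PKG: {"version": "3.7.1", "dev": True,
                "integrity": "sha512-" + "A" * 86 + "=="}}})

if __name__ == "__main__":
    print("before:", find_unpinned_npm(BEFORE_STEP))
    print("after:", find_unpinned_npm(AFTER_STEP))
    print("vsce hash-pinned:", vsce_is_hash_pinned(PACKAGE_JSON, LOCK_JSON, "3.7.1"))
```

Run against real files, `find_unpinned_npm` would be fed each `.github/workflows/*.yml` and `vsce_is_hash_pinned` the root `package.json` and `package-lock.json`.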
1 parent eb45d69 commit 89dad9d


7 files changed: +3196 / -121 lines changed


.github/workflows/extension-package.yml

Lines changed: 1 addition & 1 deletion
@@ -95,7 +95,7 @@ jobs:
9595
node-version: "20"
9696

9797
- name: Install dependencies
98-
run: npm install -g @vscode/vsce@3.7.1
98+
run: npm ci
9999

100100
- name: Setup PowerShell
101101
shell: pwsh
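Review bot: the `npm ci` at line 98 now installs every root devDependency (cspell, markdownlint-cli2, etc., per the description), not just vsce, and runs their install lifecycle scripts inside the packaging job; if none of those tools rely on postinstall hooks, `run: npm ci --ignore-scripts` narrows what executes during this step while keeping the lockfile integrity verification that satisfies the Scorecard check. Also confirm this step runs where package-lock.json lives: no `working-directory` is set, so it relies on the checkout being the repository root, and `npm ci` errors out when package.json and the lockfile are missing or out of sync.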

.github/workflows/extension-publish-marketplace.yml

Lines changed: 3 additions & 3 deletions
@@ -45,8 +45,8 @@ jobs:
4545
with:
4646
node-version: "20"
4747

48-
- name: Install VSCE
49-
run: npm install -g @vscode/vsce@3.7.1
48+
- name: Install dependencies
49+
run: npm ci
5050

5151
- name: Download VSIX artifact
5252
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
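Review bot: nothing in this hunk shows a checkout step before the new `npm ci` at line 49, and the job's visible input is the VSIX artifact downloaded at line 52; `npm ci` needs both package.json and package-lock.json in the working directory and fails outright if either is absent, so verify the publish job checks out the repository (not only the artifact) ahead of this step, and that the checkout includes the lockfile rather than a sparse subset.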
@@ -76,7 +76,7 @@ jobs:
7676
fi
7777
7878
echo "📦 Publishing $COLLECTION_ID: $VSIX_FILE (v$VSIX_VERSION) [$CHANNEL_LABEL]"
79-
vsce publish --packagePath "$VSIX_FILE" $PRE_RELEASE_FLAG --azure-credential
79+
npx vsce publish --packagePath "$VSIX_FILE" $PRE_RELEASE_FLAG --azure-credential
8080
8181
- name: Summary
8282
env:
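Review bot: `npx vsce publish` at line 79 resolves `node_modules/.bin/vsce` only if `npm ci` ran in the same working directory; if it is not found, npx (npm 7+) in a non-interactive job falls back to fetching the unscoped `vsce` package (the deprecated predecessor of `@vscode/vsce`) from the registry at whatever version is current, which reintroduces an unpinned download in the one job that holds publish credentials. `./node_modules/.bin/vsce publish --packagePath "$VSIX_FILE" $PRE_RELEASE_FLAG --azure-credential` (or `npx --no vsce publish ...`, which errors instead of downloading) turns that failure mode into a hard error.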

extension/PACKAGING.md

Lines changed: 4 additions & 2 deletions
@@ -37,12 +37,14 @@ This is a declarative extension: it contributes configuration and file paths, an
3737

3838
## Prerequisites
3939

40-
Install the VS Code Extension Manager CLI:
40+
Install project dependencies (includes the VS Code Extension Manager CLI):
4141

4242
```bash
43-
npm install -g @vscode/vsce
43+
npm ci
4444
```
4545

46+
After installation, use `npx vsce` to invoke the CLI.
47+
4648
Install the PowerShell-Yaml module (required for Prepare-Extension.ps1):
4749

4850
```powershell
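Review bot: the new prerequisite text at line 40 tells the reader to run `npm ci` but not where; this file lives under extension/, and `npm ci` only succeeds in a directory holding both package.json and package-lock.json, so someone following along inside extension/ gets an error. The commit description says "at the repo root", so suggest `Install project dependencies from the repository root (includes the VS Code Extension Manager CLI):`, and add the same qualifier to line 46, since `npx vsce` only resolves the locally installed 3.7.1 when invoked from within the repository.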
