Add workflow to publish the extension to Open VSX #690
Description
Since SPFx Toolkit is now on Open VSX Registry -> https://open-vsx.org/extension/m365pnp/viva-connections-toolkit
So that this extension may be installed to tools like Cursor, Windsurf (formerly Codeium), VSCodium, Google Cloud Shell Editor etc.
Now we need a way to automatically publish this extension to the Open VSX Registry similar like we have for Microsoft VS Code Marketplace.
For MS VS Code Marketplace we have two pipelines that do that like this one: https://github.com/pnp/vscode-viva/blob/main/.github/workflows/release.yml
For Open VSX Registry we may one of the two options:
1. We could use the auto publish path provided by the Eclipse foundation community - this seems relatively easy as we simply need to open a PR to add our extension to the extensions list and then every time we publish to MS Marketplace it will get auto updated to Open VSX Registry. This seems the easiest path, and many extensions do it this way. I did some research and in the past it was NOT safe and was hacked. For example each extension was build during their flow, which run npm install as one of the steps, which proposed a risk of running some unwanted scripts as part of npn install post process which they did not check and it could lead of some unwanted code/functionality 'attached' to our extension and published, link to the article: https://www.koi.ai/blog/marketplace-takeover-how-we-couldve-taken-over-every-developer-using-a-vscode-fork-putting-millions-at-risk
- second option is just do it on our own. Open VSX has a CLI (similar like vsce) and we could just generate a token for the publish account, store it in secrets, and use it in a workflow we would create and maintain in our repo to publish when ever we want (either we run it manually or trigger on publish). Example: https://dev.to/diana_tang/complete-guide-publishing-vs-code-extensions-to-both-marketplaces-4d58.
Lets discuss which path we pick and execute