infra(ide): add deployment pipeline for ide package #103

Merged
andrewmelchor merged 2 commits into main from infra(ide)/deployment-pipeline
Mar 2, 2026
@andrewmelchor
Member

Summary

  • Introduces a unified release-ide release path so IDE extension deployment is handled as one pipeline for both VS Code and Cursor.
  • Extends tag-driven release tooling to support ide with ide-v*.*.* tags in script/release.ts.
  • Adds a root release command in package.json: bun run release-ide.
  • Adds a new workflow release-ide.yml that:
      • Verifies tag/package version alignment.
      • Builds and tests the extension once.
      • Packages a single VSIX artifact.
      • Publishes to VS Code Marketplace (VSCE_PAT) and OpenVSX for Cursor (OVSX_TOKEN).
      • Supports manual dry-run for safe validation before live publish.

@greptile-apps

greptile-apps bot commented Mar 2, 2026

Greptile Summary

This PR introduces a unified IDE extension deployment pipeline, connecting tag-driven releases (ide-v*.*.*) through the existing script/release.ts tooling to a new release-ide.yml GitHub Actions workflow that builds, tests, packages, and publishes the VS Code extension to both the VS Code Marketplace and OpenVSX (Cursor).

Key changes:

  • .github/workflows/release-ide.yml: New workflow triggered by ide-v*.*.* tags or manual workflow_dispatch. Builds and tests the extension, packages a single VSIX artifact, and publishes to both marketplaces. Supports a dry-run mode for safe pre-publish validation.
  • package.json: Adds a release-ide convenience script (uses a dash rather than the colon used by all sibling scripts — inconsistent naming).
  • script/release.ts: Registers the ide package (packages/vscode, tag prefix ide-v) in the shared PACKAGES map and updates the help text.

Issues found:

  • The version verification step compares packages/vscode/package.json against itself when triggered via workflow_dispatch, making it always a no-op for manual runs — the protection only works for tag-triggered runs.
  • id-token: write is granted but never consumed; the workflow uses PAT/token secrets for authentication, not OIDC federation.
  • The new release-ide script name uses a dash delimiter, inconsistent with the colon pattern of every other release script (release:app, release:core, etc.).

Confidence Score: 3/5

  • Safe to merge with minor fixes, but the version verification bypass on manual triggers and unnecessary OIDC permission should be addressed first.
  • The core pipeline logic (tag extraction, build, test, package, publish) is sound and follows established patterns in the repo. However, the version verification step silently passes as a no-op on all workflow_dispatch runs, which could allow publishing an unverified version manually without any real check — this reduces the robustness of the release guard. Additionally, the id-token: write permission is granted without use. These are addressable with small changes before merging.
  • .github/workflows/release-ide.yml — verify step no-op on manual triggers and unnecessary id-token: write permission.

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/release-ide.yml | New CI/CD workflow for IDE extension releases; has an unnecessary id-token: write permission and a version verification step that is effectively a no-op for manual (workflow_dispatch) triggers. |
| package.json | Adds release-ide script, but uses a dash instead of the colon delimiter used by all other release scripts (release:app, release:core, etc.), breaking the naming convention. |
| script/release.ts | Adds ide entry to the PACKAGES map and updates the help text — straightforward, consistent with existing entries, no issues. |

Sequence Diagram

sequenceDiagram
    participant Dev as Developer
    participant Script as script/release.ts
    participant Git as Git / Origin
    participant GHA as GitHub Actions
    participant VSIX as VSIX Package
    participant VSM as VS Code Marketplace
    participant OVSX as OpenVSX (Cursor)

    Dev->>Script: bun run release:ide
    Script->>Script: Validate clean working dir & main branch
    Script->>Git: git fetch origin --tags
    Script->>Script: Read version from packages/vscode/package.json
    Script->>Git: Check tag ide-v{version} does not exist
    Script->>Git: git tag -a ide-v{version} && git push origin ide-v{version}
    Git-->>GHA: Trigger release-ide.yml (push: ide-v*.*.*)
    GHA->>GHA: Extract version from GITHUB_REF
    GHA->>GHA: Verify tag version == package.json version
    GHA->>GHA: Setup Bun + Node.js, install deps
    GHA->>GHA: bunx turbo run build --filter=t-req-vscode...
    GHA->>GHA: Run unit tests
    GHA->>GHA: xvfb-run integration tests
    GHA->>VSIX: vsce package --no-dependencies
    GHA->>GHA: Upload VSIX artifact
    GHA->>VSM: vsce publish (VSCE_PAT)
    GHA->>OVSX: ovsx publish (OVSX_TOKEN)

Last reviewed commit: 0dd3218
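
Added example (not code from this PR or from release-ide.yml): one way to write the version guard so that a manual run cannot silently compare package.json against itself, as the review above describes. The function names, the manual version input and the exit codes are assumptions; only the ide-v tag prefix and the use of the Git ref come from the page.

```shell
#!/usr/bin/env bash
# Added example: release version guard (hypothetical, not the project's code).

# Read the "version" field from a package.json. sed keeps the example
# dependency-free; a real pipeline would normally use jq or node.
pkg_version() {
  sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# check_release_version <git-ref> <manual-version-input> <package.json>
# Returns 0 when the expected version matches package.json, 1 on mismatch,
# 2 when there is no independent, well-formed expected version.
check_release_version() {
  crv_ref="$1"; crv_input="$2"; crv_pkg="$3"

  case "$crv_ref" in
    refs/tags/ide-v*) crv_expected="${crv_ref#refs/tags/ide-v}" ;;  # tag-triggered run
    *)                crv_expected="$crv_input" ;;                  # manual run (assumed input)
  esac

  # A manual run with no explicit version has nothing to compare against.
  # Falling back to package.json here would be the self-comparison no-op.
  if [ -z "$crv_expected" ]; then
    echo "no tag and no version input: refusing to verify against self" >&2
    return 2
  fi

  # Accept only plain MAJOR.MINOR.PATCH as the expected version.
  if ! printf '%s\n' "$crv_expected" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'; then
    echo "malformed version: $crv_expected" >&2
    return 2
  fi

  crv_actual="$(pkg_version "$crv_pkg")"
  if [ "$crv_expected" != "$crv_actual" ]; then
    echo "version mismatch: expected $crv_expected, package.json has $crv_actual" >&2
    return 1
  fi
  echo "version $crv_expected verified"
}
```

In a workflow step this would be called with the run's Git ref, the manual version input (empty on tag pushes) and the path to the extension's package.json, failing the job on any non-zero status.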

@greptile-apps greptile-apps bot left a comment

3 files reviewed, 3 comments

@andrewmelchor andrewmelchor merged commit 505423f into main Mar 2, 2026
1 check passed
@andrewmelchor andrewmelchor deleted the infra(ide)/deployment-pipeline branch March 2, 2026 04:06