@W-22108538: Publish b2c-vs-extension to forcedotcom/b2c-dx via attested repository_dispatch#549
Open
amit-kumar8-sf wants to merge 6 commits into
Open
@W-22108538: Publish b2c-vs-extension to forcedotcom/b2c-dx via attested repository_dispatch#549amit-kumar8-sf wants to merge 6 commits into
amit-kumar8-sf wants to merge 6 commits into
Conversation
The bundled Swagger UI assets are loaded by the extension at runtime, so the dependency belongs in `dependencies` rather than `devDependencies`.
The Visual Studio Marketplace requires the extension's repository URL to live under a Salesforce-controlled org. Point package.json#repository at forcedotcom/b2c-dx and route each release through a review PR there: - publish.yml now opens a release PR in forcedotcom/b2c-dx (CHANGELOG splice + releases/latest.json marker) instead of pushing a release directly. Merging the PR is the manual gate; the b2c-dx on-merge workflow then creates the GitHub release that fires the marketplace publish workflows. - Extension README and a new PUBLISHING.md describe the flow and the manual fallbacks (open PR by hand, re-run a workflow, publish locally). - Step is gated on B2C_DX_PUBLISH_TOKEN; missing token soft-skips with a warning so unrelated CI doesn't break during rollout. The extension's bugs URL still points to this monorepo so issues continue to land here.
…c-dx # Conflicts: # packages/b2c-vs-extension/package.json # pnpm-lock.yaml
…repository_dispatch Builds on the existing publishing-surface work and keeps the same shape: the monorepo builds the VSIX and b2c-dx publishes it. This adds a signed, verifiable handoff between the two repos so the artifact can be trusted end to end. publish.yml: - Add a top-level 'permissions: contents: read' default, so each job opts in to only what it needs. - After packaging, compute the VSIX sha256 and produce a SLSA build-provenance attestation (actions/attest-build-provenance). This is the trust anchor that b2c-dx checks before it publishes. - Expose version/sha as job outputs and grant the publish job attestations: write. - Add an isolated notify-b2c-dx job to handle cross-repo delivery: it mints a short-lived GitHub App token (scoped to b2c-dx, contents: read, ~1h) and fires a repository_dispatch (monorepo-vsx-release) carrying the version, tag, release URL, and VSIX sha256. This keeps the two repos decoupled and avoids a long-lived cross-repo PAT. The job stays skipped until the App is configured (vars.B2C_DX_APP_ID), so it rolls out safely. - Pass the workflow_dispatch 'release_type' input through an env var rather than inline, since this job holds the signing permissions. PUBLISHING.md: refresh the walkthrough to match the dispatch + attestation flow and the GitHub App credential, and note the GITHUB_TOKEN recursion behavior. Clarify that publishing from forcedotcom/b2c-dx is an open-source governance choice (public OSS lives under forcedotcom/salesforce), independent of any Marketplace technical requirement. changeset: align the wording with the same governance rationale.
charithaT07
approved these changes
Jul 6, 2026
… resolution The pull-based trigger lives entirely in forcedotcom/b2c-dx (it polls this repo's public releases and re-verifies sha256 + SLSA provenance itself), so the dormant notify-b2c-dx push job is redundant. Remove it — and the now-unused vsix_sha256 job output — so the monorepo holds no cross-repo credential wiring or dispatch surface at all: it only builds, attests, and releases. Restorable from history if an instant-push accelerator is ever prioritized. Also resolve the packaged VSIX filename once (with a count==1 guard) and reuse it for the sha256 hash, the attestation subject-path, and the release upload, instead of an `ls | head -n1` for the hash and a bare `*.vsix` glob for attest/upload. This makes the hashed bytes, the attested bytes, and the uploaded bytes provably the same file and fails closed if packaging ever emits more than one VSIX.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Changes how the
b2c-vs-extensionVSIX reaches the VS Code Marketplace and Open VSX. The monorepo continues to build the extension; it now also attests the artifact and publishes it as apublic GitHub release. Cross-repo delivery to
forcedotcom/b2c-dx(the public publishing repo) is pull-based and lives entirely in b2c-dx — it polls this repo's public releases, re-verifiesthe artifact, and opens its own review PR. This monorepo holds no cross-repo credential and fires no dispatch: the SLSA attestation is the trust anchor, not a push from here.
.github/workflows/publish.yml:permissions: contents: readdefault; the publish job opts up to only what it needs..vsixexists) and reuses that exact file for the SHA-256 hash, the SLSA build-provenanceattestation (
actions/attest-build-provenance), and the release upload — so the hashed bytes, the attested bytes, and the uploaded bytes are provably the same artifact.b2c-vs-extension@X.Y.Z) with the VSIX attached — the artifactb2c-dxdetects and independently verifies.repository_dispatch, no PAT. (An earlier revision added a dormantnotify-b2c-dxpush job; it is removed here so the monorepohas zero cross-repo dispatch surface. It is restorable from history if an instant-push accelerator is ever prioritized.)
Docs & metadata:
PUBLISHING.md: documents the build + attestation flow and the manual fallback.README.md: adds a note that marketplace publishing happens out offorcedotcom/b2c-dx.package.json: points the extension's marketplacerepository/homepageatforcedotcom/b2c-dx(issues still point here). Movesswagger-ui-distfromdevDependenciestodependencies(it's bundled at runtime; same version).
patchchangeset for the repository-URL update.The companion PR that detects the release and publishes lives in
forcedotcom/b2c-dx.Rollout note: there is no flag-day and no credential to provision on this side. Once merged, releases are built and attested here; nothing publishes until
b2c-dx's pull-based pipeline isenabled and its
validate-release-prcheck is made required. The extension still builds, attests, and releases on the monorepo in the meantime.Testing
actionlint(with shellcheck) with zero findings.gh attestation verifyflag semantics (--signer-workflow,--source-ref) against gh 2.83, and confirmed both repos are public so cross-repo attestation verification works over thepublic API.
plus a deliberate tamper test that fails closed before any PR is opened.
Dependencies
3pl-approvedis set by a maintainerpnpm test)pnpm run format)