Update Build and Release Pipeline

Author: JustinGrote

.github/workflows/build.yml

@@ -1,13 +1,16 @@
 # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
-name: Build
+name: 👷 Build
 
 on:
   push:
+    branches:
+      - main
+    tags:
+      - 'v*.*.*' # Match tags like v2024.06.0
   pull_request:
     branches:
       - main
-  tags:
-    - 'v*'
+
 permissions:
   contents: read
   packages: read
@@ -30,7 +33,13 @@ jobs:
           cache: pnpm
       - name: 🕒 Version
         shell: pwsh
-        run: pnpm version --no-git-tag-version $(Get-Date -Format 'yyyy.M.0-ci.${{ github.run_number }}')
+        run: |
+          if ('${{ github.ref_type }}' -eq 'tag') {
+            $version = '${{ github.ref_name }}'.TrimStart('v')
+          } else {
+            $version = $(Get-Date -Format 'yyyy.M.0-ci.${{ github.run_number }}')
+          }
+          pnpm version --no-git-tag-version $version
       - name: 🚚 Restore Packages (CI)
         run: pnpm install --frozen-lockfile
       - name: 💄 Prettier Formatting Check
@@ -43,45 +52,49 @@ jobs:
         run: pnpm test
       - name: 📦 Package
         run: pnpm package
-      - name: ⬆️ Upload Artifact
+      - name: 🚚 Upload VSIX Build Artifact
         uses: actions/upload-artifact@v6
         with:
           name: github-actions-enhanced-vsix
           path: github-actions-enhanced-*.vsix
-  # publish:
-  #   name: 🚀 Publish to VSCode Marketplace
-  #   needs: build
-  #   runs-on: ubuntu-latest
-  #   if: startsWith(github.ref, 'refs/tags/v')
-  #   steps:
-  #     - name: 🤖 Azure Login - Federated Token
-  #       if: github.event_name != 'pull_request'
-  #       shell: pwsh
-  #       run: |
-  #         $token = $env:ACTIONS_ID_TOKEN_REQUEST_TOKEN
-  #         $uri = $env:ACTIONS_ID_TOKEN_REQUEST_URL
-  #         $irmParams = @{
-  #           Uri = $uri
-  #           Authentication = 'Bearer'
-  #           Token = (ConvertTo-SecureString -AsPlainText $token)
-  #           Body = @{audience = 'api://AzureADTokenExchange' }
-  #         }
-  #         $jwtResponse = Invoke-Restmethod @irmParams
-  #         $fedToken = $jwtResponse.value
-  #         if (-not $fedToken) {
-  #           throw "Federated token not found in response: $($jwtResponse | ConvertTo-Json -Depth 10)"
-  #         }
 
-  #         $azLoginParams = @(
-  #           '--service-principal',
-  #           '-u', '${{ secrets.AZURE_CLIENT_ID }}',
-  #           '-t', '${{ secrets.AZURE_TENANT_ID }}',
-  #           '--federated-token', $fedToken
-  #         )
-  #         & az login @azLoginParams
-  #     - name: ⬇️ Download Build Artifact
-  #       uses: actions/download-artifact@v6
-  #       with:
-  #         name: github-actions-enhanced-vsix
-  #     - name: 🚀 Publish to VSCode Marketplace
-  #       run: npx vsce publish --azure-credential --packagePath github-actions-enhanced-*.vsix
+  draft_release:
+    name: 📝 Create Draft Release on Tag
+    if: github.ref_type == 'tag'
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - name: ✔️ Verify Tag is in CalVer Format and Current
+        shell: pwsh
+        run: |
+          $tag = "${{ github.ref_name }}"
+          if ($tag -notmatch '^v\d{4}\.\d{2}\.') {
+            throw "Tag '$tag' does not match CalVer format (e.g. v2026.02.1)"
+          }
+
+          $tagYear = [int]$tag.Substring(1, 4)
+          $tagMonth = [int]$tag.Substring(6, 2)
+          $now = Get-Date
+          $currentYear = $now.Year
+          $currentMonth = $now.Month
+
+          if ($tagYear -gt $currentYear -or ($tagYear -eq $currentYear -and $tagMonth -gt $currentMonth)) {
+            throw "Tag year/month ($tagYear.$tagMonth) exceeds current year/month ($currentYear.$currentMonth)"
+          }
+
+          Write-Host "✔️ Tag '$tag' is valid CalVer format with valid year/month"
+
+      - name: 📥 Download all Build Artifacts
+        uses: actions/download-artifact@v6
+        with:
+          path: release-artifacts
+          pattern: github-actions-enhanced-*
+
+      - name: 📝 Generate Draft Release
+        uses: softprops/action-gh-release@v2
+        with:
+          draft: true
+          generate_release_notes: true
+          tag_name: ${{ github.ref_name }}
+          files: release-artifacts/**
+          fail_on_unmatched_files: true

.github/workflows/release.yml

@@ -0,0 +1,47 @@
+# All releases are done from published GitHub releases to support immutable releases
+name: 🚀 Release
+on:
+  release:
+    types: [published]
+permissions:
+  contents: read
+  packages: write
+jobs:
+  publish:
+    name: 🚀 Publish to VS Code Marketplace
+    environment: VS Code Marketplace
+    runs-on: ubuntu-latest
+    steps:
+      - name: 🤖 Azure Login - Federated Token
+        if: github.event_name != 'pull_request'
+        shell: pwsh
+        run: |
+          $token = $env:ACTIONS_ID_TOKEN_REQUEST_TOKEN
+          $uri = $env:ACTIONS_ID_TOKEN_REQUEST_URL
+          $irmParams = @{
+            Uri = $uri
+            Authentication = 'Bearer'
+            Token = (ConvertTo-SecureString -AsPlainText $token)
+            Body = @{audience = 'api://AzureADTokenExchange' }
+          }
+          $jwtResponse = Invoke-Restmethod @irmParams
+          $fedToken = $jwtResponse.value
+          if (-not $fedToken) {
+            throw "Federated token not found in response: $($jwtResponse | ConvertTo-Json -Depth 10)"
+          }
+
+          $azLoginParams = @(
+            '--service-principal',
+            '-u', '${{ secrets.AZURE_CLIENT_ID }}',
+            '-t', '${{ secrets.AZURE_TENANT_ID }}',
+            '--federated-token', $fedToken
+          )
+          & az login @azLoginParams
+      - name: 📥 Get VSIX Release Asset
+        uses: dsaltares/[email protected]
+        with:
+          version: ${{ github.event.release.tag_name }}
+          file: ^github-actions-enhanced-.*\.vsix$
+          regex: true
+      - name: 🚀 Publish to VS Code Marketplace
+        run: npx vsce publish --azure-identity github-actions-enhanced-*.vsix