fix(build): use draft releases to enable VSIX asset upload before publishing #335
Description
Problem
The attest-and-upload job fails with HTTP 422 when uploading the VSIX to a GitHub release:
HTTP 422: Cannot upload assets to an immutable release.
(https://uploads.github.com/repos/microsoft/hve-core/releases/280547821/assets?label=&name=hve-core-2.0.0.vsix)
Root Cause
The release-please-action publishes the release immediately upon creation. By the time the extension-package-release job completes and attest-and-upload attempts to upload the VSIX, the release is already published and immutable.
Current workflow timeline:
sequenceDiagram
participant RP as release-please
participant EP as extension-package
participant AU as attest-upload
participant GH as GitHub Release
RP->>GH: Create release (published)
Note over GH: Release is now IMMUTABLE
RP->>EP: trigger (release_created=true)
EP->>EP: Build VSIX
EP->>AU: trigger (artifact ready)
AU->>GH: Upload VSIX
GH-->>AU: HTTP 422 (immutable)
Solution
Configure release-please to create draft releases, then publish the release after the VSIX upload completes.
Fixed workflow timeline:
sequenceDiagram
participant RP as release-please
participant EP as extension-package
participant AU as attest-upload
participant GH as GitHub Release
RP->>GH: Create release (DRAFT)
Note over GH: Release accepts uploads
RP->>EP: trigger (release_created=true)
EP->>EP: Build VSIX
EP->>AU: trigger (artifact ready)
AU->>GH: Upload VSIX
GH-->>AU: 200 OK
AU->>GH: Publish release (draft=false)
Note over GH: Release is now published
Implementation
1. Update release-please-config.json
Add "draft": true to the package configuration:
{
"$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
"packages": {
".": {
"release-type": "node",
"package-name": "hve-core",
"draft": true,
// ... existing config
}
}
}2. Update .github/workflows/main.yml
Add a step to publish the release after VSIX upload in the attest-and-upload job:
- name: Upload VSIX to GitHub Release
env:
GH_TOKEN: ${{ github.token }}
run: |
VSIX_FILE=$(find dist -name '*.vsix' | head -1)
if [ -z "$VSIX_FILE" ]; then
echo "::error::No VSIX file found in dist/"
exit 1
fi
gh release upload "${{ needs.release-please.outputs.tag_name }}" "$VSIX_FILE" --clobber -R "${{ github.repository }}"
- name: Publish GitHub Release
env:
GH_TOKEN: ${{ github.token }}
run: |
gh release edit "${{ needs.release-please.outputs.tag_name }}" --draft=false -R "${{ github.repository }}"Acceptance Criteria
- Release-please creates draft releases instead of published releases
- VSIX file uploads successfully to the draft release
- Release is published after VSIX upload completes
- Build provenance attestation still works with draft releases
- Existing release tag and changelog generation remain unchanged
References
- GitHub API: Releases
- release-please configuration
- Failed workflow run: v2.0.0 release