fix(workflows): add pre-release companion pipeline with even/odd versioning

[agreaves-ms]

fix(workflows): add pre-release companion pipeline with even/odd versioning

Description

This PR introduces an automated pre-release publishing pipeline for the VS Code extension ecosystem, using an even/odd minor version strategy. Even minor versions represent stable releases managed by release-please, while odd minor versions represent pre-releases managed by the new companion workflows. The pipeline spans the full lifecycle from version computation through marketplace publishing.

Pre-Release Pipeline

Two new workflows establish the automated pre-release flow.

The even/odd convention provides a clear separation between stable and pre-release versions without additional metadata or suffixes.

• Added prerelease.yml, triggered on push to main, which computes the next odd-minor version from .release-please-manifest.json, generates a conventional-commit changelog, force-updates the prerelease/next branch, commits version bumps across four file locations, and creates or updates a pre-release PR with the autorelease: prerelease label
• Added prerelease-release.yml, triggered on PR merge from prerelease/next, which extracts and validates the version from the PR title, creates a git tag and draft GitHub Release, packages extensions via the reusable extension-package.yml with the PreRelease channel, attests build provenance, uploads VSIX artifacts, and promotes the release from draft to published
• Both workflows use GitHub App tokens for authenticated operations and enforce odd-minor validation with modular arithmetic checks
• Breaking change detection scans commit history for BREAKING CHANGE markers and bumps the major version accordingly
• Normalized YAML indentation from 4-space to 2-space to match repository conventions

Stable Release Integration

The existing release-please pipeline in main.yml gained a reset-prerelease job that runs after a stable release. It force-updates prerelease/next to the release commit and recalculates the pre-release PR title to reflect the post-release baseline version.

Extension Publish Enhancements

extension-publish.yml received a channel input (Stable/PreRelease) that flows through to packaging and the vsce publish command with conditional --pre-release flag. Expression injection mitigations hardened the workflow by moving github.event.release.tag_name and inputs.version into env context variables. Stable version auto-detection switched from gh release view to gh release list --exclude-drafts --exclude-pre-releases to prevent pre-release tags from polluting detection.

Related Issue(s)

None

Type of Change

Select all that apply:

Code & Documentation:

• Bug fix (non-breaking change fixing an issue)
• New feature (non-breaking change adding functionality)
• Breaking change (fix or feature causing existing functionality to change)
• Documentation update

Infrastructure & Configuration:

• GitHub Actions workflow
• Linting configuration (markdown, PowerShell, etc.)
• Security configuration
• DevContainer configuration
• Dependency update

AI Artifacts:

• Reviewed contribution with prompt-builder agent and addressed all feedback
• Copilot instructions (.github/instructions/*.instructions.md)
• Copilot prompt (.github/prompts/*.prompt.md)
• Copilot agent (.github/agents/*.agent.md)
• Copilot skill (.github/skills/*/SKILL.md)

Note for AI Artifact Contributors:

• Agents: Research, indexing/referencing other project (using standard VS Code GitHub Copilot/MCP tools), planning, and general implementation agents likely already exist. Review .github/agents/ before creating new ones.
• Skills: Must include both bash and PowerShell scripts. See Skills.
• Model Versions: Only contributions targeting the latest Anthropic and OpenAI models will be accepted. Older model versions (e.g., GPT-3.5, Claude 3) will be rejected.
• See Agents Not Accepted and Model Version Requirements.

Other:

• Script/automation (.ps1, .sh, .py)
• Other (please describe):

Sample Prompts (for AI Artifact Contributions)

User Request:

Execution Flow:

Output Artifacts:

Success Indicators:

For detailed contribution requirements, see:

• Common Standards: docs/contributing/ai-artifacts-common.md - Shared standards for XML blocks, markdown quality, RFC 2119, validation, and testing
• Agents: docs/contributing/custom-agents.md - Agent configurations with tools and behavior patterns
• Prompts: docs/contributing/prompts.md - Workflow-specific guidance with template variables
• Instructions: docs/contributing/instructions.md - Technology-specific standards with glob patterns
• Skills: docs/contributing/skills.md - Task execution utilities with cross-platform scripts

Testing

Automated validation commands:

Check	Command	Status
Markdown linting	npm run lint:md	Passed
Spell checking	npm run spell-check	Passed
Frontmatter validation	npm run lint:frontmatter	Passed
Skill structure validation	npm run validate:skills	Passed
Link validation	npm run lint:md-links	Passed
PowerShell analysis	npm run lint:ps	Passed
Plugin freshness	npm run plugin:generate	Passed

Security analysis:

• Expression injection mitigations verified in extension-publish.yml: GitHub context expressions moved from inline interpolation to env blocks
• All action references use full SHA pins
• Permissions follow least-privilege: contents: read at workflow level, elevated at job level only where needed
• persist-credentials: false set on checkout steps

Diff-based assessments:

• Verified action SHA pins match existing patterns across all four workflow files
• Confirmed concurrency groups set on both new workflows
• Validated odd-minor arithmetic checks appear in both prerelease.yml (computation) and prerelease-release.yml (validation)
• Manual testing was not performed

Checklist

Required Checks

• Documentation is updated (if applicable) (N/A — no documentation changes needed for workflow additions)
• Files follow existing naming conventions
• Changes are backwards compatible (if applicable)
• Tests added for new functionality (if applicable) (N/A — workflow changes)

AI Artifact Contributions

• Used /prompt-analyze to review contribution
• Addressed all feedback from prompt-builder review
• Verified contribution follows common standards and type-specific requirements

Required Automated Checks

The following validation commands must pass before merging:

• Markdown linting: npm run lint:md
• Spell checking: npm run spell-check
• Frontmatter validation: npm run lint:frontmatter
• Skill structure validation: npm run validate:skills
• Link validation: npm run lint:md-links
• PowerShell analysis: npm run lint:ps
• Plugin freshness: npm run plugin:generate

Security Considerations

• This PR does not contain any sensitive or NDA information
• Any new dependencies have been reviewed for security issues (N/A — no new dependencies added)
• Security-related scripts follow the principle of least privilege (N/A — no security scripts modified)

Additional Notes

• YAML indentation in both new workflow files was normalized from 4-space to 2-space to match repository conventions. The original commit 87d2463 referenced "2-space indentation" but the correction had been applied only to extension-publish.yml.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/checkout	de0fac2e4500dabe0009e67214ff5f5447ce83dd	🟢 6.2	Details Check Score Reason Maintained 🟢 4 5 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 4 Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches SAST 🟢 8 SAST tool detected but not run on all commits
actions/actions/create-github-app-token	29824e69f54612133e76f7eaac726eef6c875baf	🟢 5.4	Details Check Score Reason Code-Review ⚠️ 0 Found 1/11 approved changesets -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Maintained ⚠️ 1 2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 5 dependency not pinned by hash detected -- score normalized to 5 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits

Scanned Files

• .github/workflows/extension-publish.yml
• .github/workflows/prerelease.yml