refactor(workflows): rename release pipeline workflows and add marketplace automation triggers

[WilliamBerryiii]

Description

Renamed 6 release pipeline workflow files to follow a consistent release- prefix naming convention and added automated VS Code Marketplace publish triggers via GitHub release events. Updated every cross-reference across documentation, architecture diagrams, CI badges, test fixtures, and threat-model security tables. Two commits: a pure rename commit (R100 similarity) followed by a content-change commit, ensuring clean git log --follow history.

Pipeline Architecture Context

The hve-core CI/CD system is organized into orchestrator workflows (entry-point workflows that fire on events and call reusable workflows) and reusable workflows (shared building blocks invoked via workflow_call). Before this PR, release pipeline orchestrators had inconsistent names (main.yml, prerelease.yml, prerelease-release.yml, extension-publish.yml, extension-publish-prerelease.yml) that made it difficult to distinguish them from reusable workflows or understand their role in the release pipeline at a glance.

The full release flow works like this:

1. PR Validation — pr-validation.yml runs 16 parallel quality-gate jobs on every pull request.
2. Stable Release — release-stable.yml fires automatically on push to main, re-runs validation, invokes release-please, and conditionally packages + publishes a GitHub Release.
3. Marketplace Publishing — release-marketplace-stable.yml and release-marketplace-prerelease.yml fire automatically when a GitHub Release is published (new in this PR), packaging and publishing VS Code extensions to the marketplace per collection. Previously these required manual workflow_dispatch.
4. Pre-Release Management — release-prerelease-pr.yml maintains the companion pre-release PR on each push to main, while release-prerelease.yml handles the actual pre-release packaging and publishing when the prerelease/next branch merges.

Workflow Renames

All 6 release pipeline orchestrators were renamed to share a release- prefix, creating a clear namespace boundary between release orchestrators (release-*.yml), PR validation (pr-validation.yml), scheduled maintenance (weekly-*.yml, scorecard.yml), and reusable workflows (named by function: *-lint.yml, *-check.yml, *-scan.yml, *-package.yml, *-publish.yml).

Old Name	New Name	Display Name	Role
main.yml	release-stable.yml	Stable Release Pipeline	Top-level orchestrator; fires on push to main; runs validation → release-please → conditional packaging → publish
prerelease.yml	release-prerelease-pr.yml	Pre-Release PR Update	Companion PR management; fires on push to main; creates/updates the prerelease/next → main PR
prerelease-release.yml	release-prerelease.yml	Pre-Release Pipeline	Pre-release packaging and publishing; fires when the prerelease/next PR merges
extension-publish.yml	release-marketplace-stable.yml	Stable Marketplace Publish	VS Code Marketplace publishing for stable releases; fires on GitHub Release (stable) or manual dispatch
extension-publish-prerelease.yml	release-marketplace-prerelease.yml	Pre-Release Marketplace Publish	VS Code Marketplace publishing for pre-releases; fires on GitHub Release (pre-release) or manual dispatch
extension-publish-marketplace.yml	extension-marketplace-publish.yml	Extension Marketplace Publish	Reusable workflow providing the actual marketplace publish step (called by both marketplace orchestrators)

Marketplace Automation

Added release: types: [published] triggers to both marketplace publish workflows, enabling fully automated end-to-end publishing from PR merge through marketplace availability:

Trigger architecture for release-marketplace-stable.yml:

• release: types: [published] — fires when release-stable.yml creates a GitHub Release via release-please
• workflow_dispatch — retained for manual re-publishing after failures or out-of-band releases
• Release-type guard: github.event_name == 'release' && github.event.release.prerelease == false — ensures only stable releases activate this workflow, preventing pre-release events from triggering stable publishing
• Version resolution: Extracts the semantic version from github.event.release.tag_name, stripping the hve-core-v or v prefix (e.g., hve-core-v3.2.0 → 3.2.0), then feeds into the existing normalize-version step
• Even/odd convention enforcement: Validates that the minor version is even (stable channel convention); rejects odd-minor versions with an actionable error pointing to the pre-release workflow

Trigger architecture for release-marketplace-prerelease.yml:

• Same release: types: [published] trigger, but guarded with github.event.release.prerelease == true
• Same version resolution logic with the inverse convention check: validates odd minor version for pre-release channel
• Auto-detects from the latest pre-release tag when no version is specified via workflow_dispatch

Both workflows call the shared reusable workflow extension-marketplace-publish.yml for the actual publishing step, passing a collections-matrix (from extension-package.yml) and a pre-release boolean flag. This means the collection-based packaging model (one VSIX per collection) works identically whether triggered by a release event or manual dispatch.

Cross-Reference Updates

Updated all 7 documentation and configuration files referencing the renamed workflows to ensure zero stale references remain across the repository:

• .github/workflows/README.md — Updated the orchestrator workflow table (5 entries), reusable workflow job listings, CodeQL architecture section references, trigger matrix table, and the "adding new workflows" guidance section
• README.md — Updated the CI status badge URL from main.yml to release-stable.yml so the badge reflects the renamed pipeline
• docs/architecture/workflows.md — Updated the workflow inventory table (renamed 5 entries), 3 Mermaid diagram subgraph labels, the main branch pipeline section header and description text, extension publishing section prose and diagram labels, and the publishing jobs table (4 entries)
• docs/contributing/release-process.md — Updated the marketplace publishing step reference from extension-publish.yml to release-marketplace-stable.yml with the new display name
• docs/security/threat-model.md — Updated 3 references from main.yml to release-stable.yml in the workflow security tables documenting secret access, permission scopes, and CI/CD integrity controls
• extension/PACKAGING.md — Updated the packaging pipeline table with both renamed workflow files (extension-publish.yml → release-marketplace-stable.yml, main.yml → release-stable.yml)
• scripts/tests/security/Test-DependencyPinning.Tests.ps1 — Updated the test fixture path from main.yml to release-stable.yml to match the renamed workflow file

Related Issue(s)

Closes #826

Type of Change

Select all that apply:

Code & Documentation:

• Bug fix (non-breaking change fixing an issue)
• New feature (non-breaking change adding functionality)
• Breaking change (fix or feature causing existing functionality to change)
• Documentation update

Infrastructure & Configuration:

• GitHub Actions workflow
• Linting configuration (markdown, PowerShell, etc.)
• Security configuration
• DevContainer configuration
• Dependency update

AI Artifacts:

• Reviewed contribution with prompt-builder agent and addressed all feedback
• Copilot instructions (.github/instructions/*.instructions.md)
• Copilot prompt (.github/prompts/*.prompt.md)
• Copilot agent (.github/agents/*.agent.md)
• Copilot skill (.github/skills/*/SKILL.md)

Note for AI Artifact Contributors:

• Agents: Research, indexing/referencing other project (using standard VS Code GitHub Copilot/MCP tools), planning, and general implementation agents likely already exist. Review .github/agents/ before creating new ones.
• Skills: Must include both bash and PowerShell scripts. See Skills.
• Model Versions: Only contributions targeting the latest Anthropic and OpenAI models will be accepted. Older model versions (e.g., GPT-3.5, Claude 3) will be rejected.
• See Agents Not Accepted and Model Version Requirements.

Other:

• Script/automation (.ps1, .sh, .py)
• Other (please describe):

Sample Prompts (for AI Artifact Contributions)

User Request:

Execution Flow:

Output Artifacts:

Success Indicators:

For detailed contribution requirements, see:

• Common Standards: docs/contributing/ai-artifacts-common.md - Shared standards for XML blocks, markdown quality, RFC 2119, validation, and testing
• Agents: docs/contributing/custom-agents.md - Agent configurations with tools and behavior patterns
• Prompts: docs/contributing/prompts.md - Workflow-specific guidance with template variables
• Instructions: docs/contributing/instructions.md - Technology-specific standards with glob patterns
• Skills: docs/contributing/skills.md - Task execution utilities with cross-platform scripts

Testing

Automated Validation

Command	Status
npm run lint:md	Pass (0 errors)
npm run spell-check	Pass (0 issues in changed files; 1450 pre-existing across 167 files)
npm run lint:frontmatter	Pass (0 errors, 0 warnings)
npm run validate:skills	Pass (2 skills, 0 errors)
npm run lint:md-links	Pass (0 broken in changed files; 12 pre-existing across 7 files)
npm run lint:ps	Pass (0 issues)
npm run plugin:generate	Pass (no uncommitted changes)

Security Analysis

• Diff analysis confirmed no sensitive data, API keys, or credentials in changes.
• No new dependencies introduced.
• Security script modification (Test-DependencyPinning.Tests.ps1) was limited to updating a test fixture path; no privilege or scope changes.

Diff-Based Assessment

• All 13 changed files verified for cross-reference consistency.
• No stale workflow references remain in documentation.
• Commit 1 is a pure R100 rename; commit 2 contains all content changes.
• Manual testing was not performed.

Checklist

Required Checks

• Documentation is updated (if applicable)
• Files follow existing naming conventions
• Changes are backwards compatible (if applicable) (N/A — workflow renames are intentionally breaking for external references; acceptable per project conventions)
• Tests added for new functionality (if applicable)

AI Artifact Contributions

• Used /prompt-analyze to review contribution
• Addressed all feedback from prompt-builder review
• Verified contribution follows common standards and type-specific requirements

Required Automated Checks

The following validation commands must pass before merging:

• Markdown linting: npm run lint:md
• Spell checking: npm run spell-check
• Frontmatter validation: npm run lint:frontmatter
• Skill structure validation: npm run validate:skills
• Link validation: npm run lint:md-links
• PowerShell analysis: npm run lint:ps
• Plugin freshness: npm run plugin:generate

Security Considerations

• This PR does not contain any sensitive or NDA information
• Any new dependencies have been reviewed for security issues (N/A — no new dependencies)
• Security-related scripts follow the principle of least privilege

Additional Notes

• Version resolution logic is duplicated between stable and prerelease marketplace workflows. Both use the same tag-stripping pattern; a future refactor could extract this into a shared composite action.
• The if guards on release triggers ensure only the appropriate workflow activates for stable vs prerelease releases.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/attest	59d89421af93a897026c735860bf21b6eb4f7b26	Unknown	Unknown
actions/actions/attest-build-provenance	a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32	Unknown	Unknown
actions/actions/checkout	de0fac2e4500dabe0009e67214ff5f5447ce83dd	🟢 6	Details Check Score Reason Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches SAST 🟢 8 SAST tool detected but not run on all commits
actions/actions/create-github-app-token	29824e69f54612133e76f7eaac726eef6c875baf	🟢 5.4	Details Check Score Reason Code-Review ⚠️ 0 Found 1/11 approved changesets -- score normalized to 0 Maintained ⚠️ 1 2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 5 dependency not pinned by hash detected -- score normalized to 5 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Packaging 🟢 10 packaging workflow detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches SAST 🟢 10 SAST tool is run on all commits
actions/actions/download-artifact	70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3	🟢 6.2	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST 🟢 10 SAST tool is run on all commits
actions/anchore/sbom-action	17ae1740179002c89186b61233e0f892c3118b11	🟢 7.9	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 9 binaries present in source code Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/googleapis/release-please-action	16a9c90856f42705d54a6fda1823352bdc62cf38	Unknown	Unknown

Scanned Files

• .github/workflows/main.yml
• .github/workflows/prerelease-release.yml
• .github/workflows/release-stable.yml