From 9f8ff2d40af7e7d91c4bead5678e56a7d4757b0c Mon Sep 17 00:00:00 2001 From: Allen Greaves Date: Fri, 13 Feb 2026 12:07:25 -0800 Subject: [PATCH 1/2] fix(workflows): add draft release with manual tag bridge MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - set draft: true in release-please-config.json for mutable uploads - add manual tag creation step with version-anchoring for release-please - improve error handling with specific duplicate-tag detection - add contents: write permission for tag creation API call 🔧 - Generated by Copilot --- .github/workflows/main.yml | 30 +++++++++++++++++++++++++++++- release-please-config.json | 1 + 2 files changed, 30 insertions(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index b683bb4b..5d5fc0fa 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -79,7 +79,7 @@ jobs: minor: ${{ steps.release.outputs.minor }} patch: ${{ steps.release.outputs.patch }} permissions: - contents: read + contents: write steps: - name: Generate GitHub App Token id: app-token 
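Review bot: `contents: write` on this job upgrades the job-level GITHUB_TOKEN for every step in it, yet the tag-creation step this commit adds authenticates with `${{ steps.app-token.outputs.token }}`, so the broader grant is not what that `git/refs` call actually uses. If the App installation already carries contents:write, keep `contents: read` here and let the app token create the ref; if the step is instead meant to run on GITHUB_TOKEN, point its `GH_TOKEN` at `${{ github.token }}` and note in a comment that refs created with GITHUB_TOKEN do not trigger other workflows, whereas app-token-created refs do. Whichever token is chosen, record the reason next to the permission, e.g. `contents: write # needed by <step> to create refs/tags via the git/refs API`, so the next reviewer can tell a deliberate grant from a leftover. The job header and the release-please step's own `token:` input sit outside this hunk, so this cannot be settled from the diff alone.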
@@ -96,6 +96,34 @@ jobs: config-file: release-please-config.json manifest-file: .release-please-manifest.json + # Bridge: GitHub does not create git tags for draft releases, but + # release-please needs the tag to anchor version calculations for + # subsequent release PRs. Without it, release-please scans the full + # commit history, may find an old breaking change, and proposes a + # wrong major bump. The force-tag-creation config option (release-please + # v17.2.0+) would handle this natively, but v4.4.0 of the action + # bundles v17.1.3. Remove this step once the action upgrades past + # v17.2.0. See: https://github.com/googleapis/release-please/pull/2423 + - name: Create git tag for draft release + if: ${{ steps.release.outputs.release_created == 'true' }} + env: + GH_TOKEN: ${{ steps.app-token.outputs.token }} + run: | + TAG="${{ steps.release.outputs.tag_name }}" + echo "Creating tag $TAG at ${{ github.sha }}" + if ! OUTPUT=$(gh api "repos/${{ github.repository }}/git/refs" \ + --method POST \ + -f ref="refs/tags/$TAG" \ + -f sha="${{ github.sha }}" 2>&1); then + if echo "$OUTPUT" | grep -qi "Reference already exists"; then + echo "::warning::Tag $TAG already exists, skipping" + else + echo "::error::Failed to create tag $TAG" + echo "$OUTPUT" >&2 + exit 1 + fi + fi + extension-package-release: name: Package VS Code Extensions (Release) needs: [release-please] diff --git a/release-please-config.json b/release-please-config.json index 7ccd1668..cf1d013c 100644 --- a/release-please-config.json +++ b/release-please-config.json @@ -1,5 +1,6 @@ { "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json", + "draft": true, "release-search-depth": 800, "commit-search-depth": 1000, "force-tag-creation": true, From 15b8764eb21c4486043ba85dd2c2b2b78984133b Mon Sep 17 00:00:00 2001 
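Review bot: The duplicate-tag branch (`grep -qi "Reference already exists"`) treats any pre-existing `refs/tags/$TAG` as success but never checks that the tag points at `${{ github.sha }}`; a stale or hand-made tag at another commit would be accepted with only a warning, leaving release-please anchored to a commit that does not match the draft release. Look the ref up and fail when the sha differs (for an annotated tag `.object.sha` is the tag object rather than the commit, so check `.object.type` or dereference via `git/tags/{sha}` before comparing). Separately, `tag_name`, `github.repository` and `github.sha` are expanded by `${{ }}` directly into the shell script; passing the tag through `env:` (`TAG: ${{ steps.release.outputs.tag_name }}`) and using the runner-provided `$GITHUB_REPOSITORY`/`$GITHUB_SHA` removes the expression-injection surface, which matters because `tag_name` is derived from repository content rather than fixed workflow text. The enclosing `steps:` list of the release-please job continues outside this hunk.
```yaml
      - name: Create git tag for draft release
        if: ${{ steps.release.outputs.release_created == 'true' }}
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          TAG: ${{ steps.release.outputs.tag_name }}
        run: |
          echo "Creating tag $TAG at $GITHUB_SHA"
          if ! OUTPUT=$(gh api "repos/$GITHUB_REPOSITORY/git/refs" \
                --method POST \
                -f ref="refs/tags/$TAG" \
                -f sha="$GITHUB_SHA" 2>&1); then
            if echo "$OUTPUT" | grep -qi "Reference already exists"; then
              # Only accept a pre-existing tag if it resolves to this commit
              # (an annotated tag would need .object.sha dereferenced first).
              EXISTING=$(gh api "repos/$GITHUB_REPOSITORY/git/ref/tags/$TAG" --jq '.object.sha')
              if [ "$EXISTING" != "$GITHUB_SHA" ]; then
                echo "::error::Tag $TAG already exists at $EXISTING, expected $GITHUB_SHA"
                exit 1
              fi
              echo "::warning::Tag $TAG already exists at $GITHUB_SHA, skipping"
            else
              # … unchanged: error report and exit 1 …
            fi
          fi
```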
From: Bill Berry Date: Fri, 13 Feb 2026 13:06:17 -0800 Subject: [PATCH 2/2] fix(build): override markdown-it to 14.1.1 for ReDoS patch MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - add markdown-it 14.1.1 override to resolve GHSA-38c4-r59v-3vqw - patch fixes ReDoS in linkify.mjs regex (CVE-2026-2327) - follows existing undici override pattern for transitive vulns 🔒 - Generated by Copilot --- package-lock.json | 6 +++--- package.json | 1 + 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 539ac7c9..a4cb1f24 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -2142,9 +2142,9 @@
 }
 },
 "node_modules/markdown-it": {
- "version": "14.1.0",
- "resolved": "https://registry.npmjs.org/markdown-it/-/markdown-it-14.1.0.tgz",
- "integrity": "sha512-a54IwgWPaeBCAAsv13YgmALOF1elABB08FxO9i+r4VFk5Vl4pKokRPeX8u5TCgSsPi6ec1otfLjdOpVcgbpshg==",
+ "version": "14.1.1",
+ "resolved": "https://registry.npmjs.org/markdown-it/-/markdown-it-14.1.1.tgz",
+ "integrity": "sha512-BuU2qnTti9YKgK5N+IeMubp14ZUKUUw7yeJbkjtosvHiP0AZ5c8IAgEMk79D0eC8F23r4Ac/q8cAIFdm2FtyoA==",
 "dev": true,
 "license": "MIT",
 "dependencies": {
diff --git a/package.json b/package.json
index ab5d7f22..03090e55 100644
--- a/package.json
+++ b/package.json
@@ -34,6 +34,7 @@
 "markdownlint-cli2": "^0.20.0"
 },
 "overrides": {
+ "markdown-it": "14.1.1",
 "undici": "7.18.2"
 },
 "repository": {