Skip to content

Phase 4: CI, lint and publishing automation#20

Merged
jochen-testingbot merged 2 commits into
masterfrom
phase4-ci-publishing
Jul 18, 2026
Merged

Phase 4: CI, lint and publishing automation#20
jochen-testingbot merged 2 commits into
masterfrom
phase4-ci-publishing

Conversation

@jochen-testingbot

@jochen-testingbot jochen-testingbot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Final phase of MODERNIZATION.md: real CI/CD, linting, and a working CodeQL scan.

What changed

  • 4.1 — Removed the dead Jenkinsfile (pinned to node:6.6.0, which can't install the current toolchain). .travis.yml was already gone since Phase 1.
  • 4.2.github/workflows/build.yml: on every PR/push, npm cilinttestpackage → upload the .vsix artifact. This is exactly the check that would have caught the Dependabot gulp4/webpack5 breakage that shipped unnoticed.
  • 4.3.github/workflows/publish.yml: tag-triggered (v*) Marketplace publish via tfx extension publish. Needs a maintainer to add the AZURE_DEVOPS_MARKETPLACE_PAT secret; documented inline, with a note to move to Entra/OIDC before all-org PATs retire 2026-12-01.
  • 4.4 — Fixed CodeQL: github/codeql-action/*@v3 + actions/checkout@v4 (the @v1 actions were disabled by GitHub in Jan 2023, so the repo's only scan produced no signal), language javascript-typescript.
  • 4.5 — Replaced the babel-eslint .eslintrc with an ESLint 9 flat config (eslint.config.mjs): typescript-eslint for the .ts tasks, a node config for the build scripts, and a lenient config for the legacy tab scripts (slated for the SDK rewrite). Wired npm run lint and stripped the deprecated /* eslint-env */ comments.
  • 4.6 — README pipeline-usage quick-start (service connection + TBMain/TBStopTunnel YAML) and a Development/CI section.

Verification

  • npm run lint → 0 errors, npm test8 passing, npm run package → builds the vsix. All three workflow YAMLs parse. The build workflow will run on this PR itself.

Follow-up for a maintainer

The publish workflow can't run until the AZURE_DEVOPS_MARKETPLACE_PAT secret is added (and versions bumped in package.json before tagging). Everything else runs automatically.


This completes the modernization roadmap. Remaining deferred/blocked items (tracked in MODERNIZATION.md): the azure-devops-extension-sdk / React tab port, and moving the /mini secret out of the browser (blocked on a TestingBot API endpoint).

Summary by CodeRabbit

  • New Features

    • Added CI build validation to run linting, tests, and packaging on every pull request.
    • Added marketplace publishing automation for tagged releases, with manual trigger support.
    • Updated security scanning to cover JavaScript and TypeScript.
  • Documentation

    • Expanded guidance for TestingBot task setup (including tunnel control) and where to find test results.
    • Clarified build steps, development commands, and release/tag behavior.
  • Chores

    • Introduced ESLint flat-config-based linting and added an explicit lint script.
    • Removed the legacy Jenkins pipeline configuration.

- 4.1 Remove the dead Jenkinsfile (pinned to node:6.6.0). (.travis.yml was
  already removed in Phase 1.)
- 4.2 Add a GitHub Actions build workflow: on every PR/push it runs npm ci,
  lint, tests and a full package, and uploads the .vsix artifact. This is the
  check that would have caught the Dependabot gulp4/webpack5 breakage.
- 4.3 Add a tag-triggered publish workflow (tfx extension publish). Requires a
  maintainer to add the AZURE_DEVOPS_MARKETPLACE_PAT secret; documented in the
  workflow, with a note to move to Entra/OIDC before all-org PATs retire
  2026-12-01.
- 4.4 Fix the CodeQL workflow: github/codeql-action/*@V3 + actions/checkout@v4
  (the @v1 actions were disabled by GitHub in Jan 2023, so the repo's only scan
  produced no signal), language javascript-typescript.
- 4.5 Replace the babel-eslint .eslintrc with an ESLint 9 flat config
  (eslint.config.mjs): typescript-eslint for the .ts tasks, node config for the
  build scripts, a lenient config for the legacy tab scripts. Wire `npm run
  lint`; strip the deprecated /* eslint-env */ comments from the tab scripts.
- 4.6 README: pipeline-usage quick-start (service connection + TBMain/TBStopTunnel
  YAML) and a Development/CI section; note compile step in the package pipeline.

Verified locally: npm run lint (0 errors), npm test (8 passing), npm run package
(builds the vsix); all three workflow YAMLs parse.
@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

The change replaces legacy lint configuration with ESLint flat config, adds linting and Node 20 GitHub Actions build automation, modernizes CodeQL, introduces tag-based Marketplace publishing, and updates development and pipeline documentation.

Changes

CI and tooling modernization

Layer / File(s) Summary
ESLint flat configuration and lint command
eslint.config.mjs, package.json, tb-build-info/scripts/info.js
Adds scoped ESLint rules for TypeScript, Node, and legacy browser scripts, registers lint dependencies, and removes an obsolete ESLint environment directive.
Build, analysis, and publishing workflows
.github/workflows/build.yml, .github/workflows/codeql-analysis.yml, .github/workflows/publish.yml
Adds Node 20 lint/test/package automation with VSIX artifacts, updates CodeQL actions and language analysis, and publishes VSIX files on version tags or manual dispatch.
Workflow and development documentation
CLAUDE.md, MODERNIZATION.md, README.md
Documents linting, CI expectations, pipeline task usage, packaging steps, development commands, and Marketplace publishing status.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Sequence Diagram(s)

sequenceDiagram
  participant GitHubActions as GitHub Actions
  participant Npm as npm
  participant Marketplace as Visual Studio Marketplace
  GitHubActions->>Npm: Run npm ci
  GitHubActions->>Npm: Run npm run package
  Npm-->>GitHubActions: Produce Packages/*.vsix
  GitHubActions->>Marketplace: Publish VSIX with marketplace PAT
Loading
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main changes: CI, linting, and publishing automation in Phase 4.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/build.yml (1)

1-41: 🚀 Performance & Scalability | 🔵 Trivial | ⚡ Quick win

Add concurrency control to cancel superseded PR builds.

Without a concurrency block, every push to a PR branch creates a new workflow run that runs to completion even if newer commits arrive. Adding a concurrency group cancels obsolete runs and saves CI minutes.

♻️ Suggested concurrency block
 on:
   push:
     branches: [ master ]
   pull_request:
     branches: [ master ]

+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
 permissions:
   contents: read
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build.yml around lines 1 - 41, Add a workflow-level
concurrency configuration near the top-level metadata in the Build workflow,
using a group keyed to the workflow and ref so runs for the same PR or branch
share a group, and enable cancellation of in-progress runs. Leave the existing
build jobs and steps unchanged.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/publish.yml:
- Line 26: Configure every actions/checkout@v4 step with persist-credentials:
false: update .github/workflows/publish.yml at lines 26-26,
.github/workflows/build.yml at lines 16-16, and
.github/workflows/codeql-analysis.yml at lines 27-27. No other workflow changes
are required.

In `@CLAUDE.md`:
- Around line 43-44: Update the CI descriptions in CLAUDE.md lines 43-44 and
README.md lines 67-68 to state that lint, tests, and the full package build run
on every PR targeting master, matching the workflow trigger; do not broaden the
workflow scope.

In `@MODERNIZATION.md`:
- Around line 23-28: Synchronize the Phase 4 status across MODERNIZATION.md:
update the executive summary entry that says real CI/CD is “PENDING — Phase 4”
and the roadmap entry that presents the ESLint refresh as future work so they
reflect the completed or mostly completed work described in the Phase 4 section.
Alternatively, if those items are not complete, change the Phase 4
heading/status to remain pending.

In `@package.json`:
- Line 9: Add an engines.node constraint in package.json requiring Node.js
version 20 or newer, while preserving the existing lint script and other package
metadata.

In `@README.md`:
- Around line 23-24: Update the TBStopTunnel@0 cleanup task in the README
example to include condition: always(), ensuring the tunnel is stopped even when
earlier test steps fail.

---

Outside diff comments:
In @.github/workflows/build.yml:
- Around line 1-41: Add a workflow-level concurrency configuration near the
top-level metadata in the Build workflow, using a group keyed to the workflow
and ref so runs for the same PR or branch share a group, and enable cancellation
of in-progress runs. Leave the existing build jobs and steps unchanged.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: c255b330-e5f9-4ec6-baa9-2862f8af2815

📥 Commits

Reviewing files that changed from the base of the PR and between 9181a78 and c950a01.

⛔ Files ignored due to path filters (2)
  • package-lock.json is excluded by !**/package-lock.json
  • tb-main/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (12)
  • .eslintrc
  • .github/workflows/build.yml
  • .github/workflows/codeql-analysis.yml
  • .github/workflows/publish.yml
  • CLAUDE.md
  • Jenkinsfile
  • MODERNIZATION.md
  • README.md
  • eslint.config.mjs
  • package.json
  • tb-build-info/scripts/dialog.js
  • tb-build-info/scripts/info.js
💤 Files with no reviewable changes (4)
  • Jenkinsfile
  • .eslintrc
  • tb-build-info/scripts/info.js
  • tb-build-info/scripts/dialog.js

runs-on: ubuntu-latest
environment: marketplace
steps:
- uses: actions/checkout@v4

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Set persist-credentials: false on all checkout steps. actions/checkout@v4 persists the GITHUB_TOKEN in .git/config by default. None of these workflows need git credentials after checkout, and leaving the token persisted expands the attack surface if a later step is compromised.

  • .github/workflows/publish.yml#L26: Add persist-credentials: false — most critical since this workflow handles a Marketplace PAT.
  • .github/workflows/build.yml#L16: Add persist-credentials: false.
  • .github/workflows/codeql-analysis.yml#L27: Add persist-credentials: false.
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 26-26: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 26-26: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

📍 Affects 3 files
  • .github/workflows/publish.yml#L26-L26 (this comment)
  • .github/workflows/build.yml#L16-L16
  • .github/workflows/codeql-analysis.yml#L27-L27
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish.yml at line 26, Configure every
actions/checkout@v4 step with persist-credentials: false: update
.github/workflows/publish.yml at lines 26-26, .github/workflows/build.yml at
lines 16-16, and .github/workflows/codeql-analysis.yml at lines 27-27. No other
workflow changes are required.

Comment thread CLAUDE.md Outdated
Comment thread MODERNIZATION.md
Comment thread package.json
Comment thread README.md Outdated
- Set persist-credentials: false on every actions/checkout step
  (build/publish/codeql) so the GITHUB_TOKEN is not left in .git/config.
- Add engines.node >=20 to the root package.json (matches CI/runtime).
- README: add condition: always() to the TBStopTunnel example so a failed test
  step still tears the tunnel down (default succeeded() would skip it).
- Docs: say CI runs "on every PR targeting master" (CLAUDE.md, README) to match
  the workflow trigger; mark the Phase 4 CI/CD and ESLint items DONE in
  MODERNIZATION.md's top-5 actions and roadmap table.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@MODERNIZATION.md`:
- Line 48: Update the Phase 4 CI/CD entry in MODERNIZATION.md to accurately
state that Marketplace publishing currently uses the
AZURE_DEVOPS_MARKETPLACE_PAT with tfx extension publish, while Entra/OIDC
authentication remains a future migration. Preserve the existing
completed-status context.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 47ba735c-6491-4a5c-b7e8-c9264e41e101

📥 Commits

Reviewing files that changed from the base of the PR and between c950a01 and 7797849.

📒 Files selected for processing (7)
  • .github/workflows/build.yml
  • .github/workflows/codeql-analysis.yml
  • .github/workflows/publish.yml
  • CLAUDE.md
  • MODERNIZATION.md
  • README.md
  • package.json

Comment thread MODERNIZATION.md
3. **Replace the broken gulp 3 / webpack 1 / babel 6 toolchain** with TypeScript + webpack 5 + npm scripts (per `microsoft/azure-devops-extension-sample`) so a `.vsix` can be built at all. _(DONE — Phase 1 build, Phase 2 TypeScript.)_
4. **Stop bundling the 2019 tunnel jar** (`tb-main/tunnel/2.30.jar`, internally v2.9, vulnerable Jetty 9.4.12) — use `testingbot-tunnel-launcher` (npm, v1.1.18) to download/cache the current tunnel (v4.8) at runtime. _(DONE — Phase 2.)_
5. **Add real CI/CD** — GitHub Actions building the `.vsix` on every PR and publishing to the Marketplace on tag (tfx-cli 0.23.x, Entra/OIDC auth), replacing dead Travis/Jenkins/CodeQL v1 configs. _(PENDING — Phase 4.)_
5. **Add real CI/CD** — GitHub Actions building the `.vsix` on every PR and publishing to the Marketplace on tag (tfx-cli 0.23.x, Entra/OIDC auth), replacing dead Travis/Jenkins/CodeQL v1 configs. _(DONE — Phase 4; the build/CodeQL/lint workflows run, the tag publish workflow just needs the maintainer's Marketplace secret.)_

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Document the implemented PAT authentication accurately.

The publish workflow currently passes AZURE_DEVOPS_MARKETPLACE_PAT to tfx extension publish in .github/workflows/publish.yml Lines 41-44; Entra/OIDC is a future migration, not the implemented authentication path. Update this entry to say PAT-based publishing is implemented and OIDC remains pending.

Proposed fix
-5. **Add real CI/CD** — GitHub Actions building the `.vsix` on every PR and publishing to the Marketplace on tag (tfx-cli 0.23.x, Entra/OIDC auth), replacing dead Travis/Jenkins/CodeQL v1 configs.
+5. **Add real CI/CD** — GitHub Actions building the `.vsix` on every PR and publishing to the Marketplace on tag (tfx-cli 0.23.x, PAT auth for now; Entra/OIDC migration pending), replacing dead Travis/Jenkins/CodeQL v1 configs.
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
5. **Add real CI/CD** — GitHub Actions building the `.vsix` on every PR and publishing to the Marketplace on tag (tfx-cli 0.23.x, Entra/OIDC auth), replacing dead Travis/Jenkins/CodeQL v1 configs. _(DONE — Phase 4; the build/CodeQL/lint workflows run, the tag publish workflow just needs the maintainer's Marketplace secret.)_
5. **Add real CI/CD** — GitHub Actions building the `.vsix` on every PR and publishing to the Marketplace on tag (tfx-cli 0.23.x, PAT auth for now; Entra/OIDC migration pending), replacing dead Travis/Jenkins/CodeQL v1 configs. _(DONE — Phase 4; the build/CodeQL/lint workflows run, the tag publish workflow just needs the maintainer's Marketplace secret.)_
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@MODERNIZATION.md` at line 48, Update the Phase 4 CI/CD entry in
MODERNIZATION.md to accurately state that Marketplace publishing currently uses
the AZURE_DEVOPS_MARKETPLACE_PAT with tfx extension publish, while Entra/OIDC
authentication remains a future migration. Preserve the existing
completed-status context.

@jochen-testingbot
jochen-testingbot merged commit 9679ae6 into master Jul 18, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant