ci: add release pipelines for iii-lsp and VSCode extension

[guibeira]

Summary

• Add release workflow for iii-lsp binary (cross-platform builds via _rust-binary.yml)
• Add release workflow for iii-lsp-vscode extension (VS Code Marketplace + OpenVSX)
• Add iii-lsp and iii-lsp-vscode to create-tag.yml (supports both Cargo.toml and package.json manifests)
• Add iii-lsp to worker registry
• Add CI lint job for iii-lsp-vscode
• Add SSH→HTTPS rewrite to reusable binary workflow (needed for iii-sdk dependency)

Required secrets before first release

Secret	Purpose
VSCE_PAT	VS Code Marketplace publishing
OVSX_PAT	OpenVSX publishing

Test plan

• Trigger "Create Tag" with iii-lsp, patch bump, dry-run → verify binary builds
• Trigger "Create Tag" with iii-lsp, patch bump, real → verify GitHub Release
• Trigger "Create Tag" with iii-lsp-vscode, patch bump, dry-run → verify VSIX packages
• Trigger "Create Tag" with iii-lsp-vscode, patch bump, real → verify Marketplace + OpenVSX listings

Summary by CodeRabbit

• Chores
  • Added automated release workflows for the LSP component and VS Code extension.
  • Enhanced CI pipeline to validate VS Code extension packaging.
  • Improved support for multi-component project workflows with updated version management for different manifest types.
  • Updated credential handling in release workflows.

[coderabbitai]

Warning

Rate limit exceeded

@guibeira has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 18 minutes and 48 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 18 minutes and 48 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3edfc729-6ff2-4652-bd26-7031ebe89591

📥 Commits

Reviewing files that changed from the base of the PR and between 1db6782 and 73cbca6.

📒 Files selected for processing (1)

• .github/workflows/ci.yml

📝 Walkthrough

Walkthrough

Workflow enhancements adding CI/CD support for VS Code extension and LSP projects. Changes include new release workflows for iii-lsp and iii-lsp-vscode, generalized manifest-type detection (Cargo vs. Node.js), GitHub App credential migration, Git SSH-to-HTTPS URL rewriting, and CI job extension for extension packaging.

Changes

Cohort / File(s)	Summary
New Release Workflows .github/workflows/release-lsp.yml, .github/workflows/release-vscode.yml	Two new workflows handling releases for LSP binary and VS Code extension respectively, including version extraction, prerelease detection, GitHub release creation, and artifact publishing/uploading.
Git Dependency Management .github/workflows/_rust-binary.yml	Added workflow step to globally rewrite Git dependency URLs from SSH to HTTPS format before Rust toolchain setup and build execution.
CI Job Extension .github/workflows/ci.yml	Extended changes job outputs with iii-lsp-vscode path-filter condition and added new iii-lsp-vscode job to run VS Code extension packaging dry-run when files in that directory change.
Manifest Type Generalization .github/workflows/create-tag.yml	Expanded workflow to support both Cargo and Node.js projects via manifest-type detection (probing Cargo.toml vs package.json), added new worker options (iii-lsp, iii-lsp-vscode), and implemented version bumping logic for both manifest formats.
GitHub App Credentials Migration .github/workflows/release.yml	Updated GitHub App authentication from III_CI_APP_* secrets to GH_APP_* secrets in token generation and downstream workflow context passing.
Extension Dependencies iii-lsp-vscode/package.json	Added development dependencies @vscode/vsce (v3.7.1) and ovsx (v0.10.10) for extension packaging and publishing workflows.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 Hop, hop! New workflows now take flight,
SSH becomes HTTPS in the night,
LSP and VSCode extensions released with care,
Manifests flexible, credentials fair,
CI/CD pipelines complete and bright! 🚀

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically summarizes the main changes: adding release pipelines for iii-lsp Rust binary and VSCode extension, which directly reflects the core objectives.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci-for-publish-lsp

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (3)

.github/workflows/ci.yml (1)

94-113: Consider renaming job to reflect actual validation scope.

The job name says "Lint" but the actual step runs a packaging dry-run (vsce package --out /dev/null), not linting. Consider renaming to "Package Check" or "Build Check" for clarity. Alternatively, add actual linting (e.g., ESLint) if that's intended.

💡 Suggested name change

   iii-lsp-vscode:
-    name: "iii-lsp-vscode: Lint"
+    name: "iii-lsp-vscode: Package Check"
     needs: changes

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml around lines 94 - 113, The job labeled
"iii-lsp-vscode: Lint" is misleading because the step runs a packaging dry-run
(`npx `@vscode/vsce` package --out /dev/null`) rather than linting; update the
job's name field (the "name" under the iii-lsp-vscode job) to something like
"iii-lsp-vscode: Package Check" or "Build/Package Check" to reflect the actual
validation, or alternatively add a lint step (e.g., run ESLint) if linting was
intended so the name remains accurate.

.github/workflows/release-lsp.yml (1)

44-53: Prerelease regex may not match all intended patterns.

The regex -([a-z]+)\.[0-9]+$ only matches lowercase prerelease labels (e.g., alpha, beta, rc). If uppercase or mixed-case labels like RC or Alpha are ever used, they won't be detected as prereleases. This matches the pattern in release-vscode.yml, so it's likely intentional, but worth noting for consistency with create-tag.yml which only offers lowercase options.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release-lsp.yml around lines 44 - 53, The prerelease regex
only matches lowercase labels, so update the regex used on VERSION in the elif
clause (currently `-([a-z]+)\.[0-9]+$`) to allow mixed/upper-case prerelease
tokens (e.g., use a character class like [A-Za-z]+ or an equivalent
case-insensitive approach) so values like "RC" or "Alpha" are detected as
prereleases; adjust the regex in the release-lsp.yml condition that tests
VERSION and keep the dry-run branch unchanged.

.github/workflows/create-tag.yml (1)

150-159: Consider adding validation for missing version field in package.json.

If .version is missing from package.json, jq -r '.version' returns the literal string "null" rather than failing. While the provided iii-lsp-vscode/package.json has a valid version field, adding explicit validation would make the workflow more robust against future manifest issues.

💡 Suggested defensive check

           read_node_version() {
-            jq -r '.version' "$1"
+            local ver
+            ver=$(jq -r '.version // empty' "$1")
+            if [[ -z "$ver" ]]; then
+              echo "::error::No version field in $1"
+              exit 1
+            fi
+            echo "$ver"
           }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/create-tag.yml around lines 150 - 159, The workflow's
read_node_version helper can return the literal "null" when package.json lacks
.version, so add validation after invoking read_node_version (and similarly for
read_cargo_version via MANIFEST_TYPE) to verify the returned current value is
non-empty and not "null"; if invalid, emit a clear error via workflow logging
and exit non‑zero. Locate the read_node_version function and the branch that
sets current (using MANIFEST_TYPE and read_cargo_version/read_node_version) and
insert a guard that checks current != "" && current != "null" (or use jq -e to
fail fast) and fail the job with a descriptive message if the check fails.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/ci.yml:
- Around line 94-113: The job labeled "iii-lsp-vscode: Lint" is misleading
because the step runs a packaging dry-run (`npx `@vscode/vsce` package --out
/dev/null`) rather than linting; update the job's name field (the "name" under
the iii-lsp-vscode job) to something like "iii-lsp-vscode: Package Check" or
"Build/Package Check" to reflect the actual validation, or alternatively add a
lint step (e.g., run ESLint) if linting was intended so the name remains
accurate.

In @.github/workflows/create-tag.yml:
- Around line 150-159: The workflow's read_node_version helper can return the
literal "null" when package.json lacks .version, so add validation after
invoking read_node_version (and similarly for read_cargo_version via
MANIFEST_TYPE) to verify the returned current value is non-empty and not "null";
if invalid, emit a clear error via workflow logging and exit non‑zero. Locate
the read_node_version function and the branch that sets current (using
MANIFEST_TYPE and read_cargo_version/read_node_version) and insert a guard that
checks current != "" && current != "null" (or use jq -e to fail fast) and fail
the job with a descriptive message if the check fails.

In @.github/workflows/release-lsp.yml:
- Around line 44-53: The prerelease regex only matches lowercase labels, so
update the regex used on VERSION in the elif clause (currently
`-([a-z]+)\.[0-9]+$`) to allow mixed/upper-case prerelease tokens (e.g., use a
character class like [A-Za-z]+ or an equivalent case-insensitive approach) so
values like "RC" or "Alpha" are detected as prereleases; adjust the regex in the
release-lsp.yml condition that tests VERSION and keep the dry-run branch
unchanged.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c1c2feb3-e447-4dd8-a266-010f24ce62c0

📥 Commits

Reviewing files that changed from the base of the PR and between b0f6adc and 9cf9981.

⛔ Files ignored due to path filters (1)

• iii-lsp-vscode/package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (7)

• .github/workflows/_rust-binary.yml
• .github/workflows/ci.yml
• .github/workflows/create-tag.yml
• .github/workflows/release-lsp.yml
• .github/workflows/release-vscode.yml
• iii-lsp-vscode/package.json
• registry/index.json