From 9268e58df6b2a3e0cdb39a3445568e216094c682 Mon Sep 17 00:00:00 2001
From: Harold Shen
Date: Thu, 25 Jun 2026 13:37:16 -0400
Subject: [PATCH 1/6] add release vscode workflow; fix changelog
---
.github/workflows/release-vscode-ext.yaml | 31 +++++++++++++++++++++++
firebase-vscode/CHANGELOG.md | 2 ++
2 files changed, 33 insertions(+)
create mode 100644 .github/workflows/release-vscode-ext.yaml
diff --git a/.github/workflows/release-vscode-ext.yaml b/.github/workflows/release-vscode-ext.yaml
new file mode 100644
index 00000000000..676f5e67c80
--- /dev/null
+++ b/.github/workflows/release-vscode-ext.yaml
@@ -0,0 +1,31 @@
+name: Release VS Code Extension
+
+on:
+ issue_comment:
+ types: [created]
+
+jobs:
+ release:
+ if: github.event.issue.pull_request && startsWith(github.event.comment.body, '/run-release')
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout PR branch
+ uses: actions/checkout@v4
+ with:
+ repository: ${{ github.event.repository.full_name }}
+ ref: refs/pull/${{ github.event.issue.number }}/head
+ fetch-depth: 0
+
+ - name: Push to trigger branch
+ run: |
+ if [[ "${{ github.event.comment.body }}" == *"--build-only"* ]]; then
+ echo "Build-only mode detected. Creating skip_publish.txt"
+ git config user.name "github-actions[bot]"
+ git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+ touch skip_publish.txt
+ git add skip_publish.txt
+ git commit -m "Build and sign only [skip-publish]"
+ fi
+ # Push current HEAD to release-trigger branch
+ # This triggers the Kokoro release pipeline
+ git push origin HEAD:refs/heads/release-trigger --force
diff --git a/firebase-vscode/CHANGELOG.md b/firebase-vscode/CHANGELOG.md
index 36db15c9626..5da311a3685 100644
--- a/firebase-vscode/CHANGELOG.md
+++ b/firebase-vscode/CHANGELOG.md
@@ -1,3 +1,5 @@
+## NEXT + ## 2.4.1 - Update internal `firebase-tools` dependency to 15.21.0
From cad089b41ed649a176c71a40bd4fecef97ee3b83 Mon Sep 17 00:00:00 2001
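Review bot: The `git push origin HEAD:refs/heads/release-trigger --force` step promotes whatever `refs/pull/N/head` resolves to at the moment the job runs, not the commit the commenter looked at; for a fork PR that ref is controlled by the PR author, so anything pushed after `/run-release` is posted is what reaches the Kokoro release pipeline. Pin the release to a commit the operator vouches for — accept it in the command (`/run-release <sha>`) and fail the step when it differs from the checked-out `git rev-parse HEAD` — and refuse PRs whose base is not the default branch before anything is pushed. The Kokoro side presumably reads the branch as a trusted signal, so the trigger branch itself should be protected so that only this workflow's token can move it.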
From: Harold Shen
Date: Thu, 25 Jun 2026 14:05:07 -0400
Subject: [PATCH 2/6] address security vulns
---
.github/workflows/release-vscode-ext.yaml | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release-vscode-ext.yaml b/.github/workflows/release-vscode-ext.yaml
index 676f5e67c80..81938152f33 100644
--- a/.github/workflows/release-vscode-ext.yaml
+++ b/.github/workflows/release-vscode-ext.yaml
@@ -6,7 +6,12 @@ on:
jobs:
release:
- if: github.event.issue.pull_request && startsWith(github.event.comment.body, '/run-release')
+ if: |
+ github.event.issue.pull_request &&
+ startsWith(github.event.comment.body, '/run-release') &&
+ (github.event.comment.author_association == 'OWNER' ||
+ github.event.comment.author_association == 'MEMBER' ||
+ github.event.comment.author_association == 'COLLABORATOR')
runs-on: ubuntu-latest
steps: - name: Checkout PR branch
@@ -17,8 +22,10 @@ jobs:
fetch-depth: 0 - name: Push to trigger branch
+ env:
+ COMMENT_BODY: ${{ github.event.comment.body }}
run: |
- if [[ "${{ github.event.comment.body }}" == *"--build-only"* ]]; then
+ if [[ "$COMMENT_BODY" == *"--build-only"* ]]; then
echo "Build-only mode detected. Creating skip_publish.txt"
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
From e1ff646537912cc6c744474bc7f0034c41743e14 Mon Sep 17 00:00:00 2001
From: Harold Shen
Date: Thu, 25 Jun 2026 14:10:59 -0400
Subject: [PATCH 3/6] remove checkout flow
---
.github/workflows/release-vscode-ext.yaml | 44 ++++++++++++++---------
1 file changed, 27 insertions(+), 17 deletions(-)
diff --git a/.github/workflows/release-vscode-ext.yaml b/.github/workflows/release-vscode-ext.yaml
index 81938152f33..1b491032aed 100644
--- a/.github/workflows/release-vscode-ext.yaml
+++ b/.github/workflows/release-vscode-ext.yaml
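Review bot: The new `author_association` gate in the first hunk treats `MEMBER` (any member of the organization that owns the repository) and `COLLABORATOR` (anyone invited to the repository, including outside collaborators) as release authority, which is broader than "has write or maintain permission on this repository" — `author_association` reports affiliation, not permission. Because this comment ends up pushing a commit to the branch that starts the signing and publishing pipeline, keep the expression as a cheap pre-filter but confirm the commenter's actual role inside the job, e.g. `gh api "repos/$GITHUB_REPOSITORY/collaborators/$COMMENTER/permission" --jq .permission` with `COMMENTER: ${{ github.event.comment.user.login }}` passed through `env:`, and exit unless the result is `admin` or `maintain`. The gate also never checks `github.event.issue.state == 'open'`, so `/run-release` on a closed or already-merged PR still fires.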
@@ -4,6 +4,11 @@ on:
issue_comment:
types: [created]
+permissions:
+ contents: write
+ pull-requests: read
+ issues: read
+
jobs:
release:
if: |
@@ -14,25 +19,30 @@ jobs:
github.event.comment.author_association == 'COLLABORATOR')
runs-on: ubuntu-latest
steps:
- - name: Checkout PR branch
- uses: actions/checkout@v4
- with:
- repository: ${{ github.event.repository.full_name }}
- ref: refs/pull/${{ github.event.issue.number }}/head
- fetch-depth: 0
-
- - name: Push to trigger branch
+ - name: Trigger Kokoro via API
env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
COMMENT_BODY: ${{ github.event.comment.body }}
run: |
+ PR_NUM="${{ github.event.issue.number }}"
+ echo "Fetching SHA for PR $PR_NUM..."
+ SHA=$(gh pr view "$PR_NUM" --json headRefOid -q .headRefOid)
+ echo "PR Head SHA is $SHA"
+
if [[ "$COMMENT_BODY" == *"--build-only"* ]]; then
- echo "Build-only mode detected. Creating skip_publish.txt"
- git config user.name "github-actions[bot]"
- git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
- touch skip_publish.txt
- git add skip_publish.txt
- git commit -m "Build and sign only [skip-publish]"
+ TARGET_BRANCH="release-trigger-build-only"
+ else
+ TARGET_BRANCH="release-trigger"
+ fi
+ echo "Target branch is $TARGET_BRANCH"
+
+ # Try to update the branch ref (force-push equivalent via API)
+ if gh api -X PATCH "/repos/${{ github.repository }}/git/refs/heads/$TARGET_BRANCH" \
+ -f sha="$SHA" -f force=true >/dev/null 2>&1; then
+ echo "Successfully updated ref refs/heads/$TARGET_BRANCH to $SHA"
+ else
+ echo "Ref refs/heads/$TARGET_BRANCH not found. Creating it..."
+ gh api -X POST "/repos/${{ github.repository }}/git/refs" \
+ -f ref="refs/heads/$TARGET_BRANCH" -f sha="$SHA" >/dev/null
+ echo "Successfully created ref refs/heads/$TARGET_BRANCH at $SHA"
fi
- # Push current HEAD to release-trigger branch
- # This triggers the Kokoro release pipeline
- git push origin HEAD:refs/heads/release-trigger --force
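Review bot: In the second hunk, `gh api -X PATCH ... -f sha="$SHA" -f force=true >/dev/null 2>&1` sends `force` as the JSON string `"true"` (`-f` is a raw string field; the typed form is `-F force=true`) and then discards the response, so a 422 from GitHub's type validation, a branch-protection rejection or a token problem all look identical to "branch does not exist" and fall through to the POST, which then fails with "Reference already exists" and no record of the real cause; with the default `bash -e` shell the step dies on that unrelated error. Decide between update and create by looking the ref up, keep stderr in the log, and use the typed flag. `SHA` is also taken straight from `gh pr view` at run time — for a fork PR the author can push between the maintainer's comment and this call — so at minimum assert it is a full 40-hex commit id before it is written to a branch that triggers signing and publishing, and ideally compare it to a SHA supplied in the comment. The `run:` script is shown in full here; the job's `if:` gate is above the hunk.
```yaml
          # Refuse anything that is not a full commit id before touching a release branch
          [[ "$SHA" =~ ^[0-9a-f]{40}$ ]] || { echo "unexpected PR head SHA: $SHA" >&2; exit 1; }
          # … unchanged: TARGET_BRANCH selection …
          if gh api "/repos/${{ github.repository }}/git/ref/heads/$TARGET_BRANCH" >/dev/null 2>&1; then
            gh api -X PATCH "/repos/${{ github.repository }}/git/refs/heads/$TARGET_BRANCH" \
              -f sha="$SHA" -F force=true >/dev/null
            echo "Updated refs/heads/$TARGET_BRANCH to $SHA"
          else
            gh api -X POST "/repos/${{ github.repository }}/git/refs" \
              -f ref="refs/heads/$TARGET_BRANCH" -f sha="$SHA" >/dev/null
            echo "Created refs/heads/$TARGET_BRANCH at $SHA"
          fi
```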
From 62576e0e48a12bd93677f470d0c970cef28ce2d7 Mon Sep 17 00:00:00 2001
From: Harold Shen
Date: Thu, 25 Jun 2026 15:36:42 -0400
Subject: [PATCH 4/6] format
---
.github/workflows/release-vscode-ext.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release-vscode-ext.yaml b/.github/workflows/release-vscode-ext.yaml
index 1b491032aed..b2a988778aa 100644
--- a/.github/workflows/release-vscode-ext.yaml
+++ b/.github/workflows/release-vscode-ext.yaml
@@ -28,14 +28,14 @@ jobs:
echo "Fetching SHA for PR $PR_NUM..."
SHA=$(gh pr view "$PR_NUM" --json headRefOid -q .headRefOid)
echo "PR Head SHA is $SHA"
-
+
if [[ "$COMMENT_BODY" == *"--build-only"* ]]; then
TARGET_BRANCH="release-trigger-build-only"
else
TARGET_BRANCH="release-trigger"
fi
echo "Target branch is $TARGET_BRANCH"
-
+
# Try to update the branch ref (force-push equivalent via API)
if gh api -X PATCH "/repos/${{ github.repository }}/git/refs/heads/$TARGET_BRANCH" \ -f sha="$SHA" -f force=true >/dev/null 2>&1; then
From 967d07baffcc4f4a41d70a47effbd1a3953aa21e Mon Sep 17 00:00:00 2001
From: Harold Shen
Date: Fri, 26 Jun 2026 14:08:14 -0400
Subject: [PATCH 5/6] change branch name
---
.github/workflows/release-vscode-ext.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release-vscode-ext.yaml b/.github/workflows/release-vscode-ext.yaml
index b2a988778aa..6e4f9bd243e 100644
--- a/.github/workflows/release-vscode-ext.yaml
+++ b/.github/workflows/release-vscode-ext.yaml
@@ -30,9 +30,9 @@ jobs:
echo "PR Head SHA is $SHA"
if [[ "$COMMENT_BODY" == *"--build-only"* ]]; then
- TARGET_BRANCH="release-trigger-build-only"
+ TARGET_BRANCH="vscode-release-trigger-build-only"
else
- TARGET_BRANCH="release-trigger"
+ TARGET_BRANCH="vscode-release-trigger"
fi
echo "Target branch is $TARGET_BRANCH"
From be2a487005962bcb3d155606bc7635de65b1b00b Mon Sep 17 00:00:00 2001
From: Harold Shen
Date: Fri, 26 Jun 2026 14:50:09 -0400
Subject: [PATCH 6/6] remove collaborator
---
.github/workflows/release-vscode-ext.yaml | 1 -
1 file changed, 1 deletion(-)
diff --git a/.github/workflows/release-vscode-ext.yaml b/.github/workflows/release-vscode-ext.yaml
index 6e4f9bd243e..723dfca2757 100644
--- a/.github/workflows/release-vscode-ext.yaml
+++ b/.github/workflows/release-vscode-ext.yaml
@@ -16,7 +16,6 @@ jobs:
startsWith(github.event.comment.body, '/run-release') &&
(github.event.comment.author_association == 'OWNER' ||
github.event.comment.author_association == 'MEMBER' ||
- github.event.comment.author_association == 'COLLABORATOR')
runs-on: ubuntu-latest
steps: - name: Trigger Kokoro via API
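Review bot: Deleting only the `COLLABORATOR` line leaves the job's `if:` expression ending in `== 'MEMBER' ||` with the parenthesis opened on the `'OWNER'` line never closed (the diffstat confirms one deletion and no insertion), so the workflow no longer parses and the release job can never be scheduled; the failure will show up only as a workflow-syntax error on the next `issue_comment` event rather than at review time. The preceding context line has to absorb the closing parenthesis: `github.event.comment.author_association == 'MEMBER')`. The `if:` block starts above this hunk.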