test: add install tests for vs code extension VSCODE-703

.github/workflows/actions/build-and-package/action.yaml

@@ -0,0 +1,172 @@
+name: Check Build and Package
+description: Run checks, build and package VSIX, sign it, and run security scans (Ubuntu only)
+inputs:
+  SEGMENT_KEY:
+    description: Segment analytics key
+    required: true
+  ARTIFACTORY_HOST:
+    description: Artifactory host for signing
+    required: true
+  ARTIFACTORY_PASSWORD:
+    description: Artifactory password for signing
+    required: true
+  ARTIFACTORY_USERNAME:
+    description: Artifactory username for signing
+    required: true
+  GARASIGN_PASSWORD:
+    description: Garasign password for signing
+    required: true
+  GARASIGN_USERNAME:
+    description: Garasign username for signing
+    required: true
+  SNYK_TOKEN:
+    description: Snyk token for security scanning
+    required: true
+  JIRA_API_TOKEN:
+    description: Jira API token for vulnerability tickets
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Setup pnpm
+      uses: pnpm/action-setup@v4
+
+    - name: Setup Node.js Environment
+      uses: actions/setup-node@v4
+      with:
+        node-version: 22.15.1
+        cache: pnpm
+
+    - name: Install Deps Ubuntu
+      run: sudo apt-get update -y && sudo apt-get -y install libkrb5-dev libsecret-1-dev net-tools libstdc++6 gnome-keyring
+      shell: bash
+
+    # Default Python (3.12) doesn't have support for distutils because of
+    # which the dep install fails constantly on macos
+    # https://github.com/nodejs/node-gyp/issues/2869
+    - uses: actions/setup-python@v5
+      with:
+        python-version: "3.11"
+
+    - name: Run node-gyp bug workaround script
+      run: |
+        curl -sSfLO https://raw.githubusercontent.com/mongodb-js/compass/42e6142ae08be6fec944b80ff6289e6bcd11badf/.evergreen/node-gyp-bug-workaround.sh && bash node-gyp-bug-workaround.sh
+      shell: bash
+
+    - name: Set SEGMENT_KEY
+      env:
+        SEGMENT_KEY: ${{ inputs.SEGMENT_KEY }}
+      run: |
+        echo "SEGMENT_KEY=${SEGMENT_KEY}" >> $GITHUB_ENV
+      shell: bash
+
+    - name: Validate SEGMENT_KEY
+      run: |
+        if [ -z "${SEGMENT_KEY}" ]; then
+          echo "SEGMENT_KEY is not set or is empty"
+          exit 1
+        fi
+      shell: bash
+
+    - name: Install Dependencies
+      shell: bash
+      run: |
+        # Retry npm ci up to 3 times to handle transient network errors
+        for i in 1 2 3; do
+          pnpm install --frozen-lockfile && break || {
+            if [ $i -eq 3 ]; then
+              echo "pnpm install failed after 3 attempts"
+              exit 1
+            fi
+            echo "pnpm install failed, retrying in 10 seconds... (attempt $i/3)"
+            sleep 10
+          }
+        done
+
+    - name: Compile
+      run: pnpm run compile
+      shell: bash
+
+    - name: Run Checks
+      run: pnpm run check
+      shell: bash
+
+    - name: Build .vsix
+      env:
+        NODE_OPTIONS: "--require ./scripts/no-npm-list-fail.js --max_old_space_size=4096"
+      # NOTE: --githubBranch is "The GitHub branch used to infer relative links in README.md."
+      run: |
+        pnpm exec vsce package --githubBranch main
+      shell: bash
+
+    - name: Check .vsix filesize
+      run: pnpm run check-vsix-size
+      shell: bash
+
+    - name: Sign .vsix
+      env:
+        ARTIFACTORY_PASSWORD: ${{ inputs.ARTIFACTORY_PASSWORD }}
+        ARTIFACTORY_USERNAME: ${{ inputs.ARTIFACTORY_USERNAME }}
+        GARASIGN_PASSWORD: ${{ inputs.GARASIGN_PASSWORD }}
+        GARASIGN_USERNAME: ${{ inputs.GARASIGN_USERNAME }}
+      run: |
+        set -e
+        FILE_TO_SIGN=$(find . -maxdepth 1 -name '*.vsix' -print -quit)
+        if [ -z "$FILE_TO_SIGN" ]; then
+          echo "Error: No .vsix file found in the current directory." >&2
+          exit 1
+        fi
+        node scripts/sign-vsix.js "${FILE_TO_SIGN}"
+        ls *.vsix.sig
+      shell: bash
+
+    - name: Prepare artifact upload
+      shell: bash
+      run: |
+        echo "Files to be uploaded:"
+        ls -lh *.vsix *.vsix.sig
+        echo ""
+        echo "VSIX checksum (SHA256):"
+        sha256sum *.vsix
+
+    - name: Upload artifacts
+      uses: actions/upload-artifact@v4
+      with:
+        name: VSIX Package
+        path: |
+          *.vsix
+          *.vsix.sig
+
+    - name: Run Snyk Test
+      shell: bash
+      env:
+        SNYK_TOKEN: ${{ inputs.SNYK_TOKEN }}
+      run: |
+        pnpm run snyk-test
+
+    - name: Create Jira Tickets
+      if: >
+        (
+          github.event_name == 'push' && github.ref == 'refs/heads/main' ||
+          github.event_name == 'workflow_dispatch' ||
+          github.event_name == 'schedule'
+        )
+      shell: bash
+      env:
+        JIRA_API_TOKEN: ${{ inputs.JIRA_API_TOKEN }}
+        JIRA_BASE_URL: "https://jira.mongodb.org"
+        JIRA_PROJECT: "VSCODE"
+        JIRA_VULNERABILITY_BUILD_INFO: "- [GitHub Run|https://github.com/mongodb-js/vscode/actions/runs/${{github.run_id}}/jobs/${{github.job}}]"
+      run: |
+        pnpm run create-vulnerability-tickets > /dev/null
+
+    - name: Generate Vulnerability Report (Fail on >= High)
+      continue-on-error: ${{ github.event_name == 'pull_request' }}
+      shell: bash
+      run: |
+        # The standard output is suppressed since Github Actions logs are
+        # available for everyone with read access to the repo, which is everyone that is
+        # logged in for public repos.
+        # This command is only here to fail on failures for `main` and tags.
+        pnpm run generate-vulnerability-report > /dev/null