chore: PAT rotation reminders (VSCE_PAT + OVSX_PAT)

[SebTardif]

PAT Rotation Reminders

We have two publish tokens set up (see ~/.grok/skills/vsce-publish/SKILL.md for full process and observed flows):

• VSCE_PAT (for Visual Studio Marketplace / vsce): expires 2026-07-05 (set with long custom date during initial aex/publisher setup with student account). Scope: Marketplace (Manage). Name in ADO: patchloom-vscode-publish.
• OVSX_PAT (for Open VSX / ovsx): set during earlier Eclipse flow. Namespace patchloom claimed in Claiming namespace patchloom EclipseFdn/open-vsx.org#10905 (still open as of 2026-06-05).

Rotation process

1. Generate new token in the respective UI (Azure DevOps user settings for VSCE, open-vsx.org user settings for OVSX).
2. gh secret set VSCE_PAT --repo patchloom/patchloom-vscode (or OVSX_PAT).
3. (Optional but recommended) Revoke the old token in the source UI.
4. Test locally: VSCE_PAT=... npx @vscode/vsce publish --packagePath ./your.vsix (or ovsx equivalent).
5. The release workflow will pick up the new secret on next release-please run.

Important dates

• VSCE_PAT expiry: 2026-07-05
• Global "all accessible organizations" PATs deprecation warning (seen during setup): effective 2026-12-01 (see Azure UI banner).
• OVSX_PAT: check its creation date in open-vsx.org settings (usually no hard expiry but rotate yearly).

Reminder cadence: Create calendar reminders or sub-issues ~30-60 days before each date.

References

• Full setup + live observed CDP flows (including the deprecation banner and form quirks): ~/.grok/skills/vsce-publish/SKILL.md
• This repo's PAT setup session notes: data from the 2026-06 run (student account used for quick org/publisher).
• Open VSX claim: Claiming namespace patchloom EclipseFdn/open-vsx.org#10905

Once rotated, update the "Expires on" in the ADO token list and close this issue or add a new one.

Created as follow-up to initial publish setup (issue #1).