🩹[Patch]: Configure Dependabot and rename Auto-Release to Release-GHRepository #15
Conversation
Pull request overview
Configures Dependabot to check GitHub Actions updates daily while delaying newly released versions for 7 days, and updates workflows to use pinned GitHub Action SHAs.
Changes:
- Switch Dependabot github-actions update interval from weekly to daily.
- Add a 7-day Dependabot cooldown for newly released versions.
- Pin GitHub Actions used in workflows to specific commit SHAs (instead of floating tags like latest).
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/dependabot.yml | Adjusts Dependabot schedule to daily and adds a 7-day cooldown. |
| .github/workflows/Linter.yml | Pins actions/checkout and super-linter to commit SHAs. |
| .github/workflows/Auto-Release.yml | Pins actions/checkout and PSModule/Auto-Release to commit SHAs. |
| .github/workflows/Action-Test.yml | Pins actions/checkout and actions/upload-artifact to commit SHAs. |
| interval: daily | ||
| cooldown: | ||
| default-days: 7 |
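Review bot: with `interval: daily` the 7-day `default-days` cooldown becomes the effective gate on every action bump, so a release that only fixes a bug in one of the pinned actions will also wait a week before Dependabot proposes it; confirm that delay is acceptable for every action this config covers, and state the trade-off in the PR description.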
Copilot
AI
Jan 22, 2026
The PR description says only .github/dependabot.yml was updated, but this PR also changes multiple workflow files to pin GitHub Actions to specific commit SHAs. Please update the PR description/title to include these workflow changes (or split them into a separate PR) so reviewers understand the full scope.
Pull request overview
Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.
Comments suppressed due to low confidence (1)
action.yml:53
- The composite action requires an inputs.GITHUB_TOKEN, but the actions/download-artifact step is using ${{ github.token }} instead. This can lead to confusing/incorrect behavior if callers pass a PAT or a token with different permissions than the workflow token. Use the provided input token consistently for the github-token input (or drop the input if it’s not intended to be used here).
uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
with:
name: ${{ inputs.ArtifactName }}
path: ${{ steps.workflow_run_id.outputs.Path }}
github-token: ${{ github.token }}
| - name: Upload Artifact | ||
| uses: actions/upload-artifact@v5 | ||
| uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 | ||
| with: |
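Review bot: the `# v6.0.0` trailer on the new `uses:` line is a comment the runner never checks, so the pin only means whatever the SHA resolves to; verify that b7c566a772e6b6bfb58ed0dc250532a479d7789f is the commit the v6.0.0 tag points at in actions/upload-artifact before merging, and record in the PR description that this is a major bump from @v5 rather than only a pin.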
Copilot
AI
Jan 25, 2026
This change upgrades actions/upload-artifact from @v5 to the SHA for v6.0.0 (major version bump), not just pinning. If the major upgrade is intentional, please confirm compatibility (inputs/outputs/defaults) or keep it pinned to a v5.x SHA to avoid unexpected workflow behavior changes.
|
|
||
| - name: Action-Test | ||
| uses: ./ |
Copilot
AI
Jan 25, 2026
In the Action-Test step invocation, the required GITHUB_TOKEN input is later set to ${{ GITHUB.TOKEN }}, which is not a valid GitHub Actions context and will evaluate to empty at runtime. Use ${{ github.token }} (or ${{ secrets.GITHUB_TOKEN }}) for this input so the composite action can authenticate.
| run: | | ||
| # Download-CIArtifact | ||
| ${{ github.action_path }}/scripts/main.ps1 | ||
| ${{ github.action_path }}/src/main.ps1 |
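Review bot: changing `scripts/main.ps1` to `src/main.ps1` keeps `${{ github.action_path }}` expanded directly into the `run:` script body, which is the pattern CodeQL flags as code injection; pass the path through the step's `env:` block and read it from the shell (`$env:...` in PowerShell) so the expression is never spliced into executable text.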
Check warning
Code scanning / CodeQL
Code injection Medium
${ github.action_path }
Copilot Autofix
AI about 11 hours ago
In general, to fix this class of problem in GitHub Actions, you should avoid using ${{ ... }} expressions directly inside run: script content. Instead, assign the expression to an environment variable in the env: section, then reference that variable using the shell’s own syntax ($VAR for PowerShell/Bash, %VAR% for CMD, etc.). This prevents the workflow expression language from being mixed into executable script content.
For this specific action, we can add an environment variable, for example PSMODULE_DOWNLOAD_CIARTIFACT_ACTION_PATH, set to ${{ github.action_path }} in the env: block of the step, and then change the run: body to use $env:PSMODULE_DOWNLOAD_CIARTIFACT_ACTION_PATH concatenated with '/src/main.ps1'. In PowerShell, paths should be quoted and joined safely; using Join-Path avoids any odd characters in the path being interpreted as part of a command. Concretely, in action.yml within the “Get Workflow Run ID” step, we will: (1) add an env: entry PSMODULE_DOWNLOAD_CIARTIFACT_ACTION_PATH: ${{ github.action_path }}, and (2) replace the current run: line ${{ github.action_path }}/src/main.ps1 with a small PowerShell snippet such as & (Join-Path $env:PSMODULE_DOWNLOAD_CIARTIFACT_ACTION_PATH 'src/main.ps1'). This preserves behavior (invoking the same script) while removing the direct use of ${{ github.action_path }} in the script body.
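As an added check (not code from this PR or the PSModule project), the following Python script scans a workflow or composite action YAML file for the two patterns this review turns on: a ${{ }} expression expanded inside a run: script body, and a remote action referenced by a tag instead of a 40-hex commit SHA. The action snippet it runs on is constructed for the example, and the checkout SHA in it is a placeholder.

```python
import re

EXPR_RE = re.compile(r"\$\{\{[^}]*\}\}")                  # ${{ ... }} expression
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")   # owner/repo@ref or ./
RUN_RE = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")
SHA40_RE = re.compile(r"^[0-9a-f]{40}$")

def lint_workflow(text):
    """(line, finding, detail) for 'expr-in-run' (a ${{ }} expression expanded
    into a run: script) and 'unpinned-uses' (remote action not pinned to a SHA)."""
    findings, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = USES_RE.match(lines[i])
        if m and "@" in m.group(1):          # local paths such as ./ have no ref
            ref = m.group(1)
            if not SHA40_RE.match(ref.rsplit("@", 1)[1]):
                findings.append((i + 1, "unpinned-uses", ref))
        m = RUN_RE.match(lines[i])
        if m:
            indent, rest = len(m.group(1)), m.group(2).strip()
            body = [(i + 1, rest)]           # inline script, or just the '|'
            if rest in ("|", "|-", "|+", ">", ">-", ">+"):
                # Block scalar: every following line indented deeper than the
                # run: key (blank lines included) belongs to the script.
                j = i + 1
                while j < len(lines) and (not lines[j].strip()
                        or len(lines[j]) - len(lines[j].lstrip()) > indent):
                    body.append((j + 1, lines[j]))
                    j += 1
                i = j - 1
            for n, b in body:
                for expr in EXPR_RE.findall(b):
                    findings.append((n, "expr-in-run", expr))
        i += 1
    return findings

# Constructed sample modelled on this PR's composite action; the checkout SHA is a placeholder.
SAMPLE_ACTION_YML = """\
steps:
  - name: Get Workflow Run ID
    env:
      PSMODULE_DOWNLOAD_CIARTIFACT_INPUT_Path: ${{ inputs.Path }}
    run: |
      # Download-CIArtifact
      ${{ github.action_path }}/src/main.ps1
  - name: Download Artifact
    uses: actions/download-artifact@v6
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder
"""
```

Expressions in `env:` or `with:` values are not reported, which is exactly why moving `github.action_path` into the step's `env:` block clears the finding.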
| @@ -41,9 +41,10 @@ | ||
| PSMODULE_DOWNLOAD_CIARTIFACT_INPUT_Path: ${{ inputs.Path }} | ||
| PSMODULE_DOWNLOAD_CIARTIFACT_INPUT_WorkflowID: ${{ inputs.WorkflowID }} | ||
| PSMODULE_DOWNLOAD_CIARTIFACT_INPUT_WorkflowRunID: ${{ inputs.WorkflowRunID }} | ||
| PSMODULE_DOWNLOAD_CIARTIFACT_ACTION_PATH: ${{ github.action_path }} | ||
| run: | | ||
| # Download-CIArtifact | ||
| ${{ github.action_path }}/src/main.ps1 | ||
| & (Join-Path $env:PSMODULE_DOWNLOAD_CIARTIFACT_ACTION_PATH 'src/main.ps1') | ||
|
|
||
| - name: Download Artifact | ||
| uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 |
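Review bot: the Join-Path call on R47 is the right shape, but `& (...)` and `$env:` are PowerShell syntax and the hunk does not show a `shell:` key for this step; confirm the step runs under `shell: pwsh`, since under a different shell the new line would fail rather than invoke the script.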
Pull request overview
Copilot reviewed 6 out of 7 changed files in this pull request and generated no new comments.
Comments suppressed due to low confidence (2)
action.yml:55
- This step uses actions/download-artifact with github-token: ${{ github.token }}, but the action also requires an explicit GITHUB_TOKEN input and uses that token for the gh api calls. If callers provide a PAT (or a token with different permissions) via the GITHUB_TOKEN input, it won’t be used for the artifact download, which can cause unexpected permission failures. Use the same provided token for both (or clarify via naming/docs if the input token is intended only for gh).
uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
with:
name: ${{ inputs.ArtifactName }}
path: ${{ steps.workflow_run_id.outputs.Path }}
github-token: ${{ github.token }}
run-id: ${{ steps.workflow_run_id.outputs.RunID }}
.github/workflows/Release.yml:17
- This workflow changes the trigger from pull_request_target to pull_request (and also adds a paths filter). That’s a significant behavioral/security change and isn’t described in the PR description (which focuses on Dependabot schedule + action pinning). Please confirm this is intentional and update the PR description accordingly; also note that pull_request workflows won’t have write permissions for forked PRs, so the release job may fail in those cases.
Pull request overview
Copilot reviewed 7 out of 8 changed files in this pull request and generated no new comments.
Comments suppressed due to low confidence (2)
.github/workflows/Release.yml:38
- PR description says the release workflow was updated to pin PSModule/Auto-Release@..., but the workflow now uses PSModule/Release-GHRepository@.... Either update the PR description or switch the workflow back so the documentation matches the actual action being used.
action.yml:54
- The action requires a GITHUB_TOKEN input and uses it for the gh api calls, but the artifact download step uses ${{ github.token }} instead of ${{ inputs.GITHUB_TOKEN }}. This can fail in scenarios where callers pass a PAT/custom token because the default github.token may not have the needed access. Use the provided input token consistently for the actions/download-artifact github-token as well.
uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
with:
name: ${{ inputs.ArtifactName }}
path: ${{ steps.workflow_run_id.outputs.Path }}
github-token: ${{ github.token }}
run-id: ${{ steps.workflow_run_id.outputs.RunID }}
🩹 [Patch]: Rename Auto-Release to Release-GHRepository
This PR updates the workflow to use the renamed release action.
Changed
- PSModule/Release-GHRepository@v2 instead of the deprecated PSModule/Auto-Release@v1.9.5
Summary
The PSModule/Auto-Release action has been renamed to PSModule/Release-GHRepository. This change updates the workflow configuration to reference the new action name and version.