
@MariusStorhaug MariusStorhaug commented Jan 22, 2026

This release makes several improvements and updates to GitHub Actions workflows, dependencies, and documentation. The main focus is on enhancing workflow security and maintainability by pinning action versions, updating configuration and naming, and improving documentation clarity.

Workflow and Action Updates:

  • Updated all GitHub Actions in workflow files (such as actions/checkout, actions/upload-artifact, super-linter/super-linter, and actions/download-artifact) to use pinned commit SHAs for improved security and traceability. Also added persist-credentials: false to checkout steps.
  • Renamed .github/workflows/Auto-Release.yml to .github/workflows/Release.yml, updated job and workflow names, and changed the trigger from pull_request_target to pull_request with path filters for more precise release automation.
  • Replaced the PSModule/Auto-Release action with PSModule/Release-GHRepository for release management.

Configuration and Linting:

  • Removed the .github/linters/.jscpd.json configuration file and disabled JSCPD validation in the linter workflow, streamlining linting checks.
  • Disabled several Prettier validations in the linter workflow for JSON, Markdown, and YAML files.

Dependency and Schedule Management:

  • Changed the Dependabot update schedule from weekly to daily and added a cooldown period of 7 days between updates to balance update frequency.

Documentation Improvements:

  • Fixed a typo in both README.md and action.yml to clarify that artifacts are "downloaded" (not "download") from workflow runs.
  • Updated the script path in action.yml from scripts/main.ps1 to src/main.ps1 for consistency with the repository structure.

Copilot AI review requested due to automatic review settings January 22, 2026 18:17

Pull request overview

Configures Dependabot to check GitHub Actions updates daily while delaying newly released versions for 7 days, and updates workflows to use pinned GitHub Action SHAs.

Changes:

  • Switch Dependabot github-actions update interval from weekly to daily.
  • Add a 7-day Dependabot cooldown for newly released versions.
  • Pin GitHub Actions used in workflows to specific commit SHAs (instead of floating tags like latest).

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File | Description
.github/dependabot.yml | Adjusts Dependabot schedule to daily and adds a 7-day cooldown.
.github/workflows/Linter.yml | Pins actions/checkout and super-linter to commit SHAs.
.github/workflows/Auto-Release.yml | Pins actions/checkout and PSModule/Auto-Release to commit SHAs.
.github/workflows/Action-Test.yml | Pins actions/checkout and actions/upload-artifact to commit SHAs.


@MariusStorhaug MariusStorhaug changed the title 🩹 Configure Dependabot for daily schedule with 7-day cooldown 🩹[Patch] Configure Dependabot for daily schedule with 7-day cooldown Jan 22, 2026
@MariusStorhaug MariusStorhaug changed the title 🩹[Patch] Configure Dependabot for daily schedule with 7-day cooldown 🩹[Patch]: Configure Dependabot for daily schedule with 7-day cooldown Jan 22, 2026
@MariusStorhaug MariusStorhaug changed the title 🩹[Patch]: Configure Dependabot for daily schedule with 7-day cooldown 🩹 [Patch] Configure Dependabot for daily schedule with 7-day cooldown Jan 22, 2026
@MariusStorhaug MariusStorhaug changed the title 🩹 [Patch] Configure Dependabot for daily schedule with 7-day cooldown 🩹[Patch]: Configure Dependabot for daily schedule with 7-day cooldown Jan 22, 2026
@MariusStorhaug MariusStorhaug self-assigned this Jan 22, 2026
Copilot AI review requested due to automatic review settings January 25, 2026 17:34

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

Comments suppressed due to low confidence (1)

action.yml:53

  • The composite action requires an inputs.GITHUB_TOKEN, but the actions/download-artifact step is using ${{ github.token }} instead. This can lead to confusing/incorrect behavior if callers pass a PAT or a token with different permissions than the workflow token. Use the provided input token consistently for the github-token input (or drop the input if it’s not intended to be used here).
      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      with:
        name: ${{ inputs.ArtifactName }}
        path: ${{ steps.workflow_run_id.outputs.Path }}
        github-token: ${{ github.token }}


run: |
# Download-CIArtifact
${{ github.action_path }}/scripts/main.ps1
${{ github.action_path }}/src/main.ps1

Check warning: Code scanning / CodeQL

Code injection (Medium)

Potential code injection in ${{ github.action_path }}, which may be controlled by an external user.

Copilot Autofix (AI, 2 days ago)

In general, to fix this class of problem in GitHub Actions, you should avoid using ${{ ... }} expressions directly inside run: script content. Instead, assign the expression to an environment variable in the env: section, then reference that variable using the shell’s own syntax ($VAR for PowerShell/Bash, %VAR% for CMD, etc.). This prevents the workflow expression language from being mixed into executable script content.

For this specific action, we can add an environment variable, for example PSMODULE_DOWNLOAD_CIARTIFACT_ACTION_PATH, set to ${{ github.action_path }} in the env: block of the step, and then change the run: body to use $env:PSMODULE_DOWNLOAD_CIARTIFACT_ACTION_PATH concatenated with '/src/main.ps1'. In PowerShell, paths should be quoted and joined safely; using Join-Path avoids any odd characters in the path being interpreted as part of a command. Concretely, in action.yml within the “Get Workflow Run ID” step, we will: (1) add an env: entry PSMODULE_DOWNLOAD_CIARTIFACT_ACTION_PATH: ${{ github.action_path }}, and (2) replace the current run: line ${{ github.action_path }}/src/main.ps1 with a small PowerShell snippet such as & (Join-Path $env:PSMODULE_DOWNLOAD_CIARTIFACT_ACTION_PATH 'src/main.ps1'). This preserves behavior (invoking the same script) while removing the direct use of ${{ github.action_path }} in the script body.

Suggested changeset 1
action.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/action.yml b/action.yml
--- a/action.yml
+++ b/action.yml
@@ -41,9 +41,10 @@
         PSMODULE_DOWNLOAD_CIARTIFACT_INPUT_Path: ${{ inputs.Path }}
         PSMODULE_DOWNLOAD_CIARTIFACT_INPUT_WorkflowID: ${{ inputs.WorkflowID }}
         PSMODULE_DOWNLOAD_CIARTIFACT_INPUT_WorkflowRunID: ${{ inputs.WorkflowRunID }}
+        PSMODULE_DOWNLOAD_CIARTIFACT_ACTION_PATH: ${{ github.action_path }}
       run: |
         # Download-CIArtifact
-        ${{ github.action_path }}/src/main.ps1
+        & (Join-Path $env:PSMODULE_DOWNLOAD_CIARTIFACT_ACTION_PATH 'src/main.ps1')
 
     - name: Download Artifact
       uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
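Review bot: the replacement line "& (Join-Path $env:PSMODULE_DOWNLOAD_CIARTIFACT_ACTION_PATH 'src/main.ps1')" is PowerShell syntax, so this step must run under shell: pwsh; that key sits outside the visible context of the hunk, so confirm it is set, because under a bash shell the line would fail instead of invoking the script. Moving github.action_path into an env: entry matches the existing PSMODULE_DOWNLOAD_CIARTIFACT_INPUT_* convention and keeps expression interpolation out of the script body; note that for a composite action the runner sets github.action_path itself, so this is defence in depth rather than closing a PR-controlled input, and Join-Path will throw if the variable is ever empty, which is the safe failure mode.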
EOF
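The two checks this PR turns on, pinning every uses: reference to a full commit SHA and keeping ${{ }} expressions out of run: scripts (the CodeQL finding above), as a small line-based audit. This is an added example, not code from the repository or from GitHub; the workflow fragment it scans is constructed, and its step and env names are made up.

```python
import re

# Constructed sample (not the repository's own workflow): a floating tag, a SHA-pinned
# action, and an expression inside run: beside the env-variable form the autofix suggests.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      - name: Run script
        env:
          ACTION_PATH: ${{ github.action_path }}
        shell: pwsh
        run: |
          # Download-CIArtifact
          ${{ github.action_path }}/src/main.ps1
          & (Join-Path $env:ACTION_PATH 'src/main.ps1')
"""

USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"@[0-9a-f]{40}$")               # pinned to a full commit SHA
RUN_RE = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")  # group 1 = column of the run key
EXPR_RE = re.compile(r"\$\{\{.*?\}\}")               # a workflow expression


def audit_workflow(text):
    # Returns (line, rule, detail) tuples; expressions in env: values are not flagged.
    findings = []
    run_indent = None  # column of the run: key while inside its block scalar
    for lineno, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if run_indent is not None and (not line.strip() or indent > run_indent):
            m = EXPR_RE.search(line)  # still inside the script body
            if m:
                findings.append((lineno, "expression-in-run", m.group(0)))
            continue
        run_indent = None  # left the block scalar
        m = RUN_RE.match(line)
        if m:
            if m.group(2).startswith(("|", ">")):
                run_indent = len(m.group(1))
            elif (e := EXPR_RE.search(m.group(2))):  # single-line run: value
                findings.append((lineno, "expression-in-run", e.group(0)))
            continue
        m = USES_RE.match(line)
        if m and not SHA_RE.search(m.group(1)):
            findings.append((lineno, "unpinned-action", m.group(1)))
    return findings
```

The SHA-pinned download-artifact step and the expression placed under env: produce no findings; the v4 tag and the expression inside the script body do.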
Copilot AI review requested due to automatic review settings January 25, 2026 20:45

Pull request overview

Copilot reviewed 6 out of 7 changed files in this pull request and generated no new comments.

Comments suppressed due to low confidence (2)

action.yml:55

  • This step uses actions/download-artifact with github-token: ${{ github.token }}, but the action also requires an explicit GITHUB_TOKEN input and uses that token for the gh api calls. If callers provide a PAT (or a token with different permissions) via the GITHUB_TOKEN input, it won’t be used for the artifact download, which can cause unexpected permission failures. Use the same provided token for both (or clarify via naming/docs if the input token is intended only for gh).
      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      with:
        name: ${{ inputs.ArtifactName }}
        path: ${{ steps.workflow_run_id.outputs.Path }}
        github-token: ${{ github.token }}
        run-id: ${{ steps.workflow_run_id.outputs.RunID }}

.github/workflows/Release.yml:17

  • This workflow changes the trigger from pull_request_target to pull_request (and also adds a paths filter). That’s a significant behavioral/security change and isn’t described in the PR description (which focuses on Dependabot schedule + action pinning). Please confirm this is intentional and update the PR description accordingly; also note that pull_request workflows won’t have write permissions for forked PRs, so the release job may fail in those cases.


@MariusStorhaug MariusStorhaug changed the title 🩹[Patch]: Configure Dependabot for daily schedule with 7-day cooldown 🩹 [Patch]: Standardize workflows with SHA pinning and daily Dependabot Jan 25, 2026
Copilot AI review requested due to automatic review settings January 25, 2026 21:31
@MariusStorhaug MariusStorhaug changed the title 🩹 [Patch]: Standardize workflows with SHA pinning and daily Dependabot 🩹[Patch]: Configure Dependabot and rename Auto-Release to Release-GHRepository Jan 25, 2026

Pull request overview

Copilot reviewed 7 out of 8 changed files in this pull request and generated no new comments.

Comments suppressed due to low confidence (2)

.github/workflows/Release.yml:38

  • PR description says the release workflow was updated to pin PSModule/Auto-Release@..., but the workflow now uses PSModule/Release-GHRepository@.... Either update the PR description or switch the workflow back so the documentation matches the actual action being used.

action.yml:54

  • The action requires a GITHUB_TOKEN input and uses it for the gh api calls, but the artifact download step uses ${{ github.token }} instead of ${{ inputs.GITHUB_TOKEN }}. This can fail in scenarios where callers pass a PAT/custom token because the default github.token may not have the needed access. Use the provided input token consistently for the actions/download-artifact github-token as well.
      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      with:
        name: ${{ inputs.ArtifactName }}
        path: ${{ steps.workflow_run_id.outputs.Path }}
        github-token: ${{ github.token }}
        run-id: ${{ steps.workflow_run_id.outputs.RunID }}


@MariusStorhaug MariusStorhaug changed the title 🩹[Patch]: Configure Dependabot and rename Auto-Release to Release-GHRepository 🩹[Patch]: Workflow improvements Jan 26, 2026
@MariusStorhaug MariusStorhaug merged commit 239283a into main Jan 26, 2026
19 checks passed
@MariusStorhaug MariusStorhaug deleted the dependabot-daily-cooldown branch January 26, 2026 22:03