4 changes: 3 additions & 1 deletion .github/dependabot.yml
Expand Up @@ -11,4 +11,6 @@ updates:
- dependencies
- github-actions
schedule:
interval: weekly
interval: daily
cooldown:
default-days: 7
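Review bot: the `cooldown: default-days: 7` added in this hunk means a newly published release of any pinned action is not proposed until it is a week old, and since the workflows in this PR are pinned to commit SHAs, Dependabot is the only route by which a fixed release reaches them; confirm that Dependabot security updates are not held back by this setting, or shorten the cooldown for this update block. Changing `interval` from `weekly` to `daily` only changes how often the check runs, not how old a release must be before it is offered.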
10 changes: 7 additions & 3 deletions .github/workflows/Action-Test.yml
Expand Up @@ -23,10 +23,12 @@ jobs:
steps:
# Need to check out as part of the test, as its a local action
- name: Checkout repo
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Upload Artifact
uses: actions/upload-artifact@v5
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
with:
name: Docs
path: README.md
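Review bot: `actions/upload-artifact` moves from `@v5` to a SHA commented `# v6.0.0`, so this hunk bundles a major-version upgrade with the pin; the `# v6.0.0` comment is not checked by the runner, so verify the SHA against the tag (`git ls-remote --tags https://github.com/actions/upload-artifact v6.0.0`, taking the peeled `^{}` entry if the tag is annotated) and read the v6 release notes for behaviour changes before merging. Adding `persist-credentials: false` to the checkout is the right default here, as the upload step that follows does not need the token.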
Expand All @@ -38,7 +40,9 @@ jobs:
steps:
# Need to check out as part of the test, as its a local action
- name: Checkout repo
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Action-Test
uses: ./
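Review bot: with `persist-credentials: false` on the checkout, the local action under test (`uses: ./`) cannot rely on a token left behind in `.git/config`, and the README in this PR lists `GITHUB_TOKEN` as a required input; confirm that the `with:` block below the fold passes `GITHUB_TOKEN: ${{ github.token }}` explicitly, otherwise the API calls made by `src/main.ps1` will fail with an unauthenticated request.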
6 changes: 4 additions & 2 deletions .github/workflows/Linter.yml
Expand Up @@ -19,14 +19,16 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
persist-credentials: false

- name: Lint code base
uses: super-linter/super-linter@latest
uses: super-linter/super-linter@d5b0a2ab116623730dd094f15ddc1b6b25bf7b99 # v8.3.2
env:
GITHUB_TOKEN: ${{ github.token }}
VALIDATE_BIOME_FORMAT: false
VALIDATE_JSON_PRETTIER: false
VALIDATE_MARKDOWN_PRETTIER: false
VALIDATE_YAML_PRETTIER: false
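Review bot: replacing `super-linter/super-linter@latest` with a commit SHA is the important change in this hunk, since `latest` is a moving tag that can be repointed at any time. super-linter runs as a Docker container action, so the commit pin only fixes which image reference its own `action.yml` names; check whether that reference is an image tag or a digest before treating the linter as fully pinned. `fetch-depth: 0` fetches full history for this job only, which the linter needs to work out changed files, so that is fine here.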
@@ -1,9 +1,9 @@
name: Auto-Release
name: Release

run-name: "Auto-Release - [${{ github.event.pull_request.title }} #${{ github.event.pull_request.number }}] by @${{ github.actor }}"
run-name: "Release - [${{ github.event.pull_request.title }} #${{ github.event.pull_request.number }}] by @${{ github.actor }}"

on:
pull_request_target:
pull_request:
branches:
- main
types:
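Review bot: switching the trigger from `pull_request_target` to `pull_request` is the right direction: `pull_request_target` runs the base branch's workflow with a write-capable `github.token` and access to repository secrets on events raised by the PR author, which is the classic privileged-context footgun, while `pull_request` gives fork PRs a read-only token. The cost is that for fork PRs the `pull-requests: write` permission and the release step's `GITHUB_TOKEN` later in this file are read-only, so commenting and releasing will fail on those PRs; confirm this workflow is only expected to act on branches pushed to this repository.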
Expand All @@ -12,6 +12,9 @@ on:
- reopened
- synchronize
- labeled
paths:
- 'action.yml'
- 'src/**'

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
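Review bot: the new `paths:` filter (`action.yml`, `src/**`) means a PR that only touches `README.md` or `.github/**`, like this one, no longer runs the Release workflow at all. That is reasonable for an action whose behaviour lives in `action.yml` and `src/`, but note the interaction with the `labeled` trigger type: adding a release label to a docs-only PR will not produce a run, and if this workflow is listed as a required status check, a filtered-out run leaves that check pending rather than passing.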
Expand All @@ -22,13 +25,15 @@ permissions:
pull-requests: write # Required to create comments on the PRs

jobs:
Auto-Release:
Release:
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Auto-Release
uses: PSModule/Auto-Release@v1
- name: Release
uses: PSModule/Auto-Release@eabd533035e2cb9822160f26f2eda584bd012356 # v1.9.5
env:
GITHUB_TOKEN: ${{ github.token }}
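Review bot: the job is renamed from `Auto-Release` to `Release`; if branch protection or a ruleset on `main` lists `Auto-Release` as a required status check, update it or merges will block after this lands. The `PSModule/Auto-Release` step is now pinned to a SHA with a `# v1.9.5` comment, which Dependabot keeps in sync given the config in this PR, but as with the other pins the comment is not verified by the runner, so check the SHA against the tag once.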
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -11,7 +11,7 @@ As an example, terraform plans can be uploaded as artifacts in a PR CI workflow
| - | - | - | - |
| `Path` | The path to the artifact to download. | No | |
| `WorkflowID` | The filename or ID of the workflow to download the artifact from. You must provide either `WorkflowID` or `WorkflowRunID`. | No | '' |
| `WorkflowRunID` | The ID of the workflow run where the artifact will be download from. You must provide either `WorkflowID` or `WorkflowRunID`. | No | '' |
| `WorkflowRunID` | The ID of the workflow run where the artifact will be downloaded from. You must provide either `WorkflowID` or `WorkflowRunID`. | No | '' |
| `ArtifactName` | Name of the artifact to download. If unspecified, all artifacts for the run are downloaded. | Yes | |
| `GITHUB_TOKEN` | The GitHub token used to authenticate with the GitHub API. | Yes | |
| `WorkingDirectory` | The working directory where the artifact will be downloaded to. Default is the root of the repository. | No | `${{ github.workspace }}` |
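Review bot: the `ArtifactName` row is inconsistent: its description says "If unspecified, all artifacts for the run are downloaded" while the Required column says `Yes`. Either make it optional (the `actions/download-artifact` step in `action.yml` receives it as `name:`, and an empty name downloads every artifact of the run) or drop the "if unspecified" sentence. `GITHUB_TOKEN` is likewise listed as required with no default; the workflows in this PR pass `${{ github.token }}`, so it would help to say that in the table.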
6 changes: 3 additions & 3 deletions action.yml
Expand Up @@ -15,7 +15,7 @@
default: ''
WorkflowRunID:
description: |
The ID of the workflow run where the artifact will be download from.
The ID of the workflow run where the artifact will be downloaded from.
You must provide either `WorkflowID` or `WorkflowRunID`.
required: false
default: ''
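Review bot: both `WorkflowID` and `WorkflowRunID` are `required: false` with default `''`, so the "you must provide either" rule in this description cannot be enforced by `action.yml` itself; make sure `src/main.ps1` fails fast with a clear message when both are empty, and document which one wins when both are set.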
Expand Down Expand Up @@ -43,10 +43,10 @@
PSMODULE_DOWNLOAD_CIARTIFACT_INPUT_WorkflowRunID: ${{ inputs.WorkflowRunID }}
run: |
# Download-CIArtifact
${{ github.action_path }}/scripts/main.ps1
${{ github.action_path }}/src/main.ps1

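Review bot: on the CodeQL finding for `${{ github.action_path }}/src/main.ps1`: `github.action_path` is set by the runner to the directory the action was checked out into, not from PR-author-controlled data, so this is hygiene rather than an exploitable injection. It is still worth taking the suggested fix, because the value is expanded into the script text before the shell sees it, and a checkout path containing spaces would break the bare invocation anyway. The inputs are already passed through `env:` (`PSMODULE_DOWNLOAD_CIARTIFACT_INPUT_*`), which is the right pattern; apply the same to the action path. Also confirm `src/main.ps1` exists after the rename listed at the bottom of this PR, since the old `scripts/` path is dropped here.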
Check warning (Code scanning / CodeQL): Code injection, Medium. Potential code injection in `${{ github.action_path }}`, which may be controlled by an external user.

Copilot Autofix (AI, 3 months ago):

In general, to fix this class of problem in GitHub Actions, you should avoid using ${{ ... }} expressions directly inside run: script content. Instead, assign the expression to an environment variable in the env: section, then reference that variable using the shell’s own syntax ($VAR for PowerShell/Bash, %VAR% for CMD, etc.). This prevents the workflow expression language from being mixed into executable script content.

For this specific action, we can add an environment variable, for example PSMODULE_DOWNLOAD_CIARTIFACT_ACTION_PATH, set to ${{ github.action_path }} in the env: block of the step, and then change the run: body to use $env:PSMODULE_DOWNLOAD_CIARTIFACT_ACTION_PATH concatenated with '/src/main.ps1'. In PowerShell, paths should be quoted and joined safely; using Join-Path avoids any odd characters in the path being interpreted as part of a command. Concretely, in action.yml within the “Get Workflow Run ID” step, we will: (1) add an env: entry PSMODULE_DOWNLOAD_CIARTIFACT_ACTION_PATH: ${{ github.action_path }}, and (2) replace the current run: line $${{ github.action_path }}/src/main.ps1 with a small PowerShell snippet such as & (Join-Path $env:PSMODULE_DOWNLOAD_CIARTIFACT_ACTION_PATH 'src/main.ps1'). This preserves behavior (invoking the same script) while removing the direct use of ${{ github.action_path }} in the script body.

Suggested changeset 1: action.yml

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/action.yml b/action.yml
--- a/action.yml
+++ b/action.yml
@@ -41,9 +41,10 @@
         PSMODULE_DOWNLOAD_CIARTIFACT_INPUT_Path: ${{ inputs.Path }}
         PSMODULE_DOWNLOAD_CIARTIFACT_INPUT_WorkflowID: ${{ inputs.WorkflowID }}
         PSMODULE_DOWNLOAD_CIARTIFACT_INPUT_WorkflowRunID: ${{ inputs.WorkflowRunID }}
+        PSMODULE_DOWNLOAD_CIARTIFACT_ACTION_PATH: ${{ github.action_path }}
       run: |
         # Download-CIArtifact
-        ${{ github.action_path }}/src/main.ps1
+        & (Join-Path $env:PSMODULE_DOWNLOAD_CIARTIFACT_ACTION_PATH 'src/main.ps1')
 
     - name: Download Artifact
       uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
EOF
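Review bot: `& (Join-Path $env:PSMODULE_DOWNLOAD_CIARTIFACT_ACTION_PATH 'src/main.ps1')` is PowerShell syntax, so the step must declare `shell: pwsh` (the step's `shell:` key is outside this hunk); under bash, `$env:...` is not a variable reference and the line would fail. Under pwsh, `Join-Path` plus the call operator `&` handles a checkout path with spaces correctly, which the original bare `${{ github.action_path }}/src/main.ps1` would not.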
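The env-variable pattern described in the autofix above is what the CodeQL rule is steering towards. As an added example (not CodeQL's query and not part of the PSModule action), the following hypothetical Python scanner finds `${{ ... }}` expressions that appear inside `run:` scripts of a workflow or action file and rates those reading contexts an external user can influence (`github.event.*`, `github.head_ref`, `inputs.*`) higher than runner-controlled ones such as `github.action_path`. The YAML it scans is constructed for the demonstration, and treating `steps.*` outputs as tainted is an assumption.

```python
"""Find ${{ ... }} expressions inside `run:` scripts of a GitHub Actions file.

Hypothetical scanner written for this review; it is not CodeQL's query and
not part of the PSModule action. It needs no YAML library: it walks the text
line by line and tracks block-scalar `run: |` regions by indentation.
"""
import re

# A workflow expression; group 1 is the expression body without the braces.
EXPR = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")

# Contexts whose values an external user can influence. github.action_path is
# deliberately absent: the runner sets it to the action's checkout directory.
# Treating every step output as tainted is a conservative assumption.
UNTRUSTED_PREFIXES = (
    "github.event.",
    "github.head_ref",
    "inputs.",
    "steps.",
)

# Block-scalar indicators that start a multi-line run: script.
BLOCK_INDICATORS = {"|", ">", "|-", ">-", "|+", ">+"}

RUN_KEY = re.compile(r"(-\s+)?run:\s*(.*)$")


def severity(expr):
    """'high' when the expression reads a context an external user can shape."""
    return "high" if expr.strip().startswith(UNTRUSTED_PREFIXES) else "low"


def find_run_expressions(text):
    """Return [(line_no, expression, severity), ...] for expressions in run: scripts.

    The runner substitutes ${{ }} into the script text before the shell runs
    it, so every occurrence counts, including ones on comment lines.
    """
    findings = []
    block_indent = None  # indentation of the `run:` key whose block we are in
    for line_no, line in enumerate(text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)

        if block_indent is not None:
            if stripped and indent <= block_indent:
                block_indent = None  # a sibling or parent key ends the block
            else:
                findings.extend(
                    (line_no, m.group(1), severity(m.group(1)))
                    for m in EXPR.finditer(line)
                )
                continue

        m = RUN_KEY.match(stripped)
        if not m:
            continue
        # `- run:` sits two columns before the other keys of the same list item.
        key_indent = indent + 2 if m.group(1) else indent
        value = m.group(2).strip()
        if value in BLOCK_INDICATORS:
            block_indent = key_indent
        else:  # single-line `run: ...`
            findings.extend(
                (line_no, e.group(1), severity(e.group(1)))
                for e in EXPR.finditer(value)
            )
    return findings


# Constructed sample: a step shaped like the one CodeQL flagged, a safe step
# using the env-variable pattern, and a one-line run: reading an input.
SAMPLE = """\
steps:
  - name: Get Workflow Run ID
    env:
      ACTION_PATH: ${{ github.action_path }}
    run: |
      # Download-CIArtifact
      ${{ github.action_path }}/src/main.ps1
      echo "${{ github.event.pull_request.title }}"
  - name: Safe
    run: |
      & (Join-Path $env:ACTION_PATH 'src/main.ps1')
  - name: One-liner
    run: echo ${{ inputs.ArtifactName }}
"""


if __name__ == "__main__":
    for line_no, expr, sev in find_run_expressions(SAMPLE):
        print(f"line {line_no}: {sev:4} ${{{{ {expr} }}}}")
```

Run against the sample, the scanner reports the `github.action_path` use on line 7 as low severity and the `github.event.pull_request.title` and `inputs.ArtifactName` uses on lines 8 and 13 as high; the `env:` entry on line 4 and the `$env:ACTION_PATH` reference in the safe step are not reported, which is the distinction the autofix relies on.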

- name: Download Artifact
uses: actions/download-artifact@v6
uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
with:
name: ${{ inputs.ArtifactName }}
path: ${{ steps.workflow_run_id.outputs.Path }}
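Review bot: this `actions/download-artifact` step is fetching an artifact from a different workflow run (the `path:` comes from the `workflow_run_id` step), which in v4 and later requires `run-id:` and a `github-token:` with read access to that run; neither appears in this `with:` block, so confirm they are set below the fold. Also `name: ${{ inputs.ArtifactName }}` with an empty input downloads every artifact of the run, which matches the README but means they all land under the same `path`, so the README should say how they are laid out.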
File renamed without changes.