🩹[Patch]: Workflow improvements (#55)

This pull request introduces several significant improvements to the
GitHub Actions workflows, action implementation, and supporting test
infrastructure. The most important changes include a complete overhaul
of the release automation, enhancements to the action's prescript
functionality, updates to workflow dependencies for improved security
and reproducibility, and expanded test scripts for better validation and
maintainability.

**Workflow and Release Automation Updates:**

* Replaces `.github/workflows/Auto-Release.yml` and
`.github/release.yml` with a new `.github/workflows/Release.yml`
workflow that is more targeted, triggers only on relevant changes, and
uses a pinned version of the `PSModule/Release-GHRepository` action for
deterministic releases.

* Changes Dependabot update schedule from weekly to daily and introduces
a cooldown period, improving dependency management responsiveness.

**Action Implementation and Security:**

* Refactors the action's execution logic to move prescript execution
into a dedicated `src/prescript.ps1` script, which safely handles both
inline scripts and file paths. Updates references in `action.yml` to use
this new script and pins all GitHub Actions to specific commit SHAs for
security and reproducibility.

**Linter and Workflow Improvements:**

* Updates linter workflow to use pinned versions of `actions/checkout`
and `super-linter/super-linter`, disables certain validations for
performance, and removes the `.github/linters/.jscpd.json` configuration
file as duplicate code checks are now disabled.

* Adds an exclusion for the `PSAvoidUsingWriteHost` rule in PowerShell
Script Analyzer configuration, reflecting intentional usage for GitHub
Actions output.

**Documentation and Test Infrastructure:**

* Enhances the `README.md` documentation for action inputs and outputs,
improving formatting and clarity for users.

* Adds new PowerShell test scripts (`tests/Prescript.ps1`,
`tests/Show-Status.ps1`, `tests/Test-ActionResults.ps1`) to validate
prescript execution, action status reporting, and aggregate test results
with summary reporting. Updates test configuration to explicitly set
code coverage paths.

---

**Detailed list of most important changes:**

**1. Workflow and Release Automation**
- Replaces legacy auto-release workflows with a new, more secure and
targeted `Release.yml` workflow, using pinned action versions and
triggering only on relevant file changes.
- Dependabot now checks for updates daily with a 7-day cooldown,
improving dependency freshness.

**2. Action Implementation and Security**
- Moves prescript execution to a new `src/prescript.ps1` script that
safely handles both inline and file-based scripts, and updates
`action.yml` to use this script.
- Pins all third-party GitHub Actions in workflows and action
implementation to specific commit SHAs for enhanced security and
reproducibility.

**3. Linter and Workflow Improvements**
- Updates linter workflow to use pinned versions and disables duplicate
code checks and certain validations for performance; removes
`.jscpd.json` as it is no longer needed.
- Excludes `PSAvoidUsingWriteHost` in PowerShell linting to accommodate
intentional usage in GitHub Actions.

**4. Documentation and Test Infrastructure**
- Improves documentation for action inputs and outputs in `README.md`,
providing clearer descriptions and formatting.
- Adds new test scripts for prescript validation, action status display,
and aggregate action results, and updates test configuration for code
coverage.

Author: MariusStorhaug

.github/dependabot.yml

@@ -11,4 +11,6 @@ updates:
       - dependencies
       - github-actions
     schedule:
-      interval: weekly
+      interval: daily
+    cooldown:
+      default-days: 7

.github/linters/.jscpd.json

@@ -50,6 +50,7 @@
         }
     }
     ExcludeRules = @(
+        'PSAvoidUsingWriteHost',        # Write-Host is intentionally used for GitHub Actions workflow commands and test output.
         'PSMissingModuleManifestField', # This rule is not applicable until the module is built.
         'PSUseToExportFieldsInManifest'
     )

.github/linters/.powershell-psscriptanalyzer.psd1

@@ -19,14 +19,17 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Lint code base
-        uses: super-linter/super-linter@latest
+        uses: super-linter/super-linter@d5b0a2ab116623730dd094f15ddc1b6b25bf7b99 # v8.3.2
         env:
           GITHUB_TOKEN: ${{ github.token }}
+          VALIDATE_BIOME_FORMAT: false
+          VALIDATE_JSCPD: false
           VALIDATE_JSON_PRETTIER: false
           VALIDATE_MARKDOWN_PRETTIER: false
           VALIDATE_YAML_PRETTIER: false

.github/release.yml

@@ -0,0 +1,37 @@
+name: Release
+
+run-name: "Release - [${{ github.event.pull_request.title }} #${{ github.event.pull_request.number }}] by @${{ github.actor }}"
+
+on:
+  pull_request:
+    branches:
+      - main
+    types:
+      - closed
+      - opened
+      - reopened
+      - synchronize
+      - labeled
+    paths:
+      - 'action.yml'
+      - 'src/**'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: write # Required to create releases
+  pull-requests: write # Required to create comments on the PRs
+
+jobs:
+  Release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Release
+        uses: PSModule/Release-GHRepository@88c70461c8f16cc09682005bcf3b7fca4dd8dc1a # v2.0.1

.github/workflows/Action-Test.yml

@@ -285,7 +285,7 @@ runs:
   using: composite
   steps:
     - name: Invoke-Pester (init)
-      uses: PSModule/GitHub-Script@v1
+      uses: PSModule/GitHub-Script@0097f3bbe3f413f3b577b9bcc600727b0ca3201a # v1.7.10
       env:
         PSMODULE_INVOKE_PESTER_INPUT_Path: ${{ inputs.Path }}
         PSMODULE_INVOKE_PESTER_INPUT_Run_Path: ${{ inputs.Run_Path }}
@@ -341,7 +341,7 @@ runs:
         Name: Invoke-Pester
         Script: |
           # Invoke-Pester (init)
-          ${{ github.action_path }}/scripts/init.ps1
+          ${{ github.action_path }}/src/init.ps1
 
     - name: Invoke-Pester (exec)
       shell: pwsh
@@ -355,14 +355,15 @@ runs:
         PSMODULE_INVOKE_PESTER_INPUT_StepSummary_ShowConfiguration: ${{ inputs.StepSummary_ShowConfiguration }}
         PSMODULE_INVOKE_PESTER_INPUT_Debug: ${{ inputs.Debug }}
         PSMODULE_INVOKE_PESTER_INPUT_Verbose: ${{ inputs.Verbose }}
+        PSMODULE_INVOKE_PESTER_INPUT_Prescript: ${{ inputs.Prescript }}
       id: test
       run: |
         # Invoke-Pester (exec)
-        ${{ inputs.Prescript }}
-        ${{ github.action_path }}/scripts/exec.ps1
+        ${{ github.action_path }}/src/prescript.ps1
+        ${{ github.action_path }}/src/exec.ps1
 
     - name: Upload test results - [${{ steps.test.outputs.TestSuiteName }}-TestResults]
-      uses: actions/upload-artifact@v5
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
       if: ${{ steps.test.outputs.TestResultEnabled == 'true' && (success() || failure()) }}
       with:
         name: ${{ steps.test.outputs.TestSuiteName }}-TestResults
@@ -371,7 +372,7 @@ runs:
         if-no-files-found: error
 
     - name: Upload code coverage report - [${{ steps.test.outputs.TestSuiteName }}-CodeCoverage]
-      uses: actions/upload-artifact@v5
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
       if: ${{ steps.test.outputs.CodeCoverageEnabled == 'true' && (success() || failure()) }}
       with:
         name: ${{ steps.test.outputs.TestSuiteName }}-CodeCoverage
@@ -398,4 +399,4 @@ runs:
         PSMODULE_INVOKE_PESTER_INTERNAL_TotalCount: ${{ steps.test.outputs.TotalCount }}
       run: |
         # Status
-        ${{ github.action_path }}/scripts/status.ps1
+        ${{ github.action_path }}/src/status.ps1