From e8642baa7c865b371d119077d432af8385cbbc05 Mon Sep 17 00:00:00 2001 From: Emmeline Hoops <108825895+chaosdinosaur@users.noreply.github.com> Date: Thu, 12 Feb 2026 23:54:10 +0000 Subject: [PATCH 1/4] refactor(scripts): replace inline CI pattern with CIHelpers and add test cleanup MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Replace inline $env:GITHUB_ACTIONS check and ::error:: output with Write-CIAnnotation in Test-ActionVersionConsistency.ps1 - Standardize entry point guard to $script:SkipMain pattern - Add CIHelpers module cleanup in AfterAll for Generate-PrReference and Get-VerifiedDownload test files 🔧 - Generated by Copilot --- .../Test-ActionVersionConsistency.ps1 | 93 +++++++------------ .../dev-tools/Generate-PrReference.Tests.ps1 | 5 + .../tests/lib/Get-VerifiedDownload.Tests.ps1 | 1 - 3 files changed, 41 insertions(+), 58 deletions(-) diff --git a/scripts/security/Test-ActionVersionConsistency.ps1 b/scripts/security/Test-ActionVersionConsistency.ps1 index bc577b99..91c13871 100644 --- a/scripts/security/Test-ActionVersionConsistency.ps1 +++ b/scripts/security/Test-ActionVersionConsistency.ps1 @@ -75,6 +75,9 @@ $ErrorActionPreference = 'Stop' # Import CIHelpers for workflow command escaping Import-Module (Join-Path $PSScriptRoot '../lib/Modules/CIHelpers.psm1') -Force +# Support dot-sourcing for Pester tests +$script:SkipMain = $env:HVE_SKIP_MAIN -eq '1' + function Write-ConsistencyLog { param( [Parameter(Mandatory = $true)] @@ -354,73 +357,49 @@ function Export-ConsistencyReport { #region Main Execution -function Invoke-ActionVersionConsistencyCheck { - [CmdletBinding()] - [OutputType([void])] - param( - [Parameter(Mandatory = $false)] - [string]$Path = '.github/workflows', - - [Parameter(Mandatory = $false)] - [ValidateSet('Table', 'Json', 'Sarif')] - [string]$Format = 'Table', - - [Parameter(Mandatory = $false)] - [string]$OutputPath, - - [Parameter(Mandatory = $false)] - [switch]$FailOnMismatch, +try { + if (-not $script:SkipMain) { + Write-ConsistencyLog 'Starting GitHub Actions version consistency analysis...' -Level Info + Write-ConsistencyLog "Scanning path: $Path" -Level Info - [Parameter(Mandatory = $false)] - [switch]$FailOnMissingComment - ) + # Scan for violations + $result = Get-ActionVersionViolations -WorkflowPath $Path - Write-ConsistencyLog 'Starting GitHub Actions version consistency analysis...' -Level Info - Write-ConsistencyLog "Scanning path: $Path" -Level Info + $violations = $result.Violations + $mismatchCount = @($violations | Where-Object { $_.ViolationType -eq 'VersionMismatch' }).Count + $missingCount = @($violations | Where-Object { $_.ViolationType -eq 'MissingVersionComment' }).Count - $result = Get-ActionVersionViolations -WorkflowPath $Path + Write-ConsistencyLog "Scanned $($result.TotalActions) SHA-pinned actions" -Level Info + Write-ConsistencyLog "Found $mismatchCount version mismatches" -Level $(if ($mismatchCount -gt 0) { 'Warning' } else { 'Info' }) + Write-ConsistencyLog "Found $missingCount missing version comments" -Level $(if ($missingCount -gt 0) { 'Warning' } else { 'Info' }) - $violations = $result.Violations - $mismatchCount = @($violations | Where-Object { $_.ViolationType -eq 'VersionMismatch' }).Count - $missingCount = @($violations | Where-Object { $_.ViolationType -eq 'MissingVersionComment' }).Count + # Export report + Export-ConsistencyReport -Violations $violations -Format $Format -OutputPath $OutputPath -TotalActions $result.TotalActions - Write-ConsistencyLog "Scanned $($result.TotalActions) SHA-pinned actions" -Level Info - Write-ConsistencyLog "Found $mismatchCount version mismatches" -Level $(if ($mismatchCount -gt 0) { 'Warning' } else { 'Info' }) - Write-ConsistencyLog "Found $missingCount missing version comments" -Level $(if ($missingCount -gt 0) { 'Warning' } else { 'Info' }) + # Determine exit code + $exitCode = 0 - Export-ConsistencyReport -Violations $violations -Format $Format -OutputPath $OutputPath -TotalActions $result.TotalActions - - $failed = $false - - if ($FailOnMismatch -and $mismatchCount -gt 0) { - Write-ConsistencyLog "Failing due to $mismatchCount version mismatch(es) (-FailOnMismatch enabled)" -Level Error - $failed = $true - } + if ($FailOnMismatch -and $mismatchCount -gt 0) { + Write-ConsistencyLog "Failing due to $mismatchCount version mismatch(es) (-FailOnMismatch enabled)" -Level Error + $exitCode = 1 + } - if ($FailOnMissingComment -and $missingCount -gt 0) { - Write-ConsistencyLog "Failing due to $missingCount missing version comment(s) (-FailOnMissingComment enabled)" -Level Error - $failed = $true - } + if ($FailOnMissingComment -and $missingCount -gt 0) { + Write-ConsistencyLog "Failing due to $missingCount missing version comment(s) (-FailOnMissingComment enabled)" -Level Error + $exitCode = 1 + } - if ($failed) { - throw 'Version consistency violations detected' - } + if ($exitCode -eq 0 -and $violations.Count -eq 0) { + Write-ConsistencyLog 'All SHA-pinned actions have consistent version comments!' -Level Success + } - if ($violations.Count -eq 0) { - Write-ConsistencyLog 'All SHA-pinned actions have consistent version comments!' -Level Success + exit $exitCode } } - -if ($MyInvocation.InvocationName -ne '.') { - try { - Invoke-ActionVersionConsistencyCheck -Path $Path -Format $Format -OutputPath $OutputPath -FailOnMismatch:$FailOnMismatch -FailOnMissingComment:$FailOnMissingComment - exit 0 - } - catch { - Write-Error -ErrorAction Continue "Test-ActionVersionConsistency failed: $($_.Exception.Message)" - Write-CIAnnotation -Message $_.Exception.Message -Level Error - exit 1 - } +catch { + Write-ConsistencyLog "Version consistency analysis failed: $($_.Exception.Message)" -Level Error + Write-CIAnnotation -Message $_.Exception.Message -Level Error + exit 1 } -#endregion Main Execution +#endregion diff --git a/scripts/tests/dev-tools/Generate-PrReference.Tests.ps1 b/scripts/tests/dev-tools/Generate-PrReference.Tests.ps1 index 2488bbf9..cb353777 100644 --- a/scripts/tests/dev-tools/Generate-PrReference.Tests.ps1 +++ b/scripts/tests/dev-tools/Generate-PrReference.Tests.ps1 @@ -4,6 +4,11 @@ BeforeAll { . $PSScriptRoot/../../dev-tools/Generate-PrReference.ps1 + +} + +AfterAll { + Remove-Module CIHelpers -Force -ErrorAction SilentlyContinue } Describe 'Test-GitAvailability' { diff --git a/scripts/tests/lib/Get-VerifiedDownload.Tests.ps1 b/scripts/tests/lib/Get-VerifiedDownload.Tests.ps1 index 3767c4cc..f8337351 100644 --- a/scripts/tests/lib/Get-VerifiedDownload.Tests.ps1 +++ b/scripts/tests/lib/Get-VerifiedDownload.Tests.ps1 @@ -5,7 +5,6 @@ BeforeAll { . $PSScriptRoot/../../lib/Get-VerifiedDownload.ps1 } - Describe 'Get-FileHashValue' { It 'Returns uppercase hash string for valid file' { $tempFile = New-TemporaryFile From 1a177b4849bf46c3c0be147b581d80e62da8cdea Mon Sep 17 00:00:00 2001 From: Bill Berry Date: Thu, 12 Feb 2026 18:13:32 -0800 Subject: [PATCH 2/4] refactor(scripts): replace SkipMain with standard dot-source guard pattern MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - extract Invoke-ActionVersionConsistency function with full param block - replace HVE_SKIP_MAIN env var with MyInvocation.InvocationName guard - add Remove-Module CIHelpers cleanup to test AfterAll block 🔧 - Generated by Copilot --- .../Test-ActionVersionConsistency.ps1 | 99 ++++++++++++------- .../Test-ActionVersionConsistency.Tests.ps1 | 1 + 2 files changed, 62 insertions(+), 38 deletions(-) diff --git a/scripts/security/Test-ActionVersionConsistency.ps1 b/scripts/security/Test-ActionVersionConsistency.ps1 index 91c13871..599db445 100644 --- a/scripts/security/Test-ActionVersionConsistency.ps1 +++ b/scripts/security/Test-ActionVersionConsistency.ps1 @@ -75,9 +75,6 @@ $ErrorActionPreference = 'Stop' # Import CIHelpers for workflow command escaping Import-Module (Join-Path $PSScriptRoot '../lib/Modules/CIHelpers.psm1') -Force -# Support dot-sourcing for Pester tests -$script:SkipMain = $env:HVE_SKIP_MAIN -eq '1' - function Write-ConsistencyLog { param( [Parameter(Mandatory = $true)] @@ -355,51 +352,77 @@ function Export-ConsistencyReport { } } -#region Main Execution +function Invoke-ActionVersionConsistency { + <# + .SYNOPSIS + Orchestrates the version consistency analysis. + #> + [CmdletBinding()] + param( + [Parameter(Mandatory = $false)] + [string]$Path = '.github/workflows', -try { - if (-not $script:SkipMain) { - Write-ConsistencyLog 'Starting GitHub Actions version consistency analysis...' -Level Info - Write-ConsistencyLog "Scanning path: $Path" -Level Info + [Parameter(Mandatory = $false)] + [ValidateSet('Table', 'Json', 'Sarif')] + [string]$Format = 'Table', - # Scan for violations - $result = Get-ActionVersionViolations -WorkflowPath $Path + [Parameter(Mandatory = $false)] + [string]$OutputPath, - $violations = $result.Violations - $mismatchCount = @($violations | Where-Object { $_.ViolationType -eq 'VersionMismatch' }).Count - $missingCount = @($violations | Where-Object { $_.ViolationType -eq 'MissingVersionComment' }).Count + [Parameter(Mandatory = $false)] + [switch]$FailOnMismatch, - Write-ConsistencyLog "Scanned $($result.TotalActions) SHA-pinned actions" -Level Info - Write-ConsistencyLog "Found $mismatchCount version mismatches" -Level $(if ($mismatchCount -gt 0) { 'Warning' } else { 'Info' }) - Write-ConsistencyLog "Found $missingCount missing version comments" -Level $(if ($missingCount -gt 0) { 'Warning' } else { 'Info' }) + [Parameter(Mandatory = $false)] + [switch]$FailOnMissingComment + ) - # Export report - Export-ConsistencyReport -Violations $violations -Format $Format -OutputPath $OutputPath -TotalActions $result.TotalActions + Write-ConsistencyLog 'Starting GitHub Actions version consistency analysis...' -Level Info + Write-ConsistencyLog "Scanning path: $Path" -Level Info - # Determine exit code - $exitCode = 0 + # Scan for violations + $result = Get-ActionVersionViolations -WorkflowPath $Path - if ($FailOnMismatch -and $mismatchCount -gt 0) { - Write-ConsistencyLog "Failing due to $mismatchCount version mismatch(es) (-FailOnMismatch enabled)" -Level Error - $exitCode = 1 - } + $violations = $result.Violations + $mismatchCount = @($violations | Where-Object { $_.ViolationType -eq 'VersionMismatch' }).Count + $missingCount = @($violations | Where-Object { $_.ViolationType -eq 'MissingVersionComment' }).Count - if ($FailOnMissingComment -and $missingCount -gt 0) { - Write-ConsistencyLog "Failing due to $missingCount missing version comment(s) (-FailOnMissingComment enabled)" -Level Error - $exitCode = 1 - } + Write-ConsistencyLog "Scanned $($result.TotalActions) SHA-pinned actions" -Level Info + Write-ConsistencyLog "Found $mismatchCount version mismatches" -Level $(if ($mismatchCount -gt 0) { 'Warning' } else { 'Info' }) + Write-ConsistencyLog "Found $missingCount missing version comments" -Level $(if ($missingCount -gt 0) { 'Warning' } else { 'Info' }) - if ($exitCode -eq 0 -and $violations.Count -eq 0) { - Write-ConsistencyLog 'All SHA-pinned actions have consistent version comments!' -Level Success - } + # Export report + Export-ConsistencyReport -Violations $violations -Format $Format -OutputPath $OutputPath -TotalActions $result.TotalActions - exit $exitCode + # Determine exit code + $exitCode = 0 + + if ($FailOnMismatch -and $mismatchCount -gt 0) { + Write-ConsistencyLog "Failing due to $mismatchCount version mismatch(es) (-FailOnMismatch enabled)" -Level Error + $exitCode = 1 } -} -catch { - Write-ConsistencyLog "Version consistency analysis failed: $($_.Exception.Message)" -Level Error - Write-CIAnnotation -Message $_.Exception.Message -Level Error - exit 1 + + if ($FailOnMissingComment -and $missingCount -gt 0) { + Write-ConsistencyLog "Failing due to $missingCount missing version comment(s) (-FailOnMissingComment enabled)" -Level Error + $exitCode = 1 + } + + if ($exitCode -eq 0 -and $violations.Count -eq 0) { + Write-ConsistencyLog 'All SHA-pinned actions have consistent version comments!' -Level Success + } + + return $exitCode } -#endregion +#region Main Execution +if ($MyInvocation.InvocationName -ne '.') { + try { + $exitCode = Invoke-ActionVersionConsistency @PSBoundParameters + exit $exitCode + } + catch { + Write-Error -ErrorAction Continue "Test-ActionVersionConsistency failed: $($_.Exception.Message)" + Write-CIAnnotation -Message $_.Exception.Message -Level Error + exit 1 + } +} +#endregion Main Execution diff --git a/scripts/tests/security/Test-ActionVersionConsistency.Tests.ps1 b/scripts/tests/security/Test-ActionVersionConsistency.Tests.ps1 index b9fd640c..e6eb1ec4 100644 --- a/scripts/tests/security/Test-ActionVersionConsistency.Tests.ps1 +++ b/scripts/tests/security/Test-ActionVersionConsistency.Tests.ps1 @@ -27,6 +27,7 @@ BeforeAll { AfterAll { Restore-CIEnvironment + Remove-Module CIHelpers -Force -ErrorAction SilentlyContinue } Describe 'Write-ConsistencyLog' -Tag 'Unit' { From 895d9fbe856df84d5f7b5a69b5c530bfe06ca5b7 Mon Sep 17 00:00:00 2001 From: Bill Berry Date: Thu, 12 Feb 2026 18:32:35 -0800 Subject: [PATCH 3/4] fix(scripts): prevent pipeline pollution from Export-ConsistencyReport MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - pipe Export-ConsistencyReport to Out-Host inside Invoke-ActionVersionConsistency - prevents Write-Output json from contaminating function return value 🐛 - Generated by Copilot --- scripts/security/Test-ActionVersionConsistency.ps1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/security/Test-ActionVersionConsistency.ps1 b/scripts/security/Test-ActionVersionConsistency.ps1 index 599db445..93f627f3 100644 --- a/scripts/security/Test-ActionVersionConsistency.ps1 +++ b/scripts/security/Test-ActionVersionConsistency.ps1 @@ -390,8 +390,8 @@ function Invoke-ActionVersionConsistency { Write-ConsistencyLog "Found $mismatchCount version mismatches" -Level $(if ($mismatchCount -gt 0) { 'Warning' } else { 'Info' }) Write-ConsistencyLog "Found $missingCount missing version comments" -Level $(if ($missingCount -gt 0) { 'Warning' } else { 'Info' }) - # Export report - Export-ConsistencyReport -Violations $violations -Format $Format -OutputPath $OutputPath -TotalActions $result.TotalActions + # Export report (pipe to Out-Host to prevent pipeline pollution of return value) + Export-ConsistencyReport -Violations $violations -Format $Format -OutputPath $OutputPath -TotalActions $result.TotalActions | Out-Host # Determine exit code $exitCode = 0 From 8217d2af8806cad446df761e57bbf202a3cc087b Mon Sep 17 00:00:00 2001 From: Bill Berry Date: Thu, 12 Feb 2026 18:46:53 -0800 Subject: [PATCH 4/4] fix(scripts): add OutputType attribute to Invoke-ActionVersionConsistency MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 🔧 - Generated by Copilot --- scripts/security/Test-ActionVersionConsistency.ps1 | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/security/Test-ActionVersionConsistency.ps1 b/scripts/security/Test-ActionVersionConsistency.ps1 index 93f627f3..854c78b7 100644 --- a/scripts/security/Test-ActionVersionConsistency.ps1 +++ b/scripts/security/Test-ActionVersionConsistency.ps1 @@ -357,6 +357,7 @@ function Invoke-ActionVersionConsistency { .SYNOPSIS Orchestrates the version consistency analysis. #> + [OutputType([int])] [CmdletBinding()] param( [Parameter(Mandatory = $false)]