🩹[Patch]: Configure Dependabot and rename Auto-Release to Release-GHRepository #106
Conversation
There was a problem hiding this comment.
Pull request overview
This PR aims to configure Dependabot to check for updates daily while implementing a 7-day cooldown period. However, the PR includes several changes beyond what's described in the title and description.
Changes:
- Modified
.github/dependabot.ymlto use daily scheduling and attempted to add a cooldown configuration - Updated GitHub Actions to pinned versions with commit hashes (actions/checkout, super-linter/super-linter, PSModule/Auto-Release)
- Deleted
.github/release.ymlfile that configures automated release notes
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
.github/dependabot.yml |
Changed schedule from weekly to daily and added cooldown configuration (invalid option) |
.github/workflows/Linter.yml |
Updated actions/checkout to v6.0.2 and super-linter to v8.3.2 with commit hash pinning |
.github/workflows/Auto-Release.yml |
Updated actions/checkout to v6.0.2 and PSModule/Auto-Release to v1.9.5 with commit hash pinning |
.github/workflows/Action-Test-outputs.yml |
Updated actions/checkout to v6.0.2 with commit hash pinning |
.github/workflows/Action-Test-Src-WithManifest.yml |
Updated actions/checkout to v6.0.2 with commit hash pinning |
.github/workflows/Action-Test-Src-Default.yml |
Updated actions/checkout to v6.0.2 with commit hash pinning |
.github/release.yml |
Deleted release notes configuration file (not mentioned in PR description) |
Comments suppressed due to low confidence (1)
.github/release.yml:1
- The deletion of the
.github/release.ymlfile is not mentioned in the PR description, which only references changes to.github/dependabot.yml. This file configures automatically generated release notes for GitHub releases. Its removal will affect how release notes are generated and categorized (breaking changes, new features, etc.). If this deletion is intentional, it should be documented in the PR description. If it's accidental, the file should be restored.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| cooldown: | ||
| default-days: 7 |
There was a problem hiding this comment.
The cooldown configuration option does not exist in GitHub's Dependabot configuration schema. According to GitHub's documentation (as of my knowledge cutoff in January 2025), Dependabot supports options like schedule, open-pull-requests-limit, target-branch, reviewers, assignees, labels, milestone, versioning-strategy, commit-message, rebase-strategy, ignore, allow, insecure-external-code-execution, registries, and groups, but not cooldown. This configuration will likely be ignored or cause Dependabot to fail validation. If you want to delay updates, you should use the schedule option with interval: weekly or use the ignore option with update-types to skip certain updates temporarily.
| cooldown: | |
| default-days: 7 |
| steps: | ||
| - name: Checkout repo | ||
| uses: actions/checkout@v6 | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
There was a problem hiding this comment.
The updates to GitHub Actions (actions/checkout, super-linter/super-linter, PSModule/Auto-Release) are not mentioned in the PR description. The PR description states only changes to the Dependabot configuration schedule and cooldown settings. These action updates appear to be actual dependency updates that should either be in a separate PR or explicitly mentioned in the description if they're part of demonstrating the new Dependabot configuration.
MariusStorhaug
changed the title
MariusStorhaug
changed the title
MariusStorhaug
changed the title
MariusStorhaug
changed the title
- Created a new GitHub Actions workflow (`Release.yml`) to automate the release process on pull request events. - Added a main script (`main.ps1`) to handle module name resolution and test path setup. - Introduced configuration files for module and source code tests. - Implemented test scripts for module and source code, including validation for module imports and manifest checks. - Updated test configuration to enable detailed output and code coverage. - Removed obsolete `SourceCode.Configuration.ps1` file from tests.
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| run: | | ||
| # Get test paths | ||
| ${{ github.action_path }}/scripts/main.ps1 | ||
| ${{ github.action_path }}/src/main.ps1 |
Check warning
Code scanning / CodeQL
Code injection Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 3 hours ago
In general, to fix this class of problem in GitHub Actions, you assign the expression (${{ ... }}) to an environment variable in env: and then reference that variable using the shell’s native syntax inside the run: block. This prevents accidental interpretation of expression output as shell code and aligns with GitHub’s secure usage guidance.
Here, we should define an environment variable (for example ACTION_PATH) set to ${{ github.action_path }} in the Get test paths step, and then change the PowerShell script so it uses $env:ACTION_PATH instead of interpolating ${{ github.action_path }} directly. Concretely, in action.yml around line 276–282, add an ACTION_PATH entry under env: and modify the run: script line from ${{ github.action_path }}/src/main.ps1 to $env:ACTION_PATH/src/main.ps1. No other behavior changes: it still points to the same path; we just route the value through an environment variable and access it with PowerShell syntax.
| @@ -276,9 +276,10 @@ | ||
| env: | ||
| PSMODULE_TEST_PSMODULE_INPUT_Name: ${{ inputs.Name }} | ||
| PSMODULE_TEST_PSMODULE_INPUT_Settings: ${{ inputs.Settings }} | ||
| ACTION_PATH: ${{ github.action_path }} | ||
| run: | | ||
| # Get test paths | ||
| ${{ github.action_path }}/src/main.ps1 | ||
| $env:ACTION_PATH/src/main.ps1 | ||
|
|
||
| - name: Invoke-Pester | ||
| uses: PSModule/Invoke-Pester@882994cbe1ff07c3fc8afdac52404c940f99b331 # v4.2.2 |
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 9 out of 16 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
MariusStorhaug
changed the title
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 10 out of 17 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| run: | | ||
| # Get test paths | ||
| ${{ github.action_path }}/scripts/main.ps1 | ||
| ${{ github.action_path }}/src/main.ps1 | ||
There was a problem hiding this comment.
The PR description focuses on workflow pinning/Dependabot/release config, but this PR also adds a new action entrypoint script (src/main.ps1) and a new Pester test suite/config under src/tests/**. Please update the PR description (or split the PR) so reviewers understand the additional functional changes to the action.
MariusStorhaug
changed the title
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 10 out of 17 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| name: Release | ||
|
|
||
| run-name: "Release - [${{ github.event.pull_request.title }} #${{ github.event.pull_request.number }}] by @${{ github.actor }}" | ||
|
|
||
| on: |
There was a problem hiding this comment.
PR description focuses on Dependabot + renaming the release action, but this PR also adds a new internal test harness under src/ and removes .github/release.yml / .github/linters/.jscpd.json. Please update the PR description to reflect these additional changes (or split them) so reviewers know what's being shipped.
🩹 [Patch]: Rename Auto-Release to Release-GHRepository
This PR updates the workflow to use the renamed release action.
Changed
PSModule/Release-GHRepository@v2instead of the deprecatedPSModule/Auto-Release@v1.9.5Summary
The
PSModule/Auto-Releaseaction has been renamed toPSModule/Release-GHRepository. This change updates the workflow configuration to reference the new action name and version.