Summary
Pin the PowerShell-Yaml module to a specific version (0.4.7) at every install site across workflows, the devcontainer setup, documentation, and error messages. Today most sites call Install-Module -Name PowerShell-Yaml -Force -Scope CurrentUser without -RequiredVersion, which means CI builds and contributor environments silently float to whatever the PowerShell Gallery serves at install time. A breaking upstream release would surface as flaky or red builds with no obvious cause.
Motivation
Surfaced from review feedback on #1287 (RAI Planner alignment update) — comment r3104011635 — where the unpinned install pattern was flagged as a supply-chain and reproducibility risk.
Scope
Pin every existing Install-Module -Name PowerShell-Yaml ... invocation to -RequiredVersion 0.4.7:
.devcontainer/scripts/on-create.sh
.github/workflows/ai-artifact-validation.yml
.github/workflows/copilot-setup-steps.yml
.github/workflows/extension-package.yml (two install sites)
.github/workflows/frontmatter-validation.yml
.github/workflows/msdate-freshness-check.yml
.github/workflows/pester-tests.yml
.github/workflows/plugin-package.yml
.github/workflows/plugin-validation.yml
.github/workflows/release-prerelease-pr.yml
.github/workflows/release-stable.yml
Update guidance and diagnostic strings to use the pinned form:
extension/PACKAGING.md
scripts/collections/README.md
scripts/plugins/README.md
scripts/linting/Invoke-MsDateFreshnessCheck.ps1
scripts/linting/Modules/FrontmatterValidation.psm1
Acceptance criteria
- … Install-Module -Name PowerShell-Yaml invocation in the repository is missing -RequiredVersion.
Follow-ups (out of scope)
- Evaluate automation for keeping this pin current. Renovate already handles the powershell-galleryV2 ecosystem, but Dependabot does not have a PowerShell Gallery datasource. A small validator or Renovate rule could enforce that every Install-Module PowerShell-Yaml site stays pinned.
🔒 - Generated by Copilot
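
One way to build the validator mentioned under Follow-ups, as an added example that is not code from this repository: it reports every line that calls Install-Module for PowerShell-Yaml without -RequiredVersion 0.4.7. The function name `Find-UnpinnedInstall`, its parameters and the sample text are assumptions made for illustration; matching is per line, so an invocation split across lines with a backtick continuation is not covered.

```powershell
# Added example (hypothetical helper, not part of the repository).
# Reports Install-Module lines for the module that lack the expected pin.
function Find-UnpinnedInstall {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Text,
        [string]$Source  = '<inline>',
        [string]$Module  = 'PowerShell-Yaml',
        [string]$Version = '0.4.7'
    )

    # An install of the module anywhere on the line (with or without -Name).
    $installPattern = "\bInstall-Module\b.*\b$([regex]::Escape($Module))\b"
    # The exact pin; the lookahead rejects longer versions such as 0.4.70 or 0.4.7.1.
    $pinPattern = "-RequiredVersion\s+['""]?$([regex]::Escape($Version))(?!\.?\d)"

    $lineNumber = 0
    foreach ($line in ($Text -split '\r?\n')) {
        $lineNumber++
        if ($line -notmatch $installPattern) { continue }   # not an install site
        if ($line -match $pinPattern)        { continue }   # pinned as required
        [pscustomobject]@{
            Source = $Source
            Line   = $lineNumber
            Text   = $line.Trim()
        }
    }
}

# Constructed sample: one unpinned step, one correctly pinned step,
# and one step pinned to a different version than the expected one.
$sample = @'
      - run: Install-Module -Name PowerShell-Yaml -Force -Scope CurrentUser
      - run: Install-Module -Name PowerShell-Yaml -RequiredVersion 0.4.7 -Force -Scope CurrentUser
pwsh -Command "Install-Module -Name PowerShell-Yaml -RequiredVersion 0.4.6 -Force"
'@

$findings = @(Find-UnpinnedInstall -Text $sample -Source 'sample')
foreach ($f in $findings) {
    Write-Host "$($f.Source):$($f.Line): $($f.Text)"
}

# Lines 1 and 3 of the sample are reported; a non-empty result fails the run.
if ($findings.Count -gt 0) {
    throw "$($findings.Count) Install-Module site(s) are not pinned to the expected version."
}
```

To check real files, pass each file's content with `Get-Content -Raw` as `-Text` and its path as `-Source`. Documentation and error strings that show the install command are matched too, which is in line with the scope listed above.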