Context
Follow-up from PR #1379 (SHA staleness validator). The Test-PSModulePins.ps1 checker now flags any Install-Module PSScriptAnalyzer call that lacks a -RequiredVersion pin. Across the repo's GitHub Actions workflows, ~9 install sites currently install PSScriptAnalyzer without a pinned version, which means each run pulls whatever version the gallery serves at that moment rather than the version recorded in the checksum manifest.
Scope
- Audit all .github/workflows/*.yml install sites for PSScriptAnalyzer.
- Add -RequiredVersion 1.25.0 (matching the manifest entry in scripts/security/tool-checksums.json) to each call.
- Verify npm run lint:version-consistency and Test-PSModulePins.ps1 are clean afterward.
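The audit-and-pin sweep described in the Scope list, as an added worked example. This is not the repo's own Test-PSModulePins.ps1 or its version-consistency lint; it is a stand-alone script that reports every Install-Module PSScriptAnalyzer call in a workflow directory that is unpinned or pinned to a version other than the manifest's, and with -Fix inserts the manifest version into the unpinned calls. The manifest layout (a top-level PSScriptAnalyzer object with a version field) is an assumption, since the page does not show the real tool-checksums.json; the sample workflow and manifest at the bottom are constructed here so the script runs offline.

```powershell
# Added example, not the repo's own Test-PSModulePins.ps1 or version-consistency lint:
# scan workflow files for Install-Module PSScriptAnalyzer calls that carry no
# -RequiredVersion pin, or pin a version other than the manifest's, and optionally
# insert the manifest version into the unpinned ones.
# Assumed manifest shape (an assumption; the page does not show the real layout):
#   { "PSScriptAnalyzer": { "version": "1.25.0" } }
$ErrorActionPreference = 'Stop'

function Get-ManifestPin {
    param([string]$ManifestPath, [string]$Module = 'PSScriptAnalyzer')
    $manifest = Get-Content -Raw -Path $ManifestPath | ConvertFrom-Json
    $entry = $manifest.PSObject.Properties[$Module]
    if (-not $entry -or -not $entry.Value.version) {
        throw "No version entry for $Module in $ManifestPath"
    }
    return [string]$entry.Value.version
}

function Test-WorkflowModulePins {
    param([string]$WorkflowDir, [string]$Pinned, [switch]$Fix)
    # The module name may be positional or given with -Name, quoted or bare, any case.
    # The match runs to end of line so the pin may appear anywhere in the call.
    $callPattern = 'Install-Module\s+(?:-Name\s+)?[''"]?PSScriptAnalyzer[''"]?[^\r\n]*'
    $pinPattern  = '-RequiredVersion\s+[''"]?' + [regex]::Escape($Pinned) + '[''"]?(\s|$)'
    $findings = New-Object 'System.Collections.Generic.List[object]'

    foreach ($file in Get-ChildItem -Path $WorkflowDir -Filter *.yml -File) {
        $lines = @(Get-Content -Path $file.FullName)   # force an array even for one-line files
        $changed = $false
        for ($i = 0; $i -lt $lines.Count; $i++) {
            $m = [regex]::Match($lines[$i], $callPattern, 'IgnoreCase')
            if (-not $m.Success) { continue }
            $call = $m.Value
            if ($call -match $pinPattern) { continue }   # already pinned to the manifest version

            $unpinned = $call -notmatch '-RequiredVersion\s'
            $reason = if ($unpinned) { 'no -RequiredVersion pin' } else { "pinned to a version other than $Pinned" }
            $findings.Add([pscustomobject]@{ File = $file.Name; Line = $i + 1; Reason = $reason; Call = $call.Trim() })

            if ($Fix -and $unpinned) {
                # Insert the pin directly after the module name. A mismatched pin is reported but
                # left alone: silently bumping it could hide a deliberate hold-back.
                $fixed = [regex]::Replace($call, '(PSScriptAnalyzer[''"]?)', ('$1 -RequiredVersion ' + $Pinned), 'IgnoreCase')
                $lines[$i] = $lines[$i].Replace($call, $fixed)
                $changed = $true
            }
        }
        if ($changed) { Set-Content -Path $file.FullName -Value $lines }
    }
    return $findings
}

# Constructed sample input (not from the repo): a manifest and one workflow containing an
# unpinned call, a correctly pinned call, and a call pinned to a stale version.
$tmp = Join-Path ([IO.Path]::GetTempPath()) ('pins-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path (Join-Path $tmp '.github/workflows') | Out-Null
New-Item -ItemType Directory -Path (Join-Path $tmp 'scripts/security') | Out-Null
@'
{ "PSScriptAnalyzer": { "version": "1.25.0" } }
'@ | Set-Content -Path (Join-Path $tmp 'scripts/security/tool-checksums.json')
@'
jobs:
  lint:
    runs-on: windows-latest
    steps:
      - run: Install-Module PSScriptAnalyzer -Force -Scope CurrentUser
        shell: pwsh
      - run: Install-Module -Name PSScriptAnalyzer -RequiredVersion 1.25.0 -Force
        shell: pwsh
      - run: Install-Module 'PSScriptAnalyzer' -RequiredVersion 1.21.0 -Force
        shell: pwsh
'@ | Set-Content -Path (Join-Path $tmp '.github/workflows/lint.yml')

$pin = Get-ManifestPin -ManifestPath (Join-Path $tmp 'scripts/security/tool-checksums.json')
$wf  = Join-Path $tmp '.github/workflows'
Write-Host 'Before fix:'
Test-WorkflowModulePins -WorkflowDir $wf -Pinned $pin | Format-Table -AutoSize
# Rewrite the unpinned call, then re-check: only the stale 1.21.0 pin should remain.
Test-WorkflowModulePins -WorkflowDir $wf -Pinned $pin -Fix | Out-Null
Write-Host 'After fix:'
$remaining = @(Test-WorkflowModulePins -WorkflowDir $wf -Pinned $pin)
$remaining | Format-Table -AutoSize
Remove-Item -Recurse -Force $tmp
exit ([int]($remaining.Count -gt 0))
```

Run it against a real checkout by replacing the constructed sample section with the repo's own paths (WorkflowDir .github/workflows and the tool-checksums.json manifest). The non-zero exit code on any remaining finding is what lets it sit in CI next to Test-PSModulePins.ps1; the mismatched-pin case is deliberately not auto-fixed, because a pin that disagrees with the manifest is exactly the drift lint:version-consistency exists to surface for review.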
Acceptance Criteria
- All workflow install sites pin PSScriptAnalyzer to the manifest-declared version.
- Supply-chain pin checker exits 0 with no warnings for PSScriptAnalyzer.
- A single follow-up PR scoped only to this hardening sweep.
References