chore(security): pin PSScriptAnalyzer to 1.25.0 and sync stale workflow version comments #1389
Conversation
… SHAs
- update upload-artifact bbbca2dd... comment from v4.4.3 to v7
- update checkout de0fac2e... comment from v4.2.2 to v6.0.2
- align v6 and v6.0.1 annotations to v7 and v6.0.2 respectively
- resolves Test-ActionVersionConsistency mismatches across 39 workflow files

🔒 - Generated by Copilot
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found. Scanned files: none.
Codecov Report: ✅ All modified and coverable lines are covered by tests.

Coverage diff (main vs. #1389):

| | main | #1389 | +/- |
|---|---|---|---|
| Coverage | 87.63% | 87.36% | -0.28% |
| Files | 65 | 64 | -1 |
| Lines | 10119 | 9851 | -268 |
| Hits | 8868 | 8606 | -262 |
| Misses | 1251 | 1245 | -6 |
Advisory review — this PR is from a maintainer. Findings are informational only.
Review Summary
This is a well-scoped hygiene PR combining two related CI-security improvements: pinning PSScriptAnalyzer to 1.25.0 across all install sites, and correcting stale # vX annotation comments on SHA-pinned GitHub Actions across 39 workflow files. The changes are low-risk, the SHA pins themselves are untouched, and the testing section confirms both linters passed.
✅ Issue Alignment
- Closes #1381 — All workflow `Install-Module PSScriptAnalyzer` sites (`.github/workflows/copilot-setup-steps.yml`, `.devcontainer/scripts/on-create.sh`, `scripts/linting/Invoke-PSScriptAnalyzer.ps1`) now pin `-RequiredVersion 1.25.0`. Acceptance criteria are met.
- Refs #1379 — The annotation sync directly addresses the `Test-ActionVersionConsistency` drift surfaced during that review thread.
⚠️ PR Template Compliance
Missing required automated-check entries. The template lists these as required before merging, but only lint:ps and lint:version-consistency are checked:
| Check | Checked |
|---|---|
| `npm run lint:md` | ❌ |
| `npm run spell-check` | ❌ |
| `npm run lint:frontmatter` | ❌ |
| `npm run validate:skills` | ❌ |
| `npm run lint:md-links` | ❌ |
| `npm run plugin:generate` | ❌ |
| `npm run docs:test` | ❌ |
For a change that is entirely YAML comment edits and PowerShell version strings, most of these won't produce new failures. However, the template asks authors to confirm they passed before merging. Consider checking off the ones that were run, or marking inapplicable ones with N/A.
💡 Code Quality
- `on-create.sh` and `Invoke-PSScriptAnalyzer.ps1` — single-line additions of `-RequiredVersion 1.25.0` are correct and consistent with the existing `-RequiredVersion 5.7.1` pattern for Pester.
- `copilot-setup-steps.yml` — also pins `PowerShell-Yaml -RequiredVersion 0.4.7` (see inline comment). The pin is correct and keeps the workflow consistent with the `#Requires -Modules PowerShell-Yaml, RequiredVersion='0.4.7'` directives added in PR #1379, but it is undocumented in the PR description.
- A trailing blank line was appended to `copilot-setup-steps.yml` (line 147). This is harmless but was not called out.
🔒 Security
No concerns. SHA pins are unchanged; only human-readable annotation comments were corrected. Pinning PSScriptAnalyzer eliminates install-time supply-chain variance as described in the linked issue.
Action Items
- (Optional) Update the PR description Additional Notes to mention the `PowerShell-Yaml -RequiredVersion 0.4.7` pin added to `copilot-setup-steps.yml`.
- (Optional) Check off (or mark N/A) the remaining required automated checks in the PR checklist.
Advisory review — this PR is from a maintainer. Findings are informational only.
Review Summary
Well-scoped hygiene PR. The substantive changes — pinning PSScriptAnalyzer to 1.25.0 across all three install sites and pinning PowerShell-Yaml to 0.4.7 in the CI setup workflow — are correct, low-risk, and consistent with the security hardening goals in #1381 and #1379. No blocking issues found.
✅ Issue Alignment
- Closes #1381 — All three `Install-Module PSScriptAnalyzer` install sites (`.github/workflows/copilot-setup-steps.yml`, `.devcontainer/scripts/on-create.sh`, `scripts/linting/Invoke-PSScriptAnalyzer.ps1`) now carry `-RequiredVersion 1.25.0`. Acceptance criteria met.
- Refs #1379 — The `PowerShell-Yaml -RequiredVersion 0.4.7` addition in `copilot-setup-steps.yml` keeps the CI environment consistent with the `#Requires` directive introduced in #1379.
⚠️ PR Description vs. Actual Diff
The PR title and description state that stale GitHub Actions version annotation comments were synced across 39 workflow files (e.g., # v4.4.3 → # v7, # v4.2.2 → # v6.0.2). However, the current diff contains no annotation changes — the 10 workflow files in the diff received only trailing newlines. The PR currently contains 14 changed files total, not 39.
If the annotation sync was split into a separate PR or was already merged to main, the description and title should be updated to reflect the actual scope of this PR to avoid confusion for future readers and merge reviewers.
💡 Code Quality — Inline Findings
Two advisory inline comments were added:
- `.devcontainer/scripts/on-create.sh` (line 51) — `PowerShell-Yaml` is pinned in `copilot-setup-steps.yml` but not in `on-create.sh`, violating the environment-sync convention in the project instructions.
- `scripts/linting/Invoke-PSScriptAnalyzer.ps1` (line 55) — The install guard checks for module presence only; a pre-installed different version would bypass the `1.25.0` pin entirely.
🔒 Security
No concerns. SHA pins are unchanged. Pinning both PSScriptAnalyzer and PowerShell-Yaml eliminates install-time supply-chain variance as described in #1381.
Action Items (all optional)
- Update the PR title and description to remove references to annotation sync, or confirm that work is captured in a separate PR.
- Add `-RequiredVersion 0.4.7` to the `PowerShell-Yaml` install in `on-create.sh` to align with `copilot-setup-steps.yml`.
- Harden the version guard in `Invoke-PSScriptAnalyzer.ps1` to check the specific installed version, not just presence.
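The version-specific guard the review above asks for, as an added PowerShell example. This is not the repository's `Invoke-PSScriptAnalyzer.ps1`; the module name, the `1.25.0` default and the `-Scope CurrentUser` install scope are assumptions made here for illustration. It shows why a presence-only check is not enough: `Get-Module -ListAvailable` returns every installed copy, so the guard must filter on the exact version, and `Import-Module` must be told which version to load.

```powershell
#Requires -Version 7.0
# Added example, not the repository's Invoke-PSScriptAnalyzer.ps1.
# Ensures an exact module version is installed and loaded. A presence-only
# check such as `if (Get-Module -ListAvailable PSScriptAnalyzer)` is satisfied
# by any version already on the machine and silently bypasses the pin.
[CmdletBinding()]
param(
    [string]  $ModuleName      = 'PSScriptAnalyzer',   # assumed defaults
    [version] $RequiredVersion = '1.25.0'
)

function Test-ExactModuleVersion {
    param([string] $Name, [version] $Version)
    # -ListAvailable lists every installed copy; keep only the pinned one.
    $match = Get-Module -ListAvailable -Name $Name |
        Where-Object { $_.Version -eq $Version }
    return [bool] $match
}

if (-not (Test-ExactModuleVersion -Name $ModuleName -Version $RequiredVersion)) {
    Write-Host "Installing $ModuleName $RequiredVersion"
    # Side-by-side install; a different version already present is left alone.
    Install-Module -Name $ModuleName -RequiredVersion $RequiredVersion `
        -Scope CurrentUser -Force
}

# Import the pinned version explicitly: without -RequiredVersion, Import-Module
# loads the highest version it finds, which may be the unpinned one.
Import-Module -Name $ModuleName -RequiredVersion $RequiredVersion -Force

# Final check on what is actually loaded into the session.
$loaded = Get-Module -Name $ModuleName
if (-not $loaded -or $loaded.Version -ne $RequiredVersion) {
    throw "Loaded $ModuleName $($loaded.Version) but expected $RequiredVersion"
}
Write-Host "Using $ModuleName $($loaded.Version)"
```

Run it as a script (`pwsh ./Ensure-PinnedModule.ps1`, a hypothetical file name); with a newer PSScriptAnalyzer already installed, the presence-only form would have imported that newer copy, whereas this guard installs 1.25.0 alongside it and loads 1.25.0.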
…-Yaml in devcontainer
- Pin PowerShell-Yaml to 0.4.7 in .devcontainer/scripts/on-create.sh so the devcontainer matches the version installed by copilot-setup-steps.yml.
- In Invoke-PSScriptAnalyzer.ps1, require PSScriptAnalyzer 1.25.0 specifically when checking module availability and import with -RequiredVersion 1.25.0 so a pre-installed different version cannot bypass the pin.

Refs: PR #1389 review feedback from @katriendg. 🔒 - Generated by Copilot
Advisory review — this PR is from a maintainer. Findings are informational only.
Review Summary
The latest commit (cfae407) addresses both advisory findings raised in the previous automated review. No new issues were found. This PR is clean and ready for merge.
✅ Issue Alignment
- Closes #1381 — All three `Install-Module PSScriptAnalyzer` sites pin `-RequiredVersion 1.25.0`. Acceptance criteria met.
- Refs #1379 — `PowerShell-Yaml -RequiredVersion 0.4.7` is now consistent across both `copilot-setup-steps.yml` and `on-create.sh`.
✅ Prior Findings Resolved
| Prior Finding | Status |
|---|---|
| `on-create.sh` missing PowerShell-Yaml version pin | ✅ Resolved — `-RequiredVersion 0.4.7` added |
| `Invoke-PSScriptAnalyzer.ps1` version guard checked presence only | ✅ Resolved — guard now filters by `[version]'1.25.0'`; import uses `-RequiredVersion 1.25.0` |
| PR description referenced 39 annotation-sync files not present in diff | ✅ Resolved — "Merge Update" section explains the merge-base resolution |
🔒 Security
No concerns. SHA pins are unchanged throughout. Pinning both PSScriptAnalyzer and PowerShell-Yaml eliminates install-time supply-chain variance as described in #1381. The trailing newlines added to workflow files are POSIX-compliant and behaviorally inert.
…sion-comments # Conflicts: # .devcontainer/scripts/on-create.sh # .github/workflows/copilot-setup-steps.yml
Advisory review — this PR is from a maintainer. Findings are informational only.
Review Summary
The latest commit addresses all findings raised in previous automated review cycles. The PR is well-scoped and clean: PSScriptAnalyzer is pinned to 1.25.0 at all three install sites, PowerShell-Yaml 0.4.7 and Pester 5.7.1 are consistently pinned in copilot-setup-steps.yml (aligning with on-create.sh), and the version-specific guard in Invoke-PSScriptAnalyzer.ps1 correctly filters by [version]'1.25.0' rather than presence alone. No blocking or significant issues found.
✅ Issue Alignment
- Closes #1381 — All three `Install-Module PSScriptAnalyzer` install sites (`.github/workflows/copilot-setup-steps.yml`, `.devcontainer/scripts/on-create.sh`, `scripts/linting/Invoke-PSScriptAnalyzer.ps1`) carry `-RequiredVersion 1.25.0`. All acceptance criteria are met.
- Refs #1379 — `PowerShell-Yaml -RequiredVersion 0.4.7` and `Pester -RequiredVersion 5.7.1` in `copilot-setup-steps.yml` maintain environment consistency with the `#Requires` directives introduced in #1379.
✅ PR Template Compliance
All required sections are filled in. Automated checks are correctly marked N/A with justification for checks that don't apply to YAML comment and PowerShell version-string-only changes. The "Merge Update" section explains the apparent mismatch between the PR title's annotation-sync description and the actual diff.
💡 Coding Standards — Advisory Note
`scripts/linting/Invoke-PSScriptAnalyzer.ps1`, line 55 — The inline comment (presence-only check would allow a different installed version to bypass the pin) reads as a rationale/narrative aside. Per the repository's PowerShell instructions, comments should be brief and factual, describing behavior rather than reasoning. Consider trimming to something like `# Version-specific check; presence-only check allows a mismatched installed version`:

`# Ensure PSScriptAnalyzer 1.25.0 is installed; presence-only check would permit a mismatched version`

Non-blocking — the current comment is clear and accurate; this is purely a style note.
🔒 Security
No concerns. SHA pins are unchanged throughout. Deterministic version pinning for PSScriptAnalyzer, PowerShell-Yaml, and Pester eliminates install-time supply-chain variance as described in #1381. Trailing newlines on workflow files are POSIX-compliant and behaviorally inert.
- add logs/.gitkeep and un-ignore it so plugin:postprocess (markdownlint-cli2 JSON formatter) and other logs/-writing scripts have the directory pre-created
- exclude .gitkeep from clean:logs so the keepfile survives cleanup

🛠️ - Generated by Copilot
Advisory review — this PR is from a maintainer. Findings are informational only.
Overview
Clean, well-scoped infrastructure hygiene PR. The PSScriptAnalyzer version pinning addresses a genuine supply-chain risk, and the workflow annotation sync eliminates false-positive lint noise from Test-ActionVersionConsistency. All behavioral changes are confined to install-site hardening; the 11 workflow-file edits are comment/whitespace-only.
✅ Issue Alignment
Closes #1381. The three install sites (on-create.sh, copilot-setup-steps.yml, Invoke-PSScriptAnalyzer.ps1) are consistently addressed and the testing evidence (0 mismatches from lint:version-consistency) is appropriate.
💡 Issue #1381 estimated "~9 install sites" without a version pin; the PR closes it by addressing 3. It would help future contributors to leave a brief closing comment on #1381 confirming the pin checker is now clean — it keeps the audit trail unambiguous and resolves the apparent count discrepancy.
✅ PR Template Compliance
All required sections are filled in with substantive content. Type of Change checkboxes are consistent with the actual diff. The post-merge validation summary in the PR body is a nice touch.
💡 Minor inaccuracy in Additional Notes: the note states "copilot-setup-steps.yml also pins PowerShell-Yaml -RequiredVersion 0.4.7" — PowerShell-Yaml was already pinned in that file before this PR. The actual new addition is Pester -RequiredVersion 5.7.1 (bringing it in sync with on-create.sh). No action required; just flagging for documentation accuracy.
✅ Coding Standards
All PowerShell, bash, YAML, and JSON changes follow repo conventions. The version-specific availability check in Invoke-PSScriptAnalyzer.ps1 is the right approach — a presence-only check would allow a mismatched version to silently bypass the pin. One minor comment verbosity note is left inline.
✅ Code Quality and Security
- The `.gitignore` pattern change (`[Ll]ogs/*` + `![Ll]ogs/.gitkeep`) is idiomatic and correctly handles case variants. Removing the duplicate `logs/` entry at line 445 is clean.
- `package.json` `clean:logs` correctly adds `-Exclude .gitkeep`. On PowerShell 7+ (which this repo requires) the `-Exclude` parameter with `-Recurse` and `-File` behaves reliably for this use case.
- No new secrets, sensitive data, or breaking changes introduced. SHA pins on workflow actions are unchanged.
Overall this PR is in good shape. The hardening work is solid and the scope is well-controlled.
## Pre-Release 3.3.101

### ✨ Features

- add removed maturity tier and retire owasp-docker (#1444)
- add evaluation dataset creator (#1279)
- align RAI planner with guide, remove scoring, improve UX (#1287)
- add PSGallery staleness check and BOM cleanup (#1379)
- ISA-95 network planner agent (#1177)
- auto-generate collection.md with maturity filtering (#1316)
- add folder-consistency check and standardize WARN outp… (#1350)
- add synth-data-generate prompt to data-science collection (#1419)
- add canonical deck workflow and customer-card rendering for design thinking (#1413)
- add Figma MCP integration for DT artifact export (#1222)
- introduce `owasp-docker` (#1245)
- replace hve-core-specific references with portable discovery-based language (#1335)
- introduce `owasp-cicd` (#1246)
- add secure-by-design knowledge skill (#1223)
- introduce `owasp-infrastructure` (#1244)
- introduce `owasp-mcp` (#1207)
- add OutputPath parameter to Invoke-LinkLanguageCheck.ps1 (#1229)
- add -OutputPath parameter to Validate-SkillStructure.ps1 (#1225)
- add maintainer-only skip-review label guard (#1293)
- add extension collections overview and integrate into getting started flow (#950)
- add agentic workflows for automated issue triage, implementation, PR review, dependency review, and doc-staleness detection (#1219)
- consolidate package-lock.json version sync into Update-VersionFiles.ps1 (#1240)
- add standards code review agent and full review orchestrator (#1174)
- standardize pytest-mock as Python mocking framework (#1170)
- add Jira backlog workflows and Jira/GitLab skills (#978)
- add centralized version bump script and supply-chain attestation (#1183)

### 🐛 Bug Fixes

- pin PowerShell-Yaml to 0.4.7 across all install sites (#1378)
- close fork-PR/workflow-file-PR secret-strip gap and normalize upload-artifact version (#1421)
- replace stream-based lookahead with array indexing in list-changed-files.sh (#1376)
- centralize ISO 8601 timestamp regex in CIHelpers (#1343)
- update stale documentation date in release-process.md (#1363)
- pin basic-ftp to 5.3.0 to resolve GHSA-rp42-5vxx-qpwr (#1374)
- add bot filter to dependency PR review workflow (#1362)
- resolve pip-audit findings in powerpoint, gitlab, and jira skill lock files (#1360)
- standardize Timestamp JSON key casing across all lint result files (#1314)
- add synchronize trigger to PR Review workflow (#1323)
- standardize timestamp in Validate-SkillStructure.ps1 to use Get-StandardTimestamp (#1280)
- add parallel subagent dispatch and structured JSON contracts to code-review-full (#1304)
- standardize timestamp in SecurityHelpers.psm1 to use Get-StandardTimestamp (#1284)
- standardize timestamps in Test-DependencyPinning.ps1 and SecurityClasses.psm1 (#1282)
- derive collection artifact counts from YAML at build time (#1275)
- standardize timestamp in FrontmatterValidation.psm1 to use Get-StandardTimestamp (#1285)
- standardize timestamp in Markdown-Link-Check.ps1 to use Get-StandardTimestamp (#1283)
- escape hyphens in Mermaid diagram on Collections page (#1262)
- add summary timestamp to PSScriptAnalyzer output (#1211)
- fix plugin compatibility and robustness for coding-standards code review agents (#1289)
- standardize timestamp in Test-CopyrightHeaders.ps1 to use Get-StandardTimestamp (#1278)
- standardize timestamp in Invoke-YamlLint.ps1 to use Get-StandardTimestamp (#1270)
- standardize timestamp in Invoke-LinkLanguageCheck.ps1 to use Get-StandardTimestamp (#1264)
- fix dependency-review path filters and sparse-checkout cone mode (#1259)
- replace invalid bare tool names with official tool identifiers (#1198)
- fix broken links and remove orphaned reference in code review docs (#1257)
- exclude Python env dirs from skill validation warnings (#1255)
- pin happy-dom and serialize-javascript to resolve Dependabot vulnerabilities (#1253)
- remove Mermaid diagram and add missing collection cards (#1247)
- disable MCP servers by default to prevent token limit errors (#1144)
- sync package-lock.json after pre-release version bump (#1236)
- separate mermaid node declarations and add dynamic diagram generation with tests (#1215)
- replace anchor links in meeting-analyst with bold text references (#1201)
- remove recursive symlinks in jira and gitlab skill directories (#1233)
- validate-installation scripts now check .github/skills directory (#1010) (#1206)
- resolve npm audit vulnerabilities via dependency overrides (#1200)
- add post-release triggers to scorecard workflow (#1186)
- add missing .md extensions to relative links in agent documentation (#1180)

### 📚 Documentation

- broaden Security Review description beyond OWASP (#1385)
- document maintainer advisory mode and skip-review label guard (#1386)
- document ExcludePaths/OutputPath for Invoke-LinkLanguageCheck (#1383)
- CLI getting-started: clarify plugin install commands as alternatives (-all vs base) (#1251)

### ♻️ Refactoring

- align agent and prompt folder names to collection identifier (#1210)

### 🔧 Maintenance

- pin PSScriptAnalyzer to 1.25.0 and sync stale workflow version comments (#1389)
- bump lxml from 6.0.2 to 6.1.0 in /.github/skills/experimental/powerpoint (#1424)
- bump @vscode/vsce from 3.7.1 to 3.9.1 in the npm-dependencies group (#1390)
- bump the github-actions group across 1 directory with 7 updates (#1391)
- bump follow-redirects from 1.15.11 to 1.16.0 in /docs/docusaurus (#1356)
- upgrade Node.js from 20 to 24 and bump cspell to v10 (#1353)
- bump basic-ftp from 5.2.0 to 5.2.1 (#1324)
- update github/gh-aw-actions requirement to 536ea1bad8c6715d098a9dc1afea8d403733acfe in the github-actions group across 1 directory (#1298)
- update security instruction attributions and compliance (#1294)
- bump the npm-dependencies group with 2 updates (#1297)
- pre-release 3.3.41 (#1252)
- streamline RAI Planner phase structure and documentation (#1273)
- bump happy-dom from 20.8.8 to 20.8.9 in /docs/docusaurus (#1237)
- pre-release 3.3.27 (#1191)
- bump pygments from 2.19.2 to 2.20.0 in /.github/skills/gitlab/gitlab (#1234)
- bump path-to-regexp from 0.1.12 to 0.1.13 in /docs/docusaurus (#1226)
- bump the github-actions group with 4 updates (#1231)
- add missing folders and alphabetize location lists (#1193)
- bump brace-expansion (#1224)
- bump handlebars from 4.7.8 to 4.7.9 in /docs/docusaurus (#1217)
- bump brace-expansion from 5.0.3 to 5.0.5 in /docs/docusaurus (#1213)
- pre-release 3.3.10 (#1187)
- bump markdownlint-cli2 from 0.21.0 to 0.22.0 in the npm-dependencies group (#1175)
- bump the github-actions group with 3 updates (#1176)
- pre-release 3.3.1 (#1165)

---

*Managed automatically by pre-release workflow.*

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Pull Request
Description
Combines two related security/CI hygiene improvements into a single PR:
`Install-Module` resolves at run time.
- `# vX` comments accurately describe the SHA-pinned action versions. The SHA pins themselves are unchanged; only the human-readable annotations were drifting from reality, which `Test-ActionVersionConsistency` (`npm run lint:version-consistency`) was reporting as mismatches.

Related Issue(s)
Closes #1381
Refs #1379
Type of Change
Code & Documentation:
Infrastructure & Configuration:
Other:
`.ps1`, `.sh`, `.py`)

Testing
- `npm run lint:version-consistency`: `MismatchCount: 0` after annotation sync (was non-zero before).
- `actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd` → `v6.0.2`
- `actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f` → `v7.0.0`
- (`copilot-setup-steps.yml`, `on-create.sh`, `Invoke-PSScriptAnalyzer.ps1`): all now request `-RequiredVersion 1.25.0`.

Checklist
Required Checks
Required Automated Checks
- `npm run lint:ps`
- `npm run lint:version-consistency`
- `npm run lint:md`: N/A (no markdown content changes; only YAML comments and PowerShell version strings)
- `npm run spell-check`: N/A (no prose content changes)
- `npm run lint:frontmatter`: N/A (no frontmatter touched)
- `npm run validate:skills`: N/A (no skills modified)
- `npm run lint:md-links`: N/A (no markdown changes)
- `npm run plugin:generate`: N/A (no collections, agents, prompts, instructions, or skills modified)
- `npm run docs:test`: N/A (no docs content changes)

Security Considerations
Additional Notes
Scope note: in addition to the two annotations called out by the validator (`# v4.4.3` → `# v7`, `# v4.2.2` → `# v6.0.2`), two further annotations on the same SHAs were drifting (`# v6` → `# v7`, `# v6.0.1` → `# v6.0.2`) and were corrected in the same pass for consistency. All edits are comment-only — no SHA, no behavior change.

`copilot-setup-steps.yml` also pins `PowerShell-Yaml -RequiredVersion 0.4.7` alongside the PSScriptAnalyzer pin, matching the `#Requires -Modules PowerShell-Yaml, RequiredVersion='0.4.7'` directives introduced in #1379. A trailing newline was added to the same file; harmless and conforms to POSIX text-file convention.

Merge Update
Merged `origin/main` (commit `3b3b8153`). 27 workflow files had concurrent SHA-pin updates on main; resolved by taking main's newer SHAs since they already carried the corrected version annotations this PR was introducing. Net effect: PR's annotation-correction goal is satisfied; main's freshness is preserved. Verified `copilot-setup-steps.yml` retains both `-RequiredVersion` pins (PSScriptAnalyzer 1.25.0, PowerShell-Yaml 0.4.7). Post-merge validation: `lint:yaml` (48 files), `lint:version-consistency` (361 actions, 0 mismatches), `lint:permissions` (47/47) all pass.
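The kind of check `Test-ActionVersionConsistency` performs, as an added PowerShell example. This is not the repository's script: the workflow fragment is constructed, and the SHA-to-tag table is embedded directly rather than resolved from a trusted source (the real checker's resolution method is not stated on this page, so it is an assumption that one exists). The two SHAs and the `v6.0.2` / `v7.0.0` tags are the ones quoted in the Testing section above; the `# v4.2.2` annotation on the first line reproduces the stale state the PR corrected. The example goes slightly beyond the annotation sync by also flagging a `uses:` reference that is not SHA-pinned at all, since that is the underlying supply-chain property the annotations exist to document.

```powershell
#Requires -Version 7.0
# Added example, not the repository's Test-ActionVersionConsistency.
# Parses `uses:` lines from workflow text, requires a 40-hex commit SHA, and
# compares the trailing `# vX` annotation with the tag the SHA is known to
# resolve to. Also flags actions referenced by tag or branch instead of a SHA.

# Constructed sample workflow fragment (not a file from the repository).
$SampleWorkflow = @'
steps:
  - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2
  - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
  - uses: actions/setup-node@v4
'@

# Constructed SHA -> tag table. Assumption: a real checker would fill this from
# a trusted source (GitHub API or a pin manifest); the entries here are the two
# SHAs and tags quoted in the PR description.
$KnownTags = @{
    'de0fac2e4500dabe0009e67214ff5f5447ce83dd' = 'v6.0.2'
    'bbbca2ddaa5d8feaa63e36b76fdaad77386f024f' = 'v7.0.0'
}

function Test-ActionAnnotation {
    param([string] $WorkflowText, [hashtable] $ShaToTag)
    # action@ref with an optional trailing "# <annotation>" comment.
    $pattern = '^\s*-?\s*uses:\s*(?<action>[^@\s]+)@(?<ref>\S+)(?:\s*#\s*(?<note>\S+))?'
    foreach ($line in ($WorkflowText -split "`r?`n")) {
        if ($line -match $pattern) {
            $action = $Matches['action']; $ref = $Matches['ref']; $note = $Matches['note']
            $expected = $null
            if ($ref -notmatch '^[0-9a-f]{40}$') {
                $status = 'NotShaPinned'           # tag or branch: a mutable reference
            } else {
                $expected = $ShaToTag[$ref]
                if (-not $expected)          { $status = 'UnknownSha' }
                elseif (-not $note)          { $status = 'MissingAnnotation' }
                elseif ($note -ne $expected) { $status = 'Mismatch' }
                else                         { $status = 'OK' }
            }
            [pscustomobject]@{
                Action = $action; Ref = $ref; Annotation = $note
                Expected = $expected; Status = $status
            }
        }
    }
}

$results    = Test-ActionAnnotation -WorkflowText $SampleWorkflow -ShaToTag $KnownTags
$mismatches = @($results | Where-Object Status -ne 'OK')
$results | Format-Table Action, Status, Annotation, Expected -AutoSize
Write-Host "MismatchCount: $($mismatches.Count)"   # 2 for the sample above
if ($mismatches.Count -gt 0) { exit 1 }             # non-zero exit fails the CI step
```

For the constructed input the checkout line reports `Mismatch` (annotation `v4.2.2`, expected `v6.0.2`), the upload-artifact line reports `OK`, and the setup-node line reports `NotShaPinned`, so `MismatchCount` is 2. Because the script ends with `exit`, run it as a file rather than pasting it into an interactive session.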