
@MariusStorhaug MariusStorhaug commented Jan 22, 2026

This patch modernizes the repository's CI/CD infrastructure by pinning dependencies to specific commits, improving security posture, fixing linter warnings, and aligning the source code structure with PSModule organization standards.

Changed

Workflow Security Improvements

  • Pinned all GitHub Actions to commit SHAs with version comments for reproducible builds
  • Added persist-credentials: false to all checkout steps for improved security
  • Changed Release workflow trigger from pull_request_target to pull_request for better fork handling
  • Added path filters to Release workflow to only trigger on relevant file changes (action.yml, src/**)

Dependency Management

  • Updated Dependabot schedule from weekly to daily with 7-day cooldown for balanced update frequency
  • Updated actions/checkout to v6.0.2 (SHA: de0fac2e4500dabe0009e67214ff5f5447ce83dd)
  • Updated super-linter/super-linter to v8.3.2 (SHA: d5b0a2ab116623730dd094f15ddc1b6b25bf7b99)
  • Updated PSModule/GitHub-Script to v1.7.10 (SHA: 0097f3bbe3f413f3b577b9bcc600727b0ca3201a)

Action Migration

  • Renamed Auto-Release.yml workflow to Release.yml
  • Migrated from PSModule/Auto-Release@v1 to PSModule/Release-GHRepository@v2.0.1 (SHA: 88c70461c8f16cc09682005bcf3b7fca4dd8dc1a)

Source Reorganization

  • Moved source files from scripts/ to src/ folder for consistency with other PSModule actions
  • Updated action.yml to reference new source path

Linter Configuration

  • Removed .jscpd.json configuration file
  • Disabled VALIDATE_BIOME_FORMAT and VALIDATE_JSCPD validators in super-linter

Code Quality Fixes

  • Fixed PSAvoidUsingWriteHost warnings by replacing Write-Host with Write-Output in main.ps1

Action Improvements

  • Added Token input with default value ${{ github.token }} for automatic authentication
  • Passed GITHUB_TOKEN environment variable to the GitHub-Script action
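The two changes the description leans on most, a Dependabot schedule of daily checks with a 7-day cooldown and a checkout step pinned to a commit SHA with persist-credentials: false, shown together as an added illustrative example written for this page. It is not the repository's own dependabot.yml or Release.yml. The action references and SHAs are the ones quoted in the description above; the job name, runner, and the explicit GITHUB_TOKEN env on the release step are assumptions, and the Release-GHRepository action's inputs are left out because the page does not list them.

```yaml
# .github/dependabot.yml (illustrative; not the repository's file)
version: 2
updates:
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: daily          # was: weekly; check for new action versions every day
    cooldown:
      default-days: 7          # but only propose a version once it has been published for 7 days
---
# .github/workflows/Release.yml (illustrative; job layout is assumed)
name: Release
on:
  pull_request:                # was: pull_request_target
    paths:                     # run only when the shipped action or its sources change
      - action.yml
      - 'src/**'
permissions:
  contents: write
  pull-requests: write
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      # weak form:  uses: actions/checkout@v6   (a movable tag; the code behind it can change)
      # pinned form: the 40-hex commit SHA is immutable, the trailing comment is the human-readable
      # version that Dependabot keeps in sync when it bumps the pin
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false   # do not store the job token in .git/config for later steps
      - uses: PSModule/Release-GHRepository@88c70461c8f16cc09682005bcf3b7fca4dd8dc1a # v2.0.1
        env:
          GITHUB_TOKEN: ${{ github.token }}   # assumption: token handed to the action explicitly
```

The cooldown is what makes a daily schedule tolerable: a freshly published action version has to survive seven days of public scrutiny before Dependabot opens a PR for it, which narrows the window in which a compromised tag or release gets pulled in automatically. The SHA pin protects against the same thing at the other end, since a tag can be moved but a commit hash cannot. The comment after the hash matters operationally, not just for readability: Dependabot reads the `# vX.Y.Z` marker to know which version the pin corresponds to and rewrites both together on an update, so keep it accurate. With persist-credentials: false the checkout step no longer writes the token into the repository's git config, so a later step (or a dependency it runs) cannot read it back; any step that needs to push must then be given the token deliberately, which is the check the reviewer comments below ask for.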

Copilot AI review requested due to automatic review settings January 22, 2026 18:17

Copilot AI left a comment

Pull request overview

This PR aims to configure Dependabot with a daily update schedule and a 7-day cooldown period to balance timely updates with stability. However, the PR also includes GitHub Actions dependency updates that pin actions to specific commit SHAs.

Changes:

  • Updated Dependabot schedule from weekly to daily
  • Added cooldown configuration with 7-day default
  • Pinned GitHub Actions to commit SHAs with version comments in three workflow files

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File                                Description
.github/dependabot.yml              Changed schedule interval to daily and added cooldown configuration
.github/workflows/Linter.yml        Pinned actions/checkout and super-linter/super-linter to commit SHAs
.github/workflows/Auto-Release.yml  Pinned actions/checkout and PSModule/Auto-Release to commit SHAs
.github/workflows/Action-Test.yml   Pinned actions/checkout to commit SHA


@MariusStorhaug MariusStorhaug changed the title 🩹 Configure Dependabot for daily schedule with 7-day cooldown 🩹[Patch] Configure Dependabot for daily schedule with 7-day cooldown Jan 22, 2026
@MariusStorhaug MariusStorhaug changed the title 🩹[Patch] Configure Dependabot for daily schedule with 7-day cooldown 🩹[Patch]: Configure Dependabot for daily schedule with 7-day cooldown Jan 22, 2026
@MariusStorhaug MariusStorhaug changed the title 🩹[Patch]: Configure Dependabot for daily schedule with 7-day cooldown 🩹 [Patch] Configure Dependabot for daily schedule with 7-day cooldown Jan 22, 2026
@MariusStorhaug MariusStorhaug changed the title 🩹 [Patch] Configure Dependabot for daily schedule with 7-day cooldown 🩹[Patch]: Configure Dependabot for daily schedule with 7-day cooldown Jan 22, 2026
@MariusStorhaug MariusStorhaug self-assigned this Jan 22, 2026
…mplement sensitive value masking in PowerShell scripts
Copilot AI review requested due to automatic review settings January 25, 2026 20:29

Copilot AI left a comment

Pull request overview

Copilot reviewed 5 out of 7 changed files in this pull request and generated no new comments.

Comments suppressed due to low confidence (2)

.github/workflows/Release.yml:6

  • Changing from pull_request_target to pull_request is a significant security change. The pull_request_target event runs in the context of the base repository and has access to secrets, while pull_request runs in the context of the pull request's head repository. This means that for PRs from forks, the workflow will no longer have access to repository secrets or write permissions. If this workflow needs to write releases or create comments on PRs from forks, it will fail. Consider whether this change is intentional and whether the workflow needs to handle PRs from forks.

.github/workflows/Release.yml:6

  • The PR description focuses on Dependabot configuration and action pinning, but this PR also includes significant changes such as adding new source files (src/main.ps1 and src/Helpers.psm1), changing the workflow trigger from pull_request_target to pull_request, and adding path filters. These changes are not mentioned in the PR description and represent substantial functional changes beyond dependency management configuration. The PR description should be updated to accurately reflect all changes being made.


@MariusStorhaug MariusStorhaug changed the title 🩹[Patch]: Configure Dependabot for daily schedule with 7-day cooldown 🩹 [Patch]: Standardize workflows with SHA pinning and daily Dependabot Jan 25, 2026
Copilot AI review requested due to automatic review settings January 25, 2026 21:00

Copilot AI left a comment

Pull request overview

Copilot reviewed 6 out of 8 changed files in this pull request and generated no new comments.

Comments suppressed due to low confidence (3)

.github/workflows/Release.yml:6

  • The workflow trigger has been changed from pull_request_target to pull_request. This is a significant security change:
      • pull_request_target runs in the context of the base branch with access to repository secrets, which is safer for workflows that need write permissions
      • pull_request runs in the context of the PR branch, which could allow malicious code from a fork to execute with write permissions

    Given that this workflow has contents: write and pull-requests: write permissions, changing to pull_request could create a security vulnerability if the workflow processes user-controlled input or executes code from the PR. Consider whether pull_request_target is more appropriate for this use case, or ensure that the workflow and the PSModule/Auto-Release action properly validate and sanitize all inputs.

.github/workflows/Release.yml:17

  • The paths filter includes 'src/**' but the action also depends on src/Helpers.psm1 which is imported by src/main.ps1. While this is covered by the src/** pattern, you should verify that all necessary files that could affect the action's behavior are included in this filter. Consider whether changes to workflow files, dependencies, or the README should also trigger a release.

.github/workflows/Release.yml:34

  • Setting persist-credentials: false while the workflow has contents: write permissions and uses GITHUB_TOKEN may cause issues if the PSModule/Auto-Release action needs to push commits, create tags, or perform other Git operations. The persist-credentials: false setting prevents the checkout action from configuring Git credentials, which means Git operations will fail unless the action configures credentials itself using the GITHUB_TOKEN.

    Verify that the PSModule/Auto-Release action handles authentication independently, or consider removing persist-credentials: false to allow the checkout action to configure credentials automatically.



@MariusStorhaug MariusStorhaug changed the title 🩹 [Patch]: Standardize workflows with SHA pinning and daily Dependabot 🩹[Patch]: Configure Dependabot and rename Auto-Release to Release-GHRepository Jan 25, 2026
Copilot AI review requested due to automatic review settings January 25, 2026 21:43

Copilot AI left a comment

Pull request overview

Copilot reviewed 6 out of 8 changed files in this pull request and generated no new comments.

Comments suppressed due to low confidence (3)

.github/workflows/Release.yml:6

  • The workflow trigger has been changed from pull_request_target to pull_request. This is a significant change in how the workflow executes:
      • pull_request_target runs in the context of the base repository with write permissions and access to secrets, even for PRs from forks
      • pull_request runs in the context of the PR's head ref with read-only permissions for fork PRs

    Given that this workflow has contents: write permissions and creates releases, verify that the new PSModule/Release-GHRepository@v2 action is designed to work with the pull_request trigger. The action may fail when attempting to create releases or tags if it doesn't have the necessary permissions, especially for PRs from forks.

.github/workflows/Release.yml:17

  • The added paths filter restricts the Release workflow to only trigger when 'action.yml' or 'src/**' files are changed. However, this may prevent releases for other important changes such as:
      • Documentation updates (README.md)
      • Workflow file updates (.github/workflows/)
      • Dependency updates (package.json, if applicable)
      • Other configuration files

    Consider whether all changes that warrant a release are covered by these path filters, or if the path filter should be broader or removed entirely to ensure all merged PRs trigger the release process as intended.

.github/workflows/Release.yml:34

  • The persist-credentials: false setting disables persisting the GitHub token in the local git config. This is generally a good security practice, but it may prevent the Release-GHRepository action from performing git operations that require authentication (such as creating tags or pushing changes).

    The workflow explicitly provides GITHUB_TOKEN via the env section on line 39, but if the action relies on git credentials being available in the checkout (rather than using the token directly via the GitHub API), this could cause the release process to fail.

    Please verify that the PSModule/Release-GHRepository@v2 action is compatible with persist-credentials: false, or remove this setting if git operations are required.



@MariusStorhaug MariusStorhaug changed the title 🩹[Patch]: Configure Dependabot and rename Auto-Release to Release-GHRepository 🩹 [Patch]: Improve security, update dependencies, and reorganize source files Jan 25, 2026
Copilot AI review requested due to automatic review settings January 25, 2026 22:32

Copilot AI left a comment

Pull request overview

Copilot reviewed 7 out of 8 changed files in this pull request and generated 1 comment.



@MariusStorhaug MariusStorhaug merged commit 83270d6 into main Jan 25, 2026
26 checks passed
@MariusStorhaug MariusStorhaug deleted the dependabot-daily-cooldown branch January 25, 2026 22:38