@MariusStorhaug MariusStorhaug commented Jan 22, 2026

This release primarily updates and improves the workflows, focusing on enhanced security, reliability, and maintainability. Key changes include pinning all GitHub Action dependencies to specific commit SHAs, updating and renaming the release workflow, removing unused linter configuration, and refining scheduling and validation settings.

Workflow and Dependency Management Improvements:

  • All GitHub Actions in workflow files (Action-Test.yml, Linter.yml, Release.yml) are now pinned to specific commit SHAs for improved security and reproducibility.
  • The release workflow was renamed from .github/workflows/Auto-Release.yml to .github/workflows/Release.yml, with corresponding job and step name updates, and now uses the PSModule/Release-GHRepository action instead of PSModule/Auto-Release.
  • The release workflow now triggers on pull_request events (instead of pull_request_target), and is further scoped to only run when files in action.yml or src/** are changed.

Linter and Validation Configuration:

  • The unused .github/linters/.jscpd.json configuration file was removed, and JSCPD validation is now explicitly disabled in the linter workflow.
  • Additional linter validations (such as VALIDATE_BIOME_FORMAT) are now disabled to streamline linting.

Scheduling and Workflow Behavior:

  • Dependabot update checks are now scheduled to run daily (instead of weekly), with a 7-day cooldown between updates.

Other Improvements:

  • Minor improvements to the action.yml metadata, including a clearer description and an updated path for the main PowerShell script.

Copilot AI review requested due to automatic review settings January 22, 2026 18:17

Copilot AI left a comment


Pull request overview

Configures GitHub Dependabot to check GitHub Actions dependencies daily and introduces a 7-day delay window before updating; additionally pins several GitHub Actions workflow dependencies to specific commit SHAs.

Changes:

  • Change Dependabot schedule for github-actions from weekly to daily
  • Add a Dependabot cooldown setting with default-days: 7
  • Pin GitHub Actions used in workflows (checkout, linters, PSModule actions) to specific commit SHAs

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File | Description
.github/workflows/Linter.yml | Pins actions/checkout and super-linter to specific SHAs for reproducible workflow runs.
.github/workflows/Auto-Release.yml | Pins actions/checkout and PSModule/Auto-Release to specific SHAs.
.github/workflows/Action-Test.yml | Pins actions/checkout, PSModule/GitHub-Script, and PSModule/Invoke-Pester to specific SHAs.
.github/dependabot.yml | Updates Dependabot to run daily for GitHub Actions and adds a 7-day cooldown setting.


@MariusStorhaug MariusStorhaug changed the title 🩹 Configure Dependabot for daily schedule with 7-day cooldown 🩹[Patch] Configure Dependabot for daily schedule with 7-day cooldown Jan 22, 2026
@MariusStorhaug MariusStorhaug changed the title 🩹[Patch] Configure Dependabot for daily schedule with 7-day cooldown 🩹[Patch]: Configure Dependabot for daily schedule with 7-day cooldown Jan 22, 2026
@MariusStorhaug MariusStorhaug changed the title 🩹[Patch]: Configure Dependabot for daily schedule with 7-day cooldown 🩹 [Patch] Configure Dependabot for daily schedule with 7-day cooldown Jan 22, 2026
@MariusStorhaug MariusStorhaug changed the title 🩹 [Patch] Configure Dependabot for daily schedule with 7-day cooldown 🩹[Patch]: Configure Dependabot for daily schedule with 7-day cooldown Jan 22, 2026
@MariusStorhaug MariusStorhaug self-assigned this Jan 22, 2026
Copilot AI review requested due to automatic review settings January 25, 2026 17:33

Copilot AI left a comment


Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated no new comments.



Copilot AI review requested due to automatic review settings January 25, 2026 20:45

Copilot AI left a comment


Pull request overview

Copilot reviewed 5 out of 6 changed files in this pull request and generated no new comments.

Comments suppressed due to low confidence (1)

.github/workflows/Release.yml:7

  • Switching this workflow from pull_request_target to pull_request means GITHUB_TOKEN write permissions (contents/pull-requests) will be downgraded to read-only on PRs from forks. If PSModule/Auto-Release needs write access (creating releases/comments), the job will fail for forked contributions. Consider adding an explicit guard to only run on same-repo PRs, or reverting to pull_request_target with appropriate hardening.


@MariusStorhaug MariusStorhaug changed the title 🩹[Patch]: Configure Dependabot for daily schedule with 7-day cooldown 🩹 [Patch]: Standardize workflows with SHA pinning and daily Dependabot Jan 25, 2026
Copilot AI review requested due to automatic review settings January 25, 2026 21:31
@MariusStorhaug MariusStorhaug changed the title 🩹 [Patch]: Standardize workflows with SHA pinning and daily Dependabot 🩹[Patch]: Configure Dependabot and rename Auto-Release to Release-GHRepository Jan 25, 2026

Copilot AI left a comment


Pull request overview

Copilot reviewed 6 out of 7 changed files in this pull request and generated no new comments.

Comments suppressed due to low confidence (2)

.github/workflows/Release.yml:37

  • The PR description says the Release workflow pins PSModule/Auto-Release@..., but this workflow now uses PSModule/Release-GHRepository@.... Either the PR description needs updating, or the workflow/action change is unintended (and should be reverted to match the stated goal).

.github/workflows/Release.yml:7

  • Switching from pull_request_target to pull_request changes token/permission behavior: for PRs from forks, GITHUB_TOKEN won't get write permissions even if requested, so release creation and PR commenting can fail. If you need this to work for forked PRs, consider keeping pull_request_target (with safe checkout patterns) or triggering release from a post-merge event (e.g., push to main / workflow_run).


Copilot AI review requested due to automatic review settings January 25, 2026 22:05

Copilot AI left a comment


Pull request overview

Copilot reviewed 6 out of 7 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (2)

.github/workflows/Release.yml:7

  • The workflow trigger was changed from pull_request_target to pull_request while still requesting contents: write and pull-requests: write. For PRs from forks, GitHub will not grant write permissions on pull_request events, so the release/commenting steps will fail. If this workflow must work for fork PRs (or needs base-repo permissions), use pull_request_target (with safe checkout patterns) or gate execution explicitly to trusted contexts.

action.yml:33

  • PR description focuses on the release action rename + Dependabot scheduling, but this PR also changes the composite action implementation details (pins PSModule/GitHub-Script, changes the script entrypoint path, and adds src/main.ps1). Please update the PR description/changelog to reflect these additional behavior/implementation changes so reviewers/users aren't surprised.

  steps:
    - name: Get-IssueFormData
      id: Get-IssueFormData
      uses: PSModule/GitHub-Script@0097f3bbe3f413f3b577b9bcc600727b0ca3201a # v1.7.10
      env:
        GITHUB_ACTION_INPUT_IssueBody: ${{ inputs.IssueBody }}
      with:
        Token: ''
        ShowOutput: true
        Script: |
          # Get-IssueFormData
          ${{ github.action_path }}/src/main.ps1
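
As an added example (not code from this PR or the PSModule project): a small Python lint that applies the two points raised in this thread to a constructed workflow file. Every remote uses: reference must be a full 40-hex commit SHA followed by a version comment, and a workflow triggered by pull_request that requests write permissions is flagged unless it guards against fork PRs. The sample workflow is made up apart from the PSModule/GitHub-Script pin quoted in the comment above; the guard patterns it looks for are the github.event.pull_request.head.repo.fork and head.repo.full_name == github.repository expressions.

```python
import re

# Constructed sample workflow (not from the PSModule repository). The
# PSModule/GitHub-Script SHA + version comment is the pin quoted in this PR;
# the other refs are made up to exercise the unpinned cases.
SAMPLE_WORKFLOW = """\
on:
  pull_request:
    paths: [action.yml, 'src/**']
permissions:
  contents: write
  pull-requests: write
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: PSModule/GitHub-Script@0097f3bbe3f413f3b577b9bcc600727b0ca3201a # v1.7.10
      - uses: PSModule/Invoke-Pester@main
      - uses: ./.github/actions/local-helper
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?", re.M)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def find_unpinned_actions(workflow_text):
    """Return (ref, problem) for each remote action not pinned to a full commit
    SHA plus a version comment. Tags and branches can be moved; a SHA cannot."""
    findings = []
    for m in USES_RE.finditer(workflow_text):
        ref, version_comment = m.group(1), m.group(2)
        if ref.startswith("./"):
            continue  # local action, ships with the repository itself
        tag = ref.rsplit("@", 1)[-1]  # a ref with no '@' also fails the SHA test
        if not FULL_SHA_RE.match(tag):
            findings.append((ref, f"mutable ref '{tag}'"))
        elif version_comment is None:
            findings.append((ref, "SHA pin without version comment"))
    return findings

def pull_request_write_mismatch(workflow_text):
    """True when a pull_request-triggered workflow asks for write permissions without
    a same-repo guard; on fork PRs GITHUB_TOKEN stays read-only, so writes fail."""
    triggers_pr = re.search(r"^\s*pull_request:", workflow_text, re.M) is not None
    wants_write = re.search(r"^\s+[\w-]+:\s*write\s*$", workflow_text, re.M) is not None
    guarded = ("head.repo.fork" in workflow_text
               or "head.repo.full_name == github.repository" in workflow_text)
    return triggers_pr and wants_write and not guarded
```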



@MariusStorhaug MariusStorhaug changed the title 🩹[Patch]: Configure Dependabot and rename Auto-Release to Release-GHRepository 🩹[Patch]: Improvements to workflows Jan 26, 2026
@MariusStorhaug MariusStorhaug changed the title 🩹[Patch]: Improvements to workflows 🩹[Patch]: Workflow improvements Jan 26, 2026
@MariusStorhaug MariusStorhaug merged commit 774b6f7 into main Jan 26, 2026
24 checks passed
@MariusStorhaug MariusStorhaug deleted the dependabot-daily-cooldown branch January 26, 2026 21:55
Development

Successfully merging this pull request may close these issues.

🩹[Patch]: Configure Dependabot for daily schedule with 7-day cooldown
