
Conversation


@MariusStorhaug MariusStorhaug commented Jan 22, 2026

This release focuses on updating and improving the project's GitHub Actions workflows and configuration files. The main goals are to enhance security and reliability by pinning action versions, streamline release and dependency management, and clean up unused or redundant configuration files.

Workflow and Action Updates:

  • Updated all uses of actions/checkout to reference a specific commit hash (de0fac2e4500dabe0009e67214ff5f5447ce83dd) for improved security and reproducibility across workflows.
  • Replaced unpinned or generic action versions with commit-pinned versions for PSModule/GitHub-Script, super-linter/super-linter, and PSModule/Invoke-Pester to ensure consistent behavior and improve security.
  • Updated the linter workflow to use a pinned version of super-linter and added/adjusted validation environment variables.

Release and Dependency Management:

  • Renamed .github/workflows/Auto-Release.yml to .github/workflows/Release.yml, updated the workflow name, and switched the trigger from pull_request_target to pull_request for better security. Also restricted the workflow to run only on changes to action.yml and src/**.
  • Replaced the use of PSModule/Auto-Release with PSModule/Release-GHRepository in the release workflow, and updated job names accordingly.
  • Changed the Dependabot update schedule from weekly to daily and added a cooldown period to manage update frequency.

Configuration Cleanup:

  • Removed the .github/linters/.jscpd.json file and .github/release.yml, indicating a cleanup of unused or redundant configuration files.

Other Improvements:

  • Fixed a typo in README.md for clarity.
  • Updated script paths in action.yml from scripts/ to src/ to reflect directory restructuring.

Copilot AI review requested due to automatic review settings January 22, 2026 18:19

Copilot AI left a comment


Pull request overview

This PR configures Dependabot to check for GitHub Actions updates daily instead of weekly, adds a 7-day cooldown period for dependency updates, and includes several GitHub Actions updates that pin actions to specific commit SHAs for enhanced security.

Changes:

  • Modified Dependabot configuration to use daily checks with a 7-day cooldown period
  • Updated multiple GitHub Actions to use commit SHA pinning instead of version tags
  • Deleted the release configuration file

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

Summary per file:

  • .github/dependabot.yml: Changed schedule from weekly to daily and added cooldown configuration with 7-day default
  • .github/workflows/Linter.yml: Updated actions/checkout and super-linter/super-linter to use commit SHA pinning
  • .github/workflows/Auto-Release.yml: Updated actions/checkout and PSModule/Auto-Release to use commit SHA pinning
  • .github/workflows/Action-Test.yml: Updated multiple instances of actions/checkout and corrected Github-Script to GitHub-Script with commit SHA pinning
  • .github/release.yml: Removed the entire release notes configuration file


@MariusStorhaug MariusStorhaug changed the title 🩹 Configure Dependabot for daily schedule with 7-day cooldown 🩹[Patch] Configure Dependabot for daily schedule with 7-day cooldown Jan 22, 2026
@MariusStorhaug MariusStorhaug changed the title 🩹[Patch] Configure Dependabot for daily schedule with 7-day cooldown 🩹[Patch]: Configure Dependabot for daily schedule with 7-day cooldown Jan 22, 2026
@MariusStorhaug MariusStorhaug changed the title 🩹[Patch]: Configure Dependabot for daily schedule with 7-day cooldown 🩹 [Patch] Configure Dependabot for daily schedule with 7-day cooldown Jan 22, 2026
@MariusStorhaug MariusStorhaug changed the title 🩹 [Patch] Configure Dependabot for daily schedule with 7-day cooldown 🩹[Patch]: Configure Dependabot for daily schedule with 7-day cooldown Jan 22, 2026
@MariusStorhaug MariusStorhaug self-assigned this Jan 22, 2026
Copilot AI review requested due to automatic review settings January 25, 2026 17:32

Copilot AI left a comment


Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

@MariusStorhaug MariusStorhaug changed the title 🩹[Patch]: Configure Dependabot for daily schedule with 7-day cooldown 🩹 [Patch]: Standardize workflows with SHA pinning and daily Dependabot Jan 25, 2026
Copilot AI review requested due to automatic review settings January 25, 2026 21:01

Copilot AI left a comment


Pull request overview

Copilot reviewed 8 out of 12 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (2)

.github/workflows/Release.yml:6

  • Changed from 'pull_request_target' to 'pull_request'. This is a significant security improvement as 'pull_request_target' runs in the context of the base repository with elevated permissions, which could be a security risk for untrusted PRs. The 'pull_request' event is safer as it runs with the PR's permissions.

.github/workflows/Release.yml:17

  • The 'paths' filter is applied to the 'closed' event type. This means that the workflow will only trigger when a PR is closed AND the PR includes changes to 'action.yml' or 'src/**'. However, the 'closed' event doesn't evaluate path filters - GitHub only evaluates path filters for push and pull_request events with certain activity types (opened, synchronize, reopened), but not for 'closed'. This may cause the workflow not to trigger when intended for closed PRs.


@MariusStorhaug MariusStorhaug changed the title 🩹 [Patch]: Standardize workflows with SHA pinning and daily Dependabot 🩹[Patch]: Configure Dependabot and rename Auto-Release to Release-GHRepository Jan 25, 2026
Copilot AI review requested due to automatic review settings January 25, 2026 21:44

Copilot AI left a comment


Pull request overview

Copilot reviewed 8 out of 12 changed files in this pull request and generated no new comments.

Comments suppressed due to low confidence (2)

.github/workflows/Release.yml:6

  • Changing from 'pull_request_target' to 'pull_request' is a significant security and functionality change. The 'pull_request' trigger runs workflows from the head branch/fork with limited permissions, which may not work correctly with the 'contents: write' permission required for releases. The 'pull_request_target' trigger runs workflows from the base branch with elevated permissions, which is typically needed for release workflows. This change may prevent the workflow from functioning correctly when triggered from forked PRs, or may cause permission errors when attempting to create releases. Consider whether this change is intentional and if it aligns with the workflow's requirements.

.github/workflows/Release.yml:17

  • Adding path filters to the release workflow may prevent releases from being triggered when changes are made to other important files like workflow files (.github/workflows/), documentation, or configuration files. Release workflows typically don't have path filters because releases should be triggered based on PR merges regardless of which files changed. Consider whether restricting releases to only 'action.yml' and 'src/**' changes is intentional, as this could prevent releases for other important changes (e.g., workflow updates, documentation, dependencies).


Copilot AI review requested due to automatic review settings January 27, 2026 16:09
@MariusStorhaug MariusStorhaug changed the title 🩹[Patch]: Configure Dependabot and rename Auto-Release to Release-GHRepository 🩹[Patch]: Workflow improvements Jan 27, 2026
@MariusStorhaug MariusStorhaug merged commit 17bb50e into main Jan 27, 2026
26 checks passed
@MariusStorhaug MariusStorhaug deleted the dependabot-daily-cooldown branch January 27, 2026 16:14

Copilot AI left a comment


Pull request overview

Copilot reviewed 8 out of 12 changed files in this pull request and generated no new comments.

Comments suppressed due to low confidence (1)

.github/workflows/Release.yml:6

  • The workflow trigger has been changed from pull_request_target to pull_request. This is a significant security change. The pull_request_target event runs in the context of the base repository and has access to repository secrets, while pull_request runs in the context of the fork for external contributions. This change means that PRs from forks will not have access to secrets that may be needed for the release action. Verify that this is intentional and that the Release-GHRepository action does not require access to repository secrets, or consider keeping pull_request_target if secrets are needed.

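The two changes this thread keeps returning to (the PR description's commit-SHA pinning of every `uses:` reference, and the Copilot comments on switching `pull_request_target` to `pull_request`) are both things a reviewer can check mechanically. The following scanner is an added example, not code from this PR or the PSModule project: it flags any `uses:` target that is not a full 40-hex commit SHA, and it flags the risky combination of a `pull_request_target` trigger with an `actions/checkout` step that checks out the PR head (that combination runs untrusted PR code with the base repository's write token and secrets, which is the reason the event is dangerous; a plain `pull_request` from a fork gets a read-only token and no secrets). The `BEFORE` and `AFTER` workflow texts are constructed for the example; only the `actions/checkout` SHA is the one named in the PR description, the other targets and job layout are invented. The parser is a line-based heuristic, not a YAML parser, so it has no dependencies but recognises only the common `- uses:` / `with:` / `ref:` layout.

```python
import re

# Constructed "before" workflow showing both patterns the scanner flags.
# Invented for this example; not the repository's actual Release.yml.
BEFORE = """\
name: Release
on:
  pull_request_target:
    types: [closed]
permissions:
  contents: write
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: super-linter/super-linter@latest
"""

# Constructed "after" workflow: pull_request trigger and SHA-pinned actions.
# The checkout SHA is the one quoted in the PR description; the rest is invented.
AFTER = """\
name: Release
on:
  pull_request:
    types: [closed]
    branches: [main]
permissions:
  contents: write
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
REF_RE = re.compile(r"^\s*ref:\s*(.+)$")
STEP_START_RE = re.compile(r"^\s*-\s")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Expressions that resolve to the (untrusted) PR head when used as a checkout ref.
HEAD_REF_RE = re.compile(r"github\.event\.pull_request\.head|github\.head_ref")


def is_pinned(uses: str) -> bool:
    """True if a `uses:` target is a local action, a docker:// ref, or @<full SHA>."""
    if uses.startswith("./") or uses.startswith("docker://"):
        # Local actions ship with the repository; docker:// refs are out of scope here.
        return True
    if "@" not in uses:
        return False
    _, ref = uses.rsplit("@", 1)
    return bool(FULL_SHA_RE.match(ref))


def scan_workflow(text: str) -> list[tuple[int, str]]:
    """Return (line_number, message) findings for one workflow file's text."""
    findings: list[tuple[int, str]] = []
    lines = text.splitlines()

    # Trigger detection: pull_request_target anywhere in the header before `jobs:`.
    header = []
    for line in lines:
        if re.match(r"^jobs:", line):
            break
        header.append(line)
    uses_prt = any(re.search(r"\bpull_request_target\b", h) for h in header)

    in_checkout = False  # True while inside an actions/checkout step's keys
    for n, line in enumerate(lines, start=1):
        m = USES_RE.match(line)
        if m:
            target = m.group(1)
            in_checkout = target.split("@", 1)[0] == "actions/checkout"
            if not is_pinned(target):
                findings.append((n, f"unpinned action reference: {target}"))
            continue
        if STEP_START_RE.match(line):
            in_checkout = False  # a new step (name:/run:/...) began
            continue
        if in_checkout and uses_prt:
            r = REF_RE.match(line)
            if r and HEAD_REF_RE.search(r.group(1)):
                findings.append((n, "pull_request_target workflow checks out the PR head: "
                                    "untrusted code would run with the base repo token and secrets"))
    return findings


if __name__ == "__main__":
    for label, wf in (("before", BEFORE), ("after", AFTER)):
        print(label, scan_workflow(wf) or "clean")
```

Run against `BEFORE` it reports three findings (the unpinned `checkout@v4`, the head-SHA checkout under `pull_request_target`, and the unpinned `super-linter@latest`); against `AFTER` it reports none. Pointing the same function at `.github/workflows/*.yml` in a checkout is a cheap pre-merge gate for exactly the regressions Dependabot's SHA updates are meant to keep out.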

Development

Successfully merging this pull request may close these issues.

🩹[Patch]: Configure Dependabot for daily schedule with 7-day cooldown
