Releases: PSModule/Process-PSModule
Release list
v6.0.1
Bump PSModule/GitHub-Script from 1.8.0 to 1.9.0 (#367)
Bumps PSModule/GitHub-Script from 1.8.0 to 1.9.0.
- Pin:
8083ec1f733f00357ee4d0db0c6056686e483bc0(# v1.9.0) - Release notes: https://github.com/PSModule/GitHub-Script/releases/tag/v1.9.0
v6.0.0
🌟 [Major]: Fixed test secret inputs replaced by TestData (#365)
Module test jobs now use a TestData object for optional test secrets and non-secret variables. This replaces the previous fixed TEST_* workflow secret inputs: callers that used those inputs must pass the same names inside TestData, while callers that need different names can expose them without changing the shared workflow.
- Fixes #52
Breaking Changes
Removed: fixed TEST_* workflow secret inputs
The reusable workflow no longer declares or accepts these individual test-secret inputs:
TEST_APP_ENT_CLIENT_IDTEST_APP_ENT_PRIVATE_KEYTEST_APP_ORG_CLIENT_IDTEST_APP_ORG_PRIVATE_KEYTEST_USER_ORG_FG_PATTEST_USER_USER_FG_PATTEST_USER_PAT
Callers using any of these inputs must move them into the secrets map inside TestData. The names can stay the same, so existing Pester tests can continue reading the same environment variables.
jobs:
Process-PSModule:
uses: PSModule/Process-PSModule/.github/workflows/workflow.yml@v5
secrets:
APIKey: ${{ secrets.APIKey }}
TestData: >-
{
"secrets": {
"TEST_USER_PAT": "${{ secrets.TEST_USER_PAT }}",
"TEST_APP_ORG_CLIENT_ID": "${{ secrets.TEST_APP_ORG_CLIENT_ID }}"
}
}$env:TEST_USER_PAT
$env:TEST_APP_ORG_CLIENT_IDNew: Caller-selected TestData
TestData is an optional single-line JSON object with secrets and variables maps. Entries from both maps become environment variables in BeforeAll-ModuleLocal, Test-ModuleLocal, and AfterAll-ModuleLocal.
TestData: >-
{
"secrets": {
"CONFLUENCE_API_TOKEN": "${{ secrets.CONFLUENCE_API_TOKEN }}"
},
"variables": {
"CONFLUENCE_SITE": ${{ toJSON(vars.CONFLUENCE_SITE) }},
"CONFLUENCE_SPACE_KEY": ${{ toJSON(vars.CONFLUENCE_SPACE_KEY) }}
}
}$env:CONFLUENCE_API_TOKEN # from the secrets map, masked in logs
$env:CONFLUENCE_SITE # from the variables map, not maskedValues under secrets are masked before being exposed to the test jobs. Values under variables are exposed without masking for normal, non-sensitive configuration. Modules that do not need secrets or variables can omit TestData entirely.
Because the workflow does not use secrets: inherit, only the values explicitly listed in TestData are exposed to module tests.
New: Safe TestData validation and formatting
TestData must parse as a JSON object containing only optional secrets and variables maps. Values in those maps must be scalar values. Keys must be safe environment-variable names matching ^[A-Za-z_][A-Za-z0-9_]*$, must not be duplicated across secrets and variables, and must not override reserved variables such as PATH, CI, GITHUB_*, RUNNER_* or ACTIONS_*.
Pass TestData as a single-line value after YAML folding. The folded >- form is safe when the JSON is compact, or when every JSON content line stays at the same indentation level inside the block.
Avoid normal pretty-printed JSON with nested indentation inside >-. YAML preserves more-indented lines instead of folding them, so that shape can still produce a multi-line secret value. Keeping TestData single-line after folding avoids GitHub treating line fragments as separate mask values.
Use the direct quoted form for single-line secrets:
"CONFLUENCE_API_TOKEN": "${{ secrets.CONFLUENCE_API_TOKEN }}"Using the JSON-encoded approach, github-advanced security will warn that all secrets available to the runner gets exposed.
"CONFLUENCE_API_TOKEN": ${{ toJSON(vars.CONFLUENCE_API_TOKEN) }}Use toJSON(vars.NAME) for variables so normal configuration values are JSON-encoded safely:
"CONFLUENCE_SITE": ${{ toJSON(vars.CONFLUENCE_SITE) }}For multi-line secrets, or secrets containing quotes or backslashes, base64-encode the secret and decode it in the test.
Technical Details
workflow.ymldeclares and forwards a single optionalTestDatasecret instead of the seven fixedTEST_*secrets..github/scripts/Expose-TestData.ps1contains the sharedTestDataparsing, validation, masking, and UTF-8GITHUB_ENVexport logic used by the ModuleLocal workflows.BeforeAll-ModuleLocal.yml,Test-ModuleLocal.yml, andAfterAll-ModuleLocal.ymlcall the shared helper instead of duplicating the security-sensitive exposure logic.Test-Module.ymlno longer declares or exports the obsolete fixedTEST_*secrets.- The fixture-backed self-test workflows skip forked
pull_requestruns where repository secrets and variables are unavailable, while still running for trusted PRs, schedules, and manual dispatches. - The parse failure path uses stable messages that do not echo the raw secret payload, and secret keys are no longer printed in logs.
- The self-test workflows pass dedicated fixture data through
TestData, and the environment Pester tests assert the exact exposed secret and variable values. README.mddocuments the breaking migration path, theTestDatacontract, safe YAML folding, safe key names, environment-scoped value usage, the difference between masked secrets and unmasked variables, and base64 guidance for complex secret values.- The diff also addresses #322's duplicated fixed-secret pass-through without adopting broad
secrets: inherit.
v5.5.9
🪲 [Fix]: Restore correct release versioning in the publish pipeline (#363)
The module publishing pipeline once again calculates and stamps the real release version before publishing, so consumer releases are versioned and tagged correctly instead of shipping the build-time placeholder. This reverts the premature Publish-PSModule major upgrade that left main in an inconsistent state.
- Relates to #326 (move version calculation ahead of the build step)
- Contains the regression introduced by #358
Fixed: Releases are versioned correctly again
Publish-PSModule is pinned back to v2.2.4, which calculates the release version (from labels and tags) and stamps it into the module manifest at publish time. On main, Build-PSModule (v4) only stamps a 999.0.0 placeholder and does not compute the real version, and Publish-PSModule v3.0.0 is publish-only — it expects the manifest to already carry the final version. With v3.0.0 in place, nothing in the pipeline computed the real version, so a real consumer release would have published and tagged 999.0.0. Reverting to v2.2.4 restores the fully consistent old pipeline: Get-Settings → Build (v4, 999.0.0) → Publish (v2.2.4, calculates + stamps).
Only the Publish-PSModule pin is reverted. The other action bumps from #358 (actions/checkout v7.0.0, super-linter v8.7.0) are left in place.
Technical Details
.github/workflows/Publish-Module.yml:PSModule/Publish-PSModulepin reverted03c0f8b… # v3.0.0→8917aed… # v2.2.4. This is the exact pin #358 replaced; nowith:inputs changed — v2.2.4 consumes the version-calculation inputs the workflow already passes, whereas v3.0.0 silently ignored them..github/workflows/Publish-Module.yml: normalized theAPIKeyaction input fromsecrets.APIKEYtosecrets.APIKeyto match theAPIKeysecret declaration and the other workflows (workflow.yml,Workflow-Test-*.yml). GitHub Actions secret names are case-insensitive, so this is a consistency-only change with no behavioral effect (flagged during Copilot review).- This is step 1 (containment) of #326. Follow-ups: release
Resolve-PSModuleVersionwith the #348 fix, then rebase and land PR #342 (Plan job + Build v5 + publish-only Publish) and re-pin the first-party actions together.
v5.5.8
[Patch]: Update GitHub Actions dependencies to latest pinned versions (#358)
Consolidates the currently-passing Dependabot GitHub Actions updates into one change, so the pipeline moves to the latest action versions in a single release instead of separate bumps. It also configures Dependabot to group future GitHub Actions updates into one pull request, so this consolidated form happens automatically from now on.
Superseded Dependabot PRs: #351, #353, #354, #355 — Dependabot closes these automatically once this merges.
⚠️ Build-PSModule v5.0.0 (#350) is intentionally excluded. v5 makesmoduleVersiona required input, which the currentBuild-Module.ymldoes not provide, so it fails CI (6 checks on #350's own PR too). Adopting it needs the "decide version before build" work in #342 and should ship with/after that PR. #350 stays open to track it.
Updated GitHub Actions
| Action | From | To | Bump |
|---|---|---|---|
| actions/checkout | v6.0.2 | v7.0.0 | Major |
| PSModule/Publish-PSModule | v2.2.4 | v3.0.0 | Major |
| super-linter/super-linter | v8.6.0 | v8.7.0 | Minor |
| super-linter/super-linter/slim | v8.6.0 | v8.7.0 | Minor |
This bundle includes two major action upgrades, so it is labelled Major and cuts a major release of Process-PSModule on merge.
Changed: Dependabot groups GitHub Actions updates
.github/dependabot.yml now groups all github-actions updates into a single grouped pull request via a groups block. The github_actions label is also corrected — it was github-actions, which does not match the repository label and was silently dropped by Dependabot.
Technical Details
-
Each bump is a cherry-pick of the original Dependabot commit, preserving authorship and the
Bump X from A to Bmessages for a clean linear history. -
All bumps touch only
uses:pins under.github/workflows/; no logic changes. -
Dependabot grouping added:
groups: github-actions: patterns: - "*"
This groups every GitHub Actions ecosystem update (all semver levels) into one PR. To keep major bumps as separate PRs for individual review, add
update-types: ["minor", "patch"]under the group — majors then continue to open on their own. -
No linked issue: this is Dependabot-driven maintenance; the superseded PRs above are the traceability.
v5.5.7
Bump PSModule/GitHub-Script from 1.7.10 to 1.8.0 (#346)
Bumps PSModule/GitHub-Script from 1.7.10 to 1.8.0.
Release notes
Sourced from PSModule/GitHub-Script's releases.
v1.8.0
🚀 [Minor]: GitHub API rate limit details now available in action logs (#89)
GitHub API rate limit consumption is now visible directly in the action logs. When enabled, rate limit details - including remaining quota, limit, used count, and reset time for all resource categories - are displayed before and after the user script runs, making it easy to see exactly how many API calls a workflow step consumed.
- Fixes #88
New: Rate limit visibility in action logs
A new
ShowRateLimitinput (default:'false') controls whether rate limit information appears in the logs. When set to'true', a Rate Limits LogGroup appears inside the Info fence before the user script, and another Rate Limits LogGroup appears inside the Outputs fence after it.- uses: PSModule/GitHub-Script@v1 with: ShowRateLimit: 'true' Script: | Get-GitHubRepository -Owner PSModule -Name GitHub-ScriptThe output includes a formatted table of all resource categories returned by
Get-GitHubRateLimit(core, search, graphql, etc.), each showingLimit,Used,Remaining,ResetsAt, andResetsIn.When the input is omitted or set to
'false'(the default), no rate limit output appears.If
ShowRateLimitis enabled butShowInfoorShowOutputis off, the corresponding fence still renders with just the rate limit content inside. For auth types that do not supportGet-GitHubRateLimit(for example GitHub App contexts), a warning is shown instead of failing.Technical Details
- Added
ShowRateLimitinput toaction.ymlwithrequired: falseanddefault: 'false'.- Added
PSMODULE_GITHUB_SCRIPT_INPUT_ShowRateLimitenvironment variable to the composite step.- Created
src/ratelimit.ps1as a helper script (no fence borders) that checks the guard and renders a singleRate LimitsLogGroup.src/ratelimit.ps1now callsGet-GitHubRateLimit -ErrorAction Stopso non-terminating errors are caught reliably in unsupported auth contexts.src/ratelimit.ps1explicitly selectsName,Limit,Used,Remaining,ResetsAt, andResetsInbefore formatting to keep columns deterministic.- Modified
src/info.ps1: adjusted the early-return guard to also considerShowRateLimit, wrapped existing LogGroups inif ($showInfo), and callsratelimit.ps1before the fence close.- Modified
src/outputs.ps1: adjusted the early-return guard to also considerShowRateLimit, wrapped existing output LogGroups inif ($result), and callsratelimit.ps1before the fence close.- The
action.ymlrun block remains in the same flow, whileinfo.ps1andoutputs.ps1invoke the helper internally.- Enabled
ShowRateLimit: trueacross all Action-Test scenarios in.github/workflows/TestWorkflow.yml, including Basic, WithScript path variants, Commands + Outputs, Matrix Creator, WithoutToken, WithPAT, WithUserFGPAT, WithOrgFGPAT, GitHubAppEnt, GitHubAppOrg + quoted inputs, WithKeyVaultKeyReference, WithKeyVaultKeyReferenceLatest, and PreserveCredentials False.
Commits
1ee97bb🚀 [Minor]: GitHub API rate limit details now available in action logs (#89)8649c46Bump azure/login from 2.3.0 to 3.0.0 (#86)e3b0111⚙️ [Maintenance]: Add afterall to codespell ignore words list (#85)2d8efc6Bump super-linter/super-linter from 8.4.0 to 8.5.0 (#84)611c5dc⚙️ [Maintenance]: Update super-linter to v8.4.0 (#83)99556fc⚙️ [Maintenance]: Align workflows across action repositories (#82)- See full diff in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
v5.5.6
Bump PSModule/Build-PSModule from 4.0.14 to 4.0.15 (#345)
Bumps PSModule/Build-PSModule from 4.0.14 to 4.0.15.
Release notes
Sourced from PSModule/Build-PSModule's releases.
v4.0.15
Bump actions/upload-artifact from 7.0.0 to 7.0.1 (#134)
Bumps actions/upload-artifact from 7.0.0 to 7.0.1.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
... (truncated)
Commits
3b368feBump actions/upload-artifact from 7.0.0 to 7.0.1 (#134)- See full diff in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
v5.5.5
Bump PSModule/Invoke-Pester from 4.2.4 to 4.2.5 (#344)
Bumps PSModule/Invoke-Pester from 4.2.4 to 4.2.5.
Release notes
Sourced from PSModule/Invoke-Pester's releases.
v4.2.5
Bump actions/upload-artifact from 7.0.0 to 7.0.1 (#63)
Bumps actions/upload-artifact from 7.0.0 to 7.0.1.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
... (truncated)
Commits
266d1cfBump actions/upload-artifact from 7.0.0 to 7.0.1 (#63)- See full diff in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
v5.5.4
Bump actions/upload-pages-artifact from 4.0.0 to 5.0.0 (#340)
Bumps actions/upload-pages-artifact from 4.0.0 to 5.0.0.
Release notes
Sourced from actions/upload-pages-artifact's releases.
v5.0.0
Changelog
- Update upload-artifact action to version 7
@Tom-van-Woudenberg(#139)- feat: add
include-hidden-filesinput@jonchurch(#137)See details of all code changes since previous release.
Commits
fc324d3Merge pull request #139 from Tom-van-Woudenberg/patch-1fe9d4b7Merge branch 'main' into patch-10ca1617Merge pull request #137 from jonchurch/include-hidden-files57f0e84Update action.yml4a90348v7 --> hash56f665aUpdate upload-artifact action to version 7f7615f5Addinclude-hidden-filesinput- See full diff in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
v5.5.3
Bump actions/upload-artifact from 7.0.0 to 7.0.1 (#341)
Bumps actions/upload-artifact from 7.0.0 to 7.0.1.
Release notes
Sourced from actions/upload-artifact's releases.
v7.0.1
What's Changed
- Update the readme with direct upload details by
@danwkennedyin actions/upload-artifact#795- Readme: bump all the example versions to v7 by
@danwkennedyin actions/upload-artifact#796- Include changes in typespec/ts-http-runtime 0.3.5 by
@yacaovsncin actions/upload-artifact#797Full Changelog: actions/upload-artifact@v7...v7.0.1
Commits
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
v5.5.2
🩹 [Patch]: Bump PSModule/Publish-PSModule to v2.2.4 (#312)
The module publishing workflow now uses the latest PSModule/Publish-PSModule action release, so publish jobs run with the newest patch-level fixes while keeping the same workflow behavior.
Changed: Module publishing dependency
The Publish-Module.yml reusable workflow now references PSModule/Publish-PSModule v2.2.4 (pinned by commit SHA) instead of v2.2.3.
- name: Publish module
uses: PSModule/Publish-PSModule@8917aed588dae1bd1aa2873b1caec1c50c20d255 # v2.2.4No workflow inputs or invocation patterns changed for consumers.
Technical Details
- Updated one dependency reference in
.github/workflows/Publish-Module.yml. - The action remains SHA-pinned with a version comment for traceability and supply-chain integrity.