[StepSecurity] Apply security best practices #149
name: Tests

# Run on pushes to the integration branches, on PRs targeting main, and on
# demand from the Actions tab.
on:
  push:
    branches: [main, dev]
  pull_request:
    branches: [main]
  workflow_dispatch:

# Workflow-wide default for GITHUB_TOKEN: read-only checkout. Jobs that need
# more must widen this explicitly; none of the test jobs do.
permissions:
  contents: read
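jobs:
  # Legacy host: Windows PowerShell 5.1 (Desktop edition). The module must
  # still import, test and render help cleanly here.
  windows-powershell:
    name: Windows PowerShell 5.1
    runs-on: windows-latest
    env:
      CI: true
      POWERSHELL_EDITION: Desktop
      PS_VERSION: 5.1
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          # `audit` only records egress. Once the run logs show the expected
          # endpoints (PSGallery, npm, codecov), switch to `block` with an
          # `allowed-endpoints` list so an unexpected outbound call fails the job.
          egress-policy: audit
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # No step below pushes, so do not leave GITHUB_TOKEN in .git/config
          # where the npm script and any installed module could read it.
          persist-credentials: false
      - name: Install dependencies
        shell: powershell
        run: |
          Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
          # Presence alone is not enough: Windows PowerShell ships an inbox
          # Pester 3.x, so gate on the version the test suite actually needs.
          $pester = Get-Module -ListAvailable -Name Pester |
            Where-Object { $_.Version -ge [version]'5.4.0' }
          if (-not $pester) {
            # -SkipPublisherCheck is needed on this host: the inbox Pester 3.x
            # carries a different publisher signature than the gallery release,
            # and Install-Module refuses the replacement otherwise.
            Install-Module -Name Pester -MinimumVersion 5.4.0 -Force -SkipPublisherCheck
          }
          if (-not (Get-Module -ListAvailable -Name PSScriptAnalyzer)) {
            Install-Module -Name PSScriptAnalyzer -Force -SkipPublisherCheck
          }
      - name: Run Pester tests with coverage
        shell: powershell
        run: |
          # NOTE(review): no `npm ci` precedes this, so `test:coverage` is
          # presumably a thin wrapper that invokes Pester directly rather than
          # anything under node_modules — confirm against package.json.
          npm run test:coverage -- -CI
      - name: Upload test results
        if: always()
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: test-results-windows-51
          path: testResults.junit.xml
      - name: Upload coverage results
        if: always()
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: coverage-windows-51
          path: coverage.xml
      - name: Upload coverage to Codecov
        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v5.1.2
        with:
          # Same token the test-results upload below already uses; keeps the
          # two Codecov uploads consistent. (The secret is empty on fork PRs.)
          token: ${{ secrets.CODECOV_TOKEN }}
          files: ./coverage.xml
          flags: windows-powershell-51
          name: windows-powershell-51
      - name: Upload test results to Codecov
        if: ${{ !cancelled() }}
        uses: codecov/test-results-action@0fa95f0e1eeaafde2c782583b36b28ad0d8c77d3 # v1.2.1
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          files: ./testResults.junit.xml
      - name: Validate help topics
        shell: powershell
        run: |
          Import-Module ./ColorScripts-Enhanced -Force
          Get-Help Show-ColorScript
          Get-Help about_ColorScripts-Enhanced

  # Current host: PowerShell 7.5 on all three OSes. This is also the only job
  # that runs PSScriptAnalyzer.
  pwsh-cross-platform:
    name: PowerShell 7.5 (${{ matrix.os }})
    runs-on: ${{ matrix.os }}
    env:
      CI: true
      POWERSHELL_EDITION: Core
      PS_VERSION: 7.5
    strategy:
      # Let every OS finish so one platform's failure does not hide another's.
      fail-fast: false
      matrix:
        os:
          - windows-latest
          - ubuntu-latest
          - macos-latest
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          # `audit` only records egress; move to `block` + `allowed-endpoints`
          # once the expected destinations are known from the audit logs.
          egress-policy: audit
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Read-only job with no push: do not persist GITHUB_TOKEN on disk.
          persist-credentials: false
      - name: Verify PowerShell version
        shell: pwsh
        run: |
          $PSVersionTable.PSVersion
          Write-Host "PowerShell $($PSVersionTable.PSVersion) detected"
      - name: Install dependencies
        shell: pwsh
        run: |
          Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
          # Gate on the minimum version, not mere presence, so a stale
          # preinstalled Pester does not silently satisfy the check.
          $pester = Get-Module -ListAvailable -Name Pester |
            Where-Object { $_.Version -ge [version]'5.4.0' }
          if (-not $pester) {
            # -SkipPublisherCheck only matters on the windows-latest leg, where
            # an inbox Pester with a different publisher signature may exist.
            Install-Module -Name Pester -MinimumVersion 5.4.0 -Force -SkipPublisherCheck
          }
          if (-not (Get-Module -ListAvailable -Name PSScriptAnalyzer)) {
            Install-Module -Name PSScriptAnalyzer -Force -SkipPublisherCheck
          }
      - name: Run Pester tests with coverage
        shell: pwsh
        run: |
          # NOTE(review): no `npm ci` precedes this; `test:coverage` presumably
          # shells out to Pester directly — confirm against package.json.
          npm run test:coverage -- -CI
      - name: Upload test results
        if: always()
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: test-results-${{ matrix.os }}-pwsh
          path: testResults.junit.xml
      - name: Upload coverage results
        if: always()
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: test-coverage-${{ matrix.os }}-pwsh
          path: coverage.xml
      - name: Upload coverage to Codecov
        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v5.1.2
        with:
          # Same token the test-results upload below already uses.
          token: ${{ secrets.CODECOV_TOKEN }}
          files: ./coverage.xml
          flags: pwsh-${{ matrix.os }}
          name: pwsh-${{ matrix.os }}
      - name: Upload test results to Codecov
        if: ${{ !cancelled() }}
        uses: codecov/test-results-action@0fa95f0e1eeaafde2c782583b36b28ad0d8c77d3 # v1.2.1
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          files: ./testResults.junit.xml
      - name: Run script analyzer
        shell: pwsh
        run: |
          Import-Module PSScriptAnalyzer
          # Analyze module files, excluding the Scripts folder that holds the
          # colorscripts themselves. 'Scripts' must match as a whole path
          # segment: the previous '*Scripts*' wildcard also matched the
          # 'ColorScripts-Enhanced' directory present in every FullName, so the
          # filter dropped every file and the step passed without analyzing
          # anything.
          $modulePath = './ColorScripts-Enhanced'
          $files = Get-ChildItem -Path $modulePath -File -Recurse -Include *.ps1, *.psm1, *.psd1 |
            Where-Object { $_.FullName -notmatch '[\\/]Scripts[\\/]' }
          # Fail loudly on an empty set so a broken path or filter can never
          # turn this gate into a vacuous pass again.
          if (-not $files) {
            throw "ScriptAnalyzer found no module files under $modulePath; check the path and the exclusion filter."
          }
          $results = foreach ($file in $files) {
            Invoke-ScriptAnalyzer -Path $file.FullName -Settings './PSScriptAnalyzerSettings.psd1' -Severity 'Error','Warning'
          }
          if ($results) {
            $results | Format-Table -AutoSize
            throw 'ScriptAnalyzer reported findings in module files.'
          }
      - name: Validate help topics
        shell: pwsh
        run: |
          Import-Module ./ColorScripts-Enhanced -Force
          Get-Help Show-ColorScript
          Get-Help about_ColorScripts-Enhanced

  # Early warning for the next PowerShell release: smoke tests only.
  pwsh-preview:
    name: PowerShell 7.5 Preview (ubuntu)
    runs-on: ubuntu-latest
    container:
      # NOTE(review): `preview` is a floating tag, so this job is not
      # reproducible and tracks whatever was last published under it. Pin to
      # a digest (image@sha256:...) and bump it deliberately.
      image: mcr.microsoft.com/powershell:preview
    env:
      CI: true
      POWERSHELL_EDITION: Core
      PS_VERSION: preview
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          # NOTE(review): this job's steps run inside `container:` while the
          # runner agent works on the host; confirm in the harden-runner docs
          # that egress from container jobs is actually observed, otherwise
          # this step is decorative here.
          egress-policy: audit
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Read-only job with no push: do not persist GITHUB_TOKEN on disk.
          persist-credentials: false
      - name: Install PowerShell module dependencies
        shell: pwsh
        run: |
          Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
          # Gate on the minimum version, not mere presence.
          $pester = Get-Module -ListAvailable -Name Pester |
            Where-Object { $_.Version -ge [version]'5.4.0' }
          if (-not $pester) {
            Install-Module -Name Pester -MinimumVersion 5.4.0 -Force -SkipPublisherCheck
          }
          if (-not (Get-Module -ListAvailable -Name PSScriptAnalyzer)) {
            Install-Module -Name PSScriptAnalyzer -Force -SkipPublisherCheck
          }
      - name: Run smoke tests on preview build
        shell: pwsh
        run: |
          ./scripts/Test-Module.ps1
      - name: Import module on preview build
        shell: pwsh
        run: |
          Import-Module ./ColorScripts-Enhanced -Force
          Get-ColorScriptList -AsObject | Select-Object -First 1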