Feature: 001-merge-ci-release-workflows
Date: 2025-10-02
Workflow File: .github/workflows/workflow.yml
The unified workflow maintains the same API surface as the existing workflow.yml to ensure backward compatibility with consuming repositories.
on:
workflow_call:
# Unchanged from v4.xContract: Workflow is callable from consuming repository workflows using uses: syntax.
Example Consumer Usage:
name: Process-PSModule
on:
pull_request:
branches: [main]
types: [closed, opened, reopened, synchronize, labeled]
push:
branches: [main]
workflow_dispatch:
jobs:
Process-PSModule:
uses: PSModule/Process-PSModule/.github/workflows/workflow.yml@v5
secrets:
APIKEY: ${{ secrets.APIKEY }}All inputs remain unchanged from workflow.yml v4.x:
- Type:
string - Description: The name of the module to process. Scripts default to the repository name if nothing is specified.
- Required:
false - Default: Repository name (auto-detected)
- Type:
string - Description: The path to the settings file. Settings in the settings file take precedence over the action inputs.
- Required:
false - Default:
.github/PSModule.yml
- Type:
boolean - Description: Enable debug output.
- Required:
false - Default:
false
- Type:
boolean - Description: Enable verbose output.
- Required:
false - Default:
false
- Type:
string - Description: Specifies the version of the GitHub module to be installed. The value must be an exact version.
- Required:
false - Default:
''(latest stable)
- Type:
boolean - Description: Whether to use a prerelease version of the 'GitHub' module.
- Required:
false - Default:
false
- Type:
string - Description: The path to the root of the repo.
- Required:
false - Default:
'.'(repository root)
All secrets remain unchanged from workflow.yml v4.x:
- Description: The API key for the PowerShell Gallery.
- Required:
true(for Publish-Module job execution) - Used By: Publish-Module job
- Note: Required even in CI-only mode (job is skipped but secret must be defined)
- Description: The client ID of an Enterprise GitHub App for running tests.
- Required:
false - Used By: Test-ModuleLocal job (if Enterprise App tests are enabled)
- Description: The private key of an Enterprise GitHub App for running tests.
- Required:
false - Used By: Test-ModuleLocal job (if Enterprise App tests are enabled)
- Description: The client ID of an Organization GitHub App for running tests.
- Required:
false - Used By: Test-ModuleLocal job (if Organization App tests are enabled)
- Description: The private key of an Organization GitHub App for running tests.
- Required:
false - Used By: Test-ModuleLocal job (if Organization App tests are enabled)
- Description: The fine-grained personal access token with org access for running tests.
- Required:
false - Used By: Test-ModuleLocal job (if org-level tests are enabled)
- Description: The fine-grained personal access token with user account access for running tests.
- Required:
false - Used By: Test-ModuleLocal job (if user-level tests are enabled)
- Description: The classic personal access token for running tests.
- Required:
false - Used By: Test-ModuleLocal job (if PAT-based tests are enabled)
The workflow does not define explicit outputs. Results are communicated through:
-
Workflow Artifacts:
module: Built module artifact (from Build-Module job)site: Documentation site artifact (from Build-Site job)test-results: Test result files (from test jobs)code-coverage: Code coverage reports (from Get-CodeCoverage job)
-
GitHub Releases: Created by Publish-Module job (release mode only)
-
GitHub Pages: Deployed by Publish-Site job (release mode only)
-
Workflow Status: Success/failure status reported to PR and commit status checks
The workflow requires the following permissions:
permissions:
contents: write # to checkout the repo and create releases on the repo
pull-requests: write # to write comments to PRs
statuses: write # to update the status of the workflow from linter
pages: write # to deploy to Pages
id-token: write # to verify the deployment originates from an appropriate sourceNote: These permissions are required for full functionality (CI + Release mode). In CI-only mode, pages and id-token permissions are unused but do not cause issues.
The following jobs execute in all modes (CI-only and CI + Release):
- Get-Settings: Load and parse module settings
- Build-Module: Compile module from source
- Build-Docs: Generate module documentation
- Build-Site: Build documentation site
- Test-SourceCode: Matrix test source code (multiple OS)
- Lint-SourceCode: Matrix lint source code (multiple OS)
- Test-Module: Test built module integrity
- BeforeAll-ModuleLocal: Setup external test resources (if tests/BeforeAll.ps1 exists)
- Test-ModuleLocal: Matrix test module functionality (ubuntu, windows, macos)
- AfterAll-ModuleLocal: Teardown external test resources (if tests/AfterAll.ps1 exists)
- Get-TestResults: Aggregate and validate test results
- Get-CodeCoverage: Analyze code coverage
The following jobs execute only in CI + Release mode:
-
Publish-Module: Publish module to PowerShell Gallery
- Condition: Tests pass AND (merged PR OR push to default branch)
-
Publish-Site: Deploy documentation to GitHub Pages
- Condition: Tests pass AND Build-Site succeeds AND (merged PR OR push to default branch)
if: |
needs.Get-Settings.result == 'success' &&
needs.Get-TestResults.result == 'success' &&
needs.Get-CodeCoverage.result == 'success' &&
!cancelled() &&
(
(github.event_name == 'pull_request' && github.event.pull_request.merged == true) ||
(github.event_name == 'push' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch))
)Publishes When:
- All tests pass (Get-TestResults, Get-CodeCoverage success)
- Workflow not cancelled
- Either:
- Pull request merged to default branch, OR
- Direct push to default branch
Skips When:
- Tests fail
- Workflow cancelled
- Unmerged pull request
- Manual trigger (
workflow_dispatch) - Scheduled run (
schedule) - Push to non-default branch
if: |
needs.Get-Settings.result == 'success' &&
needs.Get-TestResults.result == 'success' &&
needs.Get-CodeCoverage.result == 'success' &&
needs.Build-Site.result == 'success' &&
!cancelled() &&
(
(github.event_name == 'pull_request' && github.event.pull_request.merged == true) ||
(github.event_name == 'push' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch))
)Publishes When: Same as Publish-Module, plus Build-Site must succeed
Event: github.event_name == 'pull_request' AND github.event.pull_request.merged == false
Behavior:
- ✅ Execute all CI jobs (build, test, lint)
- ❌ Skip Publish-Module
- ❌ Skip Publish-Site
- ✅ Report test results as PR status checks
- ✅ Comment on PR with test/coverage results
Exit: Workflow completes after test results
Event: github.event_name == 'pull_request' AND github.event.pull_request.merged == true
Behavior:
- ✅ Execute all CI jobs (build, test, lint)
- ✅ Execute Publish-Module (if tests pass)
- ✅ Execute Publish-Site (if tests pass and Build-Site succeeds)
- ✅ Create GitHub release
- ✅ Deploy documentation to GitHub Pages
Exit: Workflow completes after successful publish
Event: github.event_name == 'push' AND github.ref == 'refs/heads/main'
Behavior: Same as merged pull request
- ✅ Execute all CI jobs
- ✅ Execute Publish-Module (if tests pass)
- ✅ Execute Publish-Site (if tests pass)
Note: Direct pushes bypass PR validation; use with caution
Event: github.event_name == 'push' AND github.ref != 'refs/heads/main'
Behavior:
- ✅ Execute all CI jobs
- ❌ Skip Publish-Module
- ❌ Skip Publish-Site
Use Case: Feature branch validation without PR
Event: github.event_name == 'workflow_dispatch'
Behavior:
- ✅ Execute all CI jobs
- ❌ Skip Publish-Module
- ❌ Skip Publish-Site
Use Case: On-demand validation without publishing
Event: github.event_name == 'schedule'
Behavior:
- ✅ Execute all CI jobs
- ❌ Skip Publish-Module
- ❌ Skip Publish-Site
Use Case: Nightly regression testing
Impact: ✅ None - Existing behavior preserved
Changes Required: None (optional: review trigger conditions in consuming repo workflow)
Impact:
Changes Required: Migrate to workflow.yml during v5.x lifecycle
Migration Path:
- Update consuming repository workflow to call workflow.yml instead of CI.yml
- Test both PR and merge workflows
- Remove CI.yml reference from consuming repository
Impact: 🌟 Breaking Change - Major version bump (v5.0.0)
Changes:
- CI.yml deprecated (removed in v6.0.0)
- Unified workflow.yml handles all scenarios
- New conditional execution logic
Consuming repositories should validate these scenarios after migration:
- ✅ PR Opened: CI runs, no publish
- ✅ PR Synchronized: CI runs, no publish
- ✅ PR Merged: CI runs, publish succeeds
- ✅ Direct Push to Main: CI runs, publish succeeds
- ✅ Push to Feature Branch: CI runs (if configured), no publish
- ✅ Manual Trigger: CI runs, no publish
- ✅ Test Failure: Workflow fails, no publish
- ✅ Coverage Below Threshold: Workflow fails, no publish
| Process-PSModule Version | Unified Workflow | CI.yml Support | API Breaking Changes |
|---|---|---|---|
| v4.x (current) | ❌ No | ✅ Yes | N/A |
| v5.0 (this feature) | ✅ Yes | No (for workflow.yml users) | |
| v6.0 (future) | ✅ Yes | ❌ Removed | Yes (CI.yml removed) |
The unified workflow maintains API compatibility with workflow.yml v4.x while adding intelligent conditional execution. Consuming repositories using workflow.yml continue working without changes. Consumers using CI.yml should migrate during the v5.x support period.