10 changes: 0 additions & 10 deletions .github/linters/.jscpd.json

This file was deleted.

18 changes: 0 additions & 18 deletions .github/release.yml

This file was deleted.

1 change: 1 addition & 0 deletions .github/workflows/Linter.yml
@@ -29,6 +29,7 @@ jobs:
env:
GITHUB_TOKEN: ${{ github.token }}
VALIDATE_BIOME_FORMAT: false
VALIDATE_JSCPD: false
VALIDATE_JSON_PRETTIER: false
VALIDATE_MARKDOWN_PRETTIER: false
VALIDATE_YAML_PRETTIER: false
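Review bot: VALIDATE_JSCPD: false switches copy-paste detection off for the whole repository, and the deletion of .github/linters/.jscpd.json in the same PR removes the only per-repo tuning for it, so the check cannot simply be turned back on later without redoing that configuration. If the intent is to silence a specific finding, keeping the check and extending the ignore list in .jscpd.json is the narrower fix; if the check is being dropped on purpose, say so in the PR description so the next reader does not re-enable it blindly.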
@@ -1,6 +1,6 @@
name: Auto-Release
name: Release

run-name: "Auto-Release - [${{ github.event.pull_request.title }} #${{ github.event.pull_request.number }}] by @${{ github.actor }}"
run-name: "Release - [${{ github.event.pull_request.title }} #${{ github.event.pull_request.number }}] by @${{ github.actor }}"

on:
pull_request:
@@ -12,6 +12,9 @@ on:
- reopened
- synchronize
- labeled
paths:
- 'action.yml'
- 'src/**'

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
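Review bot: the new paths filter (action.yml, src/**) applies to every pull_request activity type listed above, including labeled, so a PR that only touches this workflow, the Linter workflow or other repository files will never run the Release job even when a release label is added. If label-driven releases are meant to work for any PR, drop paths (or use paths-ignore for documentation-only changes); otherwise document that a release requires changes under action.yml or src/.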
@@ -22,15 +25,15 @@ permissions:
pull-requests: write

jobs:
Auto-Release:
Release:
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Auto-Release
uses: PSModule/Auto-Release@eabd533035e2cb9822160f26f2eda584bd012356 # v1.9.5
- name: Release
uses: PSModule/Release-GHRepository@88c70461c8f16cc09682005bcf3b7fca4dd8dc1a # v2.0.1
with:
IncrementalPrerelease: false
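Review bot: the switch from PSModule/Auto-Release to PSModule/Release-GHRepository keeps the full commit SHA pin with a version comment (# v2.0.1), which is the right practice for a third-party action running with pull-requests: write. The open question is whether Release-GHRepository declares the IncrementalPrerelease input carried over from Auto-Release: an input the action does not declare only produces an "Unexpected input(s)" warning in the job log, not a failure, so a renamed or dropped input would silently change prerelease behaviour. Confirm the input name against the v2.0.1 action.yml before merging.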
8 changes: 4 additions & 4 deletions action.yml
@@ -22,7 +22,7 @@
required: false
default: 'true'
IncrementalPrerelease:
description: Control wether to automatically increment the prerelease number. If disabled, the action will ensure only one prerelease exists for a given branch.
description: Control whether to automatically increment the prerelease number. If disabled, the action will ensure only one prerelease exists for a given branch.
required: false
default: 'true'
DatePrereleaseFormat:
@@ -102,7 +102,7 @@
PSMODULE_PUBLISH_PSMODULE_INPUT_PatchLabels: ${{ inputs.PatchLabels }}
PSMODULE_PUBLISH_PSMODULE_INPUT_VersionPrefix: ${{ inputs.VersionPrefix }}
PSMODULE_PUBLISH_PSMODULE_INPUT_WhatIf: ${{ inputs.WhatIf }}
run: ${{ github.action_path }}/scripts/init.ps1
run: ${{ github.action_path }}/src/init.ps1
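Review bot: run: ${{ github.action_path }}/src/init.ps1 changes the directory but still expands a workflow expression directly into the script body, which is why CodeQL keeps the code-injection alert on this line. github.action_path is set by the runner to the action's checkout directory rather than from PR-controlled data such as titles or branch names, so the practical exposure is low, but the env-var form (ACTION_PATH: ${{ github.action_path }} under env:, & "$env:ACTION_PATH/src/init.ps1" in run:) costs nothing, also copes with a path containing spaces, and clears the alert. Apply the same shape to the publish.ps1 and cleanup.ps1 steps so all three scripts are invoked the same way.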

Check warning: Code scanning / CodeQL
Code injection (Medium): Potential code injection in ${{ github.action_path }}, which may be controlled by an external user.

Copilot Autofix (AI, about 3 hours ago)

In general, to fix this kind of issue in GitHub Actions, do not interpolate expressions like ${{ ... }} directly into the run: script body. Instead, assign the value to an environment variable using the env: block, then reference it using the shell’s native syntax (e.g. $VAR in bash, $env:VAR in PowerShell). This removes the expression evaluation from the command line construction and prevents an attacker from smuggling shell metacharacters through GitHub’s expression substitution.

For this specific case, we will stop using ${{ github.action_path }}/src/*.ps1 directly in run: and instead expose github.action_path through an environment variable (for example, ACTION_PATH) and use that variable inside the PowerShell command. Since this is a composite action using shell: pwsh, we will call PowerShell with -File pointing at $env:ACTION_PATH/src/init.ps1 (and similarly for publish.ps1 and cleanup.ps1). Concretely:

  • On the “Initialize Publish Context” step, add ACTION_PATH: ${{ github.action_path }} to env: and change run: to something like pwsh -File "$env:ACTION_PATH/src/init.ps1".
  • On the “Publish Module” step, likewise add ACTION_PATH and change the run: line to use it.
  • On the “Cleanup Prereleases” step, do the same.

These are all in action.yml, within the runs.steps section around lines 88–135 in your snippet. No new external dependencies or imports are required; we only adjust the workflow YAML to follow the safe environment-variable pattern.


Suggested changeset 1: action.yml
Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/action.yml b/action.yml
--- a/action.yml
+++ b/action.yml
@@ -90,6 +90,7 @@
       shell: pwsh
       working-directory: ${{ inputs.WorkingDirectory }}
       env:
+        ACTION_PATH: ${{ github.action_path }}
         PSMODULE_PUBLISH_PSMODULE_INPUT_Name: ${{ inputs.Name }}
         PSMODULE_PUBLISH_PSMODULE_INPUT_AutoCleanup: ${{ inputs.AutoCleanup }}
         PSMODULE_PUBLISH_PSMODULE_INPUT_AutoPatching: ${{ inputs.AutoPatching }}
@@ -102,7 +103,7 @@
         PSMODULE_PUBLISH_PSMODULE_INPUT_PatchLabels: ${{ inputs.PatchLabels }}
         PSMODULE_PUBLISH_PSMODULE_INPUT_VersionPrefix: ${{ inputs.VersionPrefix }}
         PSMODULE_PUBLISH_PSMODULE_INPUT_WhatIf: ${{ inputs.WhatIf }}
-      run: ${{ github.action_path }}/src/init.ps1
+      run: pwsh -File "$env:ACTION_PATH/src/init.ps1"
 
     - name: Download module artifact
       if: env.PUBLISH_CONTEXT_ShouldPublish == 'true' || inputs.WhatIf == 'true'
@@ -116,6 +117,7 @@
       shell: pwsh
       working-directory: ${{ inputs.WorkingDirectory }}
       env:
+        ACTION_PATH: ${{ github.action_path }}
         PSMODULE_PUBLISH_PSMODULE_INPUT_Name: ${{ inputs.Name }}
         PSMODULE_PUBLISH_PSMODULE_INPUT_ModulePath: ${{ inputs.ModulePath }}
         PSMODULE_PUBLISH_PSMODULE_INPUT_APIKey: ${{ inputs.APIKey }}
@@ -123,12 +125,13 @@
         PSMODULE_PUBLISH_PSMODULE_INPUT_UsePRBodyAsReleaseNotes: ${{ inputs.UsePRBodyAsReleaseNotes }}
         PSMODULE_PUBLISH_PSMODULE_INPUT_UsePRTitleAsReleaseName: ${{ inputs.UsePRTitleAsReleaseName }}
         PSMODULE_PUBLISH_PSMODULE_INPUT_UsePRTitleAsNotesHeading: ${{ inputs.UsePRTitleAsNotesHeading }}
-      run: ${{ github.action_path }}/src/publish.ps1
+      run: pwsh -File "$env:ACTION_PATH/src/publish.ps1"
 
     - name: Cleanup Prereleases
       if: env.PUBLISH_CONTEXT_ShouldCleanup == 'true' || inputs.WhatIf == 'true'
       shell: pwsh
       working-directory: ${{ inputs.WorkingDirectory }}
       env:
+        ACTION_PATH: ${{ github.action_path }}
         PSMODULE_PUBLISH_PSMODULE_INPUT_WhatIf: ${{ inputs.WhatIf }}
-      run: ${{ github.action_path }}/src/cleanup.ps1
+      run: pwsh -File "$env:ACTION_PATH/src/cleanup.ps1"
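Review bot: invoking the scripts as pwsh -File "$env:ACTION_PATH/src/cleanup.ps1" (and likewise for init.ps1 and publish.ps1 in the earlier hunks) inside steps that already run under shell: pwsh starts a second PowerShell process per step. It works, since the child inherits GITHUB_ENV and GITHUB_OUTPUT and GitHub's pwsh wrapper exits with $LASTEXITCODE so a failing script still fails the step, but the call-operator form & "$env:ACTION_PATH/src/cleanup.ps1" proposed in the other autofix on this page achieves the same without the extra process and keeps the script in the step's own session. Pick one form and use it for all three steps.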
EOF

- name: Download module artifact
if: env.PUBLISH_CONTEXT_ShouldPublish == 'true' || inputs.WhatIf == 'true'
@@ -123,12 +123,12 @@
PSMODULE_PUBLISH_PSMODULE_INPUT_UsePRBodyAsReleaseNotes: ${{ inputs.UsePRBodyAsReleaseNotes }}
PSMODULE_PUBLISH_PSMODULE_INPUT_UsePRTitleAsReleaseName: ${{ inputs.UsePRTitleAsReleaseName }}
PSMODULE_PUBLISH_PSMODULE_INPUT_UsePRTitleAsNotesHeading: ${{ inputs.UsePRTitleAsNotesHeading }}
run: ${{ github.action_path }}/scripts/publish.ps1
run: ${{ github.action_path }}/src/publish.ps1

Check warning: Code scanning / CodeQL
Code injection (Medium): Potential code injection in ${{ github.action_path }}, which may be controlled by an external user.

Copilot Autofix (AI, about 3 hours ago): Copilot could not generate an autofix suggestion for this alert. Try pushing a new commit or if the problem persists contact support.

Comment on lines 123 to +126 (Copilot AI, Jan 25, 2026)
The Publish Module step is configured to run when either PUBLISH_CONTEXT_ShouldPublish == 'true' or inputs.WhatIf == 'true', but init.ps1 only calculates and exports PUBLISH_CONTEXT_NewVersion when ShouldPublish is true. As a result, scenarios where ShouldPublish is false (e.g., due to ignore labels or ReleaseType = 'None') but WhatIf is true will still invoke src/publish.ps1, which then exits with PUBLISH_CONTEXT_NewVersion is not set instead of performing a dry-run. Consider restricting this step to PUBLISH_CONTEXT_ShouldPublish == 'true' only, or updating init.ps1 to compute and export PUBLISH_CONTEXT_NewVersion for WhatIf runs even when ShouldPublish is false.


- name: Cleanup Prereleases
if: env.PUBLISH_CONTEXT_ShouldCleanup == 'true' || inputs.WhatIf == 'true'
shell: pwsh
working-directory: ${{ inputs.WorkingDirectory }}
env:
PSMODULE_PUBLISH_PSMODULE_INPUT_WhatIf: ${{ inputs.WhatIf }}
run: ${{ github.action_path }}/scripts/cleanup.ps1
run: ${{ github.action_path }}/src/cleanup.ps1

Check warning: Code scanning / CodeQL
Code injection (Medium): Potential code injection in ${{ github.action_path }}, which may be controlled by an external user.

Copilot Autofix (AI, about 4 hours ago)

In general, to fix this class of problem in GitHub Actions, avoid interpolating expressions like ${{ ... }} directly into run: commands. Instead, assign the expression to an environment variable using the env: block, and then reference that variable using the native syntax of the shell (e.g., $VAR in bash, $env:VAR or $VAR in PowerShell). This limits where untrusted or semi-trusted data can affect command structure.

For this specific case, we should stop embedding ${{ github.action_path }} directly in the run: line and instead: (1) expose github.action_path via an env var (e.g., ACTION_PATH), and (2) call the PowerShell script using that env variable in PowerShell syntax. Since shell: pwsh is used, the simplest syntax is to call & "$env:ACTION_PATH/src/publish.ps1" and & "$env:ACTION_PATH/src/cleanup.ps1". This preserves functionality while avoiding direct expression interpolation in the run: field.

Concretely:

  • In the Publish Module step (around lines 114–126), add ACTION_PATH: ${{ github.action_path }} under env: and replace run: ${{ github.action_path }}/src/publish.ps1 with a multi-line run: script that invokes the script via $env:ACTION_PATH.
  • In the Cleanup Prereleases step (around lines 128–134), similarly add ACTION_PATH: ${{ github.action_path }} under env: and replace run: ${{ github.action_path }}/src/cleanup.ps1 with a multi-line run: block using $env:ACTION_PATH.

No new methods or external libraries are needed; only YAML and PowerShell changes within action.yml.

Suggested changeset 1: action.yml
Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/action.yml b/action.yml
--- a/action.yml
+++ b/action.yml
@@ -123,7 +123,9 @@
         PSMODULE_PUBLISH_PSMODULE_INPUT_UsePRBodyAsReleaseNotes: ${{ inputs.UsePRBodyAsReleaseNotes }}
         PSMODULE_PUBLISH_PSMODULE_INPUT_UsePRTitleAsReleaseName: ${{ inputs.UsePRTitleAsReleaseName }}
         PSMODULE_PUBLISH_PSMODULE_INPUT_UsePRTitleAsNotesHeading: ${{ inputs.UsePRTitleAsNotesHeading }}
-      run: ${{ github.action_path }}/src/publish.ps1
+        ACTION_PATH: ${{ github.action_path }}
+      run: |
+        & "$env:ACTION_PATH/src/publish.ps1"
 
     - name: Cleanup Prereleases
       if: env.PUBLISH_CONTEXT_ShouldCleanup == 'true' || inputs.WhatIf == 'true'
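Review bot: this changeset rewrites the Publish Module step (and, in the next hunk, Cleanup Prereleases) to & "$env:ACTION_PATH/src/publish.ps1" but leaves the Initialize Publish Context step's run: ${{ github.action_path }}/src/init.ps1 untouched, so that CodeQL alert stays open and the three steps end up invoking their scripts in two different styles. Extend the same ACTION_PATH env entry and call-operator form to the init step so the fix is complete and uniform.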
@@ -131,4 +133,6 @@
       working-directory: ${{ inputs.WorkingDirectory }}
       env:
         PSMODULE_PUBLISH_PSMODULE_INPUT_WhatIf: ${{ inputs.WhatIf }}
-      run: ${{ github.action_path }}/src/cleanup.ps1
+        ACTION_PATH: ${{ github.action_path }}
+      run: |
+        & "$env:ACTION_PATH/src/cleanup.ps1"
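Review bot: the + ACTION_PATH: ${{ github.action_path }} line is inserted exactly where the removed run: line sat, relying on its eight-space indentation to make it the last entry of the preceding env: mapping. The resulting YAML is valid, but in the diff it reads as though an env entry were being added below run:, which is easy to misjudge in review; placing the new entry directly after PSMODULE_PUBLISH_PSMODULE_INPUT_WhatIf (and the same for the publish hunk above) and leaving the run: replacement as a separate pair of lines keeps the intent obvious.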
EOF
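The env: plus $env:VAR pattern that both Copilot autofix explanations above describe, as an added example that is not code from the PR or from the PSModule project: a small Python checker that lists ${{ }} expressions found inside run: scripts (the pattern CodeQL flags on this page, while expressions under env: are not reported) and generates the ACTION_PATH env entry and & "$env:ACTION_PATH/..." call for a pwsh step. The sample YAML is constructed to resemble the action.yml under review, and the variable-naming convention is an assumption.

```python
# Added example (not code from the PR or the PSModule project): report ${{ }} expressions inside
# run: scripts of a GitHub Actions YAML file and emit the env-var rewrite. No PyYAML needed.
import re

EXPR = re.compile(r"\$\{\{\s*([^}]+?)\s*\}\}")       # matches ${{ github.action_path }}
RUN_LINE = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")  # 'run: value' or 'run: |'

SAMPLE = """\
steps:
  - name: Initialize Publish Context
    shell: pwsh
    env:
      PSMODULE_PUBLISH_PSMODULE_INPUT_WhatIf: ${{ inputs.WhatIf }}
    run: ${{ github.action_path }}/src/init.ps1
  - name: Greet
    run: |
      Write-Host "Hello ${{ github.event.pull_request.title }}"
"""  # constructed sample shaped like the action.yml under review, not the real file

def env_name(expr):
    """Assumed naming convention: github.action_path -> ACTION_PATH, inputs.X -> INPUTS_X."""
    parts = expr.split(".")
    if parts[0] == "github":
        parts = parts[1:]
    return re.sub(r"\W", "_", "_".join(parts)).upper()

def find_run_expressions(text):
    """Return [(line_no, expr)] for every ${{ }} inside a run: value; env: entries are not reported."""
    lines, findings, i = text.splitlines(), [], 0
    while i < len(lines):
        m = RUN_LINE.match(lines[i])
        if not m:
            i += 1
            continue
        indent, body = len(m.group(1)), [(i, m.group(3))]
        i += 1
        if m.group(3).strip() in ("|", "|-", ">", ">-"):  # block scalar: consume deeper lines
            while i < len(lines) and (not lines[i].strip()
                                      or len(lines[i]) - len(lines[i].lstrip()) > indent):
                body.append((i, lines[i]))
                i += 1
        for idx, text_line in body:
            findings.extend((idx + 1, e) for e in EXPR.findall(text_line))
    return findings

def rewrite_run(run_value):
    """Rewrite 'run: <expr>/script.ps1' to the pwsh call-operator form; returns (run, env entries)."""
    env = {env_name(e): e for e in EXPR.findall(run_value)}
    safe = EXPR.sub(lambda m: f"$env:{env_name(m.group(1))}", run_value)
    return f'& "{safe}"', env
```

Running find_run_expressions(SAMPLE) reports the init.ps1 line and the block-scalar Write-Host line but not the env: entry, and rewrite_run on the init.ps1 value yields the same ACTION_PATH rewrite the second autofix proposes.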
3 files renamed without changes.