microsoft · BernieWhite · Mar 31, 2026
@@ -0,0 +1,13 @@
+{
+  "version": 1,
+  "isRoot": true,
+  "tools": {
+    "microsoft.psrule.tool": {
+      "version": "3.0.0-b0755",
+      "commands": [
+        "ps-rule"
+      ],
+      "rollForward": false
+    }
+  }
+}
@@ -7,13 +7,32 @@
 
 version: 2
 updates:
+  # Maintain dependencies for NuGet
+  - package-ecosystem: nuget
+    directory: '/'
+    schedule:
+      interval: daily
+    labels:
+      - dependencies
 
   # Maintain dependencies for GitHub Actions
-  - package-ecosystem: "github-actions"
-    directory: "/"
+  - package-ecosystem: github-actions
+    directory: '/'
+    schedule:
+      interval: daily
+    labels:
+      - dependencies
+    groups:
+      github:
+        patterns:
+          - actions/*
+          - github/*
+
+  # Maintain dependencies for .NET SDK
+  - package-ecosystem: dotnet-sdk
+    directory: /
     schedule:
-      interval: "daily"
+      interval: weekly
+      day: wednesday
     labels:
-    - "dependencies"
-    reviewers:
-    - "@microsoft/psrule"
+      - dependencies
@@ -11,7 +11,7 @@
 name: Build
 on:
   push:
-    branches: [main, "release/*", "dependencies/*"]
+    branches: [main, "release/*", "dependencies/*", "dev/v3"]
   pull_request:
     branches: [main, "release/*"]
   schedule:
@@ -40,18 +40,9 @@ jobs:
           Save-Module -Name PSRule.Rules.MSFT.OSS -Repository PSGallery -Path out/repo/;
           Register-PSRepository -SourceLocation out/repo -Name Local -InstallationPolicy Trusted;
 
-      - name: Run PSRule v1
+      - name: Run PSRule
         uses: ./
         with:
-          inputType: repository
-          modules: PSRule.Rules.MSFT.OSS
-          repository: Local
-          version: "1.11.1"
-
-      - name: Run PSRule v2
-        uses: ./
-        with:
-          inputType: repository
           modules: PSRule.Rules.MSFT.OSS
           outcome: Problem
 
@@ -74,7 +65,6 @@ jobs:
       - name: Run PSRule self analysis
         uses: ./
         with:
-          inputType: repository
           outputFormat: Markdown
           outputPath: reports/report.md
           modules: PSRule.Rules.MSFT.OSS

@@ -4,6 +4,13 @@ See [upgrade notes][upgrade-notes] for helpful information when upgrading from p
 
 [upgrade-notes]: docs/upgrade-notes.md
 
+## Next release
+
+We are currently working towards the next release of PSRule.
+PSRule v3 is currently in development and not suitable for production use.
+
+- [v3](docs/CHANGELOG-v3.md)
+
 ## Current release
 
 - [v2](docs/CHANGELOG-v2.md)

@@ -7,3 +7,4 @@ Resources:
 - [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/)
 - [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
 - Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns
+- Employees can reach out at [aka.ms/opensource/moderation-support](https://aka.ms/opensource/moderation-support)
@@ -24,23 +24,36 @@ To get the latest stable release by major version use:
   uses: microsoft/ps-rule@v2
 ```
 
-To get a specific release use **(recommended)**:
+To get a specific release use:
 
 ```yaml
 - name: Run PSRule analysis
   uses: microsoft/ps-rule@v2.9.0
 ```
 
+To pin to a specific commit use **(recommended)**:
+
+```yaml
+- name: Run PSRule analysis
+  uses: microsoft/ps-rule@46451b8f5258c41beb5ae69ed7190ccbba84112c # v2.9.0
+```
+
 ---
 
 > [!TIP]
-> The recommended approach is to pin to the latest specific release for example `microsoft/ps-rule@v2.9.0`.
-> Pinning to a specific release reduces the risk of new releases breaking your pipeline.
+> The recommended approach is to pin a specific commit.
+> Using a specific commit provides the most secure approach to address supply chain security risks.
+> Pinning to a specific release or commit reduces the risk of new releases breaking your pipeline.
+>
+> If you are not using dependabot to automatically update version commits, pinning to a specific release is also a good option.
 >
 > You can easily update to the latest release by changing the version number or using version updates with Dependabot.
+> Dependabot supports automatically bumping specific release commits and release tags.
 > To configure version updates of `github-actions` with Dependabot see [Configuring version updates][5].
 >
 > When the next release is available, bumping the version allows you to test in a feature branch before merging to main.
+>
+> See the available releases [here](https://github.com/marketplace/actions/psrule).
 
 ---
 
@@ -81,32 +94,29 @@ For a list of changes please see the [change log][2].
 - name: Run PSRule analysis
   uses: microsoft/ps-rule@main
   with:
-    inputType: repository, inputPath                             # Optional. Determines the type of input to use for PSRule.
+    includePath: string                                          # Optional. A path containing custom rules to use for analysis.
     inputPath: string                                            # Optional. The path PSRule will look for files to validate.
     modules: string                                              # Optional. A comma separated list of modules to use for analysis.
-    source: string                                               # Optional. A path containing rules to use for analysis.
     baseline: string                                             # Optional. The name of a PSRule baseline to use.
     conventions: string                                          # Optional. A comma separated list of conventions to use.
     option: string                                               # Optional. The path to an options file.
     outcome: Fail, Pass, Error, Processed, Problem, All          # Optional. Filters output to include results with the specified outcome.
     outputFormat: None, Yaml, Json, NUnit3, Csv, Markdown, Sarif # Optional. The format to use when writing results to disk.
     outputPath: string                                           # Optional. The file path to write results to.
     path: string                                                 # Optional. The working directory PSRule is run from.
-    prerelease: boolean                                          # Optional. Determine if a pre-release module version is installed.
-    repository: string                                           # Optional. The name of the PowerShell repository where PSRule modules are installed from.
+    prerelease: boolean                                          # Not available. Determine if a pre-release module version is installed.
+    repository: string                                           # Not available. The name of the PowerShell repository where PSRule modules are installed from.
     summary: boolean                                             # Optional. Determines if a job summary is written.
     version: string                                              # Optional. The specific version of PSRule to use.
+    restore: boolean                                             # Optional. Determines if PSRule modules are restored before analysis.
 ```
 
-### `inputType`
-
-Determines the type of input to use for PSRule either `repository` or `inputPath`.
-Defaults to `repository`.
+### `includePath`
 
-When set to:
+An path containing custom rules to use for analysis.
+Defaults to `.ps-rule/`.
 
-- `repository` - The structure of the repository within `inputPath` will be analyzed.
-- `inputPath` - Supported file formats within `inputPath` will be read as objects.
+Use this option to include rules that have not been packaged as a module.
 
 ### `inputPath`
 
@@ -130,13 +140,6 @@ To install pre-release module versions, use `prerelease: true`.
 
   [3]: https://www.powershellgallery.com/packages?q=Tags%3A%22PSRule-rules%22
 
-### `source`
-
-An path containing rules to use for analysis.
-Defaults to `.ps-rule/`.
-
-Use this option to include rules that have not been packaged as a module.
-
 ### `baseline`
 
 The name of a PSRule baseline to use.
@@ -186,13 +189,17 @@ Options specified in `ps-rule.yaml` from this directory will be used unless over
 
 ### `prerelease`
 
+_Currently this option is not supported in v3 pre-release._
+
 Determine if a pre-release module versions are installed.
 When set to `true` the latest pre-release or stable module version is installed.
 
 If this input is not configured, invalid, or set to `false` only stable module versions will be installed.
 
 ### `repository`
 
+_Currently this option is not supported in v3 pre-release._
+
 The name of the PowerShell repository where PSRule modules are installed from.
 By default this is the PowerShell Gallery.
 
@@ -225,6 +232,14 @@ When set:
 - If a pre-release version is specified, `prerelease: true` must also be specified.
 - If the version is not found, an error will be thrown.
 
+### `restore`
+
+Determines if PSRule modules are restored before analysis.
+Defaults to `true`.
+
+To skip restoring modules, set `restore: false`.
+When set to `false`, the action will not attempt to restore PSRule modules before analysis.
+
 ## Using the action
 
 To use PSRule:

@@ -1,43 +1,16 @@
 # Security policy
 
-<!-- BEGIN MICROSOFT SECURITY.MD V0.0.3 BLOCK -->
+<!-- BEGIN MICROSOFT SECURITY.MD V1.0.0 BLOCK -->
 
 ## Security
 
-Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/Microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/).
-
-If you believe you have found a security vulnerability in any Microsoft-owned repository that meets Microsoft's [Microsoft's definition of a security vulnerability](https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc751383(v=technet.10)) of a security vulnerability, please report it to us as described below.
-
-## Reporting Security Issues
+Microsoft takes the security of our software products and services seriously, which
+includes all source code repositories in our GitHub organizations.
 
 **Please do not report security vulnerabilities through public GitHub issues.**
 
-Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://msrc.microsoft.com/create-report).
-
-If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com).  If possible, encrypt your message with our PGP key; please download it from the the [Microsoft Security Response Center PGP Key page](https://www.microsoft.com/en-us/msrc/pgp-key-msrc).
-
-You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://www.microsoft.com/msrc).
-
-Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
-
-  * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
-  * Full paths of source file(s) related to the manifestation of the issue
-  * The location of the affected source code (tag/branch/commit or direct URL)
-  * Any special configuration required to reproduce the issue
-  * Step-by-step instructions to reproduce the issue
-  * Proof-of-concept or exploit code (if possible)
-  * Impact of the issue, including how an attacker might exploit the issue
-
-This information will help us triage your report more quickly.
-
-If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://microsoft.com/msrc/bounty) page for more details about our active programs.
-
-## Preferred Languages
-
-We prefer all communications to be in English.
-
-## Policy
-
-Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://www.microsoft.com/en-us/msrc/cvd).
+For security reporting information, locations, contact information, and policies,
+please review the latest guidance for Microsoft repositories at
+[https://aka.ms/SECURITY.md](https://aka.ms/SECURITY.md).
 
 <!-- END MICROSOFT SECURITY.MD BLOCK -->