Add GitHub Actions for PowerShell module CI/CD pipeline including dependency resolution, building, testing, static analysis, and release processes

Author: marko-stanojevic

.github/actions/github-codeQL/action.yml

@@ -0,0 +1,16 @@
+name: CodeQL Analysis
+description: Initialize and run CodeQL analysis
+runs:
+  using: composite
+  steps:
+    - name: Checkout repository
+      uses: actions/checkout@v6
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v4
+      with:
+        languages: actions
+        build-mode: none
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v4
+      with:
+        category: "/language:${{matrix.language}}"

.github/actions/ps-build/action.yml

@@ -0,0 +1,105 @@
+name: Build PowerShell Module
+description: Build module, generate help, and upload artifacts
+inputs:
+  module-list:
+    description: Comma-separated list of PowerShell modules to cache
+    required: true
+  release-type:
+    description: Type of release (Release, Prerelease, Debug)
+    default: Debug
+    required: false
+outputs:
+  build-version:
+    description: Semantic build version
+    value: ${{ steps.compute.outputs.build-version }}
+  release-version:
+    description: Release version from GitVersion
+    value: ${{ steps.gitversion.outputs.majorMinorPatch }}
+runs:
+  using: composite
+  steps:
+    - name: Checkout repository
+      uses: actions/checkout@v6
+      with:
+        repository: ${{ github.repository }}
+        fetch-depth: 0
+
+    - name: Install GitVersion tool
+      uses: gittools/actions/gitversion/setup@d0139503a9321f76b4a417dfdc8aebcec24decdd #v4.2.0
+      with:
+        versionSpec: '6.5.1'
+
+    - name: Get semantic build version
+      id: gitversion
+      uses: gittools/actions/gitversion/execute@d0139503a9321f76b4a417dfdc8aebcec24decdd #v4.2.0
+      with:
+        configFilePath: GitVersion.yml
+        disableShallowCloneCheck: true
+
+    - name: Restore cached PowerShell modules
+      uses: potatoqualitee/psmodulecache@ee5e9494714abf56f6efbfa51527b2aec5c761b8 #v6.2.1
+      with:
+        modules-to-cache: ${{ inputs.module-list }}
+        shell: pwsh
+        updatable: false
+
+    - name: Determine build version
+      id: compute
+      shell: pwsh
+      run: |
+        switch ('${{ inputs.release-type }}') {
+            'Release' {
+                $buildVersion = '${{ steps.gitversion.outputs.semVer }}'.Split('-', 2)[0]
+            }
+            'Prerelease' {
+                $buildVersion = '${{ steps.gitversion.outputs.semVer }}'.Split('-', 2)[0] + '-Prerelease'
+            }
+            'Debug' {
+                $buildVersion = '${{ steps.gitversion.outputs.semVer }}'
+            }
+        }
+        echo "build-version=$buildVersion" >> $env:GITHUB_OUTPUT
+
+    - name: Run build via Invoke-Build
+      shell: pwsh
+      run: |
+        Set-StrictMode -Version Latest
+        [void] (Import-Module InvokeBuild)
+        $requestParam = @{
+            SemanticVersion = '${{ steps.compute.outputs.build-version }}'
+            Task            = 'Build'
+        }
+        Invoke-Build @requestParam
+
+    - name: Run Export-CommandHelp via Invoke-Build
+      shell: pwsh
+      run: |
+        Set-StrictMode -off
+        [void] (Import-Module InvokeBuild)
+        $requestParam = @{
+            SemanticVersion = '${{ steps.gitversion.outputs.majorMinorPatch }}'
+            Task            = 'Export-CommandHelp'
+        }
+        Invoke-Build @requestParam
+
+    - name: Upload build artifacts
+      uses: actions/upload-artifact@v6
+      if: (!cancelled())
+      with:
+        name: build-v${{ steps.gitversion.outputs.majorMinorPatch }}
+        path: build
+        if-no-files-found: warn
+
+    - name: Commit generated help
+      if: ${{ github.ref_name == 'main' && github.event_name == 'push' }}
+      shell: bash
+      run: |
+        git add docs/help
+        if git diff --cached --quiet; then
+          echo "No help changes to commit"
+          exit 0
+        fi
+        git config user.name  "github-actions[bot]"
+        git config user.email "github-actions[bot]@users.noreply.github.com"
+        git commit -m "Update PowerShell help for release v${{ steps.gitversion.outputs.majorMinorPatch }}"
+        git push origin HEAD:main

.github/actions/ps-code-injection/action.yml

@@ -0,0 +1,39 @@
+name: Run InjectionHunter
+description: Execute code injection analysis and publish results
+inputs:
+  module-list:
+    description: Comma-separated list of PowerShell modules to cache
+    required: true
+runs:
+  using: composite
+  steps:
+    - name: Checkout repository
+      uses: actions/checkout@v6
+      with:
+        repository: ${{ github.repository }}
+
+    - name: Install and cache PowerShell modules
+      uses: potatoqualitee/psmodulecache@ee5e9494714abf56f6efbfa51527b2aec5c761b8 #v6.2.1
+      with:
+        modules-to-cache: ${{ inputs.module-list }}
+        shell: pwsh
+        updatable: false
+
+    - name: Run Code Injection Analysis via Invoke-Build
+      shell: pwsh
+      run: |
+        Set-StrictMode -Version Latest
+        Invoke-Build -Task Invoke-InjectionHunter
+
+    - name: Publish Code Injection Analysis Results
+      uses: EnricoMi/publish-unit-test-result-action@27d65e188ec43221b20d26de30f4892fad91df2f #v2.22.0
+      if: (!cancelled())
+      with:
+        check_run: false
+        check_name: ">> Report: InjectionHunter"
+        check_run_annotations	: all tests, skipped tests
+        job_summary: true
+        comment_title: InjectionHunter Report
+        comment_mode: off
+        files: |
+          test-results/code-injection.xml

.github/actions/ps-release/action.yml

@@ -0,0 +1,90 @@
+name: Release PowerShell Module
+description: Create GitHub release and optionally publish to PSGallery
+inputs:
+  release-type:
+    description: Release type
+    required: true
+  release-version:
+    description: Release version
+    required: true
+  publish-psgallery:
+    description: Publish to PowerShell Gallery
+    required: true
+  publish-nugetorg:
+    description: Publish to NuGet.org (not implemented)
+    required: true
+  module-list:
+    description: Comma-separated list of PowerShell modules to cache
+    required: true
+runs:
+  using: composite
+  steps:
+    - name: Checkout repository
+      uses: actions/checkout@v6
+      with:
+        repository: ${{ github.repository }}
+
+    - name: Restore cached PowerShell modules
+      uses: potatoqualitee/psmodulecache@ee5e9494714abf56f6efbfa51527b2aec5c761b8 #v6.2.1
+      with:
+        modules-to-cache: ${{ inputs.module-list }}
+        shell: pwsh
+        updatable: false
+
+    - name: Restore build artifacts
+      uses: actions/download-artifact@v4
+      with:
+        name: build-v${{ inputs.release-version }}
+        path: build
+
+    - name: Display structure of downloaded files
+      shell: bash
+      run: ls -R build
+
+    - name: Generate release notes
+      shell: pwsh
+      id: generate_release_notes
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+      run: |
+        git fetch --tags
+        $previousTag = (git tag --sort=-v:refname)[0]
+        $uri = "https://api.github.com/repos/${{ github.repository }}/releases/generate-notes"
+        $body = @{
+          tag_name = "v${{ inputs.release-version }}"
+          target_commitish = "main"
+          previous_tag_name = $previousTag
+        }
+        $requestParams = @{
+          Method      = 'Post'
+          Uri         = $uri
+          Headers     = @{
+            Authorization = "Bearer ${{ env.GITHUB_TOKEN }}"
+            Accept        = 'application/vnd.github+json'
+          }
+          Body        = ($body | ConvertTo-Json -Depth 3)
+          ContentType = 'application/json'
+        }
+        $result = Invoke-RestMethod @requestParams
+        Write-Output 'releaseNotes<<EOF' >> $env:GITHUB_OUTPUT
+        Write-Output ($result.body.ToString()) >> $env:GITHUB_OUTPUT
+        Write-Output 'EOF' >> $env:GITHUB_OUTPUT
+
+    - name: Create release
+      uses: ncipollo/release-action@v1
+      with:
+        name: Release v${{ inputs.release-version }}
+        tag: v${{ inputs.release-version }}
+        body: ${{ steps.generate_release_notes.outputs.releaseNotes }}
+        prerelease: ${{ inputs.release-type == 'Prerelease' }}
+        allowUpdates: true
+
+    - name: Publish build package to PSGallery
+      if: ${{ inputs.publish-psgallery == 'true' && env.PSGALLERY_API_KEY != '' }}
+      shell: pwsh
+      env:
+        PSGALLERY_API_KEY: ${{ env.PSGALLERY_API_KEY }}
+      run: |
+        Set-StrictMode -Version Latest
+        [void] (Import-Module InvokeBuild)
+        Invoke-Build -NugetApiKey ${{ env.PSGALLERY_API_KEY }} -Task Publish

.github/actions/ps-resolve-dependencies/action.yml

@@ -0,0 +1,38 @@
+name: Resolve PowerShell Dependencies
+description: Resolve module dependencies from requirements.psd1 and output a comma-separated list
+outputs:
+  module-list:
+    description: Comma-separated list of modules to cache
+    value: ${{ steps.resolve.outputs.module-list }}
+runs:
+  using: composite
+  steps:
+    - name: Checkout repository
+      uses: actions/checkout@v6
+      with:
+        repository: ${{ github.repository }}
+    - name: Resolve module dependencies
+      id: resolve
+      shell: pwsh
+      run: |
+        $moduleRequirements = Import-PowerShellDataFile -Path './requirements.psd1'
+        $moduleList = foreach ($module in $moduleRequirements.GetEnumerator()) {
+            $moduleName = $module.Key
+            $moduleInfo = $module.Value
+
+            $name = if ($moduleInfo.Repository -and $moduleInfo.Repository -ne 'PSGallery') {
+                "$($moduleInfo.Repository)\$moduleName"
+            }
+            else {
+                $moduleName
+            }
+
+            if ($moduleInfo.Version -and $moduleInfo.Version -ne 'latest') {
+                "$name`:$($moduleInfo.Version)"
+            }
+            else {
+                $name
+            }
+        }
+        $moduleList = $moduleList | Sort-Object | Join-String -Separator ','
+        "module-list=$moduleList" | Out-File -FilePath $env:GITHUB_OUTPUT -Append

.github/actions/ps-static-code-analysis/action.yml

@@ -0,0 +1,39 @@
+name: Run PSScriptAnalyzer
+description: Execute static code analysis and publish results
+inputs:
+  module-list:
+    description: Comma-separated list of PowerShell modules to cache
+    required: true
+runs:
+  using: composite
+  steps:
+    - name: Checkout repository
+      uses: actions/checkout@v6
+      with:
+        repository: ${{ github.repository }}
+
+    - name: Install and cache PowerShell modules
+      uses: potatoqualitee/psmodulecache@ee5e9494714abf56f6efbfa51527b2aec5c761b8 #v6.2.1
+      with:
+        modules-to-cache: ${{ inputs.module-list }}
+        shell: pwsh
+        updatable: false
+
+    - name: Run Static Code Analysis via Invoke-Build
+      shell: pwsh
+      run: |
+        Set-StrictMode -Version Latest
+        Invoke-Build -Task Invoke-PSScriptAnalyzer
+
+    - name: Publish Static Code Analysis Results
+      uses: EnricoMi/publish-unit-test-result-action@27d65e188ec43221b20d26de30f4892fad91df2f #v2.22.0
+      if: (!cancelled())
+      with:
+        check_run: false
+        check_name: ">> Report: PSScriptAnalyzer"
+        check_run_annotations	: all tests, skipped tests
+        job_summary: true
+        comment_title: PSScriptAnalyzer Report
+        comment_mode: off
+        files: |
+          test-results/static-code-analysis.xml