From cf6eb5a9e1a0b31927a1e4170a0427adbab62aff Mon Sep 17 00:00:00 2001
From: Sam Erde <20478745+SamErde@users.noreply.github.com>
Date: Wed, 6 May 2026 04:58:53 -0400
Subject: [PATCH 1/2] Add PSScriptAnalyzer workflow for PowerShell scripts

This workflow runs PSScriptAnalyzer on the repository to check PowerShell scripts for best practices and security issues.
---
 .github/workflows/powershell.yml | 49 ++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 .github/workflows/powershell.yml

diff --git a/.github/workflows/powershell.yml b/.github/workflows/powershell.yml
new file mode 100644
index 0000000..6ea0560
--- /dev/null
+++ b/.github/workflows/powershell.yml
@@ -0,0 +1,49 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+#
+# https://github.com/microsoft/action-psscriptanalyzer
+# For more information on PSScriptAnalyzer in general, see
+# https://github.com/PowerShell/PSScriptAnalyzer
+
+name: PSScriptAnalyzer
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '17 12 * * 4'
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    name: PSScriptAnalyzer
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run PSScriptAnalyzer
+        uses: microsoft/psscriptanalyzer-action@6b2948b1944407914a58661c49941824d149734f
+        with:
+          # Check https://github.com/microsoft/action-psscriptanalyzer for more info about the options.
+          # The below set up runs PSScriptAnalyzer to your entire repository and runs some basic security rules.
+          path: .\
+          recurse: true
+          # Include your own basic security rules. Removing this option will run all the rules
+          includeRule: '"PSAvoidGlobalAliases", "PSAvoidUsingConvertToSecureStringWithPlainText"'
+          output: results.sarif
+
+      # Upload the SARIF file generated in the previous step
+      - name: Upload SARIF results file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif

From 4e0b62fa1ecf05b1c03c1faa14124070581ec934 Mon Sep 17 00:00:00 2001
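Review bot: `actions/checkout@v4` and `github/codeql-action/upload-sarif@v3` are referenced by mutable tags while `microsoft/psscriptanalyzer-action` is pinned to a full commit SHA; a moved tag changes what runs inside a job that holds `security-events: write`, so pin all three to a commit and keep the version as a trailing comment, e.g. `uses: actions/checkout@<commit-sha>  # v4`. The `path: .\` input is a Windows-style relative path on an `ubuntu-latest` runner; presumably the action passes it to pwsh, which tolerates the backslash, but `path: .` is the portable spelling and worth confirming against the action's documented inputs. The two-entry `includeRule` list also means a green run is not a full PSScriptAnalyzer pass; the existing comment already says removing the key enables all rules, so either drop the key or make the limited scope visible in the step name (`Run PSScriptAnalyzer (security rules only)`).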
From: Sam Erde <20478745+SamErde@users.noreply.github.com>
Date: Wed, 6 May 2026 05:32:22 -0400
Subject: [PATCH 2/2] =?UTF-8?q?=F0=9F=A4=96ci:=20guard=20SARIF=20upload=20?=
 =?UTF-8?q?for=20fork=20PRs?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Skip CodeQL SARIF upload on pull_request runs from forks so PSScriptAnalyzer still provides a usable CI signal without failing on unavailable security-events permissions.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/powershell.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/powershell.yml b/.github/workflows/powershell.yml
index 6ea0560..9a5d5df 100644
--- a/.github/workflows/powershell.yml
+++ b/.github/workflows/powershell.yml
@@ -44,6 +44,7 @@ jobs:
 # Upload the SARIF file generated in the previous step
 - name: Upload SARIF results file
+ if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
 uses: github/codeql-action/upload-sarif@v3
 with:
 sarif_file: results.sarif
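Review bot: The added `if:` makes fork-PR findings disappear rather than surface elsewhere, because the upload step is the only place in this job that consumes `results.sarif`; on a fork PR the file is produced and then never looked at. Whether the analyzer step itself fails the job on a finding is not visible in this hunk, so a fork PR may well go green with findings nobody reviews — keeping the SARIF as a build artifact under the inverse condition (below) preserves the signal without needing `security-events: write`. The guard also deserves a why-comment in the file itself, since the reasoning lives only in the commit message: `# GITHUB_TOKEN is read-only on pull_request runs from forks, so upload-sarif cannot write to code scanning there.` Note that, depending on repository settings, Dependabot-authored pull requests from the same repository also run with a read-only token, which this condition does not exclude; if that shows up as the same failure, extend the guard with `github.actor != 'dependabot[bot]'`.

```yaml
      # GITHUB_TOKEN is read-only on pull_request runs from forks, so upload-sarif cannot write to code scanning there.
      - name: Upload SARIF results file
        if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
        # … unchanged: uses/with for upload-sarif …

      # Fork PRs cannot write to code scanning; keep the SARIF as an artifact so findings stay reviewable.
      - name: Keep SARIF as an artifact (fork PRs)
        if: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository }}
        uses: actions/upload-artifact@v4
        with:
          name: psscriptanalyzer-sarif
          path: results.sarif
```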