From 5de71fb0b61e50877ea3633d210e7d29220c11d3 Mon Sep 17 00:00:00 2001 From: Marius Storhaug Date: Fri, 27 Jun 2025 10:50:33 +0200 Subject: [PATCH 1/6] =?UTF-8?q?=F0=9F=AA=B2=20[Fix]:=20Ensure=20Prerelease?= =?UTF-8?q?=20input=20defaults=20to=20false=20in=20tests=20(#58)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Description This pull request includes a small change to the `.github/workflows/Action-Test.yml` file. The change ensures that the `Prerelease` input defaults to `false` if not explicitly provided. ## Type of change - [ ] 📖 [Docs] - [x] 🪲 [Fix] - [ ] 🩹 [Patch] - [ ] ⚠️ [Security fix] - [ ] 🚀 [Feature] - [ ] 🌟 [Breaking change] ## Checklist - [x] I have performed a self-review of my own code - [x] I have commented my code, particularly in hard-to-understand areas --- .github/workflows/Action-Test-Prerelease.yml | 26 ++++++++++++++++++++ .github/workflows/Action-Test.yml | 7 +----- .github/workflows/TestWorkflow.yml | 24 ++++++++++++++++++ 3 files changed, 51 insertions(+), 6 deletions(-) create mode 100644 .github/workflows/Action-Test-Prerelease.yml diff --git a/.github/workflows/Action-Test-Prerelease.yml b/.github/workflows/Action-Test-Prerelease.yml new file mode 100644 index 0000000..eb1c725 --- /dev/null +++ b/.github/workflows/Action-Test-Prerelease.yml @@ -0,0 +1,26 @@ +name: Action-Test-Prerelease + +run-name: "Action-Test - [${{ github.event.pull_request.title }} #${{ github.event.pull_request.number }}] by @${{ github.actor }}" + +on: + workflow_dispatch: + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: + contents: read + pull-requests: read + +jobs: + ActionTest: + uses: ./.github/workflows/TestWorkflow.yml + secrets: inherit + strategy: + fail-fast: false + matrix: + os: [ubuntu-latest, macos-latest, windows-latest] + with: + runs-on: ${{ matrix.os }} + Prerelease: true 
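Review bot: `run-name` interpolates `github.event.pull_request.title` and `github.event.pull_request.number`, but this new workflow only triggers on `workflow_dispatch`, where the `pull_request` object does not exist, so every run will be titled `Action-Test - [ #] by @actor` and be hard to tell apart from the sibling Action-Test workflow. Suggest `run-name: "Action-Test-Prerelease - [${{ github.ref_name }}] by @${{ github.actor }}"`. `secrets: inherit` forwards every repository secret to the reusable workflow, which is acceptable for a manually dispatched run, but a one-line comment stating that the test workflow needs the PAT/App secrets declared in TestWorkflow.yml would record the intent.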
diff --git a/.github/workflows/Action-Test.yml b/.github/workflows/Action-Test.yml index a19cc64..fbaa046 100644 --- a/.github/workflows/Action-Test.yml +++ b/.github/workflows/Action-Test.yml @@ -1,14 +1,10 @@ +# checkov:skip=CKV_GHA_7:Using tag references for better readability and maintenance name: Action-Test run-name: "Action-Test - [${{ github.event.pull_request.title }} #${{ github.event.pull_request.number }}] by @${{ github.actor }}" on: workflow_dispatch: - inputs: - Prerelease: - type: boolean - default: false - description: Use the prerelease version of GitHub PowerShell module. pull_request: schedule: - cron: '0 0 * * *' @@ -31,4 +27,3 @@ jobs: os: [ubuntu-latest, macos-latest, windows-latest] with: runs-on: ${{ matrix.os }} - Prerelease: ${{ inputs.Prerelease }} diff --git a/.github/workflows/TestWorkflow.yml b/.github/workflows/TestWorkflow.yml index 28d7292..18aa01f 100644 --- a/.github/workflows/TestWorkflow.yml +++ b/.github/workflows/TestWorkflow.yml @@ -407,6 +407,14 @@ jobs: Get-GitHubUser | Format-Table -AutoSize | Out-String } + LogGroup 'Get-GitHubOrganization' { + Get-GitHubOrganization | Out-String + } + + LogGroup 'Get-GitHubRepository' { + Get-GitHubRepository | Out-String + } + ActionTestWithUSERFGPAT: name: WithUserFGPAT runs-on: ${{ inputs.runs-on }} @@ -425,6 +433,14 @@ jobs: Get-GitHubUser | Format-Table -AutoSize | Out-String } + LogGroup 'Get-GitHubOrganization' { + Get-GitHubOrganization | Out-String + } + + LogGroup 'Get-GitHubRepository' { + Get-GitHubRepository | Out-String + } + ActionTestWithORGFGPAT: name: WithOrgFGPAT runs-on: ${{ inputs.runs-on }} @@ -443,6 +459,14 @@ jobs: Get-GitHubUser | Format-Table -AutoSize | Out-String } + LogGroup 'Get-GitHubOrganization' { + Get-GitHubOrganization | Out-String + } + + LogGroup 'Get-GitHubRepository' { + Get-GitHubRepository | Out-String + } + ActionTestWithGitHubAppEnt: name: GitHubAppEnt runs-on: ${{ inputs.runs-on }} 
From 19dcf65fc295daffbddc5ea5283a288a7eb3a0f3 Mon Sep 17 00:00:00 2001 From: Marius Storhaug Date: Fri, 27 Jun 2025 15:43:23 +0200 Subject: [PATCH 2/6] =?UTF-8?q?=F0=9F=A9=B9=20[Patch]:=20Add=20output=20fo?= =?UTF-8?q?r=20`GitHubRepos`=20from=20`PSModule`=20(#59)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Description This pull request updates GitHub Actions workflows to improve functionality and maintainability. The changes include removing a redundant comment from the `Action-Test` workflow and modifying the `TestWorkflow` to specify the repository owner explicitly in multiple job configurations. Updates to GitHub Actions workflows: * [`.github/workflows/Action-Test.yml`](diffhunk://#diff-a12ae5c885b0673c0ff6f70c2670886907590d624626e07da4c52e01aeaf56a4L1): Removed a redundant comment related to skipping a Checkov rule for tag references. * [`.github/workflows/TestWorkflow.yml`](diffhunk://#diff-242a265d6d6bfff6094c9285345022d0e6d7ddde58504dfc80249fafbd89ba2cL415-R415): Updated the `Get-GitHubRepository` command in three job configurations (`ActionTestWithUSERFGPAT`, `ActionTestWithORGFGPAT`, and `ActionTestWithGitHubAppEnt`) to include the `-Owner PSModule` parameter for specifying the repository owner explicitly. [[1]](diffhunk://#diff-242a265d6d6bfff6094c9285345022d0e6d7ddde58504dfc80249fafbd89ba2cL415-R415) [[2]](diffhunk://#diff-242a265d6d6bfff6094c9285345022d0e6d7ddde58504dfc80249fafbd89ba2cL441-R441) [[3]](diffhunk://#diff-242a265d6d6bfff6094c9285345022d0e6d7ddde58504dfc80249fafbd89ba2cL467-R467) ## Type of change - [ ] 📖 [Docs] - [x] 🪲 [Fix] - [ ] 🩹 [Patch] - [ ] ⚠️ [Security fix] - [ ] 🚀 [Feature] - [ ] 🌟 [Breaking change] ## Checklist - [x] I have performed a self-review of my own code - [x] I have commented my code, particularly in hard-to-understand areas --- .github/workflows/Action-Test.yml | 1 - .github/workflows/TestWorkflow.yml | 11 ++++++++--- 2 files changed, 8 insertions(+), 4 deletions(-) 
diff --git a/.github/workflows/Action-Test.yml b/.github/workflows/Action-Test.yml index fbaa046..77b6918 100644 --- a/.github/workflows/Action-Test.yml +++ b/.github/workflows/Action-Test.yml @@ -1,4 +1,3 @@ -# checkov:skip=CKV_GHA_7:Using tag references for better readability and maintenance name: Action-Test run-name: "Action-Test - [${{ github.event.pull_request.title }} #${{ github.event.pull_request.number }}] by @${{ github.actor }}" diff --git a/.github/workflows/TestWorkflow.yml b/.github/workflows/TestWorkflow.yml index 18aa01f..71831dc 100644 --- a/.github/workflows/TestWorkflow.yml +++ b/.github/workflows/TestWorkflow.yml @@ -10,6 +10,11 @@ on: required: false type: boolean default: false + Owner: + description: The owner of the repository + required: false + type: string + default: PSModule secrets: TEST_USER_PAT: description: Personal Access Token for the test user @@ -412,7 +417,7 @@ jobs: } LogGroup 'Get-GitHubRepository' { - Get-GitHubRepository | Out-String + Get-GitHubRepository -Owner '${{ inputs.Owner }}' | Out-String } ActionTestWithUSERFGPAT: @@ -438,7 +443,7 @@ jobs: } LogGroup 'Get-GitHubRepository' { - Get-GitHubRepository | Out-String + Get-GitHubRepository -Owner '${{ inputs.Owner }}' | Out-String } ActionTestWithORGFGPAT: @@ -464,7 +469,7 @@ jobs: } LogGroup 'Get-GitHubRepository' { - Get-GitHubRepository | Out-String + Get-GitHubRepository -Owner '${{ inputs.Owner }}' | Out-String } ActionTestWithGitHubAppEnt: From 8afae8641a1675f6ea7f0fd4374e78f40535c6a1 Mon Sep 17 00:00:00 2001 
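Review bot: `Get-GitHubRepository -Owner '${{ inputs.Owner }}' | Out-String` splices the input into the PowerShell source before it runs, so a value containing a single quote terminates the literal and the rest of the value is parsed as script; the same line is added in all three TestWorkflow.yml hunks of this commit. `Owner` is a `workflow_call` input, so the value comes from a caller in this repository and the exposure is low, but the robust pattern is to hand it over through the environment rather than the script text, e.g. `env: OWNER: ${{ inputs.Owner }}` on the step and `Get-GitHubRepository -Owner $env:OWNER | Out-String` in the script, assuming the action's script step inherits the step environment as is normal. The job bodies these lines belong to start and end outside the hunks.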
From: Marius Storhaug Date: Tue, 1 Jul 2025 20:04:27 +0200 Subject: [PATCH 3/6] =?UTF-8?q?=F0=9F=A9=B9=20[Patch]:=20Update=20test=20t?= =?UTF-8?q?o=20connect=20a=20GitHub=20App=20using=20`Connect-GitHubApp`=20?= =?UTF-8?q?(#60)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Description This pull request updates the `.github/workflows/TestWorkflow.yml` file to improve the organization and output formatting of GitHub-related logs in the workflow scripts. The most important changes include switching from `Format-Table` to `Format-List` for better readability, restructuring log groups for clarity, and replacing specific installation token-based connections with a streamlined `Connect-GitHubApp` command. ### Improvements to output formatting: * Changed the output formatting from `Format-Table` to `Format-List` for `Get-GitHubApp` and `Get-GitHubConfig` commands to enhance readability. [[1]](diffhunk://#diff-242a265d6d6bfff6094c9285345022d0e6d7ddde58504dfc80249fafbd89ba2cL491-R507) [[2]](diffhunk://#diff-242a265d6d6bfff6094c9285345022d0e6d7ddde58504dfc80249fafbd89ba2cL522-R542) ### Workflow restructuring: * Replaced the token-based connection logic (`New-GitHubAppInstallationAccessToken` and `Connect-GitHub`) with a simplified `Connect-GitHubApp` command to connect to all installations of the app. [[1]](diffhunk://#diff-242a265d6d6bfff6094c9285345022d0e6d7ddde58504dfc80249fafbd89ba2cL491-R507) [[2]](diffhunk://#diff-242a265d6d6bfff6094c9285345022d0e6d7ddde58504dfc80249fafbd89ba2cL522-R542) * Added new log groups for `Contexts` (`Get-GitHubContext -ListAvailable`) and `GitHubConfig` (`Get-GitHubConfig`) to improve clarity and organization of workflow logs. 
[[1]](diffhunk://#diff-242a265d6d6bfff6094c9285345022d0e6d7ddde58504dfc80249fafbd89ba2cL491-R507) [[2]](diffhunk://#diff-242a265d6d6bfff6094c9285345022d0e6d7ddde58504dfc80249fafbd89ba2cL522-R542) ## Type of change - [ ] 📖 [Docs] - [ ] 🪲 [Fix] - [x] 🩹 [Patch] - [ ] ⚠️ [Security fix] - [ ] 🚀 [Feature] - [ ] 🌟 [Breaking change] ## Checklist - [x] I have performed a self-review of my own code - [x] I have commented my code, particularly in hard-to-understand areas --- .github/workflows/TestWorkflow.yml | 36 ++++++++++++++++++------------ 1 file changed, 22 insertions(+), 14 deletions(-) diff --git a/.github/workflows/TestWorkflow.yml b/.github/workflows/TestWorkflow.yml index 71831dc..a81d233 100644 --- a/.github/workflows/TestWorkflow.yml +++ b/.github/workflows/TestWorkflow.yml @@ -488,19 +488,23 @@ jobs: Prerelease: ${{ inputs.Prerelease }} Script: | LogGroup 'Get-GitHubApp' { - Get-GitHubApp | Format-Table -AutoSize | Out-String + Get-GitHubApp | Format-List | Out-String } LogGroup 'Get-GitHubAppInstallation' { Get-GitHubAppInstallation | Format-Table -AutoSize | Out-String } - LogGroup 'Do something as an installation' { - Get-GithubAppInstallation | New-GitHubAppInstallationAccessToken | ForEach-Object { - Connect-GitHub -Token $_.token -Silent - Get-GitHubContext | Format-Table -AutoSize | Out-String - Get-GitHubGitConfig | Format-Table -AutoSize | Out-String - } + LogGroup 'Connect to all installations of the app' { + Connect-GitHubApp + } + + LogGroup 'Contexts' { + Get-GitHubContext -ListAvailable | Format-Table -AutoSize | Out-String + } + + LogGroup 'GitHubConfig' { + Get-GitHubConfig | Format-List | Out-String } ActionTestWithGitHubAppOrg: 
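Review bot: `Connect-GitHubApp` replaces a loop that explicitly minted an installation token and connected with `-Silent`; the new call takes no arguments, so which installations it connects to and whether it prints output is left to the cmdlet's defaults and nothing in the test states or checks the expectation. A comment above it such as `# Expected to create one context per installation; the 'Contexts' group below lists them` would record it, and if `Get-GitHubContext -ListAvailable` does return those contexts, a check like `if (-not (Get-GitHubContext -ListAvailable)) { throw 'No installation context was created' }` would turn the log group into an assertion. The second hunk of this file, ending at `ActionTestPreserveCredentialsFalse:`, makes the identical change and would benefit from the same treatment.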
@@ -519,19 +523,23 @@ jobs: Prerelease: ${{ inputs.Prerelease }} Script: | LogGroup 'Get-GitHubApp' { - Get-GitHubApp | Format-Table -AutoSize | Out-String + Get-GitHubApp | Format-List | Out-String } LogGroup 'Get-GitHubAppInstallation' { Get-GitHubAppInstallation | Format-Table -AutoSize | Out-String } - LogGroup 'Do something as an installation' { - Get-GithubAppInstallation | New-GitHubAppInstallationAccessToken | ForEach-Object { - Connect-GitHub -Token $_.token -Silent - Get-GitHubContext | Format-Table -AutoSize | Out-String - Get-GitHubGitConfig | Format-Table -AutoSize | Out-String - } + LogGroup 'Connect to all installations of the app' { + Connect-GitHubApp + } + + LogGroup 'Contexts' { + Get-GitHubContext -ListAvailable | Format-Table -AutoSize | Out-String + } + + LogGroup 'GitHubConfig' { + Get-GitHubConfig | Format-List | Out-String } ActionTestPreserveCredentialsFalse: From cc12067a4d039aa268fe451fe9047bfecfaf2f81 Mon Sep 17 00:00:00 2001 
From: Marius Storhaug Date: Tue, 1 Jul 2025 22:25:24 +0200 Subject: [PATCH 4/6] =?UTF-8?q?=F0=9F=AA=B2=20[Fix]:=20Fix=20debug=20and?= =?UTF-8?q?=20verbose=20inputs=20(#61)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This pull request introduces updates to improve debug and verbose output handling across the GitHub PowerShell-based action. The changes ensure consistent configuration of debug and verbose preferences and enhance clarity in documentation and workflow files. ### Debug and Verbose Output Handling Updates: * [`.github/workflows/TestWorkflow.yml`](diffhunk://#diff-242a265d6d6bfff6094c9285345022d0e6d7ddde58504dfc80249fafbd89ba2cL412-R412): Added the `-Debug` parameter to the `Get-GitHubUser` command to enable debug output during the workflow execution. * [`action.yml`](diffhunk://#diff-1243c5424efaaa19bd8e813c5e6f6da46316e63761421b3e5f5c8ced9a36e6b6L27-R31): Updated the descriptions for `Debug` and `Verbose` inputs to clarify that they enable debug and verbose output for the entire action. Additionally, configured `$DebugPreference` and `$VerbosePreference` based on input values to set PowerShell preferences dynamically. [[1]](diffhunk://#diff-1243c5424efaaa19bd8e813c5e6f6da46316e63761421b3e5f5c8ced9a36e6b6L27-R31) [[2]](diffhunk://#diff-1243c5424efaaa19bd8e813c5e6f6da46316e63761421b3e5f5c8ced9a36e6b6R95-R96) * [`scripts/info.ps1`](diffhunk://#diff-82c586f67d16e32953b47a962c269d0a484f8aa660d71ad354e91fd2d4334cd9L63-L64): Removed redundant `$DebugPreference` and `$VerbosePreference` configuration from the `end` block, as these preferences are now set globally in the action runner. * [`scripts/outputs.ps1`](diffhunk://#diff-ee715ca93229232e95883bf00629fd14e3bf174cdc17b723c4cc5d70e6a60a58L6-L7): Removed hardcoded `$DebugPreference` and `$VerbosePreference` settings to align with the new dynamic configuration approach. 
### Documentation Updates: * [`README.md`](diffhunk://#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5L18-R19): Improved descriptions for `Debug` and `Verbose` inputs to specify that they enable output for the entire action, enhancing clarity for users. --- .github/workflows/TestWorkflow.yml | 2 +- README.md | 4 ++-- action.yml | 6 ++++-- scripts/info.ps1 | 2 -- scripts/outputs.ps1 | 2 -- 5 files changed, 7 insertions(+), 9 deletions(-) diff --git a/.github/workflows/TestWorkflow.yml b/.github/workflows/TestWorkflow.yml index a81d233..a0efac8 100644 --- a/.github/workflows/TestWorkflow.yml +++ b/.github/workflows/TestWorkflow.yml @@ -409,7 +409,7 @@ jobs: Prerelease: ${{ inputs.Prerelease }} Script: | LogGroup 'Get-GitHubUser' { - Get-GitHubUser | Format-Table -AutoSize | Out-String + Get-GitHubUser -Debug | Format-Table -AutoSize | Out-String } LogGroup 'Get-GitHubOrganization' { diff --git a/README.md b/README.md index 1033cf2..28d87ad 100644 --- a/README.md +++ b/README.md 
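Review bot: `-Debug` is hard-coded on `Get-GitHubUser`, so this call emits debug output regardless of `inputs.Debug`, and the workflow therefore does not demonstrate that the `Debug` input this same commit wires into `$DebugPreference` in action.yml actually reaches the module. If a forced smoke test of the debug stream is the intent, say so in place: `# -Debug forced here to verify the module's debug stream renders in the job log`. Since that stream lands in a job log, it is worth confirming that the module's debug output does not echo request headers such as Authorization before leaving it enabled on every run.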
@@ -15,8 +15,8 @@ To get started with your own GitHub PowerShell based action, [create a new repos | `Token` | Log in using an Installation Access Token (IAT). | false | `${{ github.token }}` | | `ClientID` | Log in using a GitHub App, with the App's Client ID and Private Key. | false | | | `PrivateKey` | Log in using a GitHub App, with the App's Client ID and Private Key. | false | | -| `Debug` | Enable debug output. | false | `'false'` | -| `Verbose` | Enable verbose output. | false | `'false'` | +| `Debug` | Enable debug output for the whole action. | false | `'false'` | +| `Verbose` | Enable verbose output for the whole action. | false | `'false'` | | `Version` | Specifies the exact version of the GitHub module to install. | false | | | `Prerelease` | Allow prerelease versions if available. | false | `'false'` | | `ErrorView` | Configure the PowerShell `$ErrorView` variable. You can use full names ('NormalView', 'CategoryView', 'ConciseView', 'DetailedView'). It matches on partials. | false | `'NormalView'` | diff --git a/action.yml b/action.yml index 431813c..eb5fa1f 100644 --- a/action.yml +++ b/action.yml @@ -24,11 +24,11 @@ inputs: description: Log in using a GitHub App, using the App's Client ID and Private Key. required: false Debug: - description: Enable debug output. + description: Enable debug output for the whole action. required: false default: 'false' Verbose: - description: Enable verbose output. + description: Enable verbose output for the whole action. required: false default: 'false' Version: @@ -92,6 +92,8 @@ runs: run: | # ${{ inputs.Name }} $ErrorView = $env:PSMODULE_GITHUB_SCRIPT_INPUT_ErrorView + $DebugPreference = $env:PSMODULE_GITHUB_SCRIPT_INPUT_Debug -eq 'true' ? 'Continue' : 'SilentlyContinue' + $VerbosePreference = $env:PSMODULE_GITHUB_SCRIPT_INPUT_Verbose -eq 'true' ? 'Continue' : 'SilentlyContinue' try { ${{ github.action_path }}/scripts/init.ps1 ${{ github.action_path }}/scripts/info.ps1 
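Review bot: The two new `$DebugPreference`/`$VerbosePreference` assignments in the action.yml `run:` block carry no comment explaining why they now live in the step script rather than in the scripts that previously set them (this commit deletes the equivalent lines from scripts/info.ps1 and scripts/outputs.ps1). A line such as `# Set once here so the init/info/outputs scripts invoked below inherit the Debug/Verbose preference` would keep that reasoning with the code. The ternary `? :` form requires PowerShell 7, which the removed info.ps1 lines already relied on, so no new runtime requirement is introduced. The `run:` block continues outside the hunk.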
diff --git a/scripts/info.ps1 b/scripts/info.ps1 index 30b2ba0..ba5874a 100644 --- a/scripts/info.ps1 +++ b/scripts/info.ps1 @@ -60,6 +60,4 @@ process { end { Write-Debug "[$scriptName] - End" - $DebugPreference = $env:PSMODULE_GITHUB_SCRIPT_INPUT_Debug -eq 'true' ? 'Continue' : 'SilentlyContinue' - $VerbosePreference = $env:PSMODULE_GITHUB_SCRIPT_INPUT_Verbose -eq 'true' ? 'Continue' : 'SilentlyContinue' } diff --git a/scripts/outputs.ps1 b/scripts/outputs.ps1 index 0c4fd70..d5ca5a1 100644 --- a/scripts/outputs.ps1 +++ b/scripts/outputs.ps1 @@ -3,8 +3,6 @@ [CmdletBinding()] param() -$DebugPreference = 'SilentlyContinue' -$VerbosePreference = 'SilentlyContinue' $scriptName = $MyInvocation.MyCommand.Name Write-Debug "[$scriptName] - Start" From d7819cb81ac6f1b9794990668b02d0163be4c69f Mon Sep 17 00:00:00 2001 
From: Copilot <198982749+Copilot@users.noreply.github.com> Date: Sat, 19 Jul 2025 01:56:56 +0200 Subject: [PATCH 5/6] =?UTF-8?q?=F0=9F=9A=80=20Add=20KeyVaultKeyReference?= =?UTF-8?q?=20parameter=20for=20GitHub=20App=20authentication=20(#63)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR adds support for authenticating GitHub Apps using Azure KeyVault key references, enabling secure private key storage in Azure KeyVault instead of GitHub secrets. ## Changes Made ### 🔧 Core Implementation - **action.yml**: Added new `KeyVaultKeyReference` input parameter with proper description and environment variable mapping - **scripts/init.ps1**: - Added validation logic ensuring mutual exclusion between `PrivateKey` and `KeyVaultKeyReference` - Added requirement validation that `ClientID` must be provided with exactly one key parameter - Implemented new authentication path: `Connect-GitHub -ClientID -KeyVaultKeyReference ` - Updated module status reporting to include KeyVault key reference status ### 📚 Documentation - **README.md**: - Added `KeyVaultKeyReference` to inputs documentation table - Added comprehensive Example 5 demonstrating Azure KeyVault authentication workflow - Updated example numbering consistently - Included note about required `azure/login` action for KeyVault authentication ## Usage Example ```yaml jobs: Run-Script: runs-on: ubuntu-latest steps: - name: Login to Azure uses: azure/login@v1 with: creds: ${{ secrets.AZURE_CREDENTIALS }} - name: Run script uses: PSModule/GitHub-Script@v1 with: ClientID: ${{ secrets.CLIENT_ID }} KeyVaultKeyReference: ${{ secrets.KEYVAULT_KEY_REFERENCE }} Script: | LogGroup "Get-GitHubApp" { Get-GitHubApp } ``` ## Validation The implementation includes comprehensive validation: - ✅ Mutual exclusion: Only one of `PrivateKey` or `KeyVaultKeyReference` can be provided - ✅ Requirement validation: `ClientID` must be provided with exactly one key parameter - ✅ Error handling for 
invalid input combinations - ✅ PowerShell and YAML syntax validation - ✅ Integration testing with 6/6 test scenarios passing ## Authentication Flow The action now supports three authentication methods: 1. **Token**: `Token` parameter (existing) 2. **GitHub App with Private Key**: `ClientID` + `PrivateKey` (existing) 3. **GitHub App with KeyVault**: `ClientID` + `KeyVaultKeyReference` (new) Fixes #62. --- 💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click [here](https://survey.alchemer.com/s3/8343779/Copilot-Coding-agent) to start the survey. --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: MariusStorhaug <17722253+MariusStorhaug@users.noreply.github.com> Co-authored-by: Marius Storhaug --- .github/workflows/Action-Test-Prerelease.yml | 1 + .github/workflows/Action-Test.yml | 1 + .github/workflows/TestWorkflow.yml | 102 +++++++++++++++++++ README.md | 33 +++++- action.yml | 4 + scripts/init.ps1 | 36 +++++-- 6 files changed, 167 insertions(+), 10 deletions(-) diff --git a/.github/workflows/Action-Test-Prerelease.yml b/.github/workflows/Action-Test-Prerelease.yml index eb1c725..89122f0 100644 --- a/.github/workflows/Action-Test-Prerelease.yml +++ b/.github/workflows/Action-Test-Prerelease.yml @@ -12,6 +12,7 @@ concurrency: permissions: contents: read pull-requests: read + id-token: write jobs: ActionTest: diff --git a/.github/workflows/Action-Test.yml b/.github/workflows/Action-Test.yml index 77b6918..7aaed5b 100644 --- a/.github/workflows/Action-Test.yml +++ b/.github/workflows/Action-Test.yml @@ -15,6 +15,7 @@ concurrency: permissions: contents: read pull-requests: read + id-token: write jobs: ActionTest: diff --git a/.github/workflows/TestWorkflow.yml b/.github/workflows/TestWorkflow.yml index a0efac8..579c6cc 100644 --- a/.github/workflows/TestWorkflow.yml +++ b/.github/workflows/TestWorkflow.yml 
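Review bot: `id-token: write` is added at workflow level in both Action-Test.yml and Action-Test-Prerelease.yml, and Action-Test.yml also runs on `pull_request` (see its hunk in the first commit of this series), so every job of every PR run from a branch of this repository can now request an OIDC token, not only the KeyVault test jobs. The grant is unavoidable here because a called workflow cannot exceed the caller's permissions, but its practical reach depends on the `environment: azure` the new jobs in TestWorkflow.yml use, so that environment's deployment-branch and reviewer rules should be confirmed. A trailing comment, `id-token: write # OIDC login to Azure for the KeyVault jobs in TestWorkflow.yml`, would record why the permission exists.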
@@ -37,10 +37,14 @@ on: TEST_APP_ORG_PRIVATE_KEY: description: Private Key for the test GitHub App for the organization required: true + KEYVAULT_KEY_REFERENCE: + description: Azure KeyVault key reference URL for GitHub App authentication + required: true permissions: contents: read pull-requests: read + id-token: write jobs: ActionTestBasic: 
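Review bot: The new `KEYVAULT_KEY_REFERENCE` secret is declared `required: true`, yet nothing in this commit reads `secrets.KEYVAULT_KEY_REFERENCE`; the two new jobs later in this file pass a literal vault URL to `KeyVaultKeyReference`, so callers that pass secrets explicitly would have to supply a value that is never used. Either drop the declaration or consume it in the jobs: `KeyVaultKeyReference: ${{ secrets.KEYVAULT_KEY_REFERENCE }}`. Separately, `id-token: write` could be granted per job with a job-level `permissions:` block on the two Azure jobs instead of at workflow level, keeping the PAT- and App-based jobs at read-only.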
@@ -542,6 +546,104 @@ jobs: Get-GitHubConfig | Format-List | Out-String } + ActionTestWithKeyVaultKeyReference: + name: WithKeyVaultKeyReference + environment: azure + runs-on: ${{ inputs.runs-on }} + steps: + # Need to check out as part of the test, as its a local action + - name: Checkout repo + uses: actions/checkout@v4 + + # Login to Azure to enable KeyVault access + - name: Login to Azure + uses: azure/login@v2 + with: + client-id: ${{ vars.AZURE_CLIENT_ID }} + tenant-id: ${{ vars.AZURE_TENANT_ID }} + subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }} + allow-no-subscriptions: true + + - name: Action-Test + uses: ./ + with: + ClientID: ${{ secrets.TEST_APP_ORG_CLIENT_ID }} + KeyVaultKeyReference: 'https://psmodule-test-vault.vault.azure.net/keys/psmodule-org-app/569ae34250e64adca6a2b2d159d454a5' + Prerelease: ${{ inputs.Prerelease }} + Script: | + LogGroup 'Context details' { + Get-GitHubContext | Select-Object * | Out-String + } + + LogGroup 'Get-GitHubApp' { + Get-GitHubApp | Format-List | Out-String + } + + LogGroup 'Get-GitHubAppInstallation' { + Get-GitHubAppInstallation | Format-Table -AutoSize | Out-String + } + + LogGroup 'Connect to all installations of the app' { + Connect-GitHubApp + } + + LogGroup 'Contexts' { + Get-GitHubContext -ListAvailable | Format-Table -AutoSize | Out-String + } + + LogGroup 'GitHubConfig' { + Get-GitHubConfig | Format-List | Out-String + } + + ActionTestWithKeyVaultKeyReferenceLatest: + name: WithKeyVaultKeyReferenceLatest + environment: azure + runs-on: ${{ inputs.runs-on }} + steps: + # Need to check out as part of the test, as its a local action + - name: Checkout repo + uses: actions/checkout@v4 + + # Login to Azure to enable KeyVault access + - name: Login to Azure + uses: azure/login@v2 + with: + client-id: ${{ vars.AZURE_CLIENT_ID }} + tenant-id: ${{ vars.AZURE_TENANT_ID }} + subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }} + allow-no-subscriptions: true + + - name: Action-Test + uses: ./ + with: + ClientID: ${{ 
secrets.TEST_APP_ORG_CLIENT_ID }} + KeyVaultKeyReference: 'https://psmodule-test-vault.vault.azure.net/keys/psmodule-org-app/' + Prerelease: ${{ inputs.Prerelease }} + Script: | + LogGroup 'Context details' { + Get-GitHubContext | Select-Object * | Out-String + } + + LogGroup 'Get-GitHubApp' { + Get-GitHubApp | Format-List | Out-String + } + + LogGroup 'Get-GitHubAppInstallation' { + Get-GitHubAppInstallation | Format-Table -AutoSize | Out-String + } + + LogGroup 'Connect to all installations of the app' { + Connect-GitHubApp + } + + LogGroup 'Contexts' { + Get-GitHubContext -ListAvailable | Format-Table -AutoSize | Out-String + } + + LogGroup 'GitHubConfig' { + Get-GitHubConfig | Format-List | Out-String + } + ActionTestPreserveCredentialsFalse: name: PreserveCredentials False runs-on: ${{ inputs.runs-on }} diff --git a/README.md b/README.md index 28d87ad..d1adf3c 100644 --- a/README.md +++ b/README.md @@ -15,6 +15,7 @@ To get started with your own GitHub PowerShell based action, [create a new repos | `Token` | Log in using an Installation Access Token (IAT). | false | `${{ github.token }}` | | `ClientID` | Log in using a GitHub App, with the App's Client ID and Private Key. | false | | | `PrivateKey` | Log in using a GitHub App, with the App's Client ID and Private Key. | false | | +| `KeyVaultKeyReference` | Log in using a GitHub App, with the App's Client ID and KeyVault Key Reference. | false | | | `Debug` | Enable debug output for the whole action. | false | `'false'` | | `Verbose` | Enable verbose output for the whole action. | false | `'false'` | | `Version` | Specifies the exact version of the GitHub module to install. | false | | 
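Review bot: `Get-GitHubContext | Select-Object * | Out-String` in the 'Context details' group prints every property of the context object to the job log; if the context carries the app JWT or an installation token, `Select-Object *` bypasses any default view the module may define to hide it, and GitHub's masking only covers registered secrets, which a freshly minted token is not. Prefer the `Format-List` form the other log groups use, or project only the fields the test needs rather than `*`. Both jobs also reference `actions/checkout@v4` and `azure/login@v2` by tag; pinning to a full commit SHA is the usual hardening for a job that holds an Azure OIDC session. The two jobs differ only in the key URL (versioned vs. latest), so a short comment on the second job saying that the version-less URL is the variant under test would make the duplication deliberate.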
@@ -176,7 +177,35 @@ jobs: } ``` -#### Example 5: Using outputs from the script +#### Example 5: Run a GitHub PowerShell script with a GitHub App using a Client ID and KeyVault Key Reference + +Runs a script that uses the GitHub PowerShell module with a GitHub App authenticated via Azure KeyVault. This example retrieves the GitHub App details. + +> [!NOTE] +> This authentication method requires the `azure/login` action to authenticate with Azure first. The KeyVault Key Reference should be a URL pointing to the private key stored in Azure KeyVault. + +```yaml +jobs: + Run-Script: + runs-on: ubuntu-latest + steps: + - name: Login to Azure + uses: azure/login@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Run script + uses: PSModule/GitHub-Script@v1 + with: + ClientID: ${{ secrets.CLIENT_ID }} + KeyVaultKeyReference: ${{ secrets.KEYVAULT_KEY_REFERENCE }} + Script: | + LogGroup "Get-GitHubApp" { + Get-GitHubApp + } +``` + +#### Example 6: Using outputs from the script Runs a script that uses the GitHub PowerShell module and outputs the result. @@ -201,7 +230,7 @@ Runs a script that uses the GitHub PowerShell module and outputs the result. Write-GitHubNotice -Message $result.Zen -Title 'GitHub Zen' ``` -#### Example 6: Run a script with credential cleanup +#### Example 7: Run a script with credential cleanup Runs a script with `PreserveCredentials` set to `false` to automatically disconnect GitHub credentials after execution. diff --git a/action.yml b/action.yml index eb5fa1f..a4614ec 100644 --- a/action.yml +++ b/action.yml @@ -23,6 +23,9 @@ inputs: PrivateKey: description: Log in using a GitHub App, using the App's Client ID and Private Key. required: false + KeyVaultKeyReference: + description: Log in using a GitHub App, using the App's Client ID and KeyVault Key Reference. + required: false Debug: description: Enable debug output for the whole action. required: false 
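Review bot: The `KeyVaultKeyReference` input description in action.yml does not say what the value is or what it presupposes; the README hunk in this same commit describes it as a URL pointing to the key in Azure KeyVault and notes that an `azure/login` step must run first, and action.yml is what users see when browsing the action. Suggest `description: Log in using a GitHub App, using the App's Client ID and a KeyVault key reference URL. Requires a prior azure/login step.`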
@@ -80,6 +83,7 @@ runs: PSMODULE_GITHUB_SCRIPT_INPUT_Token: ${{ inputs.Token }} PSMODULE_GITHUB_SCRIPT_INPUT_ClientID: ${{ inputs.ClientID }} PSMODULE_GITHUB_SCRIPT_INPUT_PrivateKey: ${{ inputs.PrivateKey }} + PSMODULE_GITHUB_SCRIPT_INPUT_KeyVaultKeyReference: ${{ inputs.KeyVaultKeyReference }} PSMODULE_GITHUB_SCRIPT_INPUT_Debug: ${{ inputs.Debug }} PSMODULE_GITHUB_SCRIPT_INPUT_Verbose: ${{ inputs.Verbose }} PSMODULE_GITHUB_SCRIPT_INPUT_Version: ${{ inputs.Version }} diff --git a/scripts/init.ps1 b/scripts/init.ps1 index 2cd7566..76663fd 100644 --- a/scripts/init.ps1 +++ b/scripts/init.ps1 
@@ -78,15 +78,28 @@ process { $providedToken = -not [string]::IsNullOrEmpty($env:PSMODULE_GITHUB_SCRIPT_INPUT_Token) $providedClientID = -not [string]::IsNullOrEmpty($env:PSMODULE_GITHUB_SCRIPT_INPUT_ClientID) $providedPrivateKey = -not [string]::IsNullOrEmpty($env:PSMODULE_GITHUB_SCRIPT_INPUT_PrivateKey) + $providedKeyVaultKeyReference = -not [string]::IsNullOrEmpty($env:PSMODULE_GITHUB_SCRIPT_INPUT_KeyVaultKeyReference) + + # Validate mutual exclusion of PrivateKey and KeyVaultKeyReference + if ($providedPrivateKey -and $providedKeyVaultKeyReference) { + throw 'Only one of PrivateKey or KeyVaultKeyReference can be provided.' + } + + # Validate that if ClientID is provided, exactly one of PrivateKey or KeyVaultKeyReference is also provided + if ($providedClientID -and -not ($providedPrivateKey -or $providedKeyVaultKeyReference)) { + throw 'When ClientID is provided, either PrivateKey or KeyVaultKeyReference must also be provided.' + } + $moduleStatus = [pscustomobject]@{ - Name = $Name - Version = [string]::IsNullOrEmpty($Version) ? 'latest' : $Version - Prerelease = $Prerelease - 'Already installed' = $null -ne $alreadyInstalled - 'Already imported' = $null -ne $alreadyImported - 'Provided Token' = $providedToken - 'Provided ClientID' = $providedClientID - 'Provided PrivateKey' = $providedPrivateKey + Name = $Name + Version = [string]::IsNullOrEmpty($Version) ? 'latest' : $Version + Prerelease = $Prerelease + 'Already installed' = $null -ne $alreadyInstalled + 'Already imported' = $null -ne $alreadyImported + 'Provided Token' = $providedToken + 'Provided ClientID' = $providedClientID + 'Provided PrivateKey' = $providedPrivateKey + 'Provided KeyVaultKeyReference' = $providedKeyVaultKeyReference } if ($showInit) { Write-Output 'Module status:' 
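Review bot: The second validation only covers the case where `ClientID` is set; the converse, `PrivateKey` or `KeyVaultKeyReference` supplied without `ClientID`, is not rejected, and because the connection branches below this hunk appear to test `$providedClientID` first, such a run would fall through to the `Token` path and authenticate as the workflow token instead of the app without any error. A third check closes that gap: `if (($providedPrivateKey -or $providedKeyVaultKeyReference) -and -not $providedClientID) { throw 'PrivateKey or KeyVaultKeyReference requires ClientID to be provided.' }`. The comment above the second check says "exactly one", which only holds together with the mutual-exclusion check above it; "at least one" describes the line itself. The `process {}` block continues outside the hunk.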
@@ -101,6 +114,13 @@ process { Silent = (-not $showInit) } Connect-GitHub @params + } elseif ($providedClientID -and $providedKeyVaultKeyReference) { + $params = @{ + ClientID = $env:PSMODULE_GITHUB_SCRIPT_INPUT_ClientID + KeyVaultKeyReference = $env:PSMODULE_GITHUB_SCRIPT_INPUT_KeyVaultKeyReference + Silent = (-not $showInit) + } + Connect-GitHub @params } elseif ($providedToken) { $params = @{ Token = $env:PSMODULE_GITHUB_SCRIPT_INPUT_Token From 53dd5b965c27774368be1b4fa1b49f6b54bc088f Mon Sep 17 00:00:00 2001 From: Marius Storhaug Date: Tue, 22 Jul 2025 13:16:14 +0200 Subject: [PATCH 6/6] =?UTF-8?q?=F0=9F=A9=B9=20[Patch]:=20Add=20logging=20f?= =?UTF-8?q?or=20GitHub=20event=20data=20in=20info=20script=20(#64)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Description This pull request adds a new logging group to the `scripts/info.ps1` file for better visibility into event-related information. ### Logging Improvements: * [`scripts/info.ps1`](diffhunk://#diff-82c586f67d16e32953b47a962c269d0a484f8aa660d71ad354e91fd2d4334cd9R54-R57): Added a new log group labeled 'Event Information' that retrieves and formats GitHub event data using `Get-GitHubEventData`. ## Type of change - [ ] 📖 [Docs] - [ ] 🪲 [Fix] - [x] 🩹 [Patch] - [ ] ⚠️ [Security fix] - [ ] 🚀 [Feature] - [ ] 🌟 [Breaking change] ## Checklist - [x] I have performed a self-review of my own code - [x] I have commented my code, particularly in hard-to-understand areas --- scripts/info.ps1 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/scripts/info.ps1 b/scripts/info.ps1 index ba5874a..77539b9 100644 --- a/scripts/info.ps1 +++ b/scripts/info.ps1 @@ -51,6 +51,10 @@ process { Get-GitHubConfig | Format-List | Out-String } + LogGroup ' - Event Information' { + Get-GitHubEventData | Format-List | Out-String + } + $fenceEnd = '┗' + ('━' * ($fenceStart.Length - 2)) + '┛' Write-Output $fenceEnd } catch {
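Review bot: `Get-GitHubEventData | Format-List | Out-String` writes the entire event payload into the job log; for `pull_request` and comment events that payload contains user-authored text (titles, bodies) and for `push` the commit list, so the output can be large and consists of text the triggering user controls. It is not a secret leak, but a comment should state that it is diagnostic and may be large, e.g. `# Full event payload for diagnostics; can be large on push/pull_request events`, or the group could be limited to a summary of selected fields. The `process {}` block containing this log group starts and ends outside the hunk.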