Lint PowerShell scripts

.github/workflows/after-release.yml

@@ -75,7 +75,7 @@ jobs:
           git rev-parse --verify --quiet "remotes/origin/${branchName}" | Out-Null
 
           if ($LASTEXITCODE -eq 0) {
-            Write-Host "Branch ${branchName} already exists."
+            Write-Output "Branch ${branchName} already exists."
             exit 0
           }
 
@@ -84,8 +84,8 @@ jobs:
           git commit -m "Update CHANGELOG`n`nUpdate CHANGELOG and samples for v${env:RELEASE_VERSION}."
           git push -u origin $branchName
 
-          "branch-name=${branchName}" >> $env:GITHUB_OUTPUT
-          "updated-version=true" >> $env:GITHUB_OUTPUT
+          "branch-name=${branchName}" >> ${env:GITHUB_OUTPUT}
+          "updated-version=true" >> ${env:GITHUB_OUTPUT}
 
       - name: Create pull request
         if: steps.push-changes.outputs.updated-version == 'true'

.github/workflows/build.yml

@@ -117,8 +117,8 @@ jobs:
         $manifest = (Get-Content "./.config/dotnet-tools.json" | Out-String | ConvertFrom-Json)
         $dotnetSignVersion = $manifest.tools.sign.version
         $dotnetValidateVersion = $manifest.tools.'dotnet-validate'.version
-        "dotnet-sign-version=${dotnetSignVersion}" >> $env:GITHUB_OUTPUT
-        "dotnet-validate-version=${dotnetValidateVersion}" >> $env:GITHUB_OUTPUT
+        "dotnet-sign-version=${dotnetSignVersion}" >> ${env:GITHUB_OUTPUT}
+        "dotnet-validate-version=${dotnetValidateVersion}" >> ${env:GITHUB_OUTPUT}
 
   validate-packages:
     needs: build
@@ -190,19 +190,22 @@ jobs:
       env:
         AZURE_CLIENT_ID: ${{ secrets.SIGN_CLI_APPLICATION_ID }}
         AZURE_CLIENT_SECRET: ${{ secrets.SIGN_CLI_SECRET }}
+        AZURE_KEY_VAULT_CERTIFICATE: ${{ secrets.SIGN_CLI_CERT_NAME }}
+        AZURE_KEY_VAULT_URL: ${{ secrets.SIGN_CLI_VAULT_URI }}
         AZURE_TENANT_ID: ${{ secrets.SIGN_CLI_TENANT_ID }}
+        VERBOSITY: ${{ runner.debug == '1' && 'Debug' || 'Warning' }}
       run: |
         ./sign code azure-key-vault `
           **/*.nupkg `
-          --base-directory "${{ github.workspace }}/packages" `
-          --file-list "${{ github.workspace }}/signing-config/filelist.txt" `
+          --base-directory "${env:GITHUB_WORKSPACE}/packages" `
+          --file-list "${env:GITHUB_WORKSPACE}/signing-config/filelist.txt" `
           --application-name "Polly" `
           --publisher-name "App vNext" `
           --description "Polly" `
-          --description-url "https://github.com/${{ github.repository }}" `
-          --azure-key-vault-certificate "${{ secrets.SIGN_CLI_CERT_NAME }}" `
-          --azure-key-vault-url "${{ secrets.SIGN_CLI_VAULT_URI }}" `
-          --verbosity "${{ runner.debug == '1' && 'Debug' || 'Warning' }}"
+          --description-url "https://github.com/${env:GITHUB_REPOSITORY}" `
+          --azure-key-vault-certificate ${env:AZURE_KEY_VAULT_CERTIFICATE} `
+          --azure-key-vault-url ${env:AZURE_KEY_VAULT_URL} `
+          --verbosity "${env:VERBOSITY}"
         if ($LASTEXITCODE -ne 0) {
           Write-Output "::error::Failed to sign NuGet packages"
           exit 1
@@ -348,7 +351,9 @@ jobs:
         dotnet-version: ${{ needs.build.outputs.dotnet-sdk-version }}
 
     - name: Push signed NuGet packages to NuGet.org
-      run: dotnet nuget push "*.nupkg" --api-key ${{ secrets.NUGET_TOKEN }} --skip-duplicate --source https://api.nuget.org/v3/index.json
+      env:
+        NUGET_TOKEN: ${{ secrets.NUGET_TOKEN }}
+      run: dotnet nuget push "*.nupkg" --api-key "${NUGET_TOKEN}" --skip-duplicate --source https://api.nuget.org/v3/index.json
 
     - name: Generate GitHub application token
       id: generate-application-token

.github/workflows/dependabot-approve.yml

@@ -2,14 +2,16 @@ name: dependabot-approve
 
 on: pull_request_target
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   review:
     runs-on: ubuntu-latest
     if: github.event.repository.fork == false && github.event.pull_request.user.login == 'dependabot[bot]'
 
+    permissions:
+      contents: read
+
     steps:
 
       - name: Get dependabot metadata
@@ -22,7 +24,7 @@ jobs:
         with:
           application_id: ${{ secrets.POLLY_REVIEWER_BOT_APP_ID }}
           application_private_key: ${{ secrets.POLLY_REVIEWER_BOT_KEY }}
-          permissions: "contents:write, pull_requests:write, workflows:write"
+          permissions: 'contents:write, pull_requests:write, workflows:write'
 
       - name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

.github/workflows/dependency-review.yml

@@ -7,14 +7,16 @@ on:
       - release/*
       - dotnet-vnext
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   dependency-review:
     runs-on: ubuntu-latest
     if: github.event.repository.fork == false
 
+    permissions:
+      contents: read
+
     steps:
 
       - name: Checkout code

.github/workflows/gh-pages.yml

@@ -12,15 +12,17 @@ on:
       - dotnet-vnext
   workflow_dispatch:
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
 
   build-docs:
     runs-on: ubuntu-latest
     timeout-minutes: 20
 
+    permissions:
+      contents: read
+
     steps:
 
     - name: Checkout code

.github/workflows/lint.yml

@@ -0,0 +1,72 @@
+name: lint
+
+on:
+  push:
+    branches:
+      - main
+      - release/*
+    paths-ignore:
+      - '**/*.gitattributes'
+      - '**/*.gitignore'
+      - '**/*.md'
+  pull_request:
+    branches:
+      - main
+      - release/*
+      - dotnet-vnext
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+
+    env:
+      FORCE_COLOR: 3
+      POWERSHELL_YAML_VERSION: '0.4.12'
+      PSSCRIPTANALYZER_VERSION: '1.23.0'
+      TERM: xterm
+
+    permissions:
+      contents: read
+
+    steps:
+
+    - name: Checkout code
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        filter: 'tree:0'
+        show-progress: false
+
+    - name: Add actionlint problem matcher
+      run: echo "::add-matcher::.github/actionlint-matcher.json"
+
+    - name: Lint workflows
+      uses: docker://rhysd/actionlint@sha256:887a259a5a534f3c4f36cb02dca341673c6089431057242cdc931e9f133147e9 # v1.7.7
+      with:
+        args: -color
+
+    - name: Lint PowerShell in workflows
+      uses: martincostello/lint-actions-powershell@5942e3350ee5bd8f8933cec4e1185d13f0ea688f # v1.0.0
+      with:
+        powershell-yaml-version: ${{ env.POWERSHELL_YAML_VERSION }}
+        psscriptanalyzer-version: ${{ env.PSSCRIPTANALYZER_VERSION }}
+        treat-warnings-as-errors: true
+
+    - name: Lint PowerShell scripts
+      shell: pwsh
+      run: |
+        $settings = @{
+          IncludeDefaultRules = $true
+          Severity = @("Error", "Warning")
+        }
+        $issues = Invoke-ScriptAnalyzer -Path ${env:GITHUB_WORKSPACE} -Recurse -ReportSummary -Settings $settings
+        foreach ($issue in $issues) {
+          $severity = $issue.Severity.ToString()
+          $level = $severity.Contains("Error") ? "error" : $severity.Contains("Warning") ? "warning" : "notice"
+          Write-Output "::${level} file=$($issue.ScriptName),line=$($issue.Line),title=PSScriptAnalyzer::$($issue.Message)"
+        }
+        if ($issues.Count -gt 0) {
+          exit 1
+        }

.github/workflows/nuget-packages-published.yml

@@ -75,7 +75,7 @@ jobs:
             exit 0
           }
 
-          "published=true" >> $env:GITHUB_OUTPUT
+          "published=true" >> ${env:GITHUB_OUTPUT}
 
   notify-release:
     runs-on: [ ubuntu-latest ]

.github/workflows/on-push-do-docs.yml

@@ -49,48 +49,49 @@ jobs:
 
           $GitStatus = (git status --porcelain)
           if ([string]::IsNullOrEmpty($GitStatus)) {
-            Write-Host "No changes to commit."
+            Write-Output "No changes to commit."
             exit 0
           }
 
           $TimeStamp = Get-Date -Format "yyyy-MM-dd-HH-mm"
           $BranchName = "docs/update-docs-$TimeStamp"
-          "branchName=$BranchName" >> $env:GITHUB_OUTPUT
+          "branchName=$BranchName" >> ${env:GITHUB_OUTPUT}
 
           $GitEmail = "138034000+polly-updater-bot[bot]@users.noreply.github.com"
           $GitUser = "polly-updater-bot[bot]"
 
           git config user.email $GitEmail | Out-Null
           git config user.name $GitUser | Out-Null
-          git remote set-url "${{ github.server_url }}/${{ github.repository }}.git" | Out-Null
+          git remote set-url "${env:GITHUB_SERVER_URL}/${env:GITHUB_REPOSITORY}.git" | Out-Null
           git fetch origin | Out-Null
           git rev-parse --verify --quiet ("remotes/origin/" + $BranchName) | Out-Null
 
           if ($LASTEXITCODE -eq 0) {
-            Write-Host "Branch $BranchName already exists."
+            Write-Output "Branch $BranchName already exists."
             exit 0
           }
 
           git checkout -b $BranchName
           git add .
           git commit -m "Update the code-snippets in the documentation"
           git push -u origin $BranchName
-          "updated-docs=true" >> $env:GITHUB_OUTPUT
+          "updated-docs=true" >> ${env:GITHUB_OUTPUT}
 
       - name: Create pull request
         if: steps.update-docs.outputs.updated-docs == 'true'
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        env:
+          BRANCH_NAME: ${{ steps.update-docs.outputs.branchName }}
         with:
           github-token: ${{ steps.generate-application-token.outputs.token }}
           script: |
             const { repo, owner } = context.repo;
-            const workflowUrl = `${{ github.server_url }}/${owner}/${repo}/actions/runs/${process.env.GITHUB_RUN_ID}`;
-            const branchName = "${{ steps.update-docs.outputs.branchName }}";
-            const result = await github.rest.pulls.create({
+            const workflowUrl = `${process.env.GITHUB_SERVER_URL}/${owner}/${repo}/actions/runs/${process.env.GITHUB_RUN_ID}`;
+            await github.rest.pulls.create({
               title: 'Update the code-snippets in the documentation',
               owner,
               repo,
-              head: branchName,
+              head: process.env.BRANCH_NAME,
               base: 'main',
               body: [
                 'This PR updates the code-snippets in the documentation.',

.github/workflows/stale.yml

@@ -5,9 +5,7 @@ on:
     - cron: '30 1 * * *'
   workflow_dispatch:
 
-permissions:
-  issues: read
-  pull-requests: read
+permissions: {}
 
 jobs:
   stale:

.github/workflows/update-dotnet-sdk.yml

@@ -5,12 +5,13 @@ on:
     - cron:  '0 12 * * WED'
   workflow_dispatch:
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   update-dotnet-sdk:
     uses: martincostello/update-dotnet-sdk/.github/workflows/update-dotnet-sdk.yml@758e92b362c4164925583874878423a794cce239 # v3.4.1
+    permissions:
+      contents: read
     with:
       labels: "dependencies,.NET"
       update-nuget-packages: false
@@ -32,4 +33,5 @@ jobs:
     - name: Add security label
       env:
         GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      run: gh pr edit "${{ needs.update-dotnet-sdk.outputs.pull-request-html-url }}" --add-label security
+        PR_URL: ${{ needs.update-dotnet-sdk.outputs.pull-request-html-url }}
+      run: gh pr edit "${PR_URL}" --add-label security