ci: harden lint workflow - SHA-pin Actions, fix markdownlint config ref, remove PSGallery trust mutation #179

@daviburg

Description

Background

PR #171 landed the initial lint workflow but was squash-merged before a second round of Copilot review feedback could be incorporated. Three improvements remain outstanding.

Issues

1. GitHub Actions not pinned to commit SHAs

actions/checkout@v4 and dorny/paths-filter@v3 use mutable version tags. A supply-chain compromise of those repos could silently alter CI behavior.

Fix: Pin to full commit SHAs (tag retained as inline comment):

  • actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
  • dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3

2. markdownlint config file not explicitly referenced

npx markdownlint-cli2@0.17.2 '**/*.md' relies on auto-discovery of .markdownlint.json. The paths-filter also references .markdownlint.jsonc which does not exist — the actual file is .markdownlint.json.

Fix:

  • Pass --config .markdownlint.json explicitly
  • Correct the paths-filter entry from .markdownlint.jsonc to .markdownlint.json

3. Set-PSRepository PSGallery -InstallationPolicy Trusted mutates runner state

This is a global state mutation. Install-Module -Force already makes the install non-interactive without it.

Fix: Remove the Set-PSRepository line.

Files to change

  • .github/workflows/lint.yml
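The following script is an added example, not code from the issue or from the repository's own lint.yml. It embeds two constructed fragments of a lint workflow (the weak shape the issue describes and the hardened shape it asks for) and runs a small stdlib-only audit over them that flags the same three problems the issue lists: `uses:` references that are not full 40-hex commit SHAs (or SHA pins missing the version comment), a markdownlint-cli2 invocation without `--config`, a stale `.markdownlint.jsonc` path, and a `Set-PSRepository` call. The module name passed to `Install-Module` is a placeholder, since the issue does not name it; the SHAs are the ones quoted in the issue.

```python
import re

# Constructed "before" fragment, shaped like the workflow the issue criticizes.
WEAK_WORKFLOW = """\
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dorny/paths-filter@v3
        with:
          filters: |
            markdown:
              - '**/*.md'
              - '.markdownlint.jsonc'
      - run: npx markdownlint-cli2@0.17.2 '**/*.md'
      - shell: pwsh
        run: |
          Set-PSRepository PSGallery -InstallationPolicy Trusted
          Install-Module ExampleModule -Force   # module name is a placeholder
"""

# Constructed "after" fragment applying the three fixes from the issue.
HARDENED_WORKFLOW = """\
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3
        with:
          filters: |
            markdown:
              - '**/*.md'
              - '.markdownlint.json'
      - run: npx markdownlint-cli2@0.17.2 --config .markdownlint.json '**/*.md'
      - shell: pwsh
        run: |
          Install-Module ExampleModule -Force   # module name is a placeholder
"""

# Matches "uses: owner/repo@ref" and captures an optional trailing "# comment".
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(.*))?$", re.M)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text: str) -> list[str]:
    """Return one finding per problem named in the issue; an empty list means clean."""
    findings = []
    for m in USES_RE.finditer(text):
        ref, comment = m.group(1), m.group(2)
        # Local actions (./path) and docker:// references carry no tag to pin.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append(f"{ref}: no ref given at all")
            continue
        action, version = ref.rsplit("@", 1)
        if not FULL_SHA_RE.match(version):
            # A tag or branch name is mutable; only a full commit SHA is immutable.
            findings.append(f"{action}: mutable ref '{version}', pin to a full commit SHA")
        elif not comment:
            # The SHA alone is unreadable; keep the tag as a comment for humans and updaters.
            findings.append(f"{action}: SHA pinned but missing the '# vN' version comment")
    if "markdownlint-cli2" in text and "--config" not in text:
        findings.append("markdownlint-cli2 relies on config auto-discovery; pass --config")
    if ".markdownlint.jsonc" in text:
        findings.append(".markdownlint.jsonc referenced but the file is .markdownlint.json")
    if "Set-PSRepository" in text:
        findings.append("Set-PSRepository mutates global runner state; Install-Module -Force suffices")
    return findings


if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"== {label} ==")
        for f in audit_workflow(wf) or ["clean"]:
            print(" -", f)
```

Run against the weak fragment the audit reports five findings (two unpinned actions, the missing `--config`, the `.jsonc` path, and the `Set-PSRepository` call); against the hardened fragment it reports none. The same function can be pointed at a real `.github/workflows/*.yml` file's contents to confirm a fix like the one in this issue actually landed.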
