🩹[Patch]: Workflow improvements (#15)

MariusStorhaug · web-flow · commit 239283acc7c5 · 2026-01-26T23:03:16.000+01:00
This release makes several improvements and updates to GitHub Actions
workflows, dependencies, and documentation. The main focus is on
enhancing workflow security and maintainability by pinning action
versions, updating configuration and naming, and improving documentation
clarity.

**Workflow and Action Updates:**

* Updated all GitHub Actions in workflow files (such as
`actions/checkout`, `actions/upload-artifact`,
`super-linter/super-linter`, and `actions/download-artifact`) to use
pinned commit SHAs for improved security and traceability. Also added
`persist-credentials: false` to checkout steps.
* Renamed `.github/workflows/Auto-Release.yml` to
`.github/workflows/Release.yml`, updated job and workflow names, and
changed the trigger from `pull_request_target` to `pull_request` with
path filters for more precise release automation.
* Replaced the `PSModule/Auto-Release` action with
`PSModule/Release-GHRepository` for release management.

**Configuration and Linting:**

* Removed the `.github/linters/.jscpd.json` configuration file and
disabled JSCPD validation in the linter workflow, streamlining linting
checks.
* Disabled several Prettier validations in the linter workflow for JSON,
Markdown, and YAML files.

**Dependency and Schedule Management:**

* Changed the Dependabot update schedule from weekly to daily and added
a cooldown period of 7 days between updates to balance update frequency.

**Documentation Improvements:**

* Fixed a typo in both `README.md` and `action.yml` to clarify that
artifacts are "downloaded" (not "download") from workflow runs.
* Updated the script path in `action.yml` from `scripts/main.ps1` to
`src/main.ps1` for consistency with the repository structure.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -11,4 +11,6 @@ updates:
       - dependencies
       - github-actions
     schedule:
-      interval: weekly
+      interval: daily
+    cooldown:
+      default-days: 7
diff --git a/.github/linters/.jscpd.json b/.github/linters/.jscpd.json
diff --git a/.github/workflows/Action-Test.yml b/.github/workflows/Action-Test.yml
@@ -23,10 +23,12 @@ jobs:
     steps:
       # Need to check out as part of the test, as its a local action
       - name: Checkout repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Upload Artifact
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: Docs
           path: README.md
@@ -38,7 +40,9 @@ jobs:
     steps:
       # Need to check out as part of the test, as its a local action
       - name: Checkout repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Action-Test
         uses: ./
diff --git a/.github/workflows/Linter.yml b/.github/workflows/Linter.yml
@@ -19,14 +19,17 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Lint code base
-        uses: super-linter/super-linter@latest
+        uses: super-linter/super-linter@d5b0a2ab116623730dd094f15ddc1b6b25bf7b99 # v8.3.2
         env:
           GITHUB_TOKEN: ${{ github.token }}
+          VALIDATE_BIOME_FORMAT: false
+          VALIDATE_JSCPD: false
           VALIDATE_JSON_PRETTIER: false
           VALIDATE_MARKDOWN_PRETTIER: false
           VALIDATE_YAML_PRETTIER: false
diff --git a/.github/workflows/Release.yml b/.github/workflows/Release.yml
@@ -1,9 +1,9 @@
-name: Auto-Release
+name: Release
 
-run-name: "Auto-Release - [${{ github.event.pull_request.title }} #${{ github.event.pull_request.number }}] by @${{ github.actor }}"
+run-name: "Release - [${{ github.event.pull_request.title }} #${{ github.event.pull_request.number }}] by @${{ github.actor }}"
 
 on:
-  pull_request_target:
+  pull_request:
     branches:
       - main
     types:
@@ -12,6 +12,9 @@ on:
       - reopened
       - synchronize
       - labeled
+    paths:
+      - 'action.yml'
+      - 'src/**'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -22,13 +25,15 @@ permissions:
   pull-requests: write # Required to create comments on the PRs
 
 jobs:
-  Auto-Release:
+  Release:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
-      - name: Auto-Release
-        uses: PSModule/Auto-Release@v1
+      - name: Release
+        uses: PSModule/Release-GHRepository@88c70461c8f16cc09682005bcf3b7fca4dd8dc1a # v2.0.1
         env:
           GITHUB_TOKEN: ${{ github.token }}
diff --git a/README.md b/README.md
@@ -11,7 +11,7 @@ As an example, terraform plans can be uploaded as artifacts in a PR CI workflow
 | - | - | - | - |
 | `Path` | The path to the artifact to download. | No | |
 | `WorkflowID` | The filename or ID of the workflow to download the artifact from. You must provide either `WorkflowID` or `WorkflowRunID`. | No | '' |
-| `WorkflowRunID` | The ID of the workflow run where the artifact will be download from. You must provide either `WorkflowID` or `WorkflowRunID`. | No | '' |
+| `WorkflowRunID` | The ID of the workflow run where the artifact will be downloaded from. You must provide either `WorkflowID` or `WorkflowRunID`. | No | '' |
 | `ArtifactName` | Name of the artifact to download. If unspecified, all artifacts for the run are downloaded. | Yes | |
 | `GITHUB_TOKEN` | The GitHub token used to authenticate with the GitHub API. | Yes | |
 | `WorkingDirectory` | The working directory where the artifact will be downloaded to. Default is the root of the repository. | No | `${{ github.workspace }}` |
diff --git a/action.yml b/action.yml
@@ -15,7 +15,7 @@ inputs:
     default: ''
   WorkflowRunID:
     description: |
-      The ID of the workflow run where the artifact will be download from.
+      The ID of the workflow run where the artifact will be downloaded from.
       You must provide either `WorkflowID` or `WorkflowRunID`.
     required: false
     default: ''
@@ -43,10 +43,10 @@ runs:
         PSMODULE_DOWNLOAD_CIARTIFACT_INPUT_WorkflowRunID: ${{ inputs.WorkflowRunID }}
       run: |
         # Download-CIArtifact
-        ${{ github.action_path }}/scripts/main.ps1
+        ${{ github.action_path }}/src/main.ps1
 
     - name: Download Artifact
-      uses: actions/download-artifact@v6
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         name: ${{ inputs.ArtifactName }}
         path: ${{ steps.workflow_run_id.outputs.Path }}
diff --git a/src/main.ps1 b/src/main.ps1
