3030 runs-on : ubuntu-latest
3131 timeout-minutes : 20
3232
33+ # Keep minimal defaults here; we'll elevate only where allowed.
3334 permissions :
3435 contents : write
3536 pull-requests : write
3940 PSA_VERSION : " 1.24.0"
4041 SARIF_FILE : " psscriptanalyzer-results.sarif"
4142 SUMMARY_MD : " psscriptanalyzer-summary.md"
43+ PATCH_FILE : " psscriptanalyzer-autofix.patch"
4244
4345 steps :
4446 - name : 📦 Checkout Repository
@@ -103,6 +105,9 @@ jobs:
103105 Import-Module PSScriptAnalyzer -Force
104106 Write-Host ("PSScriptAnalyzer version: " + (Get-Module PSScriptAnalyzer).Version)
105107
108+ # ----------------------------
109+ # AUTO-FIX + CHANGE DETECTION
110+ # ----------------------------
106111 - name : 🧹 Auto-Fix Formatting (Indentation + Whitespace)
107112 if : steps.check_ps1.outputs.count != '0'
108113 shell : pwsh
@@ -151,8 +156,18 @@ jobs:
151156 git --no-pager diff --stat -- "**/*.ps1" || true
152157 fi
153158
154- - name : 🔁 Create Auto-Fix PR (push events only, only if changed)
155- if : github.event_name == 'push' && steps.check_ps1.outputs.count != '0' && steps.detect_changes.outputs.changed == 'true'
159+ # ---------------------------------------------------------------------
160+ # TRY PR ONLY WHEN IT'S A PUSH TO THIS REPO AND NOT FROM A FORK CONTEXT
161+ # ---------------------------------------------------------------------
162+ - name : 🔁 Create Auto-Fix PR (only when permitted)
163+ id : cpr
164+ if : |
165+ github.event_name == 'push' &&
166+ steps.check_ps1.outputs.count != '0' &&
167+ steps.detect_changes.outputs.changed == 'true' &&
168+ github.repository_owner == github.actor &&
169+ !startsWith(github.ref, 'refs/heads/ci/autofix/')
170+ continue-on-error : true
156171 uses : peter-evans/create-pull-request@v6
157172 with :
158173 token : ${{ secrets.GITHUB_TOKEN }}
@@ -170,6 +185,38 @@ jobs:
170185 add-paths : |
171186 **/*.ps1
172187
188+ # ---------------------------------------------------------
189+ # FALLBACK: if PR creation is blocked, export a patch artifact
190+ # ---------------------------------------------------------
191+ - name : 🧩 Create Patch Artifact (when PR cannot be created)
192+ if : |
193+ github.event_name == 'push' &&
194+ steps.check_ps1.outputs.count != '0' &&
195+ steps.detect_changes.outputs.changed == 'true' &&
196+ (steps.cpr.outcome == 'failure')
197+ shell : bash
198+ run : |
199+ set -euo pipefail
200+ cd "$GITHUB_WORKSPACE"
201+ echo "create-pull-request was not permitted. Generating patch artifact instead."
202+ git diff -- "**/*.ps1" > "$PATCH_FILE"
203+ ls -la "$PATCH_FILE"
204+
205+ - name : 📦 Upload Auto-Fix Patch Artifact
206+ if : |
207+ github.event_name == 'push' &&
208+ steps.check_ps1.outputs.count != '0' &&
209+ steps.detect_changes.outputs.changed == 'true' &&
210+ (steps.cpr.outcome == 'failure')
211+ uses : actions/upload-artifact@v4
212+ with :
213+ name : psscriptanalyzer-autofix-patch
214+ path : ${{ github.workspace }}/${{ env.PATCH_FILE }}
215+ retention-days : 30
216+
217+ # ----------------------------
218+ # ANALYZE + SARIF
219+ # ----------------------------
173220 - name : 🔎 Run PSScriptAnalyzer and Export SARIF
174221 if : steps.check_ps1.outputs.count != '0'
175222 shell : pwsh
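Review bot: The fallback `if:` blocks at new lines 196 and 210 fire only on `steps.cpr.outcome == 'failure'`, but when the PR step's own `if:` evaluates false (the `github.repository_owner == github.actor` term in the previous hunk) its outcome is `skipped`, so no patch artifact is produced in exactly the case the comment describes as "PR cannot be created". Change both to `(steps.cpr.outcome == 'failure' || steps.cpr.outcome == 'skipped')`, keeping the preceding event/count/changed terms so a skip caused by "nothing to fix" still does nothing. Separately, `github.repository_owner == github.actor` looks like it is false for every push to an organization-owned repository, and push events do not originate from forks, so if the intent is to avoid running in forked copies a check such as `github.repository == '<OWNER>/<REPO>'` (placeholder) states that more directly; please confirm against how this repository is owned. Note also that the patch is taken with `git diff`, which captures only unstaged working-tree changes; if the auto-fix step stages them or the PR action commits them before failing, the artifact would be empty, so adding `test -s "$PATCH_FILE"` after the diff would make that visible instead of uploading a zero-byte file.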
@@ -257,13 +304,11 @@ jobs:
257304 shell : bash
258305 run : |
259306 set -euo pipefail
260- echo "PWD=$(pwd)"
261307 echo "GITHUB_WORKSPACE=$GITHUB_WORKSPACE"
262308 echo "SARIF target=$GITHUB_WORKSPACE/$SARIF_FILE"
263309 ls -la "$GITHUB_WORKSPACE"
264310
265311 if [ -f "$GITHUB_WORKSPACE/$SARIF_FILE" ]; then
266- echo "SARIF exists:"
267312 ls -la "$GITHUB_WORKSPACE/$SARIF_FILE"
268313 else
269314 echo "SARIF missing — creating baseline SARIF now."