🌟 [Major]: Fixed test secret inputs replaced by TestData#365
Open
Marius Storhaug (MariusStorhaug) wants to merge 11 commits into
Open
🌟 [Major]: Fixed test secret inputs replaced by TestData#365Marius Storhaug (MariusStorhaug) wants to merge 11 commits into
Marius Storhaug (MariusStorhaug) wants to merge 11 commits into
Conversation
…via TestSecrets Replaces the seven hard-coded TEST_* secrets with a single optional TestSecrets JSON input. The calling workflow decides which org/repo secrets to expose by building a JSON object with toJSON(secrets.<name>); each entry is expanded into an environment variable (multi-line safe and masked) in the BeforeAll/Test/AfterAll ModuleLocal jobs, so tests read them via $env:<name>. No secret names are hard-coded in the shared workflow and secrets: inherit is not required. Closes #52.
Copilot started reviewing on behalf of
Marius Storhaug (MariusStorhaug)
July 8, 2026 01:04
View session
Super-linter summary
All files and directories linted successfully For more information, see the GitHub Actions workflow run Powered by Super-linter |
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the reusable Process-PSModule GitHub Actions workflow to let calling workflows pass an optional TestSecrets JSON object, which is expanded into environment variables for the *-ModuleLocal test jobs—removing the previous fixed list of TEST_* secrets and avoiding secrets: inherit.
Changes:
- Replaces the fixed seven
TEST_*secret pass-throughs with a single optionalTestSecretssecret in the top-level reusable workflow and its nested ModuleLocal workflows. - Adds a PowerShell step in
BeforeAll-ModuleLocal,Test-ModuleLocal, andAfterAll-ModuleLocalto expandTestSecretsJSON into$GITHUB_ENVand mask values. - Updates self-test workflows and Pester environment tests, and rewrites the README Secrets documentation to describe
TestSecrets.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/srcWithManifestTestRepo/tests/Environments/Environment.Tests.ps1 | Adds assertion that a caller-defined env var flows through from TestSecrets. |
| tests/srcTestRepo/tests/Environment.Tests.ps1 | Same validation as above for the default self-test repo. |
| README.md | Updates Secrets documentation to describe APIKey + optional TestSecrets JSON. |
| .github/workflows/workflow.yml | Declares TestSecrets and passes only that secret to ModuleLocal jobs. |
| .github/workflows/Workflow-Test-WithManifest.yml | Builds TestSecrets JSON (including a literal proving arbitrary names). |
| .github/workflows/Workflow-Test-Default.yml | Builds TestSecrets JSON (including a literal proving arbitrary names). |
| .github/workflows/Test-ModuleLocal.yml | Adds the JSON→env expansion/masking step for tests. |
| .github/workflows/BeforeAll-ModuleLocal.yml | Adds the JSON→env expansion/masking step for setup scripts. |
| .github/workflows/AfterAll-ModuleLocal.yml | Adds the JSON→env expansion/masking step for teardown scripts. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…r-masking
A multi-line secret makes GitHub register every line (including standalone { and } braces) as its own mask, which over-masks unrelated log output (563 masked lines vs 25 on main). Use a folded (>-) block so the source stays readable but the secret value is a single line, registering one mask. Per-value protection is unchanged (the expose step still ::add-mask::es each value).
Copilot started reviewing on behalf of
Marius Storhaug (MariusStorhaug)
July 8, 2026 01:36
View session
…masking probe Self-tests no longer depend on real repository secrets; they pass known throwaway values through TestSecrets so masking can be verified conclusively. Adds a temporary MASKPROBE that will be removed after log verification.
Copilot started reviewing on behalf of
Marius Storhaug (MariusStorhaug)
July 8, 2026 01:53
View session
…er as *** in logs
Copilot started reviewing on behalf of
Marius Storhaug (MariusStorhaug)
July 8, 2026 01:59
View session
Self-tests now pass two dedicated, non-sensitive repository secrets (PSMODULE_TEST_SINGLELINE_SECRET, PSMODULE_TEST_MULTILINE_SECRET) through TestSecrets and assert the exact value and length (and multi-line integrity) in Environment.Tests.ps1. This exercises the real GitHub-secret path (masked, passed through, exposed as $env:<name>) instead of literal placeholders.
Copilot started reviewing on behalf of
Marius Storhaug (MariusStorhaug)
July 8, 2026 02:15
View session
Adds a TestVariables workflow input (symmetric to TestSecrets) that exposes caller-selected NON-SECRET values as environment variables in the module test jobs, without masking. The expose step is refactored into a shared helper that masks secrets but not variables. Self-tests prove it via a dedicated PSMODULE_TEST_VARIABLE repo variable (asserted value + length). README documents both.
Copilot started reviewing on behalf of
Marius Storhaug (MariusStorhaug)
July 8, 2026 02:40
View session
Copilot started reviewing on behalf of
Marius Storhaug (MariusStorhaug)
July 8, 2026 12:57
View session
Copilot started reviewing on behalf of
Marius Storhaug (MariusStorhaug)
July 8, 2026 13:10
View session
14 tasks
Copilot started reviewing on behalf of
Marius Storhaug (MariusStorhaug)
July 8, 2026 13:19
View session
61751d0 to
66ab9a8
Compare
Copilot started reviewing on behalf of
Marius Storhaug (MariusStorhaug)
July 8, 2026 13:25
View session
66ab9a8 to
c3c335a
Compare
Copilot started reviewing on behalf of
Marius Storhaug (MariusStorhaug)
July 8, 2026 13:32
View session
c3c335a to
38f5a98
Compare
Copilot started reviewing on behalf of
Marius Storhaug (MariusStorhaug)
July 8, 2026 13:38
View session
38f5a98 to
4dc521f
Compare
Copilot started reviewing on behalf of
Marius Storhaug (MariusStorhaug)
July 8, 2026 13:45
View session
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Module test jobs now use a
TestDataobject for optional test secrets and non-secret variables. This replaces the previous fixedTEST_*workflow secret inputs: callers that used those inputs must pass the same names insideTestData, while callers that need different names can expose them without changing the shared workflow.Breaking Changes
Removed: fixed
TEST_*workflow secret inputsThe reusable workflow no longer declares or accepts these individual test-secret inputs:
TEST_APP_ENT_CLIENT_IDTEST_APP_ENT_PRIVATE_KEYTEST_APP_ORG_CLIENT_IDTEST_APP_ORG_PRIVATE_KEYTEST_USER_ORG_FG_PATTEST_USER_USER_FG_PATTEST_USER_PATCallers using any of these inputs must move them into the
secretsmap insideTestData. The names can stay the same, so existing Pester tests can continue reading the same environment variables.New: Caller-selected
TestDataTestDatais an optional single-line JSON object withsecretsandvariablesmaps. Entries from both maps become environment variables inBeforeAll-ModuleLocal,Test-ModuleLocal, andAfterAll-ModuleLocal.Values under
secretsare masked before being exposed to the test jobs. Values undervariablesare exposed without masking for normal, non-sensitive configuration. Modules that do not need secrets or variables can omitTestDataentirely.Because the workflow does not use
secrets: inherit, only the values explicitly listed inTestDataare exposed to module tests.New: Safe
TestDatavalidation and formattingTestDatamust parse as a JSON object containing only optionalsecretsandvariablesmaps. Values in those maps must be scalar values. Keys must be safe environment-variable names matching^[A-Za-z_][A-Za-z0-9_]*$, must not be duplicated acrosssecretsandvariables, and must not override reserved variables such asPATH,CI,GITHUB_*,RUNNER_*orACTIONS_*.Pass
TestDataas a single-line value after YAML folding. The folded>-form is safe when the JSON is compact, or when every JSON content line stays at the same indentation level inside the block.Avoid normal pretty-printed JSON with nested indentation inside
>-. YAML preserves more-indented lines instead of folding them, so that shape can still produce a multi-line secret value. KeepingTestDatasingle-line after folding avoids GitHub treating line fragments as separate mask values.Use the direct quoted form for single-line secrets:
Using the JSON-encoded approach, github-advanced security will warn that all secrets available to the runner gets exposed.
Use
toJSON(vars.NAME)for variables so normal configuration values are JSON-encoded safely:For multi-line secrets, or secrets containing quotes or backslashes, base64-encode the secret and decode it in the test.
Technical Details
workflow.ymldeclares and forwards a single optionalTestDatasecret instead of the seven fixedTEST_*secrets..github/scripts/Expose-TestData.ps1contains the sharedTestDataparsing, validation, masking, and UTF-8GITHUB_ENVexport logic used by the ModuleLocal workflows.BeforeAll-ModuleLocal.yml,Test-ModuleLocal.yml, andAfterAll-ModuleLocal.ymlcall the shared helper instead of duplicating the security-sensitive exposure logic.Test-Module.ymlno longer declares or exports the obsolete fixedTEST_*secrets.pull_requestruns where repository secrets and variables are unavailable, while still running for trusted PRs, schedules, and manual dispatches.TestData, and the environment Pester tests assert the exact exposed secret and variable values.README.mddocuments the breaking migration path, theTestDatacontract, safe YAML folding, safe key names, environment-scoped value usage, the difference between masked secrets and unmasked variables, and base64 guidance for complex secret values.secrets: inheritin ModuleLocal workflows #322's duplicated fixed-secret pass-through without adopting broadsecrets: inherit.