Skip to content

Spike: source module test data from a GitHub Environment#36

Closed
MariusStorhaug wants to merge 4 commits into
mainfrom
spike/environment-testdata
Closed

Spike: source module test data from a GitHub Environment#36
MariusStorhaug wants to merge 4 commits into
mainfrom
spike/environment-testdata

Conversation

@MariusStorhaug

Copy link
Copy Markdown
Owner

Spike: use Process-PSModule with a GitHub Actions Environment

Proves that the Process-PSModule reusable workflow can source module test
secrets and variables from a GitHub Actions Environment instead of a
caller-built TestData blob.

What changed

  • Caller pins PSModule/Process-PSModule@spike/environment-support (adds an
    optional Environment input) and passes Environment: Testing.
  • The TestData secret is intentionally dropped so the environment is the only
    possible source.
  • tests/Environment.Tests.ps1 asserts TEST_ENV_SECRET / TEST_ENV_VARIABLE,
    which exist only in the Testing environment (not at repo level).
  • A src/ file is touched so the module build + local test jobs actually run.

Why the environment binding lives in the reusable workflow

A job that calls a reusable workflow cannot set environment: (workflow_call has
no environment keyword), so the caller cannot read environment-scoped
secrets/variables. Instead, the BeforeAll/Test/AfterAll-ModuleLocal jobs inside
the reusable workflow bind to the environment and expose toJSON(secrets) /
toJSON(vars) to the tests via Import-TestData.

Expected result

Test-ModuleLocal passes Environment.Tests.ps1, confirming the environment
secret (masked) and variable reached the Pester tests.

- Pin the Process-PSModule reusable workflow to spike/environment-support,
  which adds an optional Environment input to the module test jobs.
- Pass Environment: Testing and drop the caller-built TestData blob. A job that
  calls a reusable workflow cannot set an environment, so the caller cannot read
  environment-scoped secrets/variables itself; the binding happens inside the
  reusable workflow jobs.
- Environment.Tests.ps1 now asserts TEST_ENV_SECRET / TEST_ENV_VARIABLE, which
  exist only in the Testing environment (not at repo level), proving the values
  were sourced from the environment.
- Touch src/ so the change matches the ^src/ important-file pattern and the
  module build + local test jobs run.
@github-actions

github-actions Bot commented Jul 11, 2026

Copy link
Copy Markdown

Super-linter summary

Language Validation result
CHECKOV Pass ✅
GITHUB_ACTIONS Pass ✅
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
MARKDOWN Pass ✅
NATURAL_LANGUAGE Pass ✅
POWERSHELL Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

…sted probe

Cross-owner (personal -> org) cannot use secrets: inherit, so pass APIKey explicitly
and prove environment VARIABLES end-to-end; skip the env secret assertion with a
cross-owner note. Add env-probe-mid.yml for a 3-level nested inherit + env-binding
probe mirroring caller -> workflow.yml -> Test-ModuleLocal.
@MariusStorhaug

Copy link
Copy Markdown
Owner Author

Spike results — using Process-PSModule with a GitHub Actions Environment

Question: can the Process-PSModule reusable workflow consume a GitHub Environment
(environment-scoped secrets and variables)? Answer: yes — with one owner-scope caveat for secrets.

How it works

  • A job that calls a reusable workflow cannot set environment: (workflow_call has no
    environment keyword), so the caller cannot read environment-scoped values itself.
  • The spike adds an Environment input to Process-PSModule (spike/environment-support) and
    binds the BeforeAll/Test/AfterAll-ModuleLocal jobs to it via environment: ${{ inputs.Environment }}.
    Those jobs then expose toJSON(secrets) / toJSON(vars) to the module tests through Import-TestData.

Findings (all proven on live runs)

Data Reaches module tests? Requirement
Environment variables ✅ yes just the Environment binding (the vars context enumerates repo + env variables in a reusable workflow)
Environment secrets ✅ yes, same-org only secrets: inherit at every call hop and the environment: binding
Environment secrets, cross-owner (this repo) ❌ no secrets: inherit only works within the same org/enterprise; personal → org can't inherit

Evidence

  • This pipeline (Process-PSModule run 29155331204): green. Test-Environment asserts
    TEST_ENV_VARIABLE (env-scoped, not defined at repo level) and it passes on Linux/Windows/macOS —
    proving environment variables reach the tests. The env secret test is -Skipped because
    MariusStorhaug (personal) → PSModule (org) is cross-owner.
  • env-probe run 29155005388 (isolated): a DIRECT job sees the env secret via toJSON(secrets);
    a reusable job with no secrets: inherit does not; a reusable job with secrets: inherit
    does (named + enumerable).
  • env-probe run 29155329253 (3-level nested, mirroring caller → workflow.yml → Test-ModuleLocal):
    the leaf job shows secrets keys: APIKEY, github_token, TEST_ENV_SECRET, TEST_SECRET — the env secret
    flows through nested secrets: inherit + env binding.

Notes

  • This aligns with open issue Replace duplicated test-secret blocks with secrets: inherit in ModuleLocal workflows PSModule/Process-PSModule#322 (adopt secrets: inherit in the ModuleLocal
    workflows) — that change is exactly what unlocks environment secrets.
  • Trade-off: secrets: inherit exposes all repo/org secrets to the test jobs; the spike filters
    plumbing keys (github_token, APIKey, TestData, GITHUB_/RUNNER_/ACTIONS_) before exposing.
  • Spike branches: PSModule/Process-PSModule@spike/environment-support, MariusTestModule@spike/environment-testdata.
    Temporary env-probe*.yml workflows and the Testing environment can be deleted after review.

@MariusStorhaug MariusStorhaug deleted the spike/environment-testdata branch July 11, 2026 14:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant