Fix CI: add GH_TOKEN to test jobs and fix zizmor template-injection finding

Author: MariusStorhaug

.github/workflows/Action-Test.yml

@@ -1,6 +1,6 @@
 name: Action-Test
 
-run-name: "Action-Test - [${{ github.event.pull_request.title }} #${{ github.event.pull_request.number }}] by @${{ github.actor }}"
+run-name: 'Action-Test - [${{ github.event.pull_request.title }} #${{ github.event.pull_request.number }}] by @${{ github.actor }}'
 
 on:
   workflow_dispatch:
@@ -43,6 +43,8 @@ jobs:
       - name: Resolve-PSModuleVersion
         id: resolve
         uses: ./
+        env:
+          GH_TOKEN: ${{ github.token }}
         with:
           Settings: |
             {
@@ -61,11 +63,16 @@ jobs:
 
       - name: Verify - Patch bump
         shell: pwsh
+        env:
+          RESOLVE_CREATE_RELEASE: ${{ steps.resolve.outputs.CreateRelease }}
+          RESOLVE_VERSION: ${{ steps.resolve.outputs.Version }}
+          RESOLVE_RELEASE_TYPE: ${{ steps.resolve.outputs.ReleaseType }}
+          RESOLVE_FULL_VERSION: ${{ steps.resolve.outputs.FullVersion }}
         run: |
-          $createRelease = '${{ steps.resolve.outputs.CreateRelease }}'
-          $version = '${{ steps.resolve.outputs.Version }}'
-          $releaseType = '${{ steps.resolve.outputs.ReleaseType }}'
-          $fullVersion = '${{ steps.resolve.outputs.FullVersion }}'
+          $createRelease = $env:RESOLVE_CREATE_RELEASE
+          $version = $env:RESOLVE_VERSION
+          $releaseType = $env:RESOLVE_RELEASE_TYPE
+          $fullVersion = $env:RESOLVE_FULL_VERSION
 
           if ($createRelease -ne 'true') {
               Write-Error "Expected CreateRelease='true', got '$createRelease'"
@@ -111,6 +118,8 @@ jobs:
       - name: Resolve-PSModuleVersion
         id: resolve
         uses: ./
+        env:
+          GH_TOKEN: ${{ github.token }}
         with:
           Settings: |
             {
@@ -129,11 +138,16 @@ jobs:
 
       - name: Verify - Minor bump
         shell: pwsh
+        env:
+          RESOLVE_CREATE_RELEASE: ${{ steps.resolve.outputs.CreateRelease }}
+          RESOLVE_VERSION: ${{ steps.resolve.outputs.Version }}
+          RESOLVE_RELEASE_TYPE: ${{ steps.resolve.outputs.ReleaseType }}
+          RESOLVE_FULL_VERSION: ${{ steps.resolve.outputs.FullVersion }}
         run: |
-          $createRelease = '${{ steps.resolve.outputs.CreateRelease }}'
-          $version = '${{ steps.resolve.outputs.Version }}'
-          $releaseType = '${{ steps.resolve.outputs.ReleaseType }}'
-          $fullVersion = '${{ steps.resolve.outputs.FullVersion }}'
+          $createRelease = $env:RESOLVE_CREATE_RELEASE
+          $version = $env:RESOLVE_VERSION
+          $releaseType = $env:RESOLVE_RELEASE_TYPE
+          $fullVersion = $env:RESOLVE_FULL_VERSION
 
           if ($createRelease -ne 'true') {
               Write-Error "Expected CreateRelease='true', got '$createRelease'"
@@ -179,6 +193,8 @@ jobs:
       - name: Resolve-PSModuleVersion
         id: resolve
         uses: ./
+        env:
+          GH_TOKEN: ${{ github.token }}
         with:
           Settings: |
             {
@@ -197,11 +213,16 @@ jobs:
 
       - name: Verify - Major bump
         shell: pwsh
+        env:
+          RESOLVE_CREATE_RELEASE: ${{ steps.resolve.outputs.CreateRelease }}
+          RESOLVE_VERSION: ${{ steps.resolve.outputs.Version }}
+          RESOLVE_RELEASE_TYPE: ${{ steps.resolve.outputs.ReleaseType }}
+          RESOLVE_FULL_VERSION: ${{ steps.resolve.outputs.FullVersion }}
         run: |
-          $createRelease = '${{ steps.resolve.outputs.CreateRelease }}'
-          $version = '${{ steps.resolve.outputs.Version }}'
-          $releaseType = '${{ steps.resolve.outputs.ReleaseType }}'
-          $fullVersion = '${{ steps.resolve.outputs.FullVersion }}'
+          $createRelease = $env:RESOLVE_CREATE_RELEASE
+          $version = $env:RESOLVE_VERSION
+          $releaseType = $env:RESOLVE_RELEASE_TYPE
+          $fullVersion = $env:RESOLVE_FULL_VERSION
 
           if ($createRelease -ne 'true') {
               Write-Error "Expected CreateRelease='true', got '$createRelease'"
@@ -245,6 +266,8 @@ jobs:
       - name: Resolve-PSModuleVersion
         id: resolve
         uses: ./
+        env:
+          GH_TOKEN: ${{ github.token }}
         with:
           Settings: |
             {
@@ -263,11 +286,16 @@ jobs:
 
       - name: Verify - Auto-patch
         shell: pwsh
+        env:
+          RESOLVE_CREATE_RELEASE: ${{ steps.resolve.outputs.CreateRelease }}
+          RESOLVE_VERSION: ${{ steps.resolve.outputs.Version }}
+          RESOLVE_RELEASE_TYPE: ${{ steps.resolve.outputs.ReleaseType }}
+          RESOLVE_FULL_VERSION: ${{ steps.resolve.outputs.FullVersion }}
         run: |
-          $createRelease = '${{ steps.resolve.outputs.CreateRelease }}'
-          $version = '${{ steps.resolve.outputs.Version }}'
-          $releaseType = '${{ steps.resolve.outputs.ReleaseType }}'
-          $fullVersion = '${{ steps.resolve.outputs.FullVersion }}'
+          $createRelease = $env:RESOLVE_CREATE_RELEASE
+          $version = $env:RESOLVE_VERSION
+          $releaseType = $env:RESOLVE_RELEASE_TYPE
+          $fullVersion = $env:RESOLVE_FULL_VERSION
 
           if ($createRelease -ne 'true') {
               Write-Error "Expected CreateRelease='true', got '$createRelease'"
@@ -314,6 +342,8 @@ jobs:
       - name: Resolve-PSModuleVersion
         id: resolve
         uses: ./
+        env:
+          GH_TOKEN: ${{ github.token }}
         with:
           Settings: |
             {
@@ -332,9 +362,12 @@ jobs:
 
       - name: Verify - Ignore label
         shell: pwsh
+        env:
+          RESOLVE_CREATE_RELEASE: ${{ steps.resolve.outputs.CreateRelease }}
+          RESOLVE_RELEASE_TYPE: ${{ steps.resolve.outputs.ReleaseType }}
         run: |
-          $createRelease = '${{ steps.resolve.outputs.CreateRelease }}'
-          $releaseType = '${{ steps.resolve.outputs.ReleaseType }}'
+          $createRelease = $env:RESOLVE_CREATE_RELEASE
+          $releaseType = $env:RESOLVE_RELEASE_TYPE
 
           if ($createRelease -ne 'false') {
               Write-Error "Expected CreateRelease='false', got '$createRelease'"
@@ -392,10 +425,14 @@ jobs:
 
       - name: Verify - None release type
         shell: pwsh
+        env:
+          RESOLVE_CREATE_RELEASE: ${{ steps.resolve.outputs.CreateRelease }}
+          RESOLVE_VERSION: ${{ steps.resolve.outputs.Version }}
+          RESOLVE_RELEASE_TYPE: ${{ steps.resolve.outputs.ReleaseType }}
         run: |
-          $createRelease = '${{ steps.resolve.outputs.CreateRelease }}'
-          $version = '${{ steps.resolve.outputs.Version }}'
-          $releaseType = '${{ steps.resolve.outputs.ReleaseType }}'
+          $createRelease = $env:RESOLVE_CREATE_RELEASE
+          $version = $env:RESOLVE_VERSION
+          $releaseType = $env:RESOLVE_RELEASE_TYPE
 
           if ($createRelease -ne 'false') {
               Write-Error "Expected CreateRelease='false', got '$createRelease'"