refactor(scripts): replace raw GITHUB_OUTPUT with Set-CIOutput in Package-Extension#391
Merged
WilliamBerryiii merged 2 commits intomainfrom Feb 3, 2026
Merged
Conversation
Contributor
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.Scanned FilesNone |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #391 +/- ##
==========================================
- Coverage 61.49% 61.28% -0.21%
==========================================
Files 17 17
Lines 3111 3110 -1
==========================================
- Hits 1913 1906 -7
- Misses 1198 1204 +6
Flags with carried forward coverage won't be shown. Click here to find out more.
🚀 New features to boost your workflow:
|
Contributor
There was a problem hiding this comment.
Pull request overview
This PR refactors Package-Extension.ps1 to replace inline GitHub Actions output file writes with the shared CIHelpers module's Set-CIOutput function, improving consistency and security through automatic escaping of special characters.
Changes:
- Replaced conditional
$env:GITHUB_OUTPUTfile writes with threeSet-CIOutputcalls - Removed platform-specific conditional logic in favor of module-based abstraction
- Leveraged existing
CIHelpersmodule security features for injection prevention
a5c42f9 to
a413f57
Compare
- add GitHub Actions environment context tests for Set-CIOutput validation - add tests for version, vsix-file, and pre-release output variables - add error handling test for vsce command failure - add local environment context test - refactor Local Context to use Clear-MockGitHubEnvironment for consistency 🧪 - Generated by Copilot
a413f57 to
435791a
Compare
katriendg
approved these changes
Feb 3, 2026
WilliamBerryiii
added a commit
that referenced
this pull request
Feb 4, 2026
🤖 I have created a release *beep* *boop* --- ## [2.1.0](hve-core-v2.0.1...hve-core-v2.1.0) (2026-02-04) ### ✨ Features * add PowerShell script to validate copyright headers ([#370](#370)) ([92fce72](92fce72)) * **docs:** Replace deprecated chat.modeFilesLocations with chat.agentFilesLocations ([#413](#413)) ([67fb2ab](67fb2ab)) * **scripts:** add CIHelpers module for CI platform abstraction ([#348](#348)) ([23e7a7e](23e7a7e)) * **scripts:** add SecurityHelpers and CIHelpers modules ([#354](#354)) ([b93d990](b93d990)) * **workflow:** add copilot-setup-steps.yml for Coding Agent environment ([#398](#398)) ([085a38b](085a38b)) ### 🐛 Bug Fixes * **build:** increase release-please search depths to prevent 250-commit window issue ([#342](#342)) ([4bb857d](4bb857d)) * **build:** patch @isaacs/brace-expansion critical vulnerability ([#404](#404)) ([292ef51](292ef51)) * **ci:** disable errexit during spell check exit code capture ([#356](#356)) ([ed6ed46](ed6ed46)) * **ci:** exclude extension/README.md from frontmatter validation ([#362](#362)) ([e0d7378](e0d7378)) * exclude test fixtures from markdown link checker ([#345](#345)) ([58147f9](58147f9)) * **extension:** resolve path resolution issues in Windows/WSL environments ([#407](#407)) ([8529725](8529725)) * **linting:** use Write-Error instead of Write-Host for error output ([#377](#377)) ([2ca766b](2ca766b)) * **scripts:** apply CI output escaping to infrastructure scripts ([#369](#369)) ([251021e](251021e)) * **scripts:** apply CI output escaping to linting scripts ([#367](#367)) ([fdd75ed](fdd75ed)) * **scripts:** apply CI output escaping to security scripts ([#368](#368)) ([1237c9a](1237c9a)) * **scripts:** ensure reliable array count operations in linting and security scripts ([#395](#395)) ([de43e73](de43e73)) * **scripts:** standardize PowerShell requirements header block ([#385](#385)) ([6e26282](6e26282)) ### 📚 Documentation * add doc-ops agent to CUSTOM-AGENTS reference ([#358](#358)) ([15f7185](15f7185)) * add memory agent to CUSTOM-AGENTS.md ([#359](#359)) ([d92c4e1](d92c4e1)) * add missing agents to extension README ([#357](#357)) ([d58541c](d58541c)) * add task-reviewer agent to CUSTOM-AGENTS.md ([#363](#363)) ([0efb722](0efb722)) * **contributing:** add copyright header guidelines ([#382](#382)) ([881a567](881a567)) * **scripts:** update README.md with missing directory sections ([#355](#355)) ([ac2966f](ac2966f)) ### ♻️ Refactoring * **scripts:** align linting and tests with CIHelpers ([#401](#401)) ([3587e6a](3587e6a)) * **scripts:** extract Invoke-PackageExtension for testability ([#343](#343)) ([858a1be](858a1be)) * **scripts:** extract orchestration function for Prepare-Extension testability ([#344](#344)) ([9fd4bd1](9fd4bd1)) * **scripts:** replace raw GITHUB_OUTPUT with Set-CIOutput in Package-Extension ([#391](#391)) ([74a30bb](74a30bb)) * **security:** move DependencyViolation and ComplianceReport to shared module ([#378](#378)) ([1dd31ad](1dd31ad)) ### 🔧 Maintenance * add copyright headers to PowerShell scripts ([#381](#381)) ([d19c9b3](d19c9b3)) * add copyright headers to shell scripts ([#380](#380)) ([284b456](284b456)) * **deps-dev:** bump cspell from 9.6.1 to 9.6.2 in the npm-dependencies group ([#387](#387)) ([23c2b9f](23c2b9f)) * **workflows:** simplify Copilot setup steps workflow triggers ([#414](#414)) ([492a7b1](492a7b1)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --------- Co-authored-by: hve-core-release-please[bot] <254602402+hve-core-release-please[bot]@users.noreply.github.com> Co-authored-by: Bill Berry <wberry@microsoft.com>
This was referenced Feb 4, 2026
This was referenced Feb 13, 2026
This was referenced Feb 14, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull Request
Description
Refactors
Package-Extension.ps1to use the existingCIHelpersmodule instead of rawGITHUB_OUTPUTfile writes. This change:Set-CIOutputcallsCIHelpersmoduleThe
CIHelpers.psm1module handles injection prevention by escaping%,\r,\n,::,[,], and;characters in output values.Related Issue(s)
Fixes #350
Type of Change
Select all that apply:
Code & Documentation:
Infrastructure & Configuration:
AI Artifacts:
prompt-builderagent and addressed all feedback.github/instructions/*.instructions.md).github/prompts/*.prompt.md).github/agents/*.agent.md)Other:
.ps1,.sh,.py)Testing
Set-CIOutputcorrectly outputs values forversion,vsix-file, andpre-releaseChecklist
Required Checks
Required Automated Checks
The following validation commands must pass before merging:
npm run lint:mdnpm run spell-checknpm run lint:frontmatternpm run lint:md-linksnpm run lint:psSecurity Considerations
Security Analysis:
The refactoring improves security by leveraging
CIHelpersmodule's built-in escaping functions:ConvertTo-GitHubActionsEscaped: Escapes%,\r,\n,::to prevent workflow command injectionConvertTo-AzureDevOpsEscaped: Escapes%,\r,\n,[,],;to prevent logging command injectionTest coverage for injection prevention exists in
CIHelpers.Tests.ps1(lines 192-209 for Azure DevOps, lines 340-400 for GitHub Actions).Additional Notes
$PreRelease.IsPresentboolean auto-converts to"True"/"False"string, matching original behaviorCIHelpersmodule was already imported at line 73 ofPackage-Extension.ps1Set-CIOutputis a no-op when not running in CI environments (both$env:GITHUB_OUTPUTand$env:TF_BUILDare absent)