Script refactoring

martincostello · martincostello · commit 6fe440c41a43 · 2025-02-17T11:25:00.000Z
- Use `${env:}` format to access environment variables for consistency.
- Avoid interpolation.
- Remove redundant quoting.
- Use single quotes in YAML.
- Refactor permissions.
diff --git a/.github/workflows/approve-and-merge.yml b/.github/workflows/approve-and-merge.yml
@@ -5,15 +5,18 @@ on:
     branches: [ main, dotnet-vnext ]
 
 env:
+  POWERSHELL_YAML_VERSION: '0.4.12'
   REVIEWER_LOGIN: ${{ vars.REVIEWER_USER_NAME }}
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   review-pull-request:
     runs-on: ubuntu-latest
-    if: ${{ github.event.pull_request.user.login == vars.UPDATER_COMMIT_USER_NAME }}
+    if: github.event.pull_request.user.login == vars.UPDATER_COMMIT_USER_NAME
+
+    permissions:
+      contents: read
 
     steps:
 
@@ -23,31 +26,33 @@ jobs:
       with:
         application_id: ${{ secrets.REVIEWER_APPLICATION_ID }}
         application_private_key: ${{ secrets.REVIEWER_APPLICATION_PRIVATE_KEY }}
-        permissions: "contents:write, pull_requests:write"
+        permissions: 'contents:write, pull_requests:write'
 
     - name: Install powershell-yaml
       shell: pwsh
-      run: Install-Module -Name powershell-yaml -Force -MaximumVersion "0.4.7"
+      run: Install-Module -Name powershell-yaml -Force -MaximumVersion ${env:POWERSHELL_YAML_VERSION}
 
     - name: Check which dependencies were updated
       id: check-dependencies
       env:
         # This list of trusted package prefixes needs to stay in sync with include-nuget-packages in the update-dotnet-sdk workflow.
-        INCLUDE_NUGET_PACKAGES: "Microsoft.AspNetCore.,Microsoft.EntityFrameworkCore.,Microsoft.Extensions.,Microsoft.NET.Test.Sdk"
+        INCLUDE_NUGET_PACKAGES: 'Microsoft.AspNetCore.,Microsoft.EntityFrameworkCore.,Microsoft.Extensions.,Microsoft.NET.Test.Sdk'
         GH_TOKEN: ${{ steps.generate-application-token.outputs.token }}
+        PR_NUMBER: ${{ github.event.pull_request.number }}
+        UPDATER_COMMIT_USER_NAME: ${{ vars.UPDATER_COMMIT_USER_NAME }}
       shell: pwsh
       run: |
         # Replicate the logic in the dependabot/fetch-metadata action.
         # See https://github.com/dependabot/fetch-metadata/blob/aea2135c95039f05c64436f1d14638c300e10b2b/src/dependabot/update_metadata.ts#L29-L68.
         # Query the GitHub API to get the commits in the pull request.
         $commits = gh api `
-          /repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/commits `
+          "/repos/${env:GITHUB_REPOSITORY}/pulls/${env:PR_NUMBER}/commits" `
           --jq '.[] | { author: .author.login, message: .commit.message }' | ConvertFrom-Json
 
         # We should only approve pull requests that only contain commits from
         # the GitHub user we expected and only commits that contain the metadata
         # we need to determine what dependencies were updated by the other workflow.
-        $expectedUser = "${{ vars.UPDATER_COMMIT_USER_NAME }}"
+        $expectedUser = "${env:UPDATER_COMMIT_USER_NAME}"
         $onlyDependencyUpdates = $True
         $onlyChangesFromUser = $True
 
@@ -82,7 +87,7 @@ jobs:
         # Did we find at least one dependency?
         $isPatch = $dependencies.Length -gt 0
         $onlyTrusted = $dependencies.Length -gt 0
-        $trustedPackages = $env:INCLUDE_NUGET_PACKAGES.Split(',')
+        $trustedPackages = ${env:INCLUDE_NUGET_PACKAGES}.Split(',')
 
         foreach ($dependency in $dependencies) {
           $isPatch = $isPatch -And $dependency.Type -eq "version-update:semver-patch"
@@ -98,31 +103,35 @@ jobs:
         # Microsoft-published NuGet packages that were made by the GitHub
         # login we expect to make those changes in the other workflow.
         $isTrusted = (($onlyTrusted -And $isPatch) -And $onlyChangesFromUser) -And $onlyDependencyUpdates
-        "is-trusted-update=$isTrusted" >> $env:GITHUB_OUTPUT
+        "is-trusted-update=$isTrusted" >> ${env:GITHUB_OUTPUT}
 
     - name: Checkout code
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        filter: 'tree:0'
+        show-progress: false
 
       # As long as it's not already approved, approve the pull request and enable auto-merge.
       # Our CI tests coupled with required statuses should ensure that the changes compile
       # and that the application is still functional after the update; any bug that might be
       # introduced by the update should be caught by the tests. If that happens, the build
       # workflow will fail and the preconditions for the auto-merge to happen won't be met.
     - name: Approve pull request and enable auto-merge
-      if: ${{ steps.check-dependencies.outputs.is-trusted-update == 'true' }}
+      if: steps.check-dependencies.outputs.is-trusted-update == 'true'
       env:
         GH_TOKEN: ${{ steps.generate-application-token.outputs.token }}
+        PR_NUMBER: ${{ github.event.pull_request.number }}
         PR_URL: ${{ github.event.pull_request.html_url }}
       shell: pwsh
       run: |
-        $approvals = gh api /repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/reviews | ConvertFrom-Json
-        $approvals = $approvals | Where-Object { $_.user.login -eq $env:REVIEWER_LOGIN }
+        $approvals = gh api "/repos/${env:GITHUB_REPOSITORY}/pulls/${env:PR_NUMBER}/reviews" | ConvertFrom-Json
+        $approvals = $approvals | Where-Object { $_.user.login -eq ${env:REVIEWER_LOGIN} }
         $approvals = $approvals | Where-Object { $_.state -eq "APPROVED" }
 
         if ($approvals.Length -eq 0) {
-          gh pr checkout "$env:PR_URL"
-          gh pr review --approve "$env:PR_URL"
-          gh pr merge --auto --squash "$env:PR_URL"
+          gh pr checkout ${env:PR_URL}
+          gh pr review --approve ${env:PR_URL}
+          gh pr merge --auto --squash ${env:PR_URL}
         }
         else {
           Write-Output "PR already approved.";
@@ -134,23 +143,24 @@ jobs:
     # automatically if there's an unexpected change introduced. Any existing review
     # approvals that were made by the bot are also dismissed so human approval is required.
     - name: Disable auto-merge and dismiss approvals
-      if: ${{ steps.check-dependencies.outputs.is-trusted-update != 'true' }}
+      if: steps.check-dependencies.outputs.is-trusted-update != 'true'
       env:
         GH_TOKEN: ${{ steps.generate-application-token.outputs.token }}
+        PR_NUMBER: ${{ github.event.pull_request.number }}
         PR_URL: ${{ github.event.pull_request.html_url }}
       shell: pwsh
       run: |
-        $approvals = gh api /repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/reviews | ConvertFrom-Json
-        $approvals = $approvals | Where-Object { $_.user.login -eq $env:REVIEWER_LOGIN }
+        $approvals = gh api "/repos/${env:GITHUB_REPOSITORY}/pulls/${env:PR_NUMBER}/reviews" | ConvertFrom-Json
+        $approvals = $approvals | Where-Object { $_.user.login -eq ${env:REVIEWER_LOGIN} }
         $approvals = $approvals | Where-Object { $_.state -eq "APPROVED" }
 
         if ($approvals.Length -gt 0) {
-          gh pr checkout "$env:PR_URL"
-          gh pr merge --disable-auto "$env:PR_URL"
+          gh pr checkout ${env:PR_URL}
+          gh pr merge --disable-auto ${env:PR_URL}
           foreach ($approval in $approvals) {
             gh api `
               --method PUT `
-              /repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/reviews/$($approval.id)/dismissals `
+              "/repos/${env:GITHUB_REPOSITORY}/pulls/${env:PR_NUMBER}/reviews/$($approval.id)/dismissals" `
               -f message='Cannot approve as other changes have been introduced.' `
               -f event='DISMISS'
           }
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -155,4 +155,6 @@ jobs:
         dotnet-version: ${{ needs.build.outputs.dotnet-sdk-version }}
 
     - name: Push NuGet packages to NuGet.org
-      run: dotnet nuget push "*.nupkg" --api-key ${{ secrets.NUGET_TOKEN }} --skip-duplicate --source https://api.nuget.org/v3/index.json
+      run: dotnet nuget push "*.nupkg" --api-key ${env:NUGET_API_KEY} --skip-duplicate --source https://api.nuget.org/v3/index.json
+      env:
+        NUGET_API_KEY: ${{ secrets.NUGET_TOKEN }}
diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml
@@ -77,7 +77,7 @@ jobs:
 
           "" >> $properties
 
-          "version=${updatedVersion}" >> $env:GITHUB_OUTPUT
+          "version=${updatedVersion}" >> ${env:GITHUB_OUTPUT}
 
       - name: Push changes to GitHub
         id: push-changes
@@ -113,9 +113,9 @@ jobs:
           git commit -m "Bump version`n`nBump version to ${env:NEXT_VERSION} for the next release."
           git push -u origin $branchName
 
-          "branch-name=${branchName}" >> $env:GITHUB_OUTPUT
-          "updated-version=true" >> $env:GITHUB_OUTPUT
-          "version=${env:NEXT_VERSION}" >> $env:GITHUB_OUTPUT
+          "branch-name=${branchName}" >> ${env:GITHUB_OUTPUT}
+          "updated-version=true" >> ${env:GITHUB_OUTPUT}
+          "version=${env:NEXT_VERSION}" >> ${env:GITHUB_OUTPUT}
 
       - name: Create pull request
         if: steps.push-changes.outputs.updated-version == 'true'
diff --git a/.github/workflows/dependabot-approve.yml b/.github/workflows/dependabot-approve.yml
@@ -2,13 +2,15 @@ name: dependabot-approve
 
 on: pull_request_target
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   dependabot:
     runs-on: ubuntu-latest
-    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
+    if: github.event.pull_request.user.login == 'dependabot[bot]'
+
+    permissions:
+      contents: read
 
     steps:
 
@@ -22,7 +24,7 @@ jobs:
         with:
           application_id: ${{ secrets.REVIEWER_APPLICATION_ID }}
           application_private_key: ${{ secrets.REVIEWER_APPLICATION_PRIVATE_KEY }}
-          permissions: "contents:write, pull_requests:write"
+          permissions: 'contents:write, pull_requests:write'
 
       - name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -4,13 +4,15 @@ on:
   pull_request:
     branches: [ main, dotnet-vnext ]
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   dependency-review:
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+
     steps:
 
       - name: Checkout code
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -14,8 +14,7 @@ on:
       - dotnet-nightly
   workflow_dispatch:
 
-permissions:
-  contents: read
+permissions: {}
 
 env:
   FORCE_COLOR: 3
@@ -27,6 +26,9 @@ jobs:
   lint:
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+
     steps:
 
     - name: Checkout code
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -38,7 +38,7 @@ jobs:
           $properties = Join-Path "." "Directory.Build.props"
           $xml = [xml](Get-Content $properties)
           $version = $xml.SelectSingleNode('Project/PropertyGroup/VersionPrefix').InnerText
-          "version=${version}" >> $env:GITHUB_OUTPUT
+          "version=${version}" >> ${env:GITHUB_OUTPUT}
 
       - name: Create release
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
diff --git a/.github/workflows/update-docs.yml b/.github/workflows/update-docs.yml
@@ -24,7 +24,7 @@ jobs:
         with:
           application_id: ${{ secrets.UPDATER_APPLICATION_ID }}
           application_private_key: ${{ secrets.UPDATER_APPLICATION_PRIVATE_KEY }}
-          permissions: "contents:write, pull_requests:write"
+          permissions: 'contents:write, pull_requests:write'
 
       - name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -42,12 +42,14 @@ jobs:
         env:
           DOTNET_CLI_TELEMETRY_OPTOUT: true
           DOTNET_NOLOGO: true
+          UPDATER_COMMIT_USER_EMAIL: ${{ vars.UPDATER_COMMIT_USER_EMAIL }}
+          UPDATER_COMMIT_USER_NAME: ${{ vars.UPDATER_COMMIT_USER_NAME }}
         run: |
           $ErrorActionPreference = "Stop"
           $ProgressPreference = "SilentlyContinue"
 
           dotnet tool restore
-          dotnet mdsnippets "$env:GITHUB_WORKSPACE" --exclude-directories ./artifacts
+          dotnet mdsnippets ${env:GITHUB_WORKSPACE} --exclude-directories ./artifacts
 
           if ($LASTEXITCODE -ne 0) {
             Write-Output "Failed to update documentation."
@@ -60,11 +62,11 @@ jobs:
             exit 0
           }
 
-          $branchName = "update-docs/$($env:GITHUB_SHA)"
+          $branchName = "update-docs/${env:GITHUB_SHA}"
 
-          git config user.email "${{ vars.UPDATER_COMMIT_USER_EMAIL }}" | Out-Null
-          git config user.name "${{ vars.UPDATER_COMMIT_USER_NAME }}" | Out-Null
-          git remote set-url "${{ github.server_url }}/${{ github.repository }}.git" | Out-Null
+          git config user.email "${env:UPDATER_COMMIT_USER_EMAIL}" | Out-Null
+          git config user.name "${env:UPDATER_COMMIT_USER_NAME}" | Out-Null
+          git remote set-url "${env:GITHUB_SERVER_URL}/${env:GITHUB_REPOSITORY}.git" | Out-Null
           git fetch origin | Out-Null
           git rev-parse --verify --quiet "remotes/origin/$branchName" | Out-Null
 
@@ -78,8 +80,8 @@ jobs:
           git commit -m "Update documentation`n`nUpdate examples in documentation." -s
           git push -u origin $branchName
 
-          "branchName=$branchName" >> $env:GITHUB_OUTPUT
-          "updated-docs=true" >> $env:GITHUB_OUTPUT
+          "branchName=$branchName" >> ${env:GITHUB_OUTPUT}
+          "updated-docs=true" >> ${env:GITHUB_OUTPUT}
 
       - name: Create pull request
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
diff --git a/.github/workflows/update-dotnet-sdk.yml b/.github/workflows/update-dotnet-sdk.yml
@@ -5,15 +5,16 @@ on:
     - cron:  '00 19 * * TUE'
   workflow_dispatch:
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   update-sdk:
     uses: martincostello/update-dotnet-sdk/.github/workflows/update-dotnet-sdk.yml@758e92b362c4164925583874878423a794cce239 # v3.4.1
+    permissions:
+      contents: read
     with:
-      include-nuget-packages: "Microsoft.AspNetCore.,Microsoft.EntityFrameworkCore.,Microsoft.Extensions.,Microsoft.NET.Test.Sdk"
-      labels: "dependencies,.NET"
+      include-nuget-packages: 'Microsoft.AspNetCore.,Microsoft.EntityFrameworkCore.,Microsoft.Extensions.,Microsoft.NET.Test.Sdk'
+      labels: 'dependencies,.NET'
       user-email: ${{ vars.UPDATER_COMMIT_USER_EMAIL }}
       user-name: ${{ vars.UPDATER_COMMIT_USER_NAME }}
     secrets:
diff --git a/build.ps1 b/build.ps1
@@ -44,36 +44,36 @@ else {
 
 if ($installDotNetSdk -eq $true) {
 
-    $env:DOTNET_INSTALL_DIR = Join-Path "$(Convert-Path "$PSScriptRoot")" ".dotnetcli"
-    $sdkPath = Join-Path $env:DOTNET_INSTALL_DIR "sdk" $dotnetVersion
+    ${env:DOTNET_INSTALL_DIR} = Join-Path $PSScriptRoot ".dotnetcli"
+    $sdkPath = Join-Path ${env:DOTNET_INSTALL_DIR} "sdk" $dotnetVersion
 
     if (!(Test-Path $sdkPath)) {
-        if (!(Test-Path $env:DOTNET_INSTALL_DIR)) {
-            mkdir $env:DOTNET_INSTALL_DIR | Out-Null
+        if (!(Test-Path ${env:DOTNET_INSTALL_DIR})) {
+            mkdir ${env:DOTNET_INSTALL_DIR} | Out-Null
         }
         [Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor "Tls12"
 
         if (($PSVersionTable.PSVersion.Major -ge 6) -And !$IsWindows) {
-            $installScript = Join-Path $env:DOTNET_INSTALL_DIR "install.sh"
+            $installScript = Join-Path ${env:DOTNET_INSTALL_DIR} "install.sh"
             Invoke-WebRequest "https://dot.net/v1/dotnet-install.sh" -OutFile $installScript -UseBasicParsing
             chmod +x $installScript
-            & $installScript --version "$dotnetVersion" --install-dir "$env:DOTNET_INSTALL_DIR" --no-path
+            & $installScript --version "$dotnetVersion" --install-dir ${env:DOTNET_INSTALL_DIR} --no-path
         }
         else {
-            $installScript = Join-Path $env:DOTNET_INSTALL_DIR "install.ps1"
+            $installScript = Join-Path ${env:DOTNET_INSTALL_DIR} "install.ps1"
             Invoke-WebRequest "https://dot.net/v1/dotnet-install.ps1" -OutFile $installScript -UseBasicParsing
-            & $installScript -Version "$dotnetVersion" -InstallDir "$env:DOTNET_INSTALL_DIR" -NoPath
+            & $installScript -Version "$dotnetVersion" -InstallDir ${env:DOTNET_INSTALL_DIR} -NoPath
         }
     }
 }
 else {
-    $env:DOTNET_INSTALL_DIR = Split-Path -Path (Get-Command dotnet).Path
+    ${env:DOTNET_INSTALL_DIR} = Split-Path -Path (Get-Command dotnet).Path
 }
 
-$dotnet = Join-Path "$env:DOTNET_INSTALL_DIR" "dotnet"
+$dotnet = Join-Path ${env:DOTNET_INSTALL_DIR} "dotnet"
 
 if ($installDotNetSdk -eq $true) {
-    $env:PATH = "$env:DOTNET_INSTALL_DIR;$env:PATH"
+    ${env:PATH} = "${env:DOTNET_INSTALL_DIR};${env:PATH}"
 }
 
 function DotNetPack {
@@ -98,7 +98,7 @@ function DotNetTest {
 
     $additionalArgs = @()
 
-    if (![string]::IsNullOrEmpty($env:GITHUB_SHA)) {
+    if (![string]::IsNullOrEmpty(${env:GITHUB_SHA})) {
         $additionalArgs += "--logger"
         $additionalArgs += "GitHubActions;report-warnings=false"
     }
