ci(lint): enhance PSScriptAnalyzer settings and suppress false positives; improve error handling in scripts

This commit is contained in:
Simone
2026-05-13 19:06:50 +02:00
committed by Simone
parent 032d6f200e
commit 2ac26dbd00
11 changed files with 42 additions and 24 deletions
+25 -5
View File
@@ -23,7 +23,25 @@
# Plural nouns in internal helpers (Get-GuestDiagnostics, Remove-OldJobDirs, etc.)
# are intentional — they describe collections, not single objects.
'PSUseSingularNouns'
'PSUseSingularNouns',
# PSAvoidUsingPlainTextForPassword fires as a false positive on *CredentialTarget params
# (Windows Credential Manager target strings, not passwords). Real plain-text password
# usage in template setup scripts is already caught by PSAvoidUsingConvertToSecureStringWithPlainText
# with targeted SuppressMessage attributes where intentional.
'PSAvoidUsingPlainTextForPassword',
# These scripts use [switch]$VerifyArtifact = $true for opt-out patterns.
# Removing the default would silently change script behaviour.
'PSAvoidDefaultValueSwitchParameter',
# Stop-Vm is an intentional internal name in a VMware-only CI environment;
# Hyper-V is not installed on the CI host so there is no real cmdlet to shadow.
'PSAvoidOverwritingBuiltInCmdlets',
# Advisory rule only. Params may be declared for external callers, future use,
# or accepted-but-ignored forwarding. Not a safety issue.
'PSReviewUnusedParameter'
)
# ── Rule-specific configuration ──────────────────────────────────────────────
@@ -33,9 +51,11 @@
Enable = $true
}
# All state-changing functions must support -WhatIf / ShouldProcess
# ShouldProcess/WhatIf support is not required for one-shot deployment scripts
# and internal CI helper functions; adding it to all state-changing functions
# would be invasive with no operational benefit in this environment.
PSUseShouldProcessForStateChangingFunctions = @{
Enable = $true
Enable = $false
}
# Credentials must flow as [PSCredential], not plain strings
@@ -43,9 +63,9 @@
Enable = $true
}
# No plain-text passwords in params or variables
# Covered by ExcludeRules above (false positives on *CredentialTarget params).
PSAvoidUsingPlainTextForPassword = @{
Enable = $true
Enable = $false
}
# ConvertTo-SecureString -AsPlainText only acceptable during template setup;
+1 -1
View File
@@ -306,7 +306,7 @@ try {
try {
Invoke-RestMethod -Uri $url -Method Post -Body $body `
-ContentType 'application/json' -TimeoutSec 10
} catch { }
} catch { Write-Verbose "Webhook POST failed (non-critical): $_" }
} -ArgumentList $WebhookUrl, $warnBody
}
+1 -1
View File
@@ -117,7 +117,7 @@ for ($i = 1; $i -le $Iterations; $i++) {
Write-Host "[bench] Cloning..."
$sw = [System.Diagnostics.Stopwatch]::StartNew()
$r = Invoke-Vmrun -VmrunPath $VmrunPath -Operation clone `
$null = Invoke-Vmrun -VmrunPath $VmrunPath -Operation clone `
-Arguments @($TemplatePath, $cloneVmx, 'linked', '-snapshot', $SnapshotName) `
-ThrowOnError
$t.clone = [math]::Round($sw.Elapsed.TotalSeconds, 2)
+3 -3
View File
@@ -89,7 +89,7 @@ function Format-Elapsed {
}
}
function Run-Test {
function Invoke-Test {
param(
[string] $JobId,
[string] $Mode,
@@ -164,11 +164,11 @@ $baselineResult = $null
$guestCloneResult = $null
if (-not $SkipBaseline) {
$baselineResult = Run-Test -JobId $BaselineJobId -Mode "BASELINE (host-side zip)" -CommonParams $commonParams
$baselineResult = Invoke-Test -JobId $BaselineJobId -Mode "BASELINE (host-side zip)" -CommonParams $commonParams
}
if (-not $SkipGuestClone) {
$guestCloneResult = Run-Test -JobId $GuestCloneJobId -Mode "GUEST CLONE (-UseGitClone)" -UseGitClone -CommonParams $commonParams
$guestCloneResult = Invoke-Test -JobId $GuestCloneJobId -Mode "GUEST CLONE (-UseGitClone)" -UseGitClone -CommonParams $commonParams
}
# ────────────────────────────────────────────────────────────────────────────
+1 -1
View File
@@ -329,7 +329,7 @@ function New-WinIsoNoPrompt {
$fsi.VolumeName = $label
$fsi.ChooseImageDefaultsForMediaType(13)
# 5+ GB ISO needs explicit large-volume defaults if available.
try { $fsi.UDFRevision = 0x102 } catch {}
try { $fsi.UDFRevision = 0x102 } catch { Write-Verbose "UDF revision not supported on this IMAPI version." }
Write-Host " Adding ISO tree (this takes a few minutes for 5+ GB)..." -ForegroundColor Yellow
$fsi.Root.AddTree($letter, $false)
+1 -1
View File
@@ -329,7 +329,7 @@ function New-WinIsoNoPrompt {
$fsi.VolumeName = $label
$fsi.ChooseImageDefaultsForMediaType(13)
# 5+ GB ISO needs explicit large-volume defaults if available.
try { $fsi.UDFRevision = 0x102 } catch {}
try { $fsi.UDFRevision = 0x102 } catch { Write-Verbose "UDF revision not supported on this IMAPI version." }
Write-Host " Adding ISO tree (this takes a few minutes for 5+ GB)..." -ForegroundColor Yellow
$fsi.Root.AddTree($letter, $false)
@@ -867,7 +867,6 @@ else {
$vsInstallerUrl = 'https://aka.ms/vs/stable/vs_buildtools.exe'
$vsInstallerPath = 'C:\CI\vs_BuildTools.exe'
$vsResultPath = 'C:\CI\vs_result.txt'
$vsLogPath = 'C:\CI\vs_log.txt'
Write-Host "Downloading VS Build Tools installer..."
Remove-Item $vsInstallerPath -ErrorAction SilentlyContinue # remove any stale/corrupt copy
@@ -867,7 +867,6 @@ else {
$vsInstallerUrl = 'https://aka.ms/vs/stable/vs_buildtools.exe'
$vsInstallerPath = 'C:\CI\vs_BuildTools.exe'
$vsResultPath = 'C:\CI\vs_result.txt'
$vsLogPath = 'C:\CI\vs_log.txt'
Write-Host "Downloading VS Build Tools installer..."
Remove-Item $vsInstallerPath -ErrorAction SilentlyContinue # remove any stale/corrupt copy
+3 -3
View File
@@ -438,7 +438,7 @@ try {
-Authentication Basic -ErrorAction Stop
Remove-PSSession $probe -ErrorAction SilentlyContinue
return $true
} catch { }
} catch { Write-Verbose "WinRM probe attempt failed." }
}
return $false
}
@@ -481,7 +481,7 @@ try {
if ($session) {
try {
Invoke-Command -Session $session -ScriptBlock { Restart-Computer -Force } -ErrorAction SilentlyContinue
} catch { }
} catch { Write-Verbose "Reboot command sent; session may have already dropped." }
Remove-PSSession $session -ErrorAction SilentlyContinue
}
@@ -597,7 +597,7 @@ try {
try {
Invoke-Command -Session $session -ScriptBlock { Restart-Computer -Force } -ErrorAction SilentlyContinue
}
catch { }
catch { Write-Verbose "Reboot command sent; session may have already dropped." }
Remove-PSSession $session -ErrorAction SilentlyContinue
$session = $null
+3 -3
View File
@@ -438,7 +438,7 @@ try {
-Authentication Basic -ErrorAction Stop
Remove-PSSession $probe -ErrorAction SilentlyContinue
return $true
} catch { }
} catch { Write-Verbose "WinRM probe attempt failed." }
}
return $false
}
@@ -481,7 +481,7 @@ try {
if ($session) {
try {
Invoke-Command -Session $session -ScriptBlock { Restart-Computer -Force } -ErrorAction SilentlyContinue
} catch { }
} catch { Write-Verbose "Reboot command sent; session may have already dropped." }
Remove-PSSession $session -ErrorAction SilentlyContinue
}
@@ -597,7 +597,7 @@ try {
try {
Invoke-Command -Session $session -ScriptBlock { Restart-Computer -Force } -ErrorAction SilentlyContinue
}
catch { }
catch { Write-Verbose "Reboot command sent; session may have already dropped." }
Remove-PSSession $session -ErrorAction SilentlyContinue
$session = $null
+2 -2
View File
@@ -37,6 +37,8 @@
.EXAMPLE
.\Validate-SetupState.ps1 -VMIPAddress 192.168.79.129 -Remediate
#>
[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingConvertToSecureStringWithPlainText', '',
Justification = 'Template setup script: plain-text password required to bootstrap WinRM credential chain before Credential Manager is available.')]
[CmdletBinding()]
param(
[Parameter(Mandatory)] [string] $VMIPAddress,
@@ -273,8 +275,6 @@ try {
Write-Host ''
$failed = 0
$deployCnt = 0
$setupCnt = 0
$inSetup = $false
foreach ($r in $checks) {