Updates to readme (#238)

.github/workflows/build.yaml

@@ -1,10 +1,24 @@
-# CI workflow for validating action
+#
+# Repository build and analysis
+#
+
+# NOTES:
+# This workflow uses PSRule, and DevSkim.
+# You can read more about these linting tools and configuration options here:
+#   PSRule - https://aka.ms/ps-rule and https://github.com/Microsoft/PSRule.Rules.MSFT.OSS
+#   DevSkim - https://github.com/microsoft/DevSkim-Action and https://github.com/Microsoft/DevSkim
+
 name: Build
 on:
   push:
-    branches: [main, 'release/*']
+    branches: [main, 'release/*', 'dependencies/*']
   pull_request:
     branches: [main, 'release/*']
+  schedule:
+    - cron: '42 18 * * 0' # At 6:42 PM, on Sunday each week
+  workflow_dispatch:
+
+permissions: {}
 
 jobs:
   test:
@@ -72,3 +86,39 @@ jobs:
         with:
           name: PSRule-results
           path: reports/report.md
+
+  oss:
+    name: Analyze with PSRule
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run PSRule analysis
+        uses: microsoft/ps-rule@main
+        with:
+          modules: PSRule.Rules.MSFT.OSS
+          prerelease: true
+
+  devskim:
+    name: Analyze with DevSkim
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run DevSkim scanner
+        uses: microsoft/DevSkim-Action@v1
+        with:
+          directory-to-scan: .
+
+      - name: Upload results to security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: devskim-results.sarif

.github/workflows/dependencies.yaml

@@ -11,6 +11,8 @@ on:
     - cron: '50 1 * * 1' # At 01:50 AM, on Monday each week
   workflow_dispatch:
 
+permissions: {}
+
 env:
   WORKING_BRANCH: dependencies/powershell-bump
 

.github/workflows/release.yaml

@@ -21,14 +21,15 @@ on:
         options:
           - 'v1'
           - 'v2'
-        default: v2
-
-env:
-  RELEASE_BRANCH: ${{ inputs.major || 'v2' }}
-  LATEST_BRANCH: v2
+          - 'v3'
+        default: v3
 
 permissions: {}
 
+env:
+  RELEASE_BRANCH: ${{ inputs.major || 'v3' }}
+  LATEST_BRANCH: v3
+
 jobs:
   branch:
     name: Update release branch

.github/workflows/stale.yaml

@@ -12,6 +12,8 @@ on:
   schedule:
     - cron: '30 1 * * *' # At 1:30 AM, daily
 
+permissions: {}
+
 jobs:
   stale:
     runs-on: ubuntu-latest

README.md

@@ -31,13 +31,35 @@ To get a specific release use **(recommended)**:
   uses: microsoft/[email protected]
 ```
 
-To get the latest bits use:
+---
+
+> [!TIP]
+> The recommended approach is to pin to the latest specific release for example `microsoft/[email protected]`.
+> Pinning to a specific release reduces the risk of new releases breaking your pipeline.
+>
+> You can easily update to the latest release by changing the version number or using version updates with Dependabot.
+> To configure version updates of `github-actions` with Dependabot see [Configuring version updates][5].
+>
+> When the next release is available, bumping the version allows you to test in a feature branch before merging to main.
+
+---
+
+To get the latest bits use **(not recommended for general use or production)**:
 
 ```yaml
 - name: Run PSRule analysis
   uses: microsoft/ps-rule@main
 ```
 
+---
+
+> [!CAUTION]
+> Using `microsoft/ps-rule@main` is **not recommended** for general use or production workflows.
+> The `main` branch is under **active development and may be unstable** or include breaking changes.
+> Use `microsoft/ps-rule@main` to try latest updates before the next stable release and provide feedback.
+
+---
+
 To use the latest action with an older version of PSRule, you can use the `version` parameter.
 For example:
 
@@ -50,20 +72,8 @@ For example:
 
 For a list of changes please see the [change log][2].
 
----
-
-The recommended approach is to pin to the latest specific release.
-Pinning to a specific release reduces the risk of new releases breaking your pipeline.
-You can easily update to the latest release by changing the version number.
-At such time, you can test the new release in a feature branch before merging to main.
-
-Using `microsoft/ps-rule@main` is **not recommended** for production workflows.
-The `main` branch is under **active development and may be unstable**.
-Use `microsoft/ps-rule@main` to try latest updates ahead of a stable release and provide feedback.
-
----
-
   [2]: CHANGELOG.md
+  [5]: https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#enabling-dependabot-version-updates
 
 ## Inputs