feat: adopt hve-core PowerShell CI infrastructure

[WilliamBerryiii]

Pull Request

Description

Modernize edge-ai's PowerShell CI infrastructure by adopting shared modules and script-based workflows from microsoft/hve-core. This replaces inline workflow logic with reusable PowerShell scripts backed by shared CI platform abstraction and file discovery modules.

What Changed

New shared modules:

• scripts/ci/Modules/CIHelpers.psm1 — CI platform abstraction layer (11 functions) supporting GitHub Actions, Azure DevOps, and local execution. Provides output setting, annotations, step summaries, and task result reporting.
• scripts/linting/Modules/LintingHelpers.psm1 — File discovery utilities (Get-ChangedFilesFromGit, Get-FilesRecursive) for changed-file detection and recursive file scanning with exclusion patterns.

New scripts:

• scripts/linting/Invoke-PSScriptAnalyzer.ps1 — Script-based PSScriptAnalyzer runner with CI annotations, changed-files-only mode, JSON results output, markdown summary, and soft-fail support.
• scripts/tests/Get-ChangedTestFiles.ps1 — Changed test file detection via git diff for incremental test runs.
• scripts/tests/pester.config.ps1 — Externalized Pester configuration factory supporting CI mode, code coverage, and tag filtering.

Upgraded scripts:

• scripts/Invoke-Pester.ps1 — Full rewrite with CI integration (-CI switch), code coverage support, changed-only mode, structured JSON output (test-summary.json, test-failures.json), recursive failure tree walking, and CI annotations for failures.

Updated workflows:

• .github/workflows/powershell-lint.yml — Replaced inline PSScriptAnalyzer logic with call to Invoke-PSScriptAnalyzer.ps1.
• .github/workflows/resource-provider-pwsh-tests.yml — Updated to use upgraded Invoke-Pester.ps1 with -CI flag.
• .github/workflows/pr-validation.yml — Added concurrency control (cancel-in-progress), added dedicated Pester test job with -CI -ChangedOnly flags and per-job least-privilege permissions.

Review Fixes

Addressed all review comments from @auyidi1 and resolved CI build failures:

Fix	File	Description
Run.Exit premature termination	scripts/tests/pester.config.ps1	Set $config.Run.Exit = $false — prevents the Pester process from exiting before post-processing (summary, annotations, artifact upload)
Pester version unbounded	scripts/Invoke-Pester.ps1	Changed to -RequiredVersion '5.7.1' — prevents silent breakage from Pester 6.x API changes
PSScriptAnalyzer version unpinned	scripts/linting/Invoke-PSScriptAnalyzer.ps1	Changed to -RequiredVersion '1.22.0' — ensures deterministic lint results across environments
Artifact upload path mismatch	.github/workflows/resource-provider-pwsh-tests.yml	Fixed upload path to ${{ inputs.working-directory }}/${{ inputs.test-results-output }}/
Missing -Path parameter	.github/workflows/resource-provider-pwsh-tests.yml	Added -Path '.' to Invoke-Pester.ps1 call
Test summary wrong file path	.github/workflows/resource-provider-pwsh-tests.yml	Fixed resultsFile path in github-script step to match actual output location
Write-CIStepSummary parameter binding	scripts/ci/Modules/CIHelpers.psm1	Added DefaultParameterSetName = 'Content' and Position = 0 to fix positional parameter binding with multiple parameter sets
PSScriptAnalyzer rule suppression	scripts/ci/Modules/CIHelpers.psm1, scripts/linting/Modules/LintingHelpers.psm1	Added [SuppressMessageAttribute] for approved patterns and comment-based help

Related Issue

Relates to hve-core PowerShell CI infrastructure adoption initiative.

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Blueprint modification or addition
• Component modification or addition
• Documentation update
• CI/CD pipeline change
• Other (please describe):

Implementation Details

Architecture

All scripts follow the hve-core pattern of shared module composition:

scripts/
├── ci/Modules/CIHelpers.psm1          # CI platform abstraction (copied from hve-core)
├── linting/
│   ├── Modules/LintingHelpers.psm1    # File discovery utilities
│   └── Invoke-PSScriptAnalyzer.ps1    # PSScriptAnalyzer runner
├── tests/
│   ├── pester.config.ps1              # Pester configuration factory
│   └── Get-ChangedTestFiles.ps1       # Changed test file detection
└── Invoke-Pester.ps1                  # Pester test runner (upgraded)

Breaking Changes

• scripts/Invoke-Pester.ps1 — Full rewrite with new parameter interface (-CI, -CodeCoverage, -ChangedOnly, -OutputPath, -Path, -ConfigPath). Old parameter interface no longer exists.
• .github/workflows/powershell-lint.yml — Inline PSScriptAnalyzer steps replaced with script call.
• .github/workflows/resource-provider-pwsh-tests.yml — Pester invocation updated to use -CI flag.

Testing Performed

• Manual validation
• Terraform plan/apply
• Blueprint deployment test
• Unit tests
• Integration tests
• Bug fix includes regression test
• PSScriptAnalyzer — 0 violations across all new/modified files

Validation performed:

• PSScriptAnalyzer run against all new and modified PowerShell files (0 violations, exit code 0)
• PowerShell module import validation (CIHelpers exports 11 functions, LintingHelpers exports 2)
• Pester configuration factory returns valid PesterConfiguration object
• Workflow YAML syntax validation

Validation Steps

1. Review the 6 new/modified PowerShell scripts for correctness
2. Verify CIHelpers.psm1 imports correctly: Import-Module ./scripts/ci/Modules/CIHelpers.psm1 -Force; Get-CIPlatform
3. Verify LintingHelpers imports: Import-Module ./scripts/linting/Modules/LintingHelpers.psm1 -Force; Get-Command -Module LintingHelpers
4. Run PSScriptAnalyzer locally: pwsh scripts/linting/Invoke-PSScriptAnalyzer.ps1
5. Run Pester locally: pwsh scripts/Invoke-Pester.ps1
6. Check workflow YAML validity in the Actions tab after merge

Checklist

• I have updated the documentation accordingly
• I have added tests to cover my changes
• All new and existing tests passed
• I have run terraform fmt on all Terraform code
• I have run terraform validate on all Terraform code
• I have run az bicep format on all Bicep code
• I have run az bicep build to validate all Bicep code
• I have checked for any sensitive data/tokens that should not be committed
• I have run MegaLinter on my code (mega-linter-runner)

Additional Notes

• CIHelpers.psm1 is a direct copy from the hve-core extension and provides cross-platform CI abstraction (GitHub Actions + Azure DevOps + local).
• The implementation follows the details spec which prescribes a simplified subset of hve-core's full feature set appropriate for edge-ai.
• Follow-on work identified: source-to-test file mapping, Codecov integration, advanced Pester features (tag filtering, parallel execution).

[auyidi1]

The title says "adopt hve-core PowerShell CI infrastructure" but the PR contains:

• PowerShell CI scripts (the stated purpose, ~6 files)
• WASM operator builder agent + 3 instruction files + prompt (~1930 lines of AI artifacts)
• Terraform msgraph→azurerm_client_config migration (~17 files)
• Key Vault purge protection toggle (~10 files)
• ACR export policy toggle (~8 files)
• should_deploy_aio toggle across 3 blueprints (~15 files)
• Schema registry RBAC timing fix with time_sleep
• VPN gateway enable_bgp → bgp_enabled rename
• MegaLinter configuration (157 lines)
• Dockerfile x264 git→tarball fix
• Markdown table formatter exclusion changes

This makes thorough review impractical. Each of these is a distinct concern that should be independently reviewable.

[katriendg]

I guess in addition to the changes, this seems to include a latest pull from ADO as well. Not sure this is your intention, happy to approve if that's the flow you'd want to take here, but wondering if it was by mistake.

[WilliamBerryiii]

I guess in addition to the changes, this seems to include a latest pull from ADO as well. Not sure this is your intention, happy to approve if that's the flow you'd want to take here, but wondering if it was by mistake.

No it was not ... I'll fix this

[WilliamBerryiii]

@katriendg & @auyidi1 - this should be clear for re-review.