Comparing changes

base repository: nthbotast/PowerShellBuild
base: main
head repository: psake/PowerShellBuild
compare: main
  • 3 commits
  • 17 files changed
  • 4 contributors

Commits on Apr 3, 2026

  1. Potential fix for code scanning alert no. 3: Workflow does not contain permissions (psake#118)
    
    Potential fix for
    [https://github.com/psake/PowerShellBuild/security/code-scanning/3](https://github.com/psake/PowerShellBuild/security/code-scanning/3)
    
    In general, this should be fixed by explicitly defining GITHUB_TOKEN
    permissions in the workflow, either at the root level (applying to all
    jobs) or per job, and restricting them to the least privilege required
    (for a simple test workflow usually `contents: read` is enough). This
    documents the workflow’s needs and prevents it from gaining broader
    access if repository or organization defaults change.
    
    For this specific workflow in `.github/workflows/test.yml`, the safest,
    least intrusive fix that preserves existing behavior is to add a
    root-level `permissions:` block granting only `contents: read`. The
    existing steps perform a checkout and run a PowerShell script; there is
    no explicit indication they need to write to the repo, issues, or pull
    requests. Adding the block directly under the workflow `name:` (before
    `on:`) is conventional and applies to all jobs unless overridden. No
    imports or additional methods are required; this is purely a YAML
    configuration change within the workflow file.
    
    
    _Suggested fixes powered by Copilot Autofix. Review carefully before
    merging._
    
    Signed-off-by: Gilbert Sanchez <me@gilbertsanchez.com>
    Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
    Commit 000f2ca
  2. Potential fix for code scanning alert no. 1: Workflow does not contain permissions (psake#119)
    
    Potential fix for
    [https://github.com/psake/PowerShellBuild/security/code-scanning/1](https://github.com/psake/PowerShellBuild/security/code-scanning/1)
    
    In general, the fix is to explicitly define a `permissions:` block for
    the workflow or individual jobs, granting only the scopes actually
    needed. For most build/publish workflows that only need to read the
    repository contents, `contents: read` is an appropriate minimal default.
    If later steps need more permissions (e.g., to create releases or write
    issues), those can be added explicitly.
    
    For this specific file, the simplest and safest fix without altering
    functionality is to add a workflow-level `permissions:` block with
    `contents: read`. This will apply to the `publish` job because it
    currently has no `permissions` of its own. Concretely, in
    `.github/workflows/publish.yaml`, insert:
    
    ```yaml
    permissions:
      contents: read
    ```
    
    between the `on:` block and the `jobs:` block. No additional imports or
    dependencies are needed, and no other lines in the workflow need to
    change.
    
    
    _Suggested fixes powered by Copilot Autofix. Review carefully before
    merging._
    
    Signed-off-by: Gilbert Sanchez <me@gilbertsanchez.com>
    Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
    Commit 1b16805
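
The two commits above both close a "Workflow does not contain permissions" alert. The following is an added example, not code from the PowerShellBuild repository or from the code scanning rule: a small check that lists the jobs in a workflow file that have no explicit `permissions:` key at either workflow or job level. The function name and the sample workflow are constructed for illustration, and the check assumes space-indented block-style YAML rather than using a YAML parser.

```python
import re

# Block-style mapping key, optionally quoted; group 1 is its indentation.
KEY = re.compile(r"^( *)['\"]?([A-Za-z0-9_-]+)['\"]?\s*:")

def jobs_missing_permissions(workflow_text):
    """List jobs that fall back to the repository's default GITHUB_TOKEN scopes.

    Empty list: every job is covered by a workflow-level `permissions:` key
    or its own. Indentation scan of space-indented block YAML, not a parser.
    """
    workflow_level, in_jobs = False, False
    job_indent = child_indent = current = None
    covered = {}  # job name -> has its own `permissions:` key
    for line in workflow_text.splitlines():
        m = KEY.match(line)
        if not m:
            continue  # blank line, comment, list item or scalar body
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:
            workflow_level = workflow_level or key == "permissions"
            in_jobs = key == "jobs"
            job_indent = child_indent = current = None
        elif in_jobs:
            if job_indent is None:
                job_indent = indent  # first key under `jobs:` is a job name
            if indent == job_indent:
                current, child_indent = key, None
                covered[key] = False
            elif child_indent is None or indent == child_indent:
                child_indent = indent  # direct children of the current job
                covered[current] = covered[current] or key == "permissions"
    return [] if workflow_level else [j for j, ok in covered.items() if not ok]

# Constructed sample, not the repository's actual test.yml.
BEFORE = """\
name: Test
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - shell: pwsh
        run: ./build.ps1 -Task Test -Bootstrap
"""
# The fix from the first commit: root-level block under `name:`, before `on:`.
AFTER = BEFORE.replace("on:", "permissions:\n  contents: read\non:", 1)

if __name__ == "__main__":
    print("before:", jobs_missing_permissions(BEFORE))
    print("after: ", jobs_missing_permissions(AFTER))
```

A job-level `permissions:` key only covers that job, so a workflow with one scoped job and one unscoped job still reports the unscoped one.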

Commits on May 18, 2026

  1. feat: deploy AIM (AI Agent Instruction Modules) (psake#122)

    Phase 0 of psake#120 — deploy [AIM (AI Agent Instruction
    Modules)](https://github.com/tablackburn/ai-agent-instruction-modules)
    as the first PR of the v1.0.0 cycle.
    
    ## What's included
    
    - `AGENTS.md` (root) — agent-facing entry point with instruction matrix;
    Last sync: 2026-05-17 (AIM 0.8.14)
    - `aim.config.json` — module configuration; external sources enabled
    (awesome-copilot fallback)
    - `instructions/` — 12 instruction modules:
      - Core: `agent-workflow`, `shorthand`, `git-workflow`, `testing`,
        `update`
      - Language/tools: `powershell`, `markdown`, `readme`, `github-cli`
      - Repository management: `releases`, `contributing`
      - Repo-specific: `repository-specific.instructions.md` (migrated from
        CLAUDE.md)
    - `CLAUDE.md` — one-line `@AGENTS.md` import so Claude Code auto-loads
    AIM context (see "CLAUDE.md handling" below)
    
    ## CLAUDE.md migration
    
    CLAUDE.md content was migrated to
    `instructions/repository-specific.instructions.md`, keeping only
    repo-specific content (project layout, `$PSBPreference` internals, task
    dependency variables, naming conventions, build workflows, BuildHelpers
    env vars). Generic content covered by standard AIM modules (PowerShell
    style, git workflow, generic testing patterns) was dropped to avoid
    duplication.
    
    Stale references corrected during migration:
    - Version: 0.7.3 → 0.8.0
    - Public function count: 9 → 12 (signing functions added in 0.8.0)
    
    ## CLAUDE.md handling
    
    The original CLAUDE.md was deleted, then re-added as a one-line file
    containing only `@AGENTS.md`. Reason: Claude Code auto-loads `CLAUDE.md`
    from the project root but does not auto-load `AGENTS.md` ([memory
    docs](https://code.claude.com/docs/en/memory.md)). Using the official
    `@`-import syntax means fresh Claude Code sessions in this repo
    automatically pick up AIM context (AGENTS.md → instruction matrix →
    applicable modules) without needing a manual pointer in every prompt.
    
    This matches the AIM source repo, which ships both `AGENTS.md` and
    `CLAUDE.md`.
    
    ## AIM 0.8.14 sync
    
    Bumped from 0.8.13 → 0.8.14 (released 2026-05-16). Pulls three
    instruction-file fixes from
    [tablackburn/ai-agent-instruction-modules#24](tablackburn/ai-agent-instruction-modules#24):
    
    - **`contributing.instructions.md`** — "Make Changes" pointed
    contributors at `instructions/` instead of `instruction-templates/`.
    Surfaced during Copilot review of this PR and filed upstream as
    [tablackburn/ai-agent-instruction-modules#23](tablackburn/ai-agent-instruction-modules#23).
    - **`github-cli.instructions.md`** — "Creating Releases" example used
    `gh release create --notes`, contradicting `releases.instructions.md`
    which mandates `--notes-file` to avoid escaping issues. Replaced with a
    temp-file pattern and added a precedence note. Also surfaced during this
    PR's review; same upstream issue.
    - **`shorthand.instructions.md`** — backfilled the missing `Dir →
    Directory` row (pre-existing sync drift in the upstream template; fixed
    in the same upstream PR).
    
    `AGENTS.md` Template Version 0.8.13 → 0.8.14 and Last sync 2026-05-15 →
    2026-05-17.
    
    ## Scope
    
    Docs/config-only — no module code changes. Verified locally:
    - `git diff --stat origin/main`: 16 files changed, 0 under
    `PowerShellBuild/`, `requirements.psd1`, `CHANGELOG.md`, or `.github/`
    - `./build.ps1 -Task Test -Bootstrap` passes (314 passed, 0 failed, 2
    skipped — the skips are git-tagging tests that expectedly skip on
    feature branches)
    - Module version, dependencies, and CI workflows untouched
    
    ## Note on module count vs psake#120 checklist
    
    psake#120's Phase 0 checklist lists 8 modules. This PR deploys 12 — the
    additional `readme`, `contributing`, `update`, and `repository-specific`
    modules were included per the Phase 0 deployment scope I worked from.
    Happy to drop any of them if the tracking issue's narrower list was
    intentional.
    
    ## Phase 0 checklist (psake#120)
    
    - [x] Add `AGENTS.md`, `aim.config.json`, `instructions/`
    - [x] Migrate `CLAUDE.md` content →
    `instructions/repository-specific.instructions.md`
    - [x] Modules included: `agent-workflow`, `shorthand`, `git-workflow`,
    `testing`, `powershell`, `markdown`, `releases`, `github-cli` (plus
    `readme`, `contributing`, `update`, `repository-specific` — see note
    above)
    - [x] Fix stale version reference (CLAUDE.md said 0.7.3; actual is
    0.8.0)
    
    ## Commits
    
    1. `feat: deploy AIM (AI Agent Instruction Modules)` — main deployment +
    CLAUDE.md content migration + CLAUDE.md deletion
    2. `docs: add CLAUDE.md as @AGENTS.md import for Claude Code
    auto-loading` — restore CLAUDE.md as a 1-line pointer
    3. `docs: address Copilot review feedback on repository-specific
    instructions` — Sign/Catalog rows, IB alias examples, `-FromModule`
    psake pattern, signing task dependency + task rows
    4. `docs: sync AIM 0.8.14 fixes (contributing folder, gh release notes,
    Dir row)` — pull the three instruction-file fixes from AIM 0.8.14 and
    bump template version + sync date
    
    🤖 Generated with [Claude Code](https://claude.com/claude-code)
    
    ---------
    
    Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
    tablackburn and claude authored May 18, 2026
    Commit 08b191a