CI: add dotnet --info / df -h / free -m diagnostics and an explicit 'Restore NuGet packages' step before build to isolate restore failures (build of e15f650 on main exited with code -1 and zero dotnet output). #5

2026-06-05T01:24:31Z

gsadmin commented

2026-06-05 01:24:31 +00:00

No description provided.

gsadmin added 27 commits 2026-06-05 01:24:32 +00:00

CI: add dotnet --info / df -h / free -m diagnostics and an explicit 'Restore NuGet packages' step before build to isolate restore failures (build of e15f650 on main exited with code -1 and zero dotnet output). 19615363e3

Request-InfisicalCertificate + PKI lifecycle, MAML help for all 39 cmdlets, chain-store routing fix 51bf819c37

Cmdlets added: Request-InfisicalCertificate, Get-InfisicalCertificate, Get-InfisicalCertificates. Request supports BySubscriber/ByCa parameter sets, BouncyCastle CSR generation (RSA/ECDSA/Ed25519), local-key generation, -Install/-InstallChain (chain certs routed to Root vs CertificateAuthority by self-signed status), idempotency reuse with -AllowRenewal/-RenewalThresholdDays, local chain reconstruction with -LocalChainOnly opt-out, Infisical bundle fallback when local stores are incomplete, and private-key protection modes (Exportable/LocalOnly/NonExportable/Ephemeral) via -PrivateKeyProtection plus -PersistKey/-MachineKey/-PrivateKeyPath.

Install-InfisicalCertificate fix: chain certs were previously dumped into CertificateAuthority unconditionally. They are now routed by Subject==Issuer (self-signed -> Root, otherwise -> CertificateAuthority), matching Request-InfisicalCertificate. Routing centralized in InfisicalCertificateRequestHelpers.GetChainCertificateTargetStore and a new InstallChain(IEnumerable<X509Certificate2>,...) overload.

Help: authored Module/PSInfisicalAPI/en-US/PSInfisicalAPI.dll-Help.xml covering all 39 cmdlets (synopsis, description, notes, two examples per cmdlet: one-liner + OrderedDictionary splat with preceding Get- resolvers for IDs/slugs).

Build pipeline: build.ps1 stages the help XML into bin/<culture>/ next to the DLL during publish (hard-fails if missing or has zero <command:command> entries). Test-ModuleImports now enumerates every exported cmdlet via Get-Command, cross-checks against expected names, and asserts non-empty synopsis (rejecting auto-generated cmdlet-name fallback), non-empty description, and at least one example with a non-empty <dev:code> block.

Tests: 230/230 passing (up from 190).

Consolidate Get-Infisical* singular/plural pairs; fix PKI subscriber 404; add Get-InfisicalPkiSubscriber 2489b7adca

BREAKING: Removed Get-InfisicalProjects, Get-InfisicalEnvironments, Get-InfisicalFolders, Get-InfisicalTags, Get-InfisicalSecrets, and Get-InfisicalCertificates. Their list behavior is now the default parameter set on the singular cmdlets; supplying the identity parameter switches to single-record retrieval. No back-compat aliases.

Fix: SignCertificateBySubscriber endpoint resolved to /api/v1/pki/subscribers/{subscriberName}/sign-certificate (was /pki/pki-subscribers and /cert-manager/pki-subscribers, both 404).

Added Get-InfisicalPkiSubscriber (List/ByName), InfisicalPkiSubscriber model, DTOs, mapper, and InfisicalPkiClient.ListPkiSubscribers/GetPkiSubscriber. MAML help refreshed for all consolidated cmdlets with 2 straight-line + 1 OrderedDictionary splat examples each. README extended with extension guide. CHANGELOG updated. 230/230 tests pass.

Rebuild against commit 2489b7a; expand README cmdlets table with per-cmdlet synopses a34db831d8

Refreshed Module/PSInfisicalAPI/bin/PSInfisicalAPI.dll and Module/PSInfisicalAPI/PSInfisicalAPI.psd1 so the embedded BuildCommitHash matches the now-checked-in source (was 51bf819, now 2489b7a). CHANGELOG gains the 2026.06.04.1915 build stamp.

README cmdlets section now lists all 34 cmdlets grouped by Session/Secrets/Projects/Environments/Folders/Tags/PKI, each with the synopsis pulled verbatim from Get-Help to keep the two surfaces in sync.

Build artifacts for a34db83 29cbac4d13

Rebuild outputs only: Module DLL and manifest now embed BuildCommitHash=a34db831d8bf, matching the source commit they were produced from. CHANGELOG gains the 2026.06.04.1917 build stamp. No source changes.

Add build.ps1 -CommitArtifacts switch for source/artifact lockstep commits 0f8f44afdb

New switch stages and commits only the three build-output paths (Module/PSInfisicalAPI/bin/**, Module/PSInfisicalAPI/PSInfisicalAPI.psd1, CHANGELOG.md) with a message referencing the embedded BuildCommitHash. Mutually exclusive with -CommitOnSuccess. README and CHANGELOG updated to document the recommended two-commit workflow.

Build artifacts for 0f8f44afdb 8e7ab3570a

Auto-generated by build.ps1 -CommitArtifacts. Build 2026.06.04.1920. Module DLL and manifest embed BuildCommitHash=0f8f44afdb38, matching the source commit they were produced from.

Surface Infisical API error body in thrown exceptions 5e6364f9e0

Parse the JSON envelope (message/error/reqId) returned by 4xx/5xx responses and include the human-readable message in the InfisicalApiException message itself, plus new ApiErrorMessage and ApiRequestId properties. InfisicalErrorDetails and the error handler propagate the new fields so PowerShell error records and the logger surface the server-side reason instead of an opaque status line.

Add Get-InfisicalCertificateProfile cmdlet 2140ffe8ff

Covers GET /api/v1/cert-manager/certificate-profiles (List default with optional -Limit, -Offset, -IncludeConfigs) and GET /api/v1/cert-manager/certificate-profiles/{certificateProfileId} (ById). New InfisicalCertificateProfile model surfaces ca/policy ids, slug, enrollment type, per-profile defaults (ttl, key/extended key usages with polymorphic string-or-array shapes flattened) and embedded CA/policy/apiConfig summaries. Manifest, build expected list, and MAML help updated.

Add Get-InfisicalCertificatePolicy cmdlet 9efdafb7fb

Covers GET /api/v1/cert-manager/certificate-policies (List default with optional -Limit, -Offset) and GET /api/v1/cert-manager/certificate-policies/{certificatePolicyId} (ById). New InfisicalCertificatePolicy model surfaces subject, SANs, key usages, extended key usages, algorithms, and validity. Polymorphic string-or-array fields (allowed/required/keyAlgorithm) are normalized to arrays; sans is normalized whether the API returns an object or an array. Manifest, build expected list, and MAML help updated.

Add -Kind switch to Get-InfisicalCertificateAuthority c9c8a8446b

List parameter set gains -Kind Internal|Acme|Any. Internal (default) preserves current behavior against /api/v1/cert-manager/ca/internal. Any binds to the generic /api/v1/cert-manager/ca endpoint returning both internal and ACME CAs. Acme uses the generic endpoint and client-side filters to type=acme. ById retrieval is unchanged and still resolves against the internal CA endpoint. The existing InfisicalCertificateAuthority model already exposes a Type property to distinguish entries when -Kind Any is used. MAML help updated.

Add profile-based issuance to Request-InfisicalCertificate ebabd6cf26

New ByProfile parameter set bound by -CertificateProfileId (alias ProfileId) POSTs to /api/v1/cert-manager/certificates with the profile id, the locally generated CSR, and an attributes envelope (subject fields, ttl, notBefore, notAfter, keyUsages, extendedKeyUsages). The wrapped response is unwrapped into the existing InfisicalSignedCertificate so reuse, install, chain-completion and key-protection paths remain unchanged. Issuance that returns without a certificate (e.g. status pending_approval) raises a configuration exception that surfaces the reported status and message. Ttl/NotBefore/NotAfter/KeyUsage/ExtendedKeyUsage parameters are now shared by ByCa and ByProfile. MAML help and existing parameter-set test updated.

Treat profile pending-approval as warning instead of throw 3754de74f6

Issuance via Request-InfisicalCertificate -CertificateProfileId no longer throws when the API responds without a certificate body (e.g. status pending_approval / pending_validation). InfisicalPkiClient.IssueCertificateByProfile now logs a warning and returns an InfisicalSignedCertificate populated only with Status, StatusMessage, and CertificateRequestId. New Status, StatusMessage, CertificateRequestId properties on InfisicalSignedCertificate and InfisicalCertificateResult propagate the lifecycle state. The cmdlet short-circuits when CertificatePem is empty: it skips key build, install, chain install, and private-key write, scrubs PrivateKeyPem, and emits a status-only result so callers can poll or trigger approval. Whether issuance is immediate is dictated by the certificate policy bound to the profile.

Build artifacts for 3754de74f6 b375ebc9b3

Auto-generated by build.ps1 -CommitArtifacts. Build 2026.06.04.2112. Module DLL and manifest embed BuildCommitHash=3754de74f6c8, matching the source commit they were produced from.

Add InfisicalScepMdmProfile model with ToSyncMl() builder 80454576b8

POCO mirrors the Windows ClientCertificateInstall/SCEP CSP node set (ServerURL, Challenge, SubjectName, SubjectAlternativeNames, EKUMapping, KeyUsage, KeyLength, KeyAlgorithm, HashAlgorithm, KeyProtection, ContainerName, ValidPeriod, ValidPeriodUnits, RetryCount, RetryDelay, TemplateName, CAThumbprint, CustomTextToShowInPrompt) plus a Scope hint (Device or User) and a UniqueId for the CSP path segment. ToSyncMl() builds an Atomic SyncBody of Replace operations and a trailing Exec on Install/Enroll using XDocument, serializes through XmlWriter with explicit settings (UTF-8 no BOM, indented, no BOM, Replace newline handling), then round-trip-validates through XmlReader before returning the string.

Add Get-InfisicalScepMdmProfile cmdlet d0eeb19f2d

Maps an InfisicalCertificateProfile (pipeline-bound) to an InfisicalScepMdmProfile model. ServerUrl defaults to {baseUri}/scep/{profileId}/pkiclient.exe derived from the active connection. UniqueId defaults to a sanitized slug. Challenge is accepted as SecureString and decrypted with SecureStringToGlobalAllocUnicode (zero/free on exit). KeyAlgorithm and EkuMapping are inherited from the source profile defaults when not overridden.

Add Export-InfisicalScepMdmProfile cmdlet 4bcdf372d4

Writes the SyncML payload from InfisicalScepMdmProfile.ToSyncMl() to disk as UTF-8 (no BOM). Honors -WhatIf, auto-creates the target directory, and follows the project rule for -Force: if the file exists without -Force, logs a warning and returns instead of throwing. Optional -PassThru emits the resulting FileInfo.

Add Write-InfisicalScepMdmProfileToWmi cmdlet d5afe6cccb

Submits an InfisicalScepMdmProfile to the local MDM Bridge WMI provider (root/cimv2/mdm/dmmap, MDM_ClientCertificateInstall_SCEP02 by default). Builds a property hashtable mirroring the CSP node set and invokes New-CimInstance via InvokeCommand.InvokeScript so no new package references are required. Guards: throws PlatformNotSupportedException off Windows; Device-scope enrollment requires an elevated session unless -SkipElevationCheck is passed; supports -WhatIf; -PassThru emits the returned CIM instance.

Wire SCEP MDM cmdlets into manifest, build, help, and docs 183fb48c32

Adds Get-/Export-/Write-InfisicalScepMdmProfile(ToWmi) to CmdletsToExport in the module manifest and to the build.ps1 manifest template and expected-cmdlet probe. Adds MAML help entries (description, notes, two examples each with an OrderedDictionary splat) for all three cmdlets. Updates README's cmdlet count from 34 to 37 and the cmdlet table with one-line descriptions. CHANGELOG entry summarizes the new feature, the default SCEP URL pattern, the elevation/platform guards, and the export-vs-throw rule for -Force.

Build artifacts for 183fb48c32 485ee8a7dd

Auto-generated by build.ps1 -CommitArtifacts. Build 2026.06.04.2147. Module DLL and manifest embed BuildCommitHash=183fb48c32ce, matching the source commit they were produced from.

feat(pki): add Certificate Application + Enrollment models and client methods a195901a10

Adds InfisicalCertificateApplication and InfisicalCertificateApplicationEnrollment models (with SCEP/EST/ACME/API sub-blocks) and DTO/mapper layer. Mapper computes the SHA-1 RA certificate thumbprint from the enrollment PEM so it can be fed directly into MDM payloads. InfisicalPkiClient gains ListCertificateApplications, GetCertificateApplication, GetCertificateApplicationByName, ListCertificateApplicationProfiles, GetCertificateApplicationEnrollment, and GenerateScepDynamicChallenge. InfisicalApiInvoker accepts an optional extraHeaders argument so callers can attach x-infisical-project-id and override Accept (used by the plain-text SCEP challenge endpoint). New endpoint names and registry entries cover /api/v1/cert-manager/applications/** and /scep/applications/**/profiles/**/challenge.

feat(cmdlets): add Get-InfisicalCertificateApplication, Get-InfisicalCertificateApplicationEnrollment, New-InfisicalScepDynamicChallenge 148a09f0d9

Get-InfisicalCertificateApplication exposes List/ById/ByName parameter sets over /api/v1/cert-manager/applications. Get-InfisicalCertificateApplicationEnrollment returns the per-application/profile enrollment block (API/EST/ACME/SCEP) with the computed RA cert thumbprint. New-InfisicalScepDynamicChallenge wraps POST /scep/applications/{appId}/profiles/{profileId}/challenge and returns the minted challenge as a SecureString (default) or string (-AsPlainText), surfacing plan-restriction and not-configured errors as descriptive ErrorRecords.

feat(scep): rework Get-InfisicalScepMdmProfile into FromEnrollment/FromProfile/Manual parameter sets 3c39a99b9a

FromEnrollment (new default) consumes an InfisicalCertificateApplicationEnrollment and auto-fills ServerUrl from scep.scepEndpointUrl, CAThumbprint from the RA certificate thumbprint, and mints a fresh dynamic challenge automatically when challengeType=dynamic and -Challenge is not supplied. FromProfile preserves the legacy projection from an InfisicalCertificateProfile but now requires -ApplicationId so the server URL is built against /scep/applications/{appId}/profiles/{profileId}/pkiclient.exe. Manual requires explicit -ServerUrl, -Challenge, and -UniqueId. Module manifest, help XML, and build.ps1 expectedCmds list updated to register the three new cmdlets. CHANGELOG updated.

Build artifacts for 3c39a99b9a fb27ab8a85

Auto-generated by build.ps1 -CommitArtifacts. Build 2026.06.04.2335. Module DLL and manifest embed BuildCommitHash=3c39a99b9a4c, matching the source commit they were produced from.

fix(cmdlets): remove self-aliases that broke parameter binding on three new cmdlets 7ae5d4a59d

Get-InfisicalCertificateApplication declared [Alias("Id", "ApplicationId")] on its Id parameter and Get-InfisicalCertificateApplicationEnrollment / New-InfisicalScepDynamicChallenge declared [Alias("Id", "ApplicationId")] on their ApplicationId parameter. PowerShell rejects an [Alias] entry whose value matches the parameter's own name with ParameterNameConflictsWithAlias at registration time, leaving the cmdlets unusable. Removed the self-referential alias from each.

refactor!(scoping): mandate explicit -ProjectId/-Environment; add -Type/-IncludeRoles to Get-InfisicalProject cffda99591

BREAKING CHANGES
- Connect-Infisical no longer accepts -ProjectId, -Environment, or -SecretPath.
- InfisicalConnection no longer carries ProjectId, Environment, or DefaultSecretPath.
- Every cmdlet that previously inherited those fields now requires -ProjectId
  and/or -Environment as Mandatory=true. -SecretPath / -Path remain optional
  and default to "/" at the client layer.
- INFISICAL_PROJECT_ID, INFISICAL_ENVIRONMENT, INFISICAL_SECRET_PATH env-var
  scanning removed from Connect-Infisical.
- Resolve{ProjectId,Environment,SecretPath} helpers removed from
  InfisicalCmdletBase. ResolveOrganizationId retained.

ADDED
- Get-InfisicalProject -Type <enum> filters the list by product surface
  (secret-manager, cert-manager, kms, ssh, secret-scanning, pam, ai) with
  IntelliSense via ValidateSet.
- Get-InfisicalProject -IncludeRoles switch maps to includeRoles=true/false
  query parameter (always sent).

RATIONALE
- Implicit connection scoping caused 400 Bad Request when the active
  connection's ProjectId belonged to a different product surface than the
  cmdlet's target (e.g. secret-manager project id passed to /cert-manager/*).
- Explicit parameters make scope unambiguous and make scripts portable
  across projects.
- The new -Type filter on Get-InfisicalProject lets callers discover the
  correct project id for each subsequent CRUD invocation without needing
  connection-level inheritance.

INTERNAL
- All client classes (Secrets / Folders / Environments / Tags / Projects /
  Pki) now receive scoping as explicit arguments rather than reading the
  InfisicalConnection object.
- Client-layer SecretPath / Path defaulting to "/" is preserved via
  FirstNonEmpty(...).
- Help XML updated to remove all "session-pinned" / "active connection"
  phrasing; OrderedDictionary splatting examples now include the mandatory
  parameters.
- 216/216 unit tests passing.

Build artifacts for cffda99591

Publish to PowerShell Gallery / build (pull_request) Failing after 13s

Details

Publish to PowerShell Gallery / release (pull_request) Has been skipped

Details

Publish to PowerShell Gallery / publish (pull_request) Has been skipped

Details

56be777095

Auto-generated by build.ps1 -CommitArtifacts. Build 2026.06.05.0117. Module DLL and manifest embed BuildCommitHash=cffda99591c9, matching the source commit they were produced from.

gsadmin merged commit 621cb87943 into main

2026-06-05 01:24:51 +00:00

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: gsadmin/PSInfisicalAPI#5

CI: add dotnet --info / df -h / free -m diagnostics and an explicit 'Restore NuGet packages' step before build to isolate restore failures (build of e15f650 on main exited with code -1 and zero dotnet output). #5

CI: add dotnet --info / df -h / free -m diagnostics and an explicit 'Restore NuGet packages' step before build to isolate restore failures (build of `e15f650` on main exited with code -1 and zero dotnet output). #5