ci(workflows): align copilot-setup-steps install scope

[WilliamBerryiii]

Pull Request

Description

This PR makes two small, surgical edits to .github/workflows/copilot-setup-steps.yml — the workflow that prebuilds the Copilot Coding Agent environment:

1. PowerShell module install scope — change -Scope CurrentUser to -Scope AllUsers for the three required modules (PowerShell-Yaml 0.4.7, PSScriptAnalyzer 1.25.0, Pester 5.7.1). Versions and the optional HVE_PSGALLERY_SOURCE_URL repository registration are unchanged. AllUsers writes modules to /usr/local/share/powershell/Modules, which is on the default PSModulePath for any user and any shell on the runner, so subsequent workflow steps and ad-hoc shells do not need per-user PSModulePath fixups to resolve the modules.
2. Remove an erroneous verification line — drop npx --no vally -- --version from the tool verification block. The intended command does not exist; it was a stray typo (likely from --no-install followed by a partial package name) and currently fails silently or noisily depending on the environment.

This PR is a sibling of #1497, branched off main. It is independent of PRs A/B/C/D in the post-#1497 stack and can land in any order relative to them.

Scope

This PR ships only the workflow edit. The matching local-environment changes from the original snapshot (.devcontainer/scripts/on-create.sh and .vscode/settings.json) are deliberately deferred to a separate PR (PR F) pending user confirmation of intent. See follow-on WI-02 in the planning log.

Related Issue(s)

Sibling of #1497. No other issue references.

Type of Change

Select all that apply:

Code & Documentation:

• Bug fix (non-breaking change fixing an issue)
• New feature (non-breaking change adding functionality)
• Breaking change (fix or feature causing existing functionality to change)
• Documentation update

Infrastructure & Configuration:

• GitHub Actions workflow
• Linting configuration (markdown, PowerShell, etc.)
• Security configuration
• DevContainer configuration
• Dependency update

AI Artifacts:

• Reviewed contribution with prompt-builder agent and addressed all feedback
• Copilot instructions (.github/instructions/*.instructions.md)
• Copilot prompt (.github/prompts/*.prompt.md)
• Copilot agent (.github/agents/*.agent.md)
• Copilot skill (.github/skills/*/SKILL.md)

Other:

• Script/automation (.ps1, .sh, .py)
• Other (please describe):

Sample Prompts (for AI Artifact Contributions)

For detailed contribution requirements, see:

• Common Standards: docs/contributing/ai-artifacts-common.md
• Agents: docs/contributing/custom-agents.md
• Prompts: docs/contributing/prompts.md
• Instructions: docs/contributing/instructions.md
• Skills: docs/contributing/skills.md

Testing

Automated validation performed by the agent:

• npm run lint:yaml — PASS (50 workflow files, including copilot-setup-steps.yml).
• actionlint .github/workflows/copilot-setup-steps.yml — PASS (EXIT=0).
• npm run lint:ps — skipped in the sandbox (PSGallery network restricted); the diff contains no .ps1 changes, so PSScriptAnalyzer would have nothing new to flag.

Security analysis findings:

• No secrets, credentials, or customer data in the diff.
• No new external dependencies. Module names and pinned versions are unchanged; only the install scope changes.
• -Scope AllUsers requires root on the runner. The copilot-setup job already runs as root on ubuntu-latest, so no privilege escalation is introduced.
• No surface area is added: the typo line npx --no vally -- --version is removed, not replaced.

Diff-based assessments:

• Three line-level scope rewrites plus one line removal. Net change: +3 / -4, one file, zero new files, zero structural changes to the workflow graph.

Note

Manual testing was not performed. The next live run of copilot-setup-steps.yml on a Coding Agent task will exercise the new install scope end-to-end.

Checklist

Required Checks

• Documentation is updated (if applicable) — (N/A — workflow-only change.)
• Files follow existing naming conventions.
• Changes are backwards compatible.
• Tests added for new functionality (if applicable) — (N/A — no new behavior surface.)

AI Artifact Contributions

• Used /prompt-analyze to review contribution
• Addressed all feedback from prompt-builder review
• Verified contribution follows common standards and type-specific requirements

Required Automated Checks

The following validation commands must pass before merging:

• Markdown linting: npm run lint:md
• Spell checking: npm run spell-check
• Frontmatter validation: npm run lint:frontmatter
• Skill structure validation: npm run validate:skills
• Link validation: npm run lint:md-links
• PowerShell analysis: npm run lint:ps
• Plugin freshness: npm run plugin:generate
• Docusaurus tests: npm run docs:test

Security Considerations

• This PR does not contain any sensitive or NDA information
• Any new dependencies have been reviewed for security issues — (N/A — no new dependencies.)
• Security-related scripts follow the principle of least privilege — (N/A — workflow already runs as root on the runner; scope change does not broaden it.)

Additional Notes

Companion PRs in the post-#1497 work stream:

• PR A (feat(planning): add Security Planner state schema with contract suite and fixtures #1638) — Security Planner state schema and fixtures (stacked on feat/sssc-planner-rai-parity).
• PR C (feat(instructions)!: disclaimer SSOT migration (stacked on #1497) #1639) — Planner disclaimer SSOT migration (stacked on feat/sssc-planner-rai-parity).
• PR D (feat(scripts): add instruction applyTo scope Pester suite #1640) — Planner linter hardening: applyTo regression guard (sibling off main).
• PR B — Security Planner agent and phase-gate parity (depends on PR A); will also carry deferred Pester suites and content edits.
• PR F (future, optional) — Devcontainer and .vscode/settings.json companion changes, pending user confirmation of intent (WI-02).

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.49%. Comparing base (1102901) to head (b74def1).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1641      +/-   ##
==========================================
- Coverage   85.50%   85.49%   -0.01%     
==========================================
  Files          82       82              
  Lines       11805    11805              
==========================================
- Hits        10094    10093       -1     
- Misses       1711     1712       +1     

Flag	Coverage Δ
pester	83.65% <ø> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 1 file with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.