[Issue]: Add Pester tests for security scripts (3 scripts) #199

@WilliamBerryiii

Summary

Create unit tests for the security-focused PowerShell scripts that validate dependency pinning, SHA staleness, and action updates.

Parent Issue: #190

Requirements

Create test files:

  • scripts/tests/security/Test-DependencyPinning.Tests.ps1
  • scripts/tests/security/Test-SHAStaleness.Tests.ps1
  • scripts/tests/security/Update-ActionSHAPinning.Tests.ps1

Implementation Details

Scripts Under Test

Script                        Purpose                                    Key Testing Areas
Test-DependencyPinning.ps1    Validate workflow actions are SHA-pinned   YAML parsing, SHA format validation
Test-SHAStaleness.ps1         Check if pinned SHAs are outdated          GitHub API mocking, version comparison
Update-ActionSHAPinning.ps1   Update stale SHAs                          File modification, SHA resolution

Test Pattern

BeforeAll {
    # Load the script under test so Test-ActionPinning is in scope for the tests.
    # Test files live in scripts/tests/security/, scripts in scripts/security/.
    . "$PSScriptRoot/../../security/Test-DependencyPinning.ps1"
}

Describe 'Test-DependencyPinning.ps1' {
    Context 'SHA Detection' {
        It 'Should identify SHA-pinned actions' {
            # Action pinned to a commit SHA, with the human-readable version in a comment
            $workflow = @"
jobs:
  build:
    steps:
      - uses: actions/checkout@abc123def456 # v4.2.2
"@
            $result = Test-ActionPinning -Content $workflow
            $result.IsPinned | Should -BeTrue
        }

        It 'Should flag version-tagged actions' {
            # Mutable tag reference: the tag can be moved, so this is not pinned
            $workflow = @"
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
"@
            $result = Test-ActionPinning -Content $workflow
            $result.IsPinned | Should -BeFalse
        }
    }

    Context 'Comment Validation' {
        It 'Should require version comment with SHA' {
            # SHA without the trailing "# vX.Y.Z" comment that makes the pin reviewable
            $workflow = @"
      - uses: actions/checkout@abc123def456
"@
            $result = Test-ActionPinning -Content $workflow
            $result.HasVersionComment | Should -BeFalse
        }
    }
}

GitHub API Mocking

BeforeAll {
    # Load the script under test so Test-SHAStaleness is in scope for the tests.
    . "$PSScriptRoot/../../security/Test-SHAStaleness.ps1"
}

Describe 'Test-SHAStaleness.ps1' {
    BeforeAll {
        # Mock GitHub API responses so the tests never touch the network.
        # Only calls to api.github.com are intercepted; everything else runs as normal.
        Mock Invoke-RestMethod {
            return @{
                sha      = 'newsha123456'
                tag_name = 'v4.2.3'
            }
        } -ParameterFilter { $Uri -match 'api.github.com' }
    }

    Context 'Staleness Detection' {
        It 'Should detect outdated SHA' {
            # Pinned SHA differs from the SHA the mocked API reports for the latest tag
            $pinnedSha = 'oldsha789012'
            $result = Test-SHAStaleness -Action 'actions/checkout' -CurrentSha $pinnedSha
            $result.IsStale | Should -BeTrue
            $result.LatestSha | Should -Be 'newsha123456'
        }
    }
}

Acceptance Criteria

  • Test file exists for each of the 3 security scripts
  • SHA format validation tests
  • YAML workflow parsing tests
  • GitHub API interaction tests (mocked)
  • File modification tests for update script
  • Error handling for network failures
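The issue gives no pattern for the update script, so here is an added example (not code from this issue or the repository) covering the last two criteria: file modification and network-failure handling. It assumes the script exposes an Update-ActionSHAPinning function taking a -Path parameter and raising a terminating error when the GitHub API call fails; the workflow content is constructed for the test and written to Pester's per-test TestDrive.

```powershell
BeforeAll {
    # Assumed layout from this issue: tests in scripts/tests/security/, script in scripts/security/
    . "$PSScriptRoot/../../security/Update-ActionSHAPinning.ps1"
}

Describe 'Update-ActionSHAPinning.ps1' {
    BeforeEach {
        # Constructed sample workflow with a stale pin, written to an isolated TestDrive file
        $workflowPath = Join-Path $TestDrive 'ci.yml'
        @"
jobs:
  build:
    steps:
      - uses: actions/checkout@oldsha789012 # v4.2.2
"@ | Set-Content -Path $workflowPath -Encoding utf8
    }

    Context 'File modification' {
        BeforeAll {
            # Mocked GitHub API: the latest tag resolves to a newer commit SHA
            Mock Invoke-RestMethod {
                @{ sha = 'newsha123456'; tag_name = 'v4.2.3' }
            } -ParameterFilter { $Uri -match 'api.github.com' }
        }

        It 'Should rewrite the stale SHA and refresh the version comment' {
            Update-ActionSHAPinning -Path $workflowPath   # assumed function and parameter name
            $content = Get-Content -Path $workflowPath -Raw
            $content | Should -Match 'actions/checkout@newsha123456 # v4\.2\.3'
            $content | Should -Not -Match 'oldsha789012'
        }
    }

    Context 'Network failures' {
        BeforeAll {
            # Mocked API outage: the call throws instead of returning a SHA
            Mock Invoke-RestMethod { throw 'The remote name could not be resolved' } `
                -ParameterFilter { $Uri -match 'api.github.com' }
        }

        It 'Should surface the error and leave the workflow untouched' {
            $before = Get-Content -Path $workflowPath -Raw
            { Update-ActionSHAPinning -Path $workflowPath -ErrorAction Stop } | Should -Throw
            # A failed lookup must never half-rewrite the pin
            Get-Content -Path $workflowPath -Raw | Should -Be $before
        }
    }
}
```

The second context is the important one for a script that edits CI files: a failed API call must fail closed, leaving the existing pin in place rather than writing a partial or empty reference.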

Dependencies

Estimated Effort

2-3 hours


Additional Context

Target Scripts

  • scripts/security/Test-DependencyPinning.ps1
  • scripts/security/Test-SHAStaleness.ps1
  • scripts/security/Update-ActionSHAPinning.ps1

Supporting Files

  • scripts/security/tool-checksums.json - Checksum reference data

Related Issues
