fix(#139): resolve CI dependency installation issues #162

Merged: stiwicourage merged 2 commits into develop from bug/139-bug-fix-ci-dependency-installation-warning on May 5, 2026

@stiwicourage
Owner

Summary

  • Fix the local run.ps1 quality loop after the CI installer refactor introduced ScriptAnalyzer warnings in scripts/build/ci/Install-CiPowerShellModules.ps1.
  • Rename the internal install-options helper to satisfy PSUseSingularNouns and add SupportsShouldProcess around the PSGallery trust update to satisfy PSUseShouldProcessForStateChangingFunctions.
  • No linked issue. Follow-up work is not currently expected.

Affected area

  • nova CLI or command routing
  • Public PowerShell cmdlet behavior
  • Scaffolding or project.json handling
  • Build, test, analyzer, coverage, or CI helper flow
  • Package, raw upload, or package metadata workflow
  • Publish, release, or GitHub Actions automation
  • Self-update or notification preference behavior
  • Contributor documentation (README.md, CONTRIBUTING.md, repository workflow docs)
  • End-user docs (docs/*.html)
  • Command help (docs/NovaModuleTools/en-US/*.md)
  • src/resources/example/
  • Dependency or manifest changes (project.json, workflow dependencies, release tooling)
  • Security-sensitive change
  • Documentation-only change
  • Other

Review guidance

  • Start with scripts/build/ci/Install-CiPowerShellModules.ps1, especially Get-CiModuleInstallOption and Set-CiRepositoryTrust, because that is where the analyzer regression was introduced and fixed.
  • Then check run.ps1 together with scripts/build/Invoke-ScriptAnalyzerCI.ps1 to confirm why analyzer warnings stop the local quality loop.
  • Primary files to review: scripts/build/ci/Install-CiPowerShellModules.ps1 and CHANGELOG.md.
  • Trade-off: this intentionally keeps the fix narrow and analyzer-focused; the only behavior change is making the repository trust helper explicitly ShouldProcess-compliant.

Validation

  • Invoke-NovaBuild
  • Test-NovaBuild
  • ./scripts/build/Invoke-ScriptAnalyzerCI.ps1
  • ./scripts/build/ci/Invoke-NovaModuleToolsCI.ps1
  • Targeted Nova workflow validated (% nova build, % nova test, % nova merge, % nova deploy, % nova publish, % nova release, % nova update, % nova notification, or % nova init as relevant)
  • Docs/example only; executable validation not needed

Validation notes:

Reproduced the original run.ps1 failure before the fix.

Confirmed the analyzer step is clean:
pwsh -NoProfile -Command 'Set-Location "/Users/stiwi.courage/workspace/couragedk/NovaModuleTools"; & "./scripts/build/Invoke-ScriptAnalyzerCI.ps1" *> "./artifacts/scriptanalyzer-validation.log"; Get-Content -LiteralPath "./artifacts/scriptanalyzer.txt" -Raw'

Observed output:
PSScriptAnalyzer: no findings.

Confirmed the full local quality loop succeeds:
pwsh -NoProfile -Command 'Set-Location "/Users/stiwi.courage/workspace/couragedk/NovaModuleTools"; $ErrorActionPreference = "Stop"; try { & "./run.ps1" *> "./artifacts/run-ps1-validation.log"; "exit=0" } catch { "exit=1"; $_ | Out-String | Write-Output; exit 1 }'

Artifacts verified:
- ./artifacts/scriptanalyzer.txt
- ./artifacts/TestResults.xml
- ./artifacts/run-ps1-validation.log

The captured test log ended with zero failures.

Documentation and release follow-up

  • README.md reviewed and updated if contributor workflow, architecture, CI, release, or automation changed
  • CONTRIBUTING.md reviewed and updated if contribution expectations or review guidance changed
  • CHANGELOG.md reviewed and updated if the change matters to users, maintainers, or contributors
  • docs/NovaModuleTools/en-US/ help updated if a public command or CLI behavior changed
  • docs/*.html updated if end-user workflows or examples changed
  • src/resources/example/ reviewed and updated if the real-world project layout, package model, or upload workflow changed
  • No documentation, changelog, or example updates were needed

Maintainability, compatibility, and risk

  • Code Health / maintainability impact considered
  • No breaking change
  • Breaking change
  • Security-sensitive change
  • CI, workflow, or release-pipeline impact
  • Dependency-review impact

Risk, rollout, or rollback notes:

Low risk: this is a narrow fix in an internal CI/helper script and does not change public Nova commands.

Compatibility impact is limited to restoring the expected local run.ps1 quality loop behavior after analyzer-compliance warnings began failing the build.

Rollback is straightforward: revert the helper rename and the ShouldProcess wrapper in scripts/build/ci/Install-CiPowerShellModules.ps1, but that would reintroduce the analyzer warnings and break run.ps1 again.

Important

Do not use a public pull request to disclose a vulnerability before coordinated handling.
Use the private reporting path in SECURITY.md for new security issues.
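
The ShouldProcess pattern named in the summary, sketched as an added example that is not part of the pull request and not the project's code. The function name Set-CiRepositoryTrust comes from the PR text; its parameter, body and the idempotence check are assumptions.

```powershell
# Added illustration; not the contents of Install-CiPowerShellModules.ps1.
# The function name is taken from the PR text; parameters and body are assumed.
function Set-CiRepositoryTrust {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'Medium')]
    param(
        [Parameter()]
        [ValidateNotNullOrEmpty()]
        [string]$Name = 'PSGallery'
    )

    # Fail early if the repository is not registered on this machine.
    $repository = Get-PSRepository -Name $Name -ErrorAction Stop

    # Idempotent: skip the write when the repository is already trusted.
    if ($repository.InstallationPolicy -eq 'Trusted') {
        Write-Verbose "Repository '$Name' is already trusted."
        return
    }

    # Changing repository trust alters what Install-Module accepts without a
    # prompt, so the write is gated by ShouldProcess. This makes -WhatIf and
    # -Confirm work and satisfies PSUseShouldProcessForStateChangingFunctions.
    if ($PSCmdlet.ShouldProcess($Name, 'Set InstallationPolicy to Trusted')) {
        Set-PSRepository -Name $Name -InstallationPolicy Trusted
    }
}

# Preview the change without altering repository trust.
Set-CiRepositoryTrust -WhatIf

# Confirm the resulting policy after a real run.
Get-PSRepository -Name 'PSGallery' | Select-Object Name, InstallationPolicy
```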

- Explicitly install `Pester 5.7.1` instead of relying on transitive dependencies
- Update documentation to clarify `Pester` as a test-time dependency
- Ensure `Test-NovaBuild` fails with a clear error if `Pester` is not installed
@stiwicourage stiwicourage linked an issue May 5, 2026 that may be closed by this pull request
@github-actions
Contributor

github-actions Bot commented May 5, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@codescene-delta-analysis codescene-delta-analysis Bot left a comment

Gates Passed
6 Quality Gates Passed

See analysis details in CodeScene

Quality Gate Profile: Pay Down Tech Debt

@codescene-delta-analysis codescene-delta-analysis Bot left a comment

Code Coverage Gates Passed
Overall Coverage: 100.0% (required = 95%)
New & Changed Code Coverage: 100% (required = 100%)

Review details by gate
  • Overall Coverage

    • Pass/Fail Reason:
      The overall coverage gate was checked for all code and meets the goal: 100.0% covered >= threshold = 95%
    • Action:
      You have 273 files with a sum of 2722 covered and 1 uncovered lines of code.
  • New & Changed Code Coverage

    • Pass/Fail Reason:
      New or changed code meets coverage goal: 100% covered >= threshold = 100%
    • Action:
      You modified 1 files, and covered 3 added/modified lines of code.

@codecov

codecov Bot commented May 5, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

@stiwicourage stiwicourage merged commit 0ac16e6 into develop May 5, 2026
15 checks passed
@stiwicourage stiwicourage deleted the bug/139-bug-fix-ci-dependency-installation-warning branch May 12, 2026 05:47

Development

Successfully merging this pull request may close these issues.

[Bug]: Fix CI dependency installation warning