feat: add version-file input to read kubectl version from .tool-versions#261
feat: add version-file input to read kubectl version from .tool-versions#261acouvreur wants to merge 1 commit into
Conversation
Implements Azure#259 - Add `version-file` input to action.yml that accepts a path to a .tool-versions file (asdf/mise compatible format) - Add `parseToolVersionsFile()` helper that reads kubectl version from a .tool-versions file, skipping comments and blank lines - Update `run()` to check `version-file` before `version`; when provided, the resolved version goes through `resolveKubectlVersion()` supporting both full (1.27.15) and major.minor (1.27) forms - Add unit tests for `parseToolVersionsFile()` and the new run() path
There was a problem hiding this comment.
Pull request overview
Adds support for selecting the kubectl version from an asdf/mise-style .tool-versions file, with the new input taking precedence over the existing version input.
Changes:
- Adds optional
version-fileinput to action metadata. - Parses
.tool-versionsfiles for akubectlentry. - Updates
run()and unit tests for the new input path.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
action.yml |
Adds the version-file input and makes version optional with a default. |
src/helpers.ts |
Adds .tool-versions parsing logic. |
src/run.ts |
Reads version-file before falling back to version. |
src/run.test.ts |
Adds and updates tests for version resolution and file parsing. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
|
||
| if (versionFile) { | ||
| const rawVersion = parseToolVersionsFile(versionFile) | ||
| version = await resolveKubectlVersion(rawVersion) |
There was a problem hiding this comment.
Thank you so much for the contributions @acouvreur here are some thoughts, please: #261 (review)
Tatsinnit
left a comment
Tatsinnit
left a comment
There was a problem hiding this comment.
❤️ 💡 Thank you so much @acouvreur for this contribution, even though this is new feature addition. I really appreciate this contribution. ❤️
There are few takes which we should think as team (including OP) for brainstorm, therefore sharing the whole thought process here. and gently fyi to @davidgamero & @bosesuneha for their thoughts as maintainers as well - most of the observation is detailed below, revolves around the documentation update and some key observations.
Suggested key observations:
- Address Copilot's review: assert in tests that
toolCache.find/downloadToolis called with the resolved/normalizedv1.27.15when.tool-versionssayskubectl 1.27(and the bare1.27.15case). - Add a test for
kubectl latestinside.tool-versions: decide whether to support it (route throughgetStableKubectlVersion) or reject it explicitly. - Add a regex sanity check on the parsed version before handing it to the resolver.
- Document precedence (
version-fileoverridesversion) in the action.yml description and README. - Consider warning (
core.warning) when bothversion-fileand a non-defaultversionare provided.
Behavior changes vs. current
-
versioninput becomes optional (wasrequired: true, nowrequired: falsewithdefault: 'latest').- Existing workflows that omitted
versionpreviously errored at the action layer; now they silently resolve tolatest. Mild behavior drift, but Copilot review's main concern is not here. - Internally
run.tsstill callscore.getInput('version', {required: true}): so the required-ness moved from action metadata to runtime. If a user passesversion-file: ''and noversion, the runtimerequired: truestill throws. Slightly inconsistent UX (action.yml says optional, runtime says required when no file).
- Existing workflows that omitted
-
Precedence ordering:
version-filewins overversion. If a workflow sets both (e.g., matrix overrides), the explicitversionis silently ignored. Worth documenting more loudly — silent-ignore is a footgun. -
Resolution path divergence (Copilot reviewer flagged this):
- Old
versionpath:latest→getStableKubectlVersion(), else →resolveKubectlVersion()(handles1.27→ latest patch). - New
version-filepath: only callsresolveKubectlVersion(rawVersion). It does not handle a literallatesttoken inside.tool-versions(asdf/mise allowkubectl latest). It will try to downloadvlatestand fail. Tests don't cover this.
- Old
-
vprefix handling:.tool-versionsconvention is bare versions (1.27.15), butresolveKubectlVersionis what normalizes tov1.27.15. Need to confirm it handles both1.27.15andv1.27.15entries equally, currently relies on existing helper, it is OK but worth a test. -
First non-comment kubectl line wins — duplicate
kubectlentries silently ignored. Fine, but undocumented.
Security aspects
-
Path traversal / arbitrary file read (low risk, worth noting):
parseToolVersionsFiledoesfs.readFileSync(filePath, 'utf8')with no validation, no workspace-root containment. A malicious workflow author could already read any file the runner can read, so this isn't a new privilege: but it does turn an arbitrary file's first whitespace-split token afterkubectlinto a string that flows into a download URL. Threat model: workflow author is trusted, so acceptable, but should be acknowledged. -
Untrusted content → download URL injection: The parsed
versionstring is interpolated intogetkubectlDownloadURL. If a.tool-versionsfile is fetched from a PR (e.g.,pull_request_targetflow checking out PR code), an attacker-controlled value could become part of the URL. CurrentlyresolveKubectlVersionlikely validates against the k8s release tag list, which mitigates — but the new code path should be explicitly tested for malformed/malicious tokens like../,..%2F, shell metacharacters, very long strings, embedded newlines (split is/\s+/so newlines split, good). Recommend adding a strict regex validation^v?\d+\.\d+(\.\d+)?$before passing to resolver. -
No
fs.existsSynccheck / error messaging: A missing file throws an ENOENT: fine, but error doesn't tell users the file wasn't found vs. malformed. Minor. -
Symlink following:
readFileSyncfollows symlinks. A.tool-versionssymlinked to passwd would be parsed; parser would simply not findkubectland throw. Low impact. -
No size limit:
readFileSyncof an attacker-supplied huge file could OOM the runner. Negligible in practice for GitHub Actions, but amaxBytesor stream-based read would be defensive. -
Supply-chain neutral: No new network endpoints, no new dependencies, no new code execution surfaces. The download flow is unchanged.
Altogather: it seems low-risk, additive feature. No new attack surface of consequence, but the new code path skips the latest branch and lacks input validation/tests at the boundary; those are the concrete improvements either we can do before or as post PR action.
Closes #259
Summary
Adds a new
version-fileinput that reads thekubectlversion from a.tool-versionsfile (asdf/mise compatible format).Changes
action.yml– new optionalversion-fileinputsrc/helpers.ts–parseToolVersionsFile()parses a.tool-versionsfile and returns the kubectl version, skipping comments and blank linessrc/run.ts–run()checksversion-filefirst; if provided the raw version is resolved viaresolveKubectlVersion()(supports both1.27and1.27.15forms)src/run.test.ts– unit tests forparseToolVersionsFile()and the newrun()code pathUsage
Example
.tool-versions: