Bump github/codeql-action in /.github/workflows in the actions group

Bumps the actions group in /.github/workflows with 1 update: [github/codeql-action](https://github.com/github/codeql-action).


Updates `github/codeql-action` from 4.31.0 to 4.31.2
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](4e94bd11f7...0499de31b9)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.31.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/CODEOWNERS

@@ -1 +1 @@
-* @Azure/aks-atlanta
+* @Azure/cloud-native-github-action-owners

.github/workflows/codeql.yml

@@ -0,0 +1,91 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: 'CodeQL Advanced'
+
+on:
+   push:
+      branches: ['main']
+   pull_request:
+      branches: ['main']
+   schedule:
+      - cron: '15 9 * * 0'
+
+jobs:
+   analyze:
+      name: Analyze (${{ matrix.language }})
+      # Runner size impacts CodeQL analysis time. To learn more, please see:
+      #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+      #   - https://gh.io/supported-runners-and-hardware-resources
+      #   - https://gh.io/using-larger-runners (GitHub.com only)
+      # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+      runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+      permissions:
+         # required for all workflows
+         security-events: write
+
+         # required to fetch internal or private CodeQL packs
+         packages: read
+
+         # only required for workflows in private repositories
+         actions: read
+         contents: read
+
+      strategy:
+         fail-fast: false
+         matrix:
+            include:
+               - language: javascript-typescript
+                 build-mode: none
+            # CodeQL supports the following values keywords for 'language': 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
+            # Use `c-cpp` to analyze code written in C, C++ or both
+            # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+            # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+            # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+            # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+            # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+            # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+      steps:
+         - name: Checkout repository
+           uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+         # Initializes the CodeQL tools for scanning.
+         - name: Initialize CodeQL
+           uses: github/codeql-action/init@0499de31b99561a6d14a36a5f662c2a54f91beee # v3.29.5
+           with:
+              languages: ${{ matrix.language }}
+              build-mode: ${{ matrix.build-mode }}
+              # If you wish to specify custom queries, you can do so here or in a config file.
+              # By default, queries listed here will override any specified in a config file.
+              # Prefix the list here with "+" to use these queries and those in the config file.
+
+              # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+              # queries: security-extended,security-and-quality
+
+         # If the analyze step fails for one of the languages you are analyzing with
+         # "We were unable to automatically build your code", modify the matrix above
+         # to set the build mode to "manual" for that language. Then modify this step
+         # to build your code.
+         # ℹ️ Command-line programs to run using the OS shell.
+         # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+         - if: matrix.build-mode == 'manual'
+           shell: bash
+           run: |
+              echo 'If you are using a "manual" build mode for one or more of the' \
+                'languages you are analyzing, replace this with the commands to build' \
+                'your code, for example:'
+              echo '  make bootstrap'
+              echo '  make release'
+              exit 1
+         - name: Perform CodeQL Analysis
+           uses: github/codeql-action/analyze@0499de31b99561a6d14a36a5f662c2a54f91beee # v3.29.5
+           with:
+              category: '/language:${{matrix.language}}'

.github/workflows/defaultLabels.yml

@@ -8,7 +8,7 @@ jobs:
    label-issues:
       runs-on: ubuntu-latest
       steps:
-         - uses: actions/stale@v3
+         - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0
            name: Setting issue as idle
            with:
               repo-token: ${{ secrets.GITHUB_TOKEN }}
@@ -19,7 +19,7 @@ jobs:
               operations-per-run: 100
               exempt-issue-labels: 'backlog'
 
-         - uses: actions/stale@v3
+         - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0
            name: Setting PR as idle
            with:
               repo-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/integration-tests.yml

@@ -17,7 +17,7 @@ jobs:
          KUBECONFIG: /home/runner/.kube/config
          PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
       steps:
-         - uses: actions/checkout@v2
+         - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
            name: Checkout from PR branch
 
          - id: action-npm-build
@@ -27,9 +27,11 @@ jobs:
               if [[ $PR_BASE_REF != releases/* ]]; then
                 npm install
                 npm run build
+                # remove node_modules to match production environment where only index.js is present
+                rm -rf node_modules 
               fi
 
-         - uses: actions/setup-python@v2
+         - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
            name: Install Python
            with:
               python-version: '3.x'
@@ -37,13 +39,18 @@ jobs:
          - name: Install requests library
            run: pip install requests
 
+         - name: Setup kubectl latest
+           uses: ./
+           with:
+              version: 'latest'
+
          - name: Validate kubectl setup
            run: python test/validate-kubectl.py latest
 
-         - name: Setup kubectl
+         - name: Setup kubectl old version
            uses: ./
            with:
               version: 'v1.15.1'
 
-         - name: Validate kubectl setup
+         - name: Validate kubectl setup old version
            run: python test/validate-kubectl.py 'v1.15.1'

.github/workflows/prettify-code.yml

@@ -10,9 +10,16 @@ jobs:
       runs-on: ubuntu-latest
       steps:
          - name: Checkout Repository
-           uses: actions/checkout@v2
+           uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
-         - name: Enforce Prettier
-           uses: actionsx/prettier@v2
+         - name: Setup Node.js
+           uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
            with:
-              args: --check .
+              node-version: 'lts/*'
+              cache: 'npm'
+
+         - name: Install Dependencies
+           run: npm ci
+
+         - name: Run Prettier Check
+           run: npx prettier --check .

.github/workflows/unit-tests.yml

@@ -13,7 +13,7 @@ jobs:
    build: # make sure build/ci works properly
       runs-on: ubuntu-latest
       steps:
-         - uses: actions/checkout@v1
+         - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
          - name: Build and run L0 tests.
            run: |

.husky/pre-commit

@@ -0,0 +1,9 @@
+set +e
+npm test
+# Run format check
+npm run format-check || {
+  echo ""
+  echo "❌ Formatting check failed."
+  echo "💡 Run 'npm run format' or 'prettier --write .' to fix formatting issues."
+  exit 1
+}

CHANGELOG.md

@@ -1,7 +1,12 @@
 # Changelog
 
-## [v4.0.0] - 2024-01-30
+## [4.0.1] - 2025-06-17
+
+- Remove erronious 'v' prefix on previous changelog for v4.0.0 that led to "vv4.0.0" tag issue
+- Dependabot fixes
+
+## [4.0.0] - 2024-01-30
 
 ### Changed
 
--  #90 Migrate to node 20 as node 16 is deprecated
+- #90 Migrate to node 20 as node 16 is deprecated

CODE_OF_CONDUCT.md

@@ -4,6 +4,6 @@ This project has adopted the [Microsoft Open Source Code of Conduct](https://ope
 
 Resources:
 
--  [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/)
--  [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
--  Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns
+- [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/)
+- [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
+- Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns

SECURITY.md

@@ -14,13 +14,13 @@ You should receive a response within 24 hours. If for some reason you do not, pl
 
 Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
 
--  Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
--  Full paths of source file(s) related to the manifestation of the issue
--  The location of the affected source code (tag/branch/commit or direct URL)
--  Any special configuration required to reproduce the issue
--  Step-by-step instructions to reproduce the issue
--  Proof-of-concept or exploit code (if possible)
--  Impact of the issue, including how an attacker might exploit the issue
+- Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
+- Full paths of source file(s) related to the manifestation of the issue
+- The location of the affected source code (tag/branch/commit or direct URL)
+- Any special configuration required to reproduce the issue
+- Step-by-step instructions to reproduce the issue
+- Proof-of-concept or exploit code (if possible)
+- Impact of the issue, including how an attacker might exploit the issue
 
 This information will help us triage your report more quickly.
 

action.yml

@@ -1,5 +1,5 @@
 name: 'Kubectl tool installer'
-description: 'Install a specific version of kubectl binary. Acceptable values are latest or any semantic version string like 1.15.0'
+description: 'Install a specific version of kubectl binary. Acceptable values are latest or any semantic version string like "v1.15.0"'
 inputs:
    version:
       description: 'Version of kubectl'

package.json

@@ -4,11 +4,12 @@
    "private": true,
    "main": "lib/index.js",
    "scripts": {
-      "build": "npm i ncc && npx ncc build src/run.ts -o lib",
+      "build": "npm i ncc && npx ncc build src/index.ts -o lib",
       "test": "jest",
       "test-coverage": "jest --coverage",
       "format": "prettier --write .",
-      "format-check": "prettier --check ."
+      "format-check": "prettier --check .",
+      "prepare": "husky"
    },
    "keywords": [
       "actions",
@@ -18,17 +19,18 @@
    "author": "GitHub",
    "license": "MIT",
    "dependencies": {
-      "@actions/core": "^1.10.0",
+      "@actions/core": "^1.11.1",
       "@actions/exec": "^1.0.0",
-      "@actions/tool-cache": "^1.0.0"
+      "@actions/tool-cache": "^2.0.2"
    },
    "devDependencies": {
-      "@types/jest": "^26.0.0",
-      "@types/node": "^12.0.4",
-      "@vercel/ncc": "^0.34.0",
-      "jest": "^26.0.1",
-      "prettier": "2.7.1",
-      "ts-jest": "^26.0.0",
-      "typescript": "3.9.2"
+      "@types/jest": "^30.0.0",
+      "@types/node": "^24.9.1",
+      "@vercel/ncc": "^0.38.4",
+      "husky": "^9.1.7",
+      "jest": "^30.2.0",
+      "prettier": "3.6.2",
+      "ts-jest": "^29.4.5",
+      "typescript": "5.9.3"
    }
 }

src/helpers.ts

@@ -1,6 +1,8 @@
 import * as os from 'os'
 import * as util from 'util'
-
+import * as fs from 'fs'
+import * as core from '@actions/core'
+import * as toolCache from '@actions/tool-cache'
 export function getKubectlArch(): string {
    const arch = os.arch()
    if (arch === 'x64') {
@@ -23,6 +25,29 @@ export function getkubectlDownloadURL(version: string, arch: string): string {
    }
 }
 
+export async function getLatestPatchVersion(
+   major: string,
+   minor: string
+): Promise<string> {
+   const version = `${major}.${minor}`
+   const sourceURL = `https://cdn.dl.k8s.io/release/stable-${version}.txt`
+   try {
+      const downloadPath = await toolCache.downloadTool(sourceURL)
+      const latestPatch = fs
+         .readFileSync(downloadPath, 'utf8')
+         .toString()
+         .trim()
+      if (!latestPatch) {
+         throw new Error(`No patch version found for ${version}`)
+      }
+      return latestPatch
+   } catch (error) {
+      core.debug(error)
+      core.warning('GetLatestPatchVersionFailed')
+      throw new Error(`Failed to get latest patch version for ${version}`)
+   }
+}
+
 export function getExecutableExtension(): string {
    if (os.type().match(/^Win/)) {
       return '.exe'

src/index.ts

@@ -0,0 +1,4 @@
+import {run} from './run'
+import * as core from '@actions/core'
+
+run().catch(core.setFailed)

src/run.test.ts

@@ -2,7 +2,8 @@ import * as run from './run'
 import {
    getkubectlDownloadURL,
    getKubectlArch,
-   getExecutableExtension
+   getExecutableExtension,
+   getLatestPatchVersion
 } from './helpers'
 import * as os from 'os'
 import * as toolCache from '@actions/tool-cache'
@@ -12,20 +13,19 @@ import * as core from '@actions/core'
 import * as util from 'util'
 
 describe('Testing all functions in run file.', () => {
+   beforeEach(() => {
+      jest.clearAllMocks()
+   })
    test('getExecutableExtension() - return .exe when os is Windows', () => {
       jest.spyOn(os, 'type').mockReturnValue('Windows_NT')
-
       expect(getExecutableExtension()).toBe('.exe')
-      expect(os.type).toBeCalled()
+      expect(os.type).toHaveBeenCalled()
    })
-
    test('getExecutableExtension() - return empty string for non-windows OS', () => {
       jest.spyOn(os, 'type').mockReturnValue('Darwin')
-
       expect(getExecutableExtension()).toBe('')
-      expect(os.type).toBeCalled()
+      expect(os.type).toHaveBeenCalled()
    })
-
    test.each([
       ['arm', 'arm'],
       ['arm64', 'arm64'],
@@ -33,13 +33,11 @@ describe('Testing all functions in run file.', () => {
    ])(
       'getKubectlArch() - return on %s os arch %s kubectl arch',
       (osArch, kubectlArch) => {
-         jest.spyOn(os, 'arch').mockReturnValue(osArch)
-
+         jest.spyOn(os, 'arch').mockReturnValue(osArch as NodeJS.Architecture)
          expect(getKubectlArch()).toBe(kubectlArch)
-         expect(os.arch).toBeCalled()
+         expect(os.arch).toHaveBeenCalled()
       }
    )
-
    test.each([['arm'], ['arm64'], ['amd64']])(
       'getkubectlDownloadURL() - return the URL to download %s kubectl for Linux',
       (arch) => {
@@ -48,12 +46,10 @@ describe('Testing all functions in run file.', () => {
             'https://dl.k8s.io/release/v1.15.0/bin/linux/%s/kubectl',
             arch
          )
-
          expect(getkubectlDownloadURL('v1.15.0', arch)).toBe(kubectlLinuxUrl)
-         expect(os.type).toBeCalled()
+         expect(os.type).toHaveBeenCalled()
       }
    )
-
    test.each([['arm'], ['arm64'], ['amd64']])(
       'getkubectlDownloadURL() - return the URL to download %s kubectl for Darwin',
       (arch) => {
@@ -62,57 +58,47 @@ describe('Testing all functions in run file.', () => {
             'https://dl.k8s.io/release/v1.15.0/bin/darwin/%s/kubectl',
             arch
          )
-
          expect(getkubectlDownloadURL('v1.15.0', arch)).toBe(kubectlDarwinUrl)
-         expect(os.type).toBeCalled()
+         expect(os.type).toHaveBeenCalled()
       }
    )
-
    test.each([['arm'], ['arm64'], ['amd64']])(
       'getkubectlDownloadURL() - return the URL to download %s kubectl for Windows',
       (arch) => {
          jest.spyOn(os, 'type').mockReturnValue('Windows_NT')
-
          const kubectlWindowsUrl = util.format(
             'https://dl.k8s.io/release/v1.15.0/bin/windows/%s/kubectl.exe',
             arch
          )
          expect(getkubectlDownloadURL('v1.15.0', arch)).toBe(kubectlWindowsUrl)
-         expect(os.type).toBeCalled()
+         expect(os.type).toHaveBeenCalled()
       }
    )
-
    test('getStableKubectlVersion() - download stable version file, read version and return it', async () => {
       jest
          .spyOn(toolCache, 'downloadTool')
          .mockReturnValue(Promise.resolve('pathToTool'))
       jest.spyOn(fs, 'readFileSync').mockReturnValue('v1.20.4')
-
       expect(await run.getStableKubectlVersion()).toBe('v1.20.4')
-      expect(toolCache.downloadTool).toBeCalled()
-      expect(fs.readFileSync).toBeCalledWith('pathToTool', 'utf8')
+      expect(toolCache.downloadTool).toHaveBeenCalled()
+      expect(fs.readFileSync).toHaveBeenCalledWith('pathToTool', 'utf8')
    })
-
    test('getStableKubectlVersion() - return default v1.15.0 if version read is empty', async () => {
       jest
          .spyOn(toolCache, 'downloadTool')
          .mockReturnValue(Promise.resolve('pathToTool'))
       jest.spyOn(fs, 'readFileSync').mockReturnValue('')
-
       expect(await run.getStableKubectlVersion()).toBe('v1.15.0')
-      expect(toolCache.downloadTool).toBeCalled()
-      expect(fs.readFileSync).toBeCalledWith('pathToTool', 'utf8')
+      expect(toolCache.downloadTool).toHaveBeenCalled()
+      expect(fs.readFileSync).toHaveBeenCalledWith('pathToTool', 'utf8')
    })
-
    test('getStableKubectlVersion() - return default v1.15.0 if unable to download file', async () => {
       jest
          .spyOn(toolCache, 'downloadTool')
          .mockRejectedValue('Unable to download.')
-
       expect(await run.getStableKubectlVersion()).toBe('v1.15.0')
-      expect(toolCache.downloadTool).toBeCalled()
+      expect(toolCache.downloadTool).toHaveBeenCalled()
    })
-
    test('downloadKubectl() - download kubectl, add it to toolCache and return path to it', async () => {
       jest.spyOn(toolCache, 'find').mockReturnValue('')
       jest
@@ -123,43 +109,37 @@ describe('Testing all functions in run file.', () => {
          .mockReturnValue(Promise.resolve('pathToCachedTool'))
       jest.spyOn(os, 'type').mockReturnValue('Windows_NT')
       jest.spyOn(fs, 'chmodSync').mockImplementation(() => {})
-
       expect(await run.downloadKubectl('v1.15.0')).toBe(
          path.join('pathToCachedTool', 'kubectl.exe')
       )
-      expect(toolCache.find).toBeCalledWith('kubectl', 'v1.15.0')
-      expect(toolCache.downloadTool).toBeCalled()
-      expect(toolCache.cacheFile).toBeCalled()
-      expect(os.type).toBeCalled()
-      expect(fs.chmodSync).toBeCalledWith(
+      expect(toolCache.find).toHaveBeenCalledWith('kubectl', 'v1.15.0')
+      expect(toolCache.downloadTool).toHaveBeenCalled()
+      expect(toolCache.cacheFile).toHaveBeenCalled()
+      expect(os.type).toHaveBeenCalled()
+      expect(fs.chmodSync).toHaveBeenCalledWith(
          path.join('pathToCachedTool', 'kubectl.exe'),
          '775'
       )
    })
-
    test('downloadKubectl() - throw DownloadKubectlFailed error when unable to download kubectl', async () => {
       jest.spyOn(toolCache, 'find').mockReturnValue('')
       jest
          .spyOn(toolCache, 'downloadTool')
          .mockRejectedValue('Unable to download kubectl.')
-
       await expect(run.downloadKubectl('v1.15.0')).rejects.toThrow(
          'DownloadKubectlFailed'
       )
-      expect(toolCache.find).toBeCalledWith('kubectl', 'v1.15.0')
-      expect(toolCache.downloadTool).toBeCalled()
+      expect(toolCache.find).toHaveBeenCalledWith('kubectl', 'v1.15.0')
+      expect(toolCache.downloadTool).toHaveBeenCalled()
    })
-
    test('downloadKubectl() - throw kubectl not found error when receive 404 response', async () => {
       const kubectlVersion = 'v1.15.0'
       const arch = 'arm128'
-
-      jest.spyOn(os, 'arch').mockReturnValue(arch)
+      jest.spyOn(os, 'arch').mockReturnValue(arch as any)
       jest.spyOn(toolCache, 'find').mockReturnValue('')
       jest.spyOn(toolCache, 'downloadTool').mockImplementation((_) => {
          throw new toolCache.HTTPError(404)
       })
-
       await expect(run.downloadKubectl(kubectlVersion)).rejects.toThrow(
          util.format(
             "Kubectl '%s' for '%s' arch not found.",
@@ -167,29 +147,80 @@ describe('Testing all functions in run file.', () => {
             arch
          )
       )
-      expect(os.arch).toBeCalled()
-      expect(toolCache.find).toBeCalledWith('kubectl', kubectlVersion)
-      expect(toolCache.downloadTool).toBeCalled()
+      expect(os.arch).toHaveBeenCalled()
+      expect(toolCache.find).toHaveBeenCalledWith('kubectl', kubectlVersion)
+      expect(toolCache.downloadTool).toHaveBeenCalled()
    })
-
    test('downloadKubectl() - return path to existing cache of kubectl', async () => {
+      jest.spyOn(core, 'getInput').mockImplementation(() => 'v1.15.5')
       jest.spyOn(toolCache, 'find').mockReturnValue('pathToCachedTool')
       jest.spyOn(os, 'type').mockReturnValue('Windows_NT')
       jest.spyOn(fs, 'chmodSync').mockImplementation(() => {})
       jest.spyOn(toolCache, 'downloadTool')
-
       expect(await run.downloadKubectl('v1.15.0')).toBe(
          path.join('pathToCachedTool', 'kubectl.exe')
       )
-      expect(toolCache.find).toBeCalledWith('kubectl', 'v1.15.0')
-      expect(os.type).toBeCalled()
-      expect(fs.chmodSync).toBeCalledWith(
+      expect(toolCache.find).toHaveBeenCalledWith('kubectl', 'v1.15.0')
+      expect(os.type).toHaveBeenCalled()
+      expect(fs.chmodSync).toHaveBeenCalledWith(
          path.join('pathToCachedTool', 'kubectl.exe'),
          '775'
       )
-      expect(toolCache.downloadTool).not.toBeCalled()
+      expect(toolCache.downloadTool).not.toHaveBeenCalled()
+   })
+   test('getLatestPatchVersion() - download and return latest patch version', async () => {
+      jest.spyOn(toolCache, 'downloadTool').mockResolvedValue('pathToTool')
+      jest.spyOn(fs, 'readFileSync').mockReturnValue('v1.27.15')
+
+      const result = await getLatestPatchVersion('1', '27')
+
+      expect(result).toBe('v1.27.15')
+      expect(toolCache.downloadTool).toHaveBeenCalledWith(
+         'https://cdn.dl.k8s.io/release/stable-1.27.txt'
+      )
    })
 
+   test('getLatestPatchVersion() - throw error when patch version is empty', async () => {
+      jest.spyOn(toolCache, 'downloadTool').mockResolvedValue('pathToTool')
+      jest.spyOn(fs, 'readFileSync').mockReturnValue('')
+
+      await expect(getLatestPatchVersion('1', '27')).rejects.toThrow(
+         'Failed to get latest patch version for 1.27'
+      )
+   })
+
+   test('getLatestPatchVersion() - throw error when download fails', async () => {
+      jest
+         .spyOn(toolCache, 'downloadTool')
+         .mockRejectedValue(new Error('Network error'))
+
+      await expect(getLatestPatchVersion('1', '27')).rejects.toThrow(
+         'Failed to get latest patch version for 1.27'
+      )
+   })
+   test('resolveKubectlVersion() - expands major.minor to latest patch', async () => {
+      jest.spyOn(toolCache, 'downloadTool').mockResolvedValue('pathToTool')
+      jest.spyOn(fs, 'readFileSync').mockReturnValue('v1.27.15')
+
+      const result = await run.resolveKubectlVersion('1.27')
+      expect(result).toBe('v1.27.15')
+   })
+
+   test('resolveKubectlVersion() - returns full version unchanged', async () => {
+      const result = await run.resolveKubectlVersion('v1.27.15')
+      expect(result).toBe('v1.27.15')
+   })
+   test('resolveKubectlVersion() - adds v prefix to full version', async () => {
+      const result = await run.resolveKubectlVersion('1.27.15')
+      expect(result).toBe('v1.27.15')
+   })
+   test('resolveKubectlVersion() - expands v-prefixed major.minor to latest patch', async () => {
+      jest.spyOn(toolCache, 'downloadTool').mockResolvedValue('pathToTool')
+      jest.spyOn(fs, 'readFileSync').mockReturnValue('v1.27.15')
+
+      const result = await run.resolveKubectlVersion('v1.27')
+      expect(result).toBe('v1.27.15')
+   })
    test('run() - download specified version and set output', async () => {
       jest.spyOn(core, 'getInput').mockReturnValue('v1.15.5')
       jest.spyOn(toolCache, 'find').mockReturnValue('pathToCachedTool')
@@ -198,16 +229,14 @@ describe('Testing all functions in run file.', () => {
       jest.spyOn(core, 'addPath').mockImplementation()
       jest.spyOn(console, 'log').mockImplementation()
       jest.spyOn(core, 'setOutput').mockImplementation()
-
       expect(await run.run()).toBeUndefined()
-      expect(core.getInput).toBeCalledWith('version', {required: true})
-      expect(core.addPath).toBeCalledWith('pathToCachedTool')
-      expect(core.setOutput).toBeCalledWith(
+      expect(core.getInput).toHaveBeenCalledWith('version', {required: true})
+      expect(core.addPath).toHaveBeenCalledWith('pathToCachedTool')
+      expect(core.setOutput).toHaveBeenCalledWith(
          'kubectl-path',
          path.join('pathToCachedTool', 'kubectl.exe')
       )
    })
-
    test('run() - get latest version, download it and set output', async () => {
       jest.spyOn(core, 'getInput').mockReturnValue('latest')
       jest
@@ -220,14 +249,13 @@ describe('Testing all functions in run file.', () => {
       jest.spyOn(core, 'addPath').mockImplementation()
       jest.spyOn(console, 'log').mockImplementation()
       jest.spyOn(core, 'setOutput').mockImplementation()
-
       expect(await run.run()).toBeUndefined()
-      expect(toolCache.downloadTool).toBeCalledWith(
-         'https://storage.googleapis.com/kubernetes-release/release/stable.txt'
+      expect(toolCache.downloadTool).toHaveBeenCalledWith(
+         'https://dl.k8s.io/release/stable.txt'
       )
-      expect(core.getInput).toBeCalledWith('version', {required: true})
-      expect(core.addPath).toBeCalledWith('pathToCachedTool')
-      expect(core.setOutput).toBeCalledWith(
+      expect(core.getInput).toHaveBeenCalledWith('version', {required: true})
+      expect(core.addPath).toHaveBeenCalledWith('pathToCachedTool')
+      expect(core.setOutput).toHaveBeenCalledWith(
          'kubectl-path',
          path.join('pathToCachedTool', 'kubectl.exe')
       )

src/run.ts

@@ -1,25 +1,25 @@
 import * as path from 'path'
 import * as util from 'util'
 import * as fs from 'fs'
-
 import * as toolCache from '@actions/tool-cache'
 import * as core from '@actions/core'
-
 import {
    getkubectlDownloadURL,
    getKubectlArch,
-   getExecutableExtension
+   getExecutableExtension,
+   getLatestPatchVersion
 } from './helpers'
 
 const kubectlToolName = 'kubectl'
 const stableKubectlVersion = 'v1.15.0'
-const stableVersionUrl =
-   'https://storage.googleapis.com/kubernetes-release/release/stable.txt'
+const stableVersionUrl = 'https://dl.k8s.io/release/stable.txt'
 
 export async function run() {
    let version = core.getInput('version', {required: true})
    if (version.toLocaleLowerCase() === 'latest') {
       version = await getStableKubectlVersion()
+   } else {
+      version = await resolveKubectlVersion(version)
    }
    const cachedPath = await downloadKubectl(version)
 
@@ -90,4 +90,27 @@ export async function downloadKubectl(version: string): Promise<string> {
    return kubectlPath
 }
 
-run().catch(core.setFailed)
+export async function resolveKubectlVersion(version: string): Promise<string> {
+   const cleanedVersion = version.trim()
+   const versionMatch = cleanedVersion.match(
+      /^v?(?<major>\d+)\.(?<minor>\d+)(?:\.(?<patch>\d+))?$/
+   )
+
+   if (!versionMatch?.groups) {
+      throw new Error(
+         `Invalid version format: "${version}". Version must be in "major.minor" or "major.minor.patch" format (e.g., "1.27" or "v1.27.15").`
+      )
+   }
+
+   const {major, minor, patch} = versionMatch.groups
+
+   if (patch) {
+      // Full version was provided, just ensure it has a 'v' prefix
+      return cleanedVersion.startsWith('v')
+         ? cleanedVersion
+         : `v${cleanedVersion}`
+   }
+
+   // Patch version is missing, fetch the latest
+   return await getLatestPatchVersion(major, minor)
+}

test/validate-kubectl.py

@@ -10,7 +10,7 @@ def get_latest_version():
     time_to_sleep = 2
     for _ in range(10):
         response = requests.get(
-            'https://storage.googleapis.com/kubernetes-release/release/stable.txt')
+            'https://dl.k8s.io/release/stable.txt')
         if response.status_code == 200:
             break
         print('Failed to obtain latest version info, retrying.')

tsconfig.json

@@ -1,7 +1,8 @@
 {
    "compilerOptions": {
-      "target": "ES6",
-      "module": "commonjs"
+      "target": "ES2020",
+      "module": "commonjs",
+      "lib": ["ES2020", "DOM"]
    },
    "exclude": ["node_modules", "test"]
 }