Update CODEOWNERS

Bumps the actions group in /.github/workflows with 1 update: [github/codeql-action](https://github.com/github/codeql-action).


Updates `github/codeql-action` from 3.29.2 to 3.29.3
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](181d5eefc2...d6bbdef45e)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 3.29.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/CODEOWNERS

@@ -1 +1 @@
-* @Azure/aks-atlanta
+* @Azure/cloud-native-github-action-owners

.github/workflows/codeql.yml

@@ -59,7 +59,7 @@ jobs:
 
          # Initializes the CodeQL tools for scanning.
          - name: Initialize CodeQL
-           uses: github/codeql-action/init@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
+           uses: github/codeql-action/init@d6bbdef45e766d081b84a2def353b0055f728d3e # v3.29.3
            with:
               languages: ${{ matrix.language }}
               build-mode: ${{ matrix.build-mode }}
@@ -86,6 +86,6 @@ jobs:
               echo '  make release'
               exit 1
          - name: Perform CodeQL Analysis
-           uses: github/codeql-action/analyze@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
+           uses: github/codeql-action/analyze@d6bbdef45e766d081b84a2def353b0055f728d3e # v3.29.3
            with:
               category: '/language:${{matrix.language}}'

.github/workflows/integration-tests.yml

@@ -27,6 +27,8 @@ jobs:
               if [[ $PR_BASE_REF != releases/* ]]; then
                 npm install
                 npm run build
+                # remove node_modules to match production environment where only index.js is present
+                rm -rf node_modules 
               fi
 
          - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0

.husky/pre-commit

@@ -0,0 +1,9 @@
+set +e
+npm test
+# Run format check
+npm run format-check || {
+  echo ""
+  echo "❌ Formatting check failed."
+  echo "💡 Run 'npm run format' or 'prettier --write .' to fix formatting issues."
+  exit 1
+}

package.json

@@ -8,7 +8,8 @@
       "test": "jest",
       "test-coverage": "jest --coverage",
       "format": "prettier --write .",
-      "format-check": "prettier --check ."
+      "format-check": "prettier --check .",
+      "prepare": "husky"
    },
    "keywords": [
       "actions",
@@ -24,10 +25,11 @@
    },
    "devDependencies": {
       "@types/jest": "^30.0.0",
-      "@types/node": "^24.0.2",
+      "@types/node": "^24.0.13",
       "@vercel/ncc": "^0.38.3",
-      "jest": "^30.0.0",
-      "prettier": "3.5.3",
+      "husky": "^9.1.7",
+      "jest": "^30.0.4",
+      "prettier": "3.6.2",
       "ts-jest": "^29.4.0",
       "typescript": "5.8.3"
    }

src/helpers.ts

@@ -1,6 +1,8 @@
 import * as os from 'os'
 import * as util from 'util'
-
+import * as fs from 'fs'
+import * as core from '@actions/core'
+import * as toolCache from '@actions/tool-cache'
 export function getKubectlArch(): string {
    const arch = os.arch()
    if (arch === 'x64') {
@@ -23,6 +25,29 @@ export function getkubectlDownloadURL(version: string, arch: string): string {
    }
 }
 
+export async function getLatestPatchVersion(
+   major: string,
+   minor: string
+): Promise<string> {
+   const version = `${major}.${minor}`
+   const sourceURL = `https://cdn.dl.k8s.io/release/stable-${version}.txt`
+   try {
+      const downloadPath = await toolCache.downloadTool(sourceURL)
+      const latestPatch = fs
+         .readFileSync(downloadPath, 'utf8')
+         .toString()
+         .trim()
+      if (!latestPatch) {
+         throw new Error(`No patch version found for ${version}`)
+      }
+      return latestPatch
+   } catch (error) {
+      core.debug(error)
+      core.warning('GetLatestPatchVersionFailed')
+      throw new Error(`Failed to get latest patch version for ${version}`)
+   }
+}
+
 export function getExecutableExtension(): string {
    if (os.type().match(/^Win/)) {
       return '.exe'

src/run.test.ts

@@ -2,7 +2,8 @@ import * as run from './run'
 import {
    getkubectlDownloadURL,
    getKubectlArch,
-   getExecutableExtension
+   getExecutableExtension,
+   getLatestPatchVersion
 } from './helpers'
 import * as os from 'os'
 import * as toolCache from '@actions/tool-cache'
@@ -12,6 +13,9 @@ import * as core from '@actions/core'
 import * as util from 'util'
 
 describe('Testing all functions in run file.', () => {
+   beforeEach(() => {
+      jest.clearAllMocks()
+   })
    test('getExecutableExtension() - return .exe when os is Windows', () => {
       jest.spyOn(os, 'type').mockReturnValue('Windows_NT')
       expect(getExecutableExtension()).toBe('.exe')
@@ -164,6 +168,59 @@ describe('Testing all functions in run file.', () => {
       )
       expect(toolCache.downloadTool).not.toHaveBeenCalled()
    })
+   test('getLatestPatchVersion() - download and return latest patch version', async () => {
+      jest.spyOn(toolCache, 'downloadTool').mockResolvedValue('pathToTool')
+      jest.spyOn(fs, 'readFileSync').mockReturnValue('v1.27.15')
+
+      const result = await getLatestPatchVersion('1', '27')
+
+      expect(result).toBe('v1.27.15')
+      expect(toolCache.downloadTool).toHaveBeenCalledWith(
+         'https://cdn.dl.k8s.io/release/stable-1.27.txt'
+      )
+   })
+
+   test('getLatestPatchVersion() - throw error when patch version is empty', async () => {
+      jest.spyOn(toolCache, 'downloadTool').mockResolvedValue('pathToTool')
+      jest.spyOn(fs, 'readFileSync').mockReturnValue('')
+
+      await expect(getLatestPatchVersion('1', '27')).rejects.toThrow(
+         'Failed to get latest patch version for 1.27'
+      )
+   })
+
+   test('getLatestPatchVersion() - throw error when download fails', async () => {
+      jest
+         .spyOn(toolCache, 'downloadTool')
+         .mockRejectedValue(new Error('Network error'))
+
+      await expect(getLatestPatchVersion('1', '27')).rejects.toThrow(
+         'Failed to get latest patch version for 1.27'
+      )
+   })
+   test('resolveKubectlVersion() - expands major.minor to latest patch', async () => {
+      jest.spyOn(toolCache, 'downloadTool').mockResolvedValue('pathToTool')
+      jest.spyOn(fs, 'readFileSync').mockReturnValue('v1.27.15')
+
+      const result = await run.resolveKubectlVersion('1.27')
+      expect(result).toBe('v1.27.15')
+   })
+
+   test('resolveKubectlVersion() - returns full version unchanged', async () => {
+      const result = await run.resolveKubectlVersion('v1.27.15')
+      expect(result).toBe('v1.27.15')
+   })
+   test('resolveKubectlVersion() - adds v prefix to full version', async () => {
+      const result = await run.resolveKubectlVersion('1.27.15')
+      expect(result).toBe('v1.27.15')
+   })
+   test('resolveKubectlVersion() - expands v-prefixed major.minor to latest patch', async () => {
+      jest.spyOn(toolCache, 'downloadTool').mockResolvedValue('pathToTool')
+      jest.spyOn(fs, 'readFileSync').mockReturnValue('v1.27.15')
+
+      const result = await run.resolveKubectlVersion('v1.27')
+      expect(result).toBe('v1.27.15')
+   })
    test('run() - download specified version and set output', async () => {
       jest.spyOn(core, 'getInput').mockReturnValue('v1.15.5')
       jest.spyOn(toolCache, 'find').mockReturnValue('pathToCachedTool')

src/run.ts

@@ -1,14 +1,13 @@
 import * as path from 'path'
 import * as util from 'util'
 import * as fs from 'fs'
-
 import * as toolCache from '@actions/tool-cache'
 import * as core from '@actions/core'
-
 import {
    getkubectlDownloadURL,
    getKubectlArch,
-   getExecutableExtension
+   getExecutableExtension,
+   getLatestPatchVersion
 } from './helpers'
 
 const kubectlToolName = 'kubectl'
@@ -20,6 +19,8 @@ export async function run() {
    let version = core.getInput('version', {required: true})
    if (version.toLocaleLowerCase() === 'latest') {
       version = await getStableKubectlVersion()
+   } else {
+      version = await resolveKubectlVersion(version)
    }
    const cachedPath = await downloadKubectl(version)
 
@@ -89,3 +90,28 @@ export async function downloadKubectl(version: string): Promise<string> {
    fs.chmodSync(kubectlPath, '775')
    return kubectlPath
 }
+
+export async function resolveKubectlVersion(version: string): Promise<string> {
+   const cleanedVersion = version.trim()
+   const versionMatch = cleanedVersion.match(
+      /^v?(?<major>\d+)\.(?<minor>\d+)(?:\.(?<patch>\d+))?$/
+   )
+
+   if (!versionMatch?.groups) {
+      throw new Error(
+         `Invalid version format: "${version}". Version must be in "major.minor" or "major.minor.patch" format (e.g., "1.27" or "v1.27.15").`
+      )
+   }
+
+   const {major, minor, patch} = versionMatch.groups
+
+   if (patch) {
+      // Full version was provided, just ensure it has a 'v' prefix
+      return cleanedVersion.startsWith('v')
+         ? cleanedVersion
+         : `v${cleanedVersion}`
+   }
+
+   // Patch version is missing, fetch the latest
+   return await getLatestPatchVersion(major, minor)
+}

tsconfig.json

@@ -1,7 +1,8 @@
 {
    "compilerOptions": {
-      "target": "ES6",
-      "module": "commonjs"
+      "target": "ES2020",
+      "module": "commonjs",
+      "lib": ["ES2020", "DOM"]
    },
    "exclude": ["node_modules", "test"]
 }