
feat: add downloadBaseURL and checksum inputs (closes #206) #264

Draft
benjaminbob21 wants to merge 1 commit into Azure:main from benjaminbob21:feat/custom-mirror

@benjaminbob21

Add downloadBaseURL and checksum inputs (closes #206)

Supports private kubectl mirrors (air-gapped / enterprise) with
optional SHA256 verification. Default base URL is unchanged.

Security: https-only, blocks loopback/link-local/RFC1918 hosts,
rejects redirects on custom mirrors, validates version
format before any URL/path use.


Copilot AI left a comment

Pull request overview

Adds opt-in support for downloading kubectl from a custom mirror (downloadBaseURL) and optional SHA256 integrity verification (checksum), addressing issue #206. Default behavior (download from https://dl.k8s.io without verification) is preserved. Custom-mirror downloads go through a hardened HTTP path (secureDownload) that validates the URL, blocks loopback/link-local/private hosts, and refuses redirects; user-supplied versions are validated before being interpolated into URLs.

Changes:

  • New downloadBaseURL and checksum inputs in action.yml, threaded through run(), getStableKubectlVersion, resolveKubectlVersion, getLatestPatchVersion, and getkubectlDownloadURL.
  • New helpers in src/helpers.ts (validateBaseURL, validateVersion, DEFAULT_KUBECTL_BASE_URL) and a secureDownload/verifyChecksum pair in src/run.ts for custom mirrors.
  • Extensive unit-test additions plus an integration-test case exercising valid and invalid checksums against the default mirror.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 7 comments.

| File | Description |
| --- | --- |
| action.yml | Declares the two new optional inputs with safe defaults. |
| src/helpers.ts | Adds URL/version validators and rewrites getkubectlDownloadURL/getLatestPatchVersion to honor the base URL. |
| src/run.ts | Wires inputs through run(), validates them, and adds secureDownload+verifyChecksum for the custom-mirror path. |
| src/run.test.ts | Adds coverage for URL composition, validation, checksum logic, and custom-mirror HTTP behavior. |
| .github/workflows/integration-tests.yml | Adds checksum success/failure integration steps against the default mirror. |

Comment thread src/run.ts Outdated
Comment thread src/run.ts Outdated
Comment thread src/run.ts Outdated
Comment thread src/run.ts Outdated
Comment thread src/run.ts Outdated
Comment thread src/helpers.ts
Comment thread action.yml
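
The checks described in this pull request (https-only mirror URL, loopback/link-local/RFC 1918 literals blocked, version validated before it reaches a URL, optional SHA256 match), as an added TypeScript example that is not the PR's own code. The function names, the version pattern and the fixed linux/amd64 path layout are assumptions, and redirect handling is left out.

```typescript
import { createHash } from 'node:crypto'
import { isIP } from 'node:net'

// Assumed version grammar (vMAJOR.MINOR.PATCH with optional pre-release tag).
const VERSION_RE = /^v\d+\.\d+\.\d+(-[0-9A-Za-z.]+)?$/

function checkVersion(version: string): string {
  if (!VERSION_RE.test(version)) throw new Error(`invalid version: ${version}`)
  return version
}

// Loopback, link-local and RFC 1918 ranges, tested on a dotted-quad literal.
function isInternalIPv4(host: string): boolean {
  const [a, b] = host.split('.').map(Number)
  return a === 127 || a === 10 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)
}

function checkMirrorURL(raw: string): URL {
  const url = new URL(raw) // throws on unparsable input
  if (url.protocol !== 'https:') throw new Error('mirror must use https')
  // The URL parser has already canonicalised numeric hosts, so forms such
  // as https://2130706433/ arrive here as 127.0.0.1.
  const host = url.hostname.replace(/^\[|\]$/g, '').toLowerCase()
  if (host === 'localhost' || host.endsWith('.localhost')) throw new Error('loopback host')
  const family = isIP(host)
  if (family === 4 && isInternalIPv4(host)) throw new Error(`internal host: ${host}`)
  // IPv6 loopback, link-local (fe80::/10) and any IPv4-mapped literal.
  if (family === 6 && (host === '::1' || /^fe[89ab]/.test(host) || host.startsWith('::ffff:'))) {
    throw new Error(`internal host: ${host}`)
  }
  return url
}

// Validate both inputs first, then build the path (linux/amd64 fixed here).
function mirrorDownloadURL(base: string, version: string): string {
  const url = checkMirrorURL(base)
  const v = checkVersion(version)
  const prefix = url.pathname.replace(/\/+$/, '')
  return `${url.origin}${prefix}/release/${v}/bin/linux/amd64/kubectl`
}

function sha256Matches(data: Uint8Array, expectedHex: string): boolean {
  const expected = expectedHex.trim().toLowerCase()
  if (!/^[0-9a-f]{64}$/.test(expected)) throw new Error('checksum must be 64 hex chars')
  return createHash('sha256').update(data).digest('hex') === expected
}
```

A literal-host check like this says nothing about a DNS name that resolves to an internal address; that has to be enforced on the resolved address at connect time.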

Copilot AI left a comment

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.

Comment thread src/run.ts Outdated
): Promise<string> {
validateVersion(version)

let cachedToolpath = toolCache.find(kubectlToolName, version)
Comment thread src/helpers.ts
Comment thread src/helpers.ts

Copilot AI left a comment

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.

Comments suppressed due to low confidence (1)

src/run.ts:83

  • getStableKubectlVersion reads the contents of stable.txt and returns it directly as the resolved version without running validateVersion on it. The value then flows into downloadKubectl -> getkubectlDownloadURL, which does validate, so a malformed value will eventually be rejected — but the rejection error message will be "Invalid kubectl version" rather than something pointing at the mirror that served bad data, which makes misconfigurations harder to diagnose. Consider calling validateVersion(version) here (after the empty check) so the failure is attributed to the stable.txt source rather than to the user's version input.
      (downloadPath) => {
         let version = fs.readFileSync(downloadPath, 'utf8').toString().trim()
         if (!version) {
            version = stableKubectlVersion
         }
         return version

Comment thread package.json
Comment thread src/helpers.ts
Comment thread src/helpers.ts
benjaminbob21 force-pushed the feat/custom-mirror branch 2 times, most recently from 4aa7490 to a9427e1 (May 29, 2026 21:46)
benjaminbob21 requested a review from Copilot (May 29, 2026 21:47)

Copilot AI left a comment

Pull request overview

Copilot reviewed 6 out of 7 changed files in this pull request and generated 2 comments.

Comment thread src/helpers.ts Outdated
Comment thread src/helpers.ts

Copilot AI left a comment

Pull request overview

Copilot reviewed 6 out of 7 changed files in this pull request and generated no new comments.

Development

Successfully merging this pull request may close these issues.

Feature Request: Add downloadBaseURL input

2 participants