fix: kubectl download hardening from Copilot review#1342

Open
dholt wants to merge 1 commit into NVIDIA:master from dholt:fix/kubectl-copilot-feedback

Conversation


@dholt dholt commented Feb 20, 2026

Summary

Follow-up to PR #1339 addressing Copilot review feedback:

  • Set executable mode on fetched kubectl binary (fetch doesn't preserve permissions)
  • Add changed_when: false to kubectl version command for idempotent runs
  • Add SHA256 checksum verification for cross-platform kubectl download (supply-chain safety)
  • Respect proxy_env for get_url in proxy environments

Test plan

  • --tags local run is idempotent (no spurious "changed" on kubectl version)
  • Cross-platform download verifies checksum
  • Fetched kubectl has executable permissions
  • Works behind HTTP proxy (if applicable)

🤖 Generated with Claude Code

- Set executable mode on fetched kubectl binary (fetch doesn't preserve)
- Add changed_when: false to kubectl version command for idempotency
- Add SHA256 checksum verification for cross-platform kubectl download
- Respect proxy_env for get_url in proxy environments

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Douglas Holt <dholt@nvidia.com>
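The four changes listed in the summary map onto a handful of Ansible task options. The task list below is an added example, not the repository's own role code and not part of the PR diff; the variable names kubectl_version and kubectl_dest, the architecture map, and the dl.k8s.io URL layout are assumptions made here (proxy_env is the variable the PR refers to). It shows the cross-platform get_url download pinned to the published SHA256 digest, the explicit mode on the file, the proxy environment, the non-changing version check, and the fetch case where executable permissions have to be restored afterwards.

```yaml
# Added example (not the project's own tasks). Assumed variables:
#   kubectl_version  e.g. "v1.31.0"  (constructed value for illustration)
#   kubectl_dest     path the binary is written to
#   proxy_env        dict of http_proxy/https_proxy/no_proxy, as used on the PR page
- name: Map Ansible facts onto the OS/arch names used in kubectl release URLs
  ansible.builtin.set_fact:
    kubectl_os: "{{ ansible_system | lower }}"            # linux or darwin
    kubectl_arch: "{{ {'x86_64': 'amd64', 'aarch64': 'arm64', 'arm64': 'arm64'}[ansible_architecture] }}"

- name: Download kubectl and verify it against the published SHA256 digest
  ansible.builtin.get_url:
    url: "https://dl.k8s.io/release/{{ kubectl_version }}/bin/{{ kubectl_os }}/{{ kubectl_arch }}/kubectl"
    # get_url fetches the digest file, compares it with the downloaded binary and
    # fails the task on mismatch, so a tampered or truncated file never reaches dest.
    checksum: "sha256:https://dl.k8s.io/release/{{ kubectl_version }}/bin/{{ kubectl_os }}/{{ kubectl_arch }}/kubectl.sha256"
    dest: "{{ kubectl_dest }}"
    mode: "0755"          # permissions are not taken from the server; set them explicitly
  environment: "{{ proxy_env | default({}) }}"   # honour the proxy settings when defined

- name: Query the installed kubectl version
  ansible.builtin.command: "{{ kubectl_dest }} version --client"
  register: kubectl_version_out
  changed_when: false     # a read-only query must never report 'changed'

# Alternative path: copy an already-installed binary from a managed node.
- name: Fetch kubectl from the managed node to the Ansible controller
  ansible.builtin.fetch:
    src: /usr/local/bin/kubectl
    dest: "{{ kubectl_dest }}"
    flat: true

- name: Restore the executable bit, which fetch does not preserve
  ansible.builtin.file:
    path: "{{ kubectl_dest }}"
    mode: "0755"
  delegate_to: localhost
```

Two details worth checking on a real run: the checksum verification only protects the binary if the digest itself is served over TLS from the release host (as it is here), and `changed_when: false` belongs only on the query task, never on the download, so a replaced binary still shows up as a change.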

Copilot AI left a comment


Pull request overview

This PR addresses Copilot review feedback from PR #1339, adding security hardening and operational improvements to the kubectl binary download and installation process. The changes ensure proper file permissions, idempotent runs, checksum verification for supply-chain security, and proxy environment support.

Changes:

  • Set executable permissions on fetched kubectl binary (fetch module doesn't preserve permissions)
  • Mark kubectl version check as non-changing for idempotent playbook runs
  • Add SHA256 checksum verification for cross-platform kubectl downloads to prevent supply-chain attacks


@dholt dholt marked this pull request as ready for review February 20, 2026 17:46
