@esafak esafak commented Dec 20, 2025

Why

Users should not have to wait for someone to update this action, which unfortunately happens very rarely, to benefit from updates to the main utility. We refactor the GitHub Action to build the Docker image at runtime using a user-specified version of kubescape-cli.

What this does

  • Introduce a build argument KUBESCAPE_VERSION in the Dockerfile to dynamically set the base image version.
  • Convert the action to a composite action in action.yml.
  • Add a mandatory version input to action.yml to allow users to specify any kubescape-cli version or 'latest'.
  • Implement version resolution logic in action.yml to fetch the latest tag if version is set to 'latest', using the github.token for authentication.
  • Update the build step in action.yml to pass the resolved version as the --build-arg KUBESCAPE_VERSION to docker build.
  • Update the run step in action.yml to use the resolved version tag for the docker run command.
  • Rewrite update.sh to fetch the latest release tag and update the KUBESCAPE_VERSION argument in the Dockerfile using sed.

Testing

I successfully ran the refactored action on my fork: https://github.com/esafak/kubescape-gha/actions/runs/20386459620/job/58588241646

Notes

The kubescape-fix-pr-reviews workflow, which I did not touch, fails with the typo "Scannign scope is not specified. Scanning all frameworks".

Refactor the GitHub Action to build the Docker image at runtime using a user-specified version of `kubescape-cli`.

* Introduce a build argument `KUBESCAPE_VERSION` in the `Dockerfile` to dynamically set the base image version.
* Convert the action to a composite action in `action.yml`.
* Add a mandatory `version` input to `action.yml` to allow users to specify any `kubescape-cli` version or 'latest'.
* Implement version resolution logic in `action.yml` to fetch the latest tag if `version` is set to 'latest', using the `github.token` for authentication.
* Update the build step in `action.yml` to pass the resolved version as the `--build-arg KUBESCAPE_VERSION` to `docker build`.
* Update the run step in `action.yml` to use the resolved version tag for the `docker run` command.
* Rewrite `update.sh` to fetch the latest release tag and update the `KUBESCAPE_VERSION` argument in the `Dockerfile` using `sed`.

Signed-off-by: Emre Şafak <[email protected]>
@matthyx matthyx moved this to Needs Reviewer in KS PRs tracking Jan 6, 2026
@matthyx matthyx self-requested a review January 6, 2026 14:21
@matthyx matthyx left a comment

thanks @esafak

@matthyx matthyx merged commit f5dccf5 into kubescape:main Jan 11, 2026
6 of 7 checks passed
@matthyx matthyx moved this from Needs Reviewer to To Archive in KS PRs tracking Jan 11, 2026
esafak commented Jan 11, 2026

Thank you too. Can we get a new Action release soon?

matthyx commented Jan 12, 2026

@esafak I think your code broke the action when referred to as main:

2026-01-12T10:21:06.4576176Z ##[group]Run docker build -t kubescape-action: \
2026-01-12T10:21:06.4576587Z docker build -t kubescape-action: \
2026-01-12T10:21:06.4576936Z   --build-arg KUBESCAPE_VERSION= \
2026-01-12T10:21:06.4577344Z   /home/runner/work/_actions/kubescape/github-action/main
2026-01-12T10:21:06.4608037Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2026-01-12T10:21:06.4608424Z ##[endgroup]
2026-01-12T10:21:06.8531333Z ERROR: failed to build: invalid tag "kubescape-action:": invalid reference format
2026-01-12T10:21:06.8578644Z ##[error]Process completed with exit code 1.
2026-01-12T10:21:06.8723065Z ##[group]Run github/codeql-action/upload-sarif@v2
2026-01-12T10:21:06.8723454Z with:
2026-01-12T10:21:06.8723679Z   sarif_file: results.sarif
2026-01-12T10:21:06.8724014Z   checkout_path: /home/runner/work/helm-charts/helm-charts
2026-01-12T10:21:06.8724763Z   token: ***
2026-01-12T10:21:06.8725004Z   matrix: null
2026-01-12T10:21:06.8725233Z   wait-for-processing: true
2026-01-12T10:21:06.8725498Z ##[endgroup]

@esafak esafak deleted the feat/dynamic-kubescape-version-2273465593180639718 branch January 12, 2026 16:09
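
The log in the last comment shows `docker build` being run with an empty `KUBESCAPE_VERSION`, which yields the invalid tag `kubescape-action:`. As an added example (not code from this PR or from the action), here is one way a composite step could validate the resolved version before it reaches `docker build`. The function names and the `FAKE_LATEST_TAG` variable are hypothetical, and the "latest" lookup is replaced by a constructed value so the snippet runs offline.

```bash
#!/usr/bin/env bash
# Added example (not the action's code): refuse to build when the resolved
# kubescape-cli version is empty or not a valid Docker image tag.

# Docker tags: first char [A-Za-z0-9_], then [A-Za-z0-9_.-], 128 chars max.
is_valid_docker_tag() {
  case "${1-}" in
    ''|[!A-Za-z0-9_]*|*[!A-Za-z0-9_.-]*) return 1 ;;
  esac
  [ "${#1}" -le 128 ]
}

# Hypothetical stand-in for the "latest" lookup so the example runs offline.
# FAKE_LATEST_TAG is a constructed value; set it to "" to model a lookup
# that returned nothing.
fetch_latest_tag() {
  printf '%s\n' "${FAKE_LATEST_TAG-v0.0.0-example}"
}

# resolve_version <requested>: prints the tag to use, or fails with a reason.
resolve_version() {
  local requested resolved
  requested="${1-}"
  if [ -z "$requested" ]; then
    echo "error: 'version' input is empty" >&2
    return 2
  fi
  if [ "$requested" = "latest" ]; then
    resolved="$(fetch_latest_tag)" || return 3
  else
    resolved="$requested"
  fi
  if ! is_valid_docker_tag "$resolved"; then
    echo "error: resolved version '$resolved' is not a valid image tag" >&2
    return 4
  fi
  printf '%s\n' "$resolved"
}

# build_cmd <requested>: prints the docker build line only after validation.
build_cmd() {
  local v
  v="$(resolve_version "${1-}")" || return $?
  printf 'docker build -t kubescape-action:%s --build-arg KUBESCAPE_VERSION=%s .\n' "$v" "$v"
}

# Constructed failing case from the log above (empty version): no build line.
build_cmd "" || echo "refused to build (exit $?)"
```

The same allow-list check also rejects values containing spaces or shell metacharacters before they are interpolated into the `docker build` and `docker run` command lines.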