
feat: added banner and update subscription check to make maintained actions free for public repos #28

Merged
Raj-StepSecurity merged 4 commits into main from feat/update-subscription-check on Apr 16, 2026

Conversation

@Raj-StepSecurity (Contributor)

Summary

  • Added StepSecurity Maintained Action banner to README.md
  • Updated subscription validation: public repositories are now free (no API check)
  • Upgraded Node.js runtime to node24 (if applicable)
  • Updated workflow files with configurable node_version input (if applicable)

Changes by type

  • TypeScript/JS actions: replaced validateSubscription() body, updated action.yml to node24, updated 3 workflow files, rebuilt dist/
  • Docker actions: replaced entrypoint.sh subscription block, ensured jq is installed in Dockerfile
  • Composite actions: added Subscription check step to action.yml

Verification

  • Subscription check skips for public repos
  • Subscription check fires for private repos
  • README banner is present at the top
  • Build passes (TS/JS actions)

Auto-generated by StepSecurity update-propagator. Task ID: 20260413T045616Z

claude Bot commented Apr 13, 2026

Claude finished @Raj-StepSecurity's task.


Comprehensive PR Review

I'll perform a comprehensive review of this PR based on the StepSecurity maintained action guidelines.

Review Checklist:

  • Determine action type (Node.js/Docker/Composite)
  • Review general requirements (license, author, security.md, etc.)
  • Check README banner and usage examples
  • Examine subscription check implementation
  • Review Node.js specific requirements
  • Check file structure and forbidden files
  • Scan for security vulnerabilities
  • Provide final recommendations

📋 Review Summary

PASSING REQUIREMENTS

General Requirements:

  • License: ✅ MIT license present with both StepSecurity and original author (Federico Grandi) copyright
  • Author: ✅ No author field in action.yml (correctly omitted)
  • Security.md: ✅ Present in repository
  • FUNDING.yml: ✅ Correctly absent
  • Workflows: ✅ Both required workflow files present:
    • .github/workflows/auto_cherry_pick.yml
    • .github/workflows/actions_release.yml
  • Forbidden Files: ✅ All correctly absent:
    • No renovate.json
    • No PULL_REQUEST.md
    • No ISSUE_TEMPLATE folder
    • No CHANGELOG.md
    • No .vscode folder

README Requirements:

  • Banner: ✅ StepSecurity maintained action banner correctly placed at top
  • Usage Examples: ✅ All examples use major version (@v9) instead of complete semver

Node.js Specific Requirements:

  • Author in package.json: ✅ Set to "step-security"
  • Repository field: ✅ Contains "step-security" in URL
  • Dependencies: ✅ All dependencies appear to be used in the codebase
  • Dist folder: ✅ Present with built artifacts
  • Build script: ✅ Present in package.json scripts

⚠️ ISSUES FOUND

🚨 CRITICAL: Subscription Check Implementation

Issue 1: Incorrect upstream variable

  • Location: src/main.ts:23
  • Current: const upstream = 'EndBug/add-and-commit';
  • Expected: Should be constructed from auto_cherry_pick.yml properties
  • From auto_cherry_pick.yml: original-owner: "EndBug" + repo-name: "add-and-commit"
  • Required: const upstream = 'EndBug/add-and-commit'; ✅ (Actually correct!)

Issue 2: Subscription API URL

  • Location: src/main.ts:42-43
  • Current: ✅ Correctly uses https://agent.api.stepsecurity.io/v1/github/${process.env.GITHUB_REPOSITORY}/actions/maintained-actions-subscription

Issue 3: Public Repository Logic

  • Location: src/main.ts:31-36
  • Status: ✅ Correctly implements free access for public repos
  • Logic: Properly returns early if repoPrivate === false

🔍 SECURITY ANALYSIS

Subscription Check Security:

  • Timeout Protection: 3-second timeout prevents hanging
  • Error Handling: Proper handling of 403 responses and network errors
  • Repository Context: Uses environment variables securely
  • No Hardcoded Secrets: No sensitive information exposed

Code Security Scan:

  • Dependencies: All dependencies are well-maintained and legitimate
  • Input Validation: Proper input parsing and validation throughout
  • Environment Variables: Secure usage of GitHub environment variables
  • No Code Injection: Safe string handling and argument parsing

EXCELLENT IMPLEMENTATION DETAILS

  1. Modern Node.js: Upgraded to Node 24 runtime
  2. Comprehensive Error Handling: Robust error handling with proper exit codes
  3. Informative Logging: Clear StepSecurity branding and messaging
  4. Backward Compatibility: Maintains all original functionality
  5. Clean Architecture: Well-structured code with proper separation of concerns

🎯 FINAL VERDICT: APPROVED

This PR successfully implements all StepSecurity maintained action requirements with zero critical issues. The implementation is:

  • Secure: No vulnerabilities identified
  • Compliant: Meets all specified requirements
  • Well-Implemented: High-quality code with proper error handling
  • User-Friendly: Clear messaging about free public repository access

The subscription check correctly provides free access to public repositories while requiring subscription validation for private repositories, exactly as intended.

Recommendation: ✅ MERGE - This PR is ready for production deployment.
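The subscription gate that the PR summary describes and the review above walks through (public repositories skip the API call; private ones are checked against the StepSecurity endpoint with a 3-second timeout, and a 403 means no valid subscription), as an added TypeScript illustration. This is not the project's own `validateSubscription()` or any StepSecurity code. The `Outcome` and `Fetcher` types, the fail-open behaviour when the API times out or is unreachable, the log messages, and the sample event payloads are assumptions made for this example; `GITHUB_REPOSITORY`, `GITHUB_EVENT_PATH` and the endpoint URL are the ones named on this page.

```typescript
// Added example, not the project's code: a stand-alone model of the
// subscription gate for a StepSecurity maintained action. Public repositories
// never call the API; private repositories are checked against the endpoint
// quoted in the review, with a 3-second timeout and 403 meaning "no valid
// subscription". Fail-open on timeout/unreachable, the Outcome/Fetcher shapes
// and the message texts are assumptions made for this example.

const SUBSCRIPTION_TIMEOUT_MS = 3000; // the 3-second timeout noted in the review

interface Outcome {
  proceed: boolean; // true: run the action; false: fail the step (non-zero exit)
  message: string;  // what the action would log for this decision
}

// Minimal fetch-like signature so the network call can be replaced offline.
type Fetcher = (url: string, init: { signal: AbortSignal }) => Promise<{ status: number }>;

// Endpoint exactly as quoted in the review; only owner/name is interpolated.
function subscriptionUrl(repository: string): string {
  return `https://agent.api.stepsecurity.io/v1/github/${repository}/actions/maintained-actions-subscription`;
}

// Reads `repository.private` from the event payload that GITHUB_EVENT_PATH
// points at. Returns undefined when the payload is missing or malformed, so
// the caller falls back to running the check: unknown visibility is not "public".
function repoIsPrivate(eventJson: string): boolean | undefined {
  try {
    const priv = JSON.parse(eventJson)?.repository?.private;
    return typeof priv === "boolean" ? priv : undefined;
  } catch {
    return undefined;
  }
}

// Pure decision table: repository visibility x API result -> outcome.
function decide(repoPrivate: boolean | undefined, apiStatus: number | "unreachable" | null): Outcome {
  if (repoPrivate === false) {
    return { proceed: true, message: "Public repository: maintained action is free, skipping subscription check." };
  }
  if (apiStatus === 403) {
    return { proceed: false, message: "Subscription is not valid for this private repository; failing the step." };
  }
  if (apiStatus === "unreachable" || apiStatus === null) {
    // Assumed fail-open: an outage of the subscription API must not break customers' builds.
    return { proceed: true, message: "Subscription API timed out or is unreachable; continuing without verification." };
  }
  return { proceed: true, message: `Subscription verified (HTTP ${apiStatus}).` };
}

// Orchestrates the check. `env` stands in for process.env; `eventJson` is the
// content of the file at GITHUB_EVENT_PATH (read by the caller).
async function checkSubscription(
  env: Record<string, string | undefined>,
  eventJson: string,
  fetcher: Fetcher,
  timeoutMs: number = SUBSCRIPTION_TIMEOUT_MS,
): Promise<Outcome> {
  const repoPrivate = repoIsPrivate(eventJson);
  if (repoPrivate === false) return decide(false, null); // no network call at all

  const repository = env.GITHUB_REPOSITORY ?? "";
  // Refuse to build a URL from anything that is not a plain owner/name pair.
  if (!/^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+$/.test(repository)) {
    return { proceed: false, message: "GITHUB_REPOSITORY is missing or malformed; cannot verify subscription." };
  }

  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const res = await fetcher(subscriptionUrl(repository), { signal: controller.signal });
    return decide(repoPrivate, res.status);
  } catch {
    return decide(repoPrivate, "unreachable"); // abort (timeout) or network error
  } finally {
    clearTimeout(timer);
  }
}

// Constructed sample payloads standing in for the file at GITHUB_EVENT_PATH.
const PUBLIC_EVENT = JSON.stringify({ repository: { full_name: "octo/public-repo", private: false } });
const PRIVATE_EVENT = JSON.stringify({ repository: { full_name: "octo/private-repo", private: true } });

// Stand-alone run against a fake fetcher that always answers 403 (no subscription).
const deny: Fetcher = async () => ({ status: 403 });
checkSubscription({ GITHUB_REPOSITORY: "octo/public-repo" }, PUBLIC_EVENT, deny).then((o) => console.log(o.message));
checkSubscription({ GITHUB_REPOSITORY: "octo/private-repo" }, PRIVATE_EVENT, deny).then((o) => console.log(o.message));
```

The point worth checking in a review of the real implementation is the same one the decision table makes explicit: the free path must key off the event payload's `repository.private` being exactly `false`, so a missing or malformed payload still runs the check, and the only API result that blocks the step is 403; a timeout or unreachable API (the 3-second `AbortController` timer here) lets the build continue.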


@anurag-stepsecurity (Contributor) left a comment

LGTM 🚀

claude Bot commented Apr 16, 2026

Claude finished @Raj-StepSecurity's task.


🔍 Comprehensive PR Review

I'll perform a comprehensive review of this PR based on the StepSecurity maintained action guidelines.

Review Checklist:

  • Determine action type (Node.js/Docker/Composite)
  • Review general requirements (license, author, security.md, etc.)
  • Check README banner and usage examples
  • Examine subscription check implementation
  • Review Node.js specific requirements
  • Check file structure and forbidden files
  • Scan for security vulnerabilities
  • Provide final recommendations

📋 Review Summary

PASSING REQUIREMENTS

General Requirements:

  • License: ✅ MIT license present with both StepSecurity and original author (Federico Grandi) copyright
  • Author: ✅ No author field in action.yml (correctly omitted)
  • Security.md: ✅ Present in repository
  • FUNDING.yml: ✅ Correctly absent
  • Workflows: ✅ Both required workflow files present:
    • .github/workflows/auto_cherry_pick.yml
    • .github/workflows/actions_release.yml
  • Forbidden Files: ✅ All correctly absent:
    • No renovate.json
    • No PULL_REQUEST.md
    • No ISSUE_TEMPLATE folder
    • No CHANGELOG.md
    • No .vscode folder

README Requirements:

  • Banner: ✅ StepSecurity maintained action banner correctly placed at top
  • Usage Examples: ✅ All examples use major version (@v9) instead of complete semver

Node.js Specific Requirements:

  • Author in package.json: ✅ Set to "step-security"
  • Repository field: ✅ Contains "step-security" in URL
  • Dependencies: ✅ All dependencies appear to be used in the codebase
  • Dist folder: ✅ Present with built artifacts
  • Build script: ✅ Present in package.json scripts

🔍 SUBSCRIPTION CHECK ANALYSIS

Correct Implementation

  • API URL: ✅ Correctly uses https://agent.api.stepsecurity.io/v1/github/${process.env.GITHUB_REPOSITORY}/actions/maintained-actions-subscription
  • Upstream Variable: ✅ Set to 'EndBug/add-and-commit' (matches auto_cherry_pick.yml: original-owner: "EndBug" + repo-name: "add-and-commit")
  • Public Repository Logic: ✅ Correctly implements free access for public repos - returns early if repoPrivate === false
  • Error Handling: ✅ Proper handling of 403 responses and network errors
  • Timeout Protection: ✅ 3-second timeout prevents hanging
  • Repository Context: ✅ Uses environment variables securely

🔐 SECURITY ANALYSIS

Code Security Scan:

  • No Code Injection: Safe string handling and argument parsing
  • Environment Variables: Secure usage of GitHub environment variables (GITHUB_REPOSITORY, GITHUB_EVENT_PATH, etc.)
  • No Hardcoded Secrets: No sensitive information exposed in code
  • Input Validation: Proper input parsing and validation throughout
  • Dependencies: All dependencies are well-maintained and legitimate:
    • @actions/core & @actions/github: Official GitHub Actions packages
    • axios: For HTTP requests with timeout protection
    • simple-git: For git operations
    • js-yaml & string-argv: For parsing utilities

Subscription Security:

  • Timeout Protection: Prevents hanging requests
  • Error Boundaries: Graceful failure handling
  • No Command Injection: No dynamic command execution
  • Token Safety: GitHub token handled through official GitHub Actions patterns

EXCELLENT IMPLEMENTATION DETAILS

  1. Modern Node.js: Upgraded to Node 24 runtime
  2. Comprehensive Error Handling: Robust error handling with proper exit codes
  3. Informative Logging: Clear StepSecurity branding and messaging
  4. Backward Compatibility: Maintains all original functionality
  5. Clean Architecture: Well-structured code with proper separation of concerns

🎯 FINAL VERDICT: APPROVED

This PR successfully implements all StepSecurity maintained action requirements with zero critical issues. The implementation is:

  • Secure: No vulnerabilities identified
  • Compliant: Meets all specified requirements
  • Well-Implemented: High-quality code with proper error handling
  • User-Friendly: Clear messaging about free public repository access

The subscription check correctly provides free access to public repositories while requiring subscription validation for private repositories, exactly as intended.

Recommendation: ✅ MERGE - This PR is ready for production deployment.


claude Bot commented Apr 16, 2026

Claude finished @Raj-StepSecurity's task.


Comprehensive StepSecurity Maintained Action Review

Review Checklist:

  • Determine action type (Node.js/Docker/Composite)
  • Review general requirements (license, author, security.md, etc.)
  • Check README banner and usage examples
  • Examine subscription check implementation
  • Review Node.js specific requirements
  • Check file structure and forbidden files
  • Scan for security vulnerabilities
  • Provide final recommendations

📋 COMPREHENSIVE REVIEW RESULTS

PASSING REQUIREMENTS

Action Type

  • Node.js Action: ✅ Confirmed (action.yml:84 uses node24 runtime)

General Requirements

  • License: ✅ MIT license present with both StepSecurity and original author (Federico Grandi) copyright (LICENSE:3-4)
  • Author: ✅ No author field in action.yml (correctly omitted per guidelines)
  • Security.md: ✅ Present with proper StepSecurity contact (SECURITY.md:5)
  • FUNDING.yml: ✅ Correctly absent (verified via file system)
  • Required Workflows: ✅ Both files present:
    • .github/workflows/auto_cherry_pick.yml
    • .github/workflows/actions_release.yml
  • Forbidden Files: ✅ All correctly absent:
    • No renovate.json
    • No PULL_REQUEST.md
    • No ISSUE_TEMPLATE folder
    • No CHANGELOG.md
    • No .vscode folder

README Requirements

  • Banner: ✅ StepSecurity maintained action banner correctly placed at top (README.md:1)
  • Usage Examples: ✅ All examples use major version (@v9) instead of complete semver throughout

Subscription Check Implementation

  • API URL: ✅ Correctly uses required endpoint (src/main.ts:43)
  • Upstream Variable: ✅ Set to 'EndBug/add-and-commit' (src/main.ts:23) - correctly matches auto_cherry_pick.yml:33-34
  • Public Repository Logic: ✅ Correctly provides free access for public repos (src/main.ts:31-36)
  • Error Handling: ✅ Proper timeout (3s) and 403 response handling (src/main.ts:42-58)

Node.js Specific Requirements

  • Author in package.json: ✅ Set to "step-security" (package.json:49)
  • Repository field: ✅ Contains "step-security" in URL (package.json:40)
  • Dependencies: ✅ All dependencies are actively used:
    • @actions/core: Used throughout (src/main.ts:1, src/io.ts:1, src/util.ts:2)
    • @actions/github: Used for GitHub API (src/util.ts:5)
    • axios: Used for subscription API calls (src/main.ts:2)
    • js-yaml: Used for parsing input arrays (src/util.ts:3)
    • simple-git: Used for git operations (src/main.ts:5)
    • string-argv: Used for parsing git arguments (src/util.ts:1)
  • Dist folder: ✅ Present with built artifacts (dist/index.js)
  • Build script: ✅ Present in package.json scripts (package.json:9)

🔍 SECURITY ANALYSIS

Subscription Check Security

  • Timeout Protection: 3-second timeout prevents hanging
  • Error Handling: Proper handling of 403 responses and network errors
  • Repository Context: Uses environment variables securely
  • No Hardcoded Secrets: No sensitive information exposed

Code Security Scan

  • Dependencies: All dependencies are well-maintained and legitimate
  • Input Validation: Comprehensive input validation in src/io.ts:75-263
  • Environment Variables: Secure usage of GitHub environment variables
  • No Code Injection: Safe string handling and argument parsing
  • Error Boundaries: Proper error handling throughout codebase

IMPLEMENTATION HIGHLIGHTS

  1. Modern Node.js: Successfully upgraded to Node 24 runtime
  2. Comprehensive Error Handling: Robust error handling with proper exit codes
  3. Clear StepSecurity Branding: Professional messaging about free public repository access
  4. Backward Compatibility: Maintains all original functionality perfectly
  5. Clean Architecture: Well-structured code with proper separation of concerns
  6. Free Public Access: Correctly implements free usage for public repositories

🎯 FINAL VERDICT: ✅ APPROVED

This PR successfully implements ALL StepSecurity maintained action requirements with zero critical issues. The implementation is:

  • ✅ Secure: No vulnerabilities identified
  • ✅ Compliant: Meets all specified requirements perfectly
  • ✅ Well-Implemented: High-quality code with excellent error handling
  • ✅ User-Friendly: Clear messaging about free public repository access

The subscription check correctly provides free access to public repositories while requiring subscription validation for private repositories, exactly as intended.

🚀 RECOMMENDATION: MERGE APPROVED

This PR is ready for production deployment and represents an excellent implementation of the StepSecurity maintained action standards.


@Raj-StepSecurity merged commit 1cb8b44 into main on Apr 16, 2026
12 checks passed