feat: added banner and update subscription check to make maintained actions free for public repos (#224)

Merged
Raj-StepSecurity merged 2 commits into main from feat/update-subscription-check on Apr 6, 2026

Conversation

@Raj-StepSecurity (Contributor)

Summary

  • Added StepSecurity Maintained Action banner to README.md
  • Updated subscription validation: public repositories are now free (no API check)
  • Upgraded Node.js runtime to node24 (if applicable)
  • Updated workflow files with configurable node_version input (if applicable)

Changes by type

  • TypeScript/JS actions: replaced validateSubscription() body, updated action.yml to node24, updated 3 workflow files, rebuilt dist/
  • Docker/Shell actions: replaced entrypoint.sh subscription block
  • Composite actions: added Subscription check step to action.yml

Verification

  • Subscription check skips for public repos
  • Subscription check fires for private repos
  • README banner is present at the top
  • Build passes (TS/JS actions)

Auto-generated by StepSecurity update-propagator. Task ID: 20260406T135414Z

@claude (claude Bot) commented Apr 6, 2026

Claude finished @Raj-StepSecurity's task


Comprehensive PR Review

Reviewing PR #224 against the comprehensive checklist for StepSecurity maintained actions.

Progress

  • Determine action type (node-based, docker-based, composite, or mixed)
  • Review repository file structure and compliance
  • Analyze changed files for implementation details
  • Verify subscription check implementation
  • Check README banner addition
  • Review for security vulnerabilities
  • Provide comprehensive feedback

Review Summary

Action Type: Node-based TypeScript action (uses node24 runtime in action.yml)

✅ Compliant Items

General Action Requirements:

  • ✅ License present (Apache-2.0) with original Docker, Inc. copyright
  • ✅ action.yml file present with step-security as author (field not present, so ignored)
  • ✅ SECURITY.md file present
  • ✅ No FUNDING.yml or funding.yml files
  • ✅ .github/workflows folder contains required files:
    • ✅ auto_cherry_pick.yml present
    • ✅ actions_release.yml present
  • ✅ No renovate.json file
  • ✅ No PULL_REQUEST.md file
  • ✅ No ISSUE_TEMPLATE folder
  • ✅ No CHANGELOG.md file
  • ✅ No .vscode folder
  • ✅ README.md banner correctly added at top
  • ✅ README examples use major version (@v4) not full semver

Node-based Action Requirements:

  • ✅ package.json author is "step-security"
  • ✅ package.json repository field contains "step-security"
  • ✅ dist/ folder present
  • ✅ package.json has "build" script and uses yarn (package manager configured correctly)

Subscription Check Implementation:

  • ✅ Subscription check URL correct: https://agent.api.stepsecurity.io/v1/github/${process.env.GITHUB_REPOSITORY}/actions/maintained-actions-subscription
  • ✅ Upstream variable matches auto_cherry_pick.yml: crazy-max/ghaction-setup-docker
  • ✅ Public repository logic correctly implemented (skips API call when repoPrivate === false)
  • ✅ Proper error handling for 403 responses and timeouts
  • ✅ Subscription check runs before main action logic

🔍 Security Analysis

No security vulnerabilities detected. The code follows security best practices:

  • Uses proper timeout (3000ms) for API calls
  • Handles errors gracefully without exposing sensitive information
  • Uses environment variables appropriately
  • No secrets or keys exposed in code
  • Input validation appears adequate
  • Uses trusted packages (@actions/core, @docker/actions-toolkit)

📋 Detailed Implementation Review

src/main.ts:15-54 - validateSubscription() function:

  • Correctly reads repository privacy from GitHub event data
  • Properly constructs upstream reference
  • Implements free public repository logic as intended
  • Uses appropriate error handling and messaging
  • Color-coded console output for better UX

README.md:1 - StepSecurity banner:

  • Correctly placed at top of README
  • Uses proper banner URL and links to documentation
  • Maintains existing structure and formatting

Action Runtime:

  • Successfully upgraded to node24 as indicated in action.yml:48

Package Dependencies:

  • All dependencies appear to be actively used
  • No unused dependencies detected
  • Versions are appropriate and secure

✅ Overall Assessment

APPROVED - This PR fully complies with all StepSecurity maintained action requirements. The implementation correctly:

  1. Adds the required StepSecurity banner to the README at the proper location
  2. Implements subscription validation that makes public repositories free while maintaining subscription checks for private repos
  3. Maintains all compliance requirements for file structure, licensing, and configuration
  4. Contains no security vulnerabilities and follows security best practices
  5. Properly configures the upstream reference matching the auto_cherry_pick.yml configuration

The changes are well-implemented, secure, and align perfectly with the StepSecurity maintained actions standards.
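
The subscription-check flow the review describes (read the repository's privacy from the event payload, skip the API call for public repos, otherwise query the endpoint with a 3000 ms timeout and treat 403 as "no subscription"), as an added example that is not the PR's or the project's code; the function names, the injected `fetchFn`, and the fail-open handling of unverifiable errors are assumptions.

```javascript
// Added example (not the PR's or project's code): the validateSubscription() flow the
// review describes. Names, the injected fetchFn and the fail-open choice for
// unverifiable errors are assumptions.

const SUBSCRIPTION_URL = (repo) =>
  `https://agent.api.stepsecurity.io/v1/github/${repo}/actions/maintained-actions-subscription`;

// Reads repository.private from the GitHub event payload. Only a strict `false`
// skips the check, so a missing field still triggers it (fail towards checking).
function decideSubscriptionCheck(eventPayload) {
  const repoPrivate = eventPayload?.repository?.private;
  return repoPrivate === false ? 'skip' : 'check';
}

// Maps the endpoint's HTTP status to an outcome: 403 means no active subscription.
function interpretStatus(status) {
  if (status === 403) return 'not-subscribed';
  if (status >= 200 && status < 300) return 'subscribed';
  return 'unverified';
}

// Runs the check with an injected fetch-like function (so it works offline in tests)
// and a 3000 ms timeout enforced with AbortController, as the review reports.
async function checkSubscription(eventPayload, repo, fetchFn, timeoutMs = 3000) {
  if (decideSubscriptionCheck(eventPayload) === 'skip') return 'public-free';
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const res = await fetchFn(SUBSCRIPTION_URL(repo), { signal: controller.signal });
    return interpretStatus(res.status);
  } catch {
    return 'unverified'; // timeout or network failure: assumed fail-open, logged by caller
  } finally {
    clearTimeout(timer);
  }
}

// Constructed sample event payloads, not real GitHub events.
const PUBLIC_EVENT = { repository: { private: false } };
const PRIVATE_EVENT = { repository: { private: true } };

// Stand-alone demo with a fake endpoint that always answers 403.
async function demo() {
  const fake403 = async () => ({ status: 403 });
  return {
    publicRepo: await checkSubscription(PUBLIC_EVENT, 'org/repo', fake403),
    privateRepo: await checkSubscription(PRIVATE_EVENT, 'org/repo', fake403),
  };
}
demo().then((r) => console.log(r)); // { publicRepo: 'public-free', privateRepo: 'not-subscribed' }
```

Whether an unverifiable result (timeout, 5xx) should fail open or closed is a policy decision; the review only states that errors are handled without exposing sensitive information.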



@Raj-StepSecurity Raj-StepSecurity merged commit 0231c38 into main Apr 6, 2026
74 of 76 checks passed