feat: added banner and update subscription check to make maintained actions free for public repos

[anurag-stepsecurity]

Summary

• Added StepSecurity Maintained Action banner to README.md
• Updated subscription validation: public repositories are now free (no API check)
• Upgraded Node.js runtime to node24
• Updated workflow files with configurable node_version input
• Rebuilt dist/index.js

Changes by type

• JS action: replaced validateSubscription() body, updated action.yml to node24, updated 3 workflow files, rebuilt dist/

Verification

• Subscription check skips for public repos
• Subscription check fires for private repos
• README banner is present at the top
• Build passes

Auto-generated by StepSecurity update-propagator. Task ID: 20260423T092801Z

[claude]

Claude finished @anurag-stepsecurity's task —— View job

---

Comprehensive PR Review

Review Progress

• Determine action type (Node.js/Docker/Composite)
• Review general requirements (License, SECURITY.md, author fields, etc.)
• Check README.md banner implementation
• Verify subscription check implementation
• Review Node.js specific requirements
• Examine workflow files
• Check for security vulnerabilities
• Verify semver usage in documentation
• Check for forbidden files/folders

---

🎯 Overall Assessment: APPROVED ✅

This PR successfully implements the required StepSecurity branding and subscription model changes with proper configuration.

✅ Compliant Requirements

General Requirements

• ✅ License: Present with StepSecurity copyright (/LICENSE:2)
• ✅ SECURITY.md: Present and properly configured (/SECURITY.md)
• ✅ Action.yml author: Correctly set to "step-security" (/action.yml:3)
• ✅ Required workflows: Both auto_cherry_pick.yml and actions_release.yml are present
• ✅ Forbidden files: No renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE/, CHANGELOG.md, .vscode/, or FUNDING.yml files found

README.md Banner

• ✅ Banner implementation: Correctly placed at the top of README (/README.md:1)
• ✅ Semver usage: Uses major version @v2 instead of full semver in examples (/README.md:18)

Subscription Check

• ✅ Implementation: Properly implemented in validateSubscription() function (/index.js:191-235)
• ✅ API URL: Correctly uses required endpoint (/index.js:219)
• ✅ Upstream value: Matches auto_cherry_pick.yml configuration (action-pack/increment)
• ✅ Public repo handling: Correctly skips subscription check for public repositories (/index.js:207-212)
• ✅ Branding: Displays StepSecurity branding with proper messaging (/index.js:205-210)

Node.js Action Requirements

• ✅ Package.json repository: Correctly points to step-security org (/package.json:6)
• ✅ Dependencies: All dependencies are utilized in the code
• ✅ Dist folder: Present with built index.js
• ✅ Build script: Present in package.json (/package.json:9)
• ✅ Node.js version: Upgraded to node24 (/action.yml:44)

Workflow Files

• ✅ Node version configuration: All three workflow files properly updated with configurable node_version input defaulting to "24"
• ✅ Auto cherry-pick: Properly configured with original-owner and repo-name (/.github/workflows/auto_cherry_pick.yml:28-29)

🔒 Security Assessment

• ✅ No security vulnerabilities found in the code changes
• ✅ Proper error handling in subscription validation
• ✅ No secrets exposure risk
• ✅ Timeout handling for API calls (3 second timeout)

🔧 Code Quality Notes

• Code follows existing patterns and conventions
• Proper error handling for API failures
• Clean separation of subscription logic
• Appropriate use of GitHub context variables

📝 Change Summary

The PR successfully:

1. Adds StepSecurity branding banner to README
2. Implements subscription validation with public repo exemption
3. Upgrades Node.js runtime to node24
4. Updates all workflow files with configurable node version
5. Rebuilds distribution files

Verification Status:

• Subscription check skips for public repos
• Subscription check fires for private repos
• README banner is present at the top
• Build configuration updated

---

[claude]

Claude finished @anurag-stepsecurity's task —— View job

---

🎯 Overall Assessment: APPROVED ✅

This PR successfully implements the required StepSecurity branding and subscription model changes with proper configuration.

✅ Compliant Requirements

General Requirements

• ✅ License: Present with StepSecurity copyright (/LICENSE:2)
• ✅ SECURITY.md: Present and properly configured (/SECURITY.md)
• ✅ Action.yml author: Correctly set to "step-security" (/action.yml:3)
• ✅ Required workflows: Both auto_cherry_pick.yml and actions_release.yml are present
• ✅ Forbidden files: No renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE/, CHANGELOG.md, .vscode/, or FUNDING.yml files found

README.md Banner

• ✅ Banner implementation: Correctly placed at the top of README (/README.md:1)
• ✅ Semver usage: Uses major version @v2 instead of full semver in examples (/README.md:18)

Subscription Check

• ✅ Implementation: Properly implemented in validateSubscription() function (/index.js:191-235)
• ✅ API URL: Correctly uses required endpoint (/index.js:219)
• ✅ Upstream value: Matches auto_cherry_pick.yml configuration (action-pack/increment)
• ✅ Public repo handling: Correctly skips subscription check for public repositories (/index.js:207-212)
• ✅ Branding: Displays StepSecurity branding with proper messaging (/index.js:205-210)

Node.js Action Requirements

• ✅ Package.json repository: Correctly points to step-security org (/package.json:6)
• ✅ Dependencies: All dependencies are utilized in the code
• ✅ Dist folder: Present with built index.js
• ✅ Build script: Present in package.json (/package.json:9)
• ✅ Node.js version: Upgraded to node24 (/action.yml:44)

Workflow Files

• ✅ Node version configuration: All three workflow files properly updated with configurable node_version input defaulting to "24"
• ✅ Auto cherry-pick: Properly configured with original-owner and repo-name (/.github/workflows/auto_cherry_pick.yml:28-29)

⚠️ Minor Issues Identified

Unused Dependency

• ⚠️ @actions/http-client: Listed in package.json:15 but not used in the code. Consider removing if not needed for the build process.

🔒 Security Assessment

• ✅ No security vulnerabilities found in the code changes
• ✅ Proper error handling in subscription validation
• ✅ No secrets exposure risk
• ✅ Timeout handling for API calls (3 second timeout)

🔧 Code Quality Notes

• Code follows existing patterns and conventions
• Proper error handling for API failures
• Clean separation of subscription logic
• Appropriate use of GitHub context variables

📝 Change Summary

The PR successfully:

1. Adds StepSecurity branding banner to README
2. Implements subscription validation with public repo exemption
3. Upgrades Node.js runtime to node24
4. Updates all workflow files with configurable node version
5. Rebuilds distribution files

Verification Status:

• Subscription check skips for public repos
• Subscription check fires for private repos
• README banner is present at the top
• Build configuration updated

---