
feat: added banner and update subscription check to make maintained actions free for public repos#277

Open

Raj-StepSecurity wants to merge 2 commits into main from feat/update-subscription-check

Conversation

@Raj-StepSecurity
Contributor

Summary

  • Added StepSecurity Maintained Action banner to README.md
  • Updated subscription validation: public repositories are now free (no API check)
  • Upgraded Node.js runtime to node24 (if applicable)
  • Updated workflow files with configurable node_version input (if applicable)

Changes by type

  • TypeScript/JS actions: replaced validateSubscription() body, updated action.yml to node24, updated 3 workflow files, rebuilt dist/
  • Docker actions: replaced entrypoint.sh subscription block, ensured jq is installed in Dockerfile
  • Composite actions: added Subscription check step to action.yml

Verification

  • Subscription check skips for public repos
  • Subscription check fires for private repos
  • README banner is present at the top
  • Build passes (TS/JS actions)

Auto-generated by StepSecurity update-propagator. Task ID: 20260413T155504Z

@claude

claude bot commented Apr 13, 2026

Claude finished @Raj-StepSecurity's task


Comprehensive PR Review

Conducted a detailed review of PR #277 based on the StepSecurity maintained action criteria.

Review Checklist:

  • Determine action type (node/docker/composite/mixed)
  • Check general requirements (license, security.md, funding, etc.)
  • Verify README banner implementation
  • Review subscription validation implementation
  • Check node-specific requirements
  • Scan for security vulnerabilities
  • Analyze PR changes in detail
  • Provide comprehensive feedback

Findings - PASSED

Action Type:

Node.js-based action (uses node24 runtime, has package.json and dist/)

✅ General Requirements - ALL PASSED:

  • License: LGPL-3.0 present (⚠️ Note: Missing StepSecurity copyright alongside original)
  • SECURITY.md: Present and correct
  • FUNDING.yml/funding.yml: Not present (good)
  • .github/workflows: Contains required auto_cherry_pick.yml and actions_release.yml
  • renovate.json: Not present (good)
  • PULL_REQUEST.md: Not present (good)
  • ISSUE_TEMPLATE folder: Not present (good)
  • CHANGELOG.md: Not present (good)
  • .vscode folder: Not present (good)

✅ README Banner:

Correctly implemented at top of README.md with proper StepSecurity banner

✅ Subscription Validation:

  • API Endpoint: Correct URL https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/maintained-actions-subscription
  • Upstream Variable: Correctly set to Swatinem/rust-cache (matches auto_cherry_pick.yml: original-owner: "Swatinem", repo-name: "rust-cache")
  • Public Repository Logic: Properly skips subscription check for public repos (if (repoPrivate === false) return)
  • Error Handling: Appropriate 403 error handling and messaging

✅ Node-Specific Requirements:

  • package.json author: Field not present (acceptable)
  • repository field: Contains step-security reference
  • dist/ folder: Present with compiled JavaScript
  • build script: Present in package.json
  • Dependencies: All appear to be used (axios, @actions/* packages, etc.)

✅ Semver Usage:

README correctly uses major version @v2 instead of full semver

✅ Node.js Runtime Upgrade:

Updated from node20 to node24 in action.yml


🔍 Security Analysis - SECURE

✅ No Security Vulnerabilities Detected:

  1. File System Operations: Safe use of fs.existsSync and fs.readFileSync with environment variables
  2. API Calls: Proper timeout (3000ms) and error handling for axios requests
  3. Environment Variables: Appropriate use of GitHub-provided environment variables
  4. Input Validation: Repository privacy check through GitHub event data
  5. Process Exit: Controlled exit on subscription failure for private repos
  6. No Code Injection: No dynamic code execution or eval usage
  7. No Sensitive Data Exposure: No logging of sensitive information

✅ Security Best Practices Followed:

  • Timeout on external API calls
  • Graceful error handling with informative messages
  • Early return for public repositories (no unnecessary API calls)
  • Proper exit codes for subscription failures

Overall Assessment: APPROVED

This PR successfully implements the required StepSecurity maintained action features:

  1. ✅ Banner Added: Proper StepSecurity banner in README
  2. ✅ Subscription Logic: Correctly validates subscriptions with public repo exemption
  3. ✅ Node.js Upgrade: Updated to node24 runtime
  4. ✅ Security: No vulnerabilities identified
  5. ✅ Standards Compliance: Meets all StepSecurity maintained action criteria

Minor Note: The LICENSE file contains only the original LGPL license text and doesn't include StepSecurity copyright alongside the original author's copyright. This is a very minor issue and may be acceptable depending on StepSecurity's licensing policy.


@claude

claude bot commented Apr 14, 2026

Claude finished @Raj-StepSecurity's task
