
feat: added banner and update subscription check to make maintained actions free for public repos#12

Merged

Raj-StepSecurity merged 2 commits into main from feat/update-subscription-check, Apr 9, 2026

Conversation

@Raj-StepSecurity
Contributor

Summary

  • Added StepSecurity Maintained Action banner to README.md
  • Updated subscription validation: public repositories are now free (no API check)
  • Updated entrypoint.sh and action.yml with new subscription check logic

Changes by type

  • Composite actions: added Subscription check step to action.yml
  • Shell script: replaced entrypoint.sh subscription block with new maintained-actions-subscription API

Verification

  • Subscription check skips for public repos
  • Subscription check fires for private repos
  • README banner is present at the top

Auto-generated by StepSecurity update-propagator. Task ID: 20260409T050436Z

@claude

claude Bot commented Apr 9, 2026

Claude finished @Raj-StepSecurity's task


PR Review Complete ✅

Todo List:

  • Analyze repository structure and action type
  • Review general requirements for all StepSecurity actions
  • Review composite action specific requirements
  • Analyze subscription check implementation
  • Review changed files for security vulnerabilities
  • Provide comprehensive feedback and recommendations

Review Summary

Action Type: ✅ Composite Action

PASSING Requirements

General Requirements:

  • License: MIT license present with both original author (Bo-Yi Wu) and StepSecurity copyright
  • action.yml: Author field correctly set to "step-security"
  • SECURITY.md: Present with StepSecurity contact
  • Required workflows: Both auto_cherry_pick.yml and actions_release.yml present
  • No forbidden files: FUNDING.yml, renovate.json, PULL_REQUEST.md, CHANGELOG.md, .vscode, ISSUE_TEMPLATE folder not present
  • Banner: StepSecurity maintained action banner correctly added to README.md:1
  • Version usage: Examples in README use major version (@v1) not full semver

Subscription Check:

Composite Action Specific:

  • Action pinning: Uses official GitHub actions without explicit pinning (acceptable for official actions)

🚨 CRITICAL ISSUES

1. Duplicate Subscription Check Logic

Impact: High - Code duplication and potential inconsistency

  • Location: Both action.yml:92-134 and entrypoint.sh:5-43
  • Issue: Nearly identical subscription validation logic exists in both files
  • Risk: Logic could diverge, leading to inconsistent behavior
  • Recommendation: Remove duplicate logic. Keep subscription check in composite action step OR in entrypoint.sh, not both

2. Inconsistent Environment Variable Usage

Impact: Medium - Potential runtime failures

  • Location: action.yml:94 vs entrypoint.sh:5
  • Issue:
    • action.yml uses: REPO_PRIVATE: ${{ github.event.repository.private }}
    • entrypoint.sh uses: REPO_PRIVATE=$(jq -r '.repository.private | tostring' "$GITHUB_EVENT_PATH" ...)
  • Risk: Different data sources could yield different results
  • Recommendation: Standardize on one approach

⚠️ SECURITY CONSIDERATIONS

1. Error Handling in jq Command

Location: entrypoint.sh:5
Issue: jq -r '.repository.private | tostring' "$GITHUB_EVENT_PATH" 2>/dev/null || echo ""
Risk: Silently fails if GITHUB_EVENT_PATH is malformed, defaulting to empty string
Recommendation: Add explicit validation

2. curl Timeout Handling

Location: Both subscription check implementations
Issue: 3-second timeout may be too aggressive for network latency
Recommendation: Consider increasing to 5-10 seconds

📋 RECOMMENDATIONS

  1. Remove duplicate subscription logic - Keep in action.yml only since it runs first
  2. Standardize environment variable access - Use composite action approach consistently
  3. Add validation for critical environment variables
  4. Consider increasing curl timeout for better reliability

🔍 CODE QUALITY

The implementation is generally well-structured with:

  • Proper error handling and exit codes
  • Clear logging with color coding
  • Graceful degradation when API is unavailable
  • Secure handling of sensitive data

Overall Assessment: The PR successfully implements the required StepSecurity maintained action features but has critical code duplication that should be addressed before merging.
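
The jq validation and curl timeout points raised in the review above, as an added example that is not the project's entrypoint.sh: a POSIX-sh subscription gate that accepts only true/false from the event payload, fails closed (treats the repository as private) when the flag is unreadable, and degrades gracefully when the API does not answer. The endpoint URL, the meaning of its status codes and the 5-second timeout are assumptions.

```shell
# Hardened subscription gate for an action's entrypoint.sh (added example, not the project's
# code). API URL, its status-code semantics, timeout value and exit codes are assumptions.
set -eu
SUBSCRIPTION_API="${SUBSCRIPTION_API:-https://api.example.invalid/maintained-actions-subscription}"
CURL_TIMEOUT="${CURL_TIMEOUT:-5}"   # seconds; the review suggested 5-10 s rather than 3 s

# Extract repository.private; errors propagate (no `|| echo ""` masking a broken payload).
read_repo_private() {
  [ -r "$1" ] || return 1
  jq -er '.repository.private | tostring' "$1"
}

# Explicit validation: accept only the two values GitHub emits.
validate_private_flag() {
  case "$1" in
    true|false) printf '%s\n' "$1" ;;
    *) return 1 ;;
  esac
}

# Returns 0 when the paid check must run. An invalid or missing flag fails closed
# (treated as private) so a malformed event payload cannot silently waive the check.
needs_subscription_check() {
  flag=$(validate_private_flag "${1:-}") || {
    echo "::warning::repository.private missing or invalid; treating repository as private" >&2
    return 0
  }
  [ "$flag" = "true" ]
}

# Map the API's HTTP status to a decision (0 = proceed, 1 = block). Assumed semantics:
# 200 = subscribed, 4xx = no subscription, 5xx or 000 (timeout) = degrade gracefully.
evaluate_api_status() {
  case "$1" in
    200) return 0 ;;
    4[0-9][0-9]) echo "::error::no active subscription for this repository" >&2; return 1 ;;
    *) echo "::warning::subscription API unavailable (status $1); continuing" >&2; return 0 ;;
  esac
}
# Usage: subscription_gate "$GITHUB_EVENT_PATH" "$GITHUB_REPOSITORY"
subscription_gate() {
  private=$(read_repo_private "$1") || private=""
  if ! needs_subscription_check "$private"; then
    echo "Public repository: subscription check skipped"; return 0
  fi
  status=$(curl -sS -o /dev/null -w '%{http_code}' --max-time "$CURL_TIMEOUT" \
    "$SUBSCRIPTION_API?repo=$2") || status="000"
  evaluate_api_status "$status"
}
```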


@claude

claude Bot commented Apr 9, 2026

Claude finished @Raj-StepSecurity's task


Claude finished reviewing this PR

Todo List:

  • Analyze repository structure and action type
  • Review general requirements for all StepSecurity actions
  • Review composite action specific requirements
  • Analyze subscription check implementation
  • Review changed files for security vulnerabilities
  • Provide comprehensive feedback and recommendations

Review Summary

Action Type: ✅ Composite Action

PASSING Requirements

General Requirements:

  • License: MIT license present with both original author (Bo-Yi Wu) and StepSecurity copyright
  • action.yml: Author field correctly set to "step-security"
  • SECURITY.md: Present with StepSecurity contact
  • Required workflows: Both auto_cherry_pick.yml and actions_release.yml present
  • No forbidden files: FUNDING.yml, renovate.json, PULL_REQUEST.md, CHANGELOG.md, .vscode, ISSUE_TEMPLATE folder not present
  • Banner: StepSecurity maintained action banner correctly added to README.md:1
  • Version usage: Examples in README use major version (@v1) not full semver

Subscription Check:

Composite Action Specific:

  • Action pinning: The composite action only uses built-in shell steps (no external actions used)

🔍 SECURITY ANALYSIS

✅ No Critical Security Issues Found

Positive Security Aspects:

  • Subscription check uses proper error handling and graceful degradation
  • Environment variables properly referenced using GitHub context
  • Binary downloads use secure HTTPS URLs from trusted source (github.com/appleboy/drone-scp)
  • File permissions correctly set for downloaded binary
  • No hardcoded secrets or sensitive information exposed
  • INPUT_CURL_INSECURE flag properly controlled and defaults to secure behavior

⚠️ Minor Security Considerations

  1. curl Timeout: 3-second timeout for subscription API call may be aggressive for some network conditions but acceptable for this use case
  2. Binary Download: Downloads external binary from appleboy/drone-scp (expected behavior for this SCP wrapper action)
  3. Shell Parameter Expansion: Uses "$@" parameter expansion correctly to pass arguments safely

📋 RECOMMENDATIONS

  1. ✅ All Previous Issues Resolved: The duplicate subscription logic issue identified in the previous review has been successfully addressed
  2. Code Quality: Implementation follows security best practices with proper error handling
  3. Documentation: README examples correctly demonstrate major version usage
  4. Structure: Repository structure meets all StepSecurity maintained action requirements

🎯 FINAL ASSESSMENT

Status: ✅ APPROVED - All requirements met

This PR successfully implements the StepSecurity maintained action requirements. The most critical issue from the previous review (duplicate subscription logic) has been resolved. The implementation is secure, well-structured, and follows all specified guidelines for StepSecurity maintained actions.

Key Improvements Made:

  • ✅ Added StepSecurity banner to README
  • ✅ Implemented proper subscription check with public repo exemption
  • ✅ Removed duplicate subscription logic from entrypoint.sh
  • ✅ Maintained secure coding practices throughout

The action is ready for deployment and use.


@Raj-StepSecurity Raj-StepSecurity merged commit c8df1e3 into main Apr 9, 2026
6 checks passed