
feat: added banner and update subscription check to make maintained actions free for public repos#226

Merged
anurag-stepsecurity merged 3 commits into
mainfrom
feat/update-subscription-check
May 14, 2026

Conversation

@anurag-stepsecurity
Contributor

Summary

  • Added StepSecurity Maintained Action banner to README.md
  • Updated subscription validation: public repositories are now free (no API check)
  • Upgraded Node.js runtime to node24 (if applicable)
  • Updated workflow files with configurable node_version input (if applicable)

Changes by type

  • TypeScript/JS actions: replaced validateSubscription() body, updated action.yml to node24, updated 3 workflow files, rebuilt dist/
  • Docker actions: replaced entrypoint.sh subscription block, ensured jq is installed in Dockerfile
  • Composite actions: added Subscription check step to action.yml

Verification

  • Subscription check skips for public repos
  • Subscription check fires for private repos
  • README banner is present at the top
  • Build passes (TS/JS actions)

Auto-generated by StepSecurity update-propagator. Task ID: 20260423T092801Z

@anurag-stepsecurity anurag-stepsecurity added the review-required This PR requires review label Apr 23, 2026
@anurag-stepsecurity anurag-stepsecurity force-pushed the feat/update-subscription-check branch from 417464d to b1743e5 May 13, 2026 08:02
…ctions free for public repos

Signed-off-by: Anurag Rajawat <anurag@stepsecurity.io>
@anurag-stepsecurity anurag-stepsecurity force-pushed the feat/update-subscription-check branch from b960619 to fc1b6f3 May 14, 2026 15:42
Signed-off-by: Anurag Rajawat <anurag@stepsecurity.io>
@anurag-stepsecurity anurag-stepsecurity force-pushed the feat/update-subscription-check branch from fc1b6f3 to 30f3ea2 May 14, 2026 15:44
@claude

claude Bot commented May 14, 2026

Claude finished @anurag-stepsecurity's task
Pull Request Review - COMPREHENSIVE FINDINGS

I've completed a thorough review of this PR based on StepSecurity action standards. Here are my findings:

✅ General Requirements - PASSED

  • License: Present with StepSecurity copyright and original author (madhead)
  • SECURITY.md: Present
  • FUNDING.yml files: Not present (correct)
  • Required workflows: Both auto_cherry_pick.yml and actions_release.yaml present
  • Prohibited files: renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE, CHANGELOG.md, .vscode - all correctly absent
  • README banner: StepSecurity maintained action banner present at top
  • README usage: Uses major version (@v4) not full semver (correct)

✅ Node-Based Action Requirements - PASSED

  • Action type: Node-based TypeScript action (uses node24 runtime)
  • Author field: Not present in action.yml or package.json (acceptable)
  • Repository field: Contains "step-security" in package.json
  • Dependencies: All dependencies in package.json are used in src/main.ts
  • Dist folder: Present and contains built code with subscription check

✅ Subscription Check Implementation - PASSED

  • Subscription URL: Correctly uses https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/maintained-actions-subscription
  • Upstream variable: Set to 'madhead/semver-utils' which matches the original-owner/repo-name from auto_cherry_pick.yml (madhead/semver-utils)
  • Public repo logic: Correctly skips subscription check for public repositories (if (repoPrivate === false) return)
  • Private repo enforcement: Properly enforces subscription for private repositories with 403 error handling

✅ Security Analysis - PASSED

  • Environment variables: Only uses standard GitHub environment variables safely
  • No dangerous functions: No eval, exec, or spawn calls found
  • Input validation: Proper error handling and validation throughout
  • Network requests: Uses axios with timeout, proper error handling

❌ Issues Found

Critical Issue - Action.yml Quote Inconsistency

  • Problem: Line 61 in action.yml has using: node24 but should be using: 'node24' (quotes removed)
  • Context: The review comment from @Raj-StepSecurity correctly identified this issue
  • Impact: This could cause action runtime issues as GitHub Actions expect quoted values for the using field
  • Location: action.yml:61

🔧 Recommendation

The PR implementation is excellent overall and follows all StepSecurity standards correctly. The only issue is the missing quotes around node24 in the action.yml file. This should be fixed by restoring the quotes: using: 'node24'.

All other aspects including:

  • Subscription validation logic
  • Security implementation
  • File structure
  • Dependency management
  • Build artifacts

are properly implemented according to StepSecurity maintained action standards.
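The subscription gate described in the PR body and in the review above (public repositories skip the API call, private ones must pass the maintained-actions-subscription endpoint, and a 403 means no subscription), as an added example that is not the repository's own code. It assumes the visibility flag is read from the event payload's `repository.private` field, an injected HTTP client stands in for axios, and an unreachable API fails open rather than breaking the build.

```typescript
// Added example (not the project's own source): models the subscription gate this PR
// describes. Assumed: visibility comes from the event payload's `repository.private`
// field, the HTTP client is injected, and an unreachable API (no status) fails open.

type Decision = "skipped" | "ok" | "denied" | "fail-open";
type HttpGet = (url: string, timeoutMs: number) => Promise<{ status: number }>;

// Values quoted on the page: the subscription endpoint and the upstream action name.
const SUBSCRIPTION_BASE = "https://agent.api.stepsecurity.io/v1/github";
const UPSTREAM = "madhead/semver-utils";

function subscriptionUrl(repository: string): string {
  return `${SUBSCRIPTION_BASE}/${repository}/actions/maintained-actions-subscription`;
}

// A missing or non-boolean `private` field yields undefined, so a malformed payload
// never bypasses the check: only an explicit `false` is treated as a public repo.
function repoIsPrivate(payload: unknown): boolean | undefined {
  const repo = (payload as { repository?: { private?: unknown } } | null)?.repository;
  const flag = repo?.private;
  return typeof flag === "boolean" ? flag : undefined;
}

// Pure decision: public repos are free (no API call); for private repos the API answers
// 403 when no maintained-actions subscription exists.
function subscriptionDecision(repoPrivate: boolean | undefined, status?: number): Decision {
  if (repoPrivate === false) return "skipped";
  if (status === undefined) return "fail-open";
  return status === 403 ? "denied" : "ok";
}

async function validateSubscription(repository: string, payload: unknown, get: HttpGet, timeoutMs = 3000): Promise<Decision> {
  const repoPrivate = repoIsPrivate(payload);
  if (repoPrivate === false) return "skipped"; // no network request for public repos
  let status: number | undefined;
  try {
    status = (await get(subscriptionUrl(repository), timeoutMs)).status;
  } catch {
    status = undefined; // timeout or unreachable API
  }
  const decision = subscriptionDecision(repoPrivate, status);
  if (decision === "denied") {
    throw new Error(`Subscription is not valid for ${repository} (upstream ${UPSTREAM})`);
  }
  return decision;
}
```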

@anurag-stepsecurity anurag-stepsecurity merged commit b9b4253 into main May 14, 2026
9 checks passed
@anurag-stepsecurity anurag-stepsecurity deleted the feat/update-subscription-check branch May 14, 2026 16:06