
feat: added banner and update subscription check to make maintained actions free for public repos#39

Merged
amanstep merged 1 commit into main from feat/update-subscription-check on May 7, 2026

Conversation

@anurag-stepsecurity (Contributor)

Summary

  • Added StepSecurity Maintained Action banner to README.md
  • Updated subscription validation: public repositories are now free (no API check)
  • Upgraded Node.js runtime to node24
  • Updated workflow files with configurable node_version input
  • Rebuilt dist/index.js from the updated source

Changes by type

  • TypeScript/JS actions: replaced validateSubscription() body, updated action.yml to node24, updated 3 workflow files, rebuilt dist/

Verification

  • Subscription check skips for public repos
  • Subscription check fires for private repos
  • README banner is present at the top
  • Build passes (TS/JS actions)

Auto-generated by StepSecurity update-propagator. Task ID: 20260423T092801Z

anurag-stepsecurity added the review-required label (This PR requires review) on Apr 23, 2026

claude Bot commented Apr 23, 2026

Claude finished @anurag-stepsecurity's task.

Comprehensive PR Review ✅

I've completed a comprehensive review of this PR based on the specific requirements for StepSecurity maintained actions.

Review Checklist:

  • Determine action type
  • Check license compliance
  • Verify action.yml structure
  • Check security.md presence
  • Verify no funding files
  • Check required workflow files
  • Verify no prohibited files
  • Check README banner
  • Review subscription check implementation
  • Check Node-specific requirements
  • Security vulnerability scan

REVIEW RESULTS: PASS

This PR successfully implements all required StepSecurity maintained action standards:

Action Type: Node-based Action ✅

  • Uses node24 runtime as specified in action.yml:20
  • Contains required package.json and dist/ folder

License Compliance: ✅ PASS

  • GPL v3 LICENSE present with StepSecurity copyright (LICENSE:5)
  • Package.json author correctly set to "step-security" (package.json:24)
  • Package.json repository URL points to step-security org (package.json:16)

Action Configuration: ✅ PASS

  • action.yml has correct author: "step-security" (action.yml:3)
  • Uses node24 runtime (action.yml:20)
  • SECURITY.md file present

File Requirements: ✅ PASS

  • ✅ Required workflows present: auto_cherry_pick.yml, actions_release.yml
  • ✅ No prohibited files found: FUNDING.yml, renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE, CHANGELOG.md, .vscode
  • ✅ README banner correctly implemented at top (README.md:1)

Subscription Check Implementation: ✅ PASS

  • Correct API endpoint: https://agent.api.stepsecurity.io/v1/github/${GITHUB_REPOSITORY}/actions/maintained-actions-subscription (main.ts:35)
  • Upstream correctly matches auto_cherry_pick.yml: arduino/setup-protoc (main.ts:15 matches auto_cherry_pick.yml:25-26)
  • Public repositories get free access (main.ts:23-24,28)
  • Private repositories require subscription with proper error handling (main.ts:40-48)

Node-Specific Requirements: ✅ PASS

  • Package.json contains "build" script (package.json:11)
  • All dependencies are used:
    • @actions/core: Used in main.ts and installer.ts ✅
    • @actions/io: Used in tests ✅
    • @actions/tool-cache: Used in installer.ts ✅
    • axios: Used in main.ts for subscription API ✅
    • semver: Used in installer.ts ✅
    • typed-rest-client: Used in installer.ts ✅
  • Dist/ folder present with compiled code

README Usage Examples: ✅ PASS

  • All examples use major version only (@v3) not full semver tags
  • Follows recommended pinning practices

Security Analysis: ✅ PASS

  • No use of dangerous functions like eval, exec, Function constructor
  • Only safe use of process.env for GitHub Actions environment variables
  • No dynamic imports or requires
  • Proper error handling in subscription validation
  • Secure API timeout (3000ms) implemented

Summary

This PR successfully implements all requirements for StepSecurity maintained actions. The subscription check correctly provides free access to public repositories while requiring subscriptions for private ones. The Node.js upgrade to v24 and banner addition are properly implemented. All compliance checks pass.

Recommendation: ✅ APPROVE
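The subscription gate the review describes (public repositories skip the API call entirely; private ones are checked against the endpoint quoted above with a 3000 ms timeout), as an added TypeScript illustration that is not the project's main.ts: the HTTP call is injected so it runs offline, and the treatment of non-200 responses and transport errors (fail closed) and the way the private flag is obtained are my assumptions, not the project's behaviour.

```typescript
// Added illustration, not the project's code: the decision is split from
// the HTTP call so the gating logic can be exercised without network access.
const SUBSCRIPTION_TIMEOUT_MS = 3000; // timeout stated in the review

function subscriptionUrl(repository: string): string {
  // `repository` is the "owner/name" value normally read from GITHUB_REPOSITORY.
  return `https://agent.api.stepsecurity.io/v1/github/${repository}/actions/maintained-actions-subscription`;
}

type ApiOutcome =
  | { kind: "status"; code: number }
  | { kind: "error"; message: string };

interface Decision { allowed: boolean; reason: string; }

// Pure decision: a public repository never reaches the API; a private one
// needs an HTTP 200. Fail-closed handling of other outcomes is an assumption.
function decideAccess(isPrivate: boolean, outcome?: ApiOutcome): Decision {
  if (!isPrivate) {
    return { allowed: true, reason: "public repository: subscription check skipped" };
  }
  if (outcome === undefined) {
    return { allowed: false, reason: "private repository: no subscription result" };
  }
  if (outcome.kind === "status") {
    if (outcome.code === 200) return { allowed: true, reason: "subscription active" };
    return { allowed: false, reason: `subscription check failed (HTTP ${outcome.code})` };
  }
  // Timeout or transport error: deny rather than silently grant access.
  return { allowed: false, reason: `subscription API error: ${outcome.message}` };
}

// Glue: `request` stands in for the axios call and resolves to the HTTP status;
// `isPrivate` would come from the workflow event payload (assumed here).
async function validateSubscription(
  repository: string,
  isPrivate: boolean,
  request: (url: string, timeoutMs: number) => Promise<number>,
): Promise<Decision> {
  if (!isPrivate) return decideAccess(false);
  let outcome: ApiOutcome;
  try {
    const code = await request(subscriptionUrl(repository), SUBSCRIPTION_TIMEOUT_MS);
    outcome = { kind: "status", code };
  } catch (e) {
    outcome = { kind: "error", message: e instanceof Error ? e.message : String(e) };
  }
  return decideAccess(true, outcome);
}
```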

anurag-stepsecurity force-pushed the feat/update-subscription-check branch from 46f07b2 to 8671c0d on May 6, 2026 12:19

claude Bot commented May 6, 2026

Claude finished @anurag-stepsecurity's task.



anurag-stepsecurity force-pushed the feat/update-subscription-check branch from 8671c0d to b0ebf94 on May 6, 2026 12:20

claude Bot commented May 6, 2026

Claude finished @anurag-stepsecurity's task.

Comprehensive PR Review ✅

I've completed a comprehensive review of this PR based on the specific requirements for StepSecurity maintained actions.

Review Checklist:

  • Determine action type
  • Check license compliance
  • Verify action.yml structure
  • Check security.md presence
  • Verify no funding files
  • Check required workflow files
  • Verify no prohibited files
  • Check README banner
  • Review subscription check implementation
  • Check Node-specific requirements
  • Security vulnerability scan
  • Review README usage examples

REVIEW RESULTS: PASS

This PR successfully implements all required StepSecurity maintained action standards:

Action Type: Node-based Action ✅

  • Uses node24 runtime as specified in action.yml:20
  • Contains required package.json and dist/ folder

License Compliance: ✅ PASS

  • GPL v3 LICENSE present with StepSecurity copyright (LICENSE:5)
  • Package.json author correctly set to "step-security" (package.json:24)
  • Package.json repository URL points to step-security org (package.json:16)

Action Configuration: ✅ PASS

  • action.yml has correct author: "step-security" (action.yml:3)
  • Uses node24 runtime (action.yml:20)
  • SECURITY.md file present

File Requirements: ✅ PASS

  • ✅ Required workflows present: auto_cherry_pick.yml, actions_release.yml
  • ✅ No prohibited files found: FUNDING.yml, renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE, CHANGELOG.md, .vscode
  • ✅ README banner correctly implemented at top (README.md:1)

Subscription Check Implementation: ✅ PASS

  • Correct API endpoint: https://agent.api.stepsecurity.io/v1/github/${GITHUB_REPOSITORY}/actions/maintained-actions-subscription (main.ts:34)
  • Upstream correctly matches auto_cherry_pick.yml: arduino/setup-protoc (main.ts:15 matches auto_cherry_pick.yml:25-26)
  • Public repositories get free access (main.ts:23,27)
  • Private repositories require subscription with proper error handling (main.ts:39-44)

Node-Specific Requirements: ✅ PASS

  • Package.json contains "build" script (package.json:11)
  • All dependencies are used:
    • @actions/core: Used in main.ts and installer.ts ✅
    • @actions/io: Used in tests ✅
    • @actions/tool-cache: Used in installer.ts ✅
    • axios: Used in main.ts for subscription API ✅
    • semver: Used in installer.ts ✅
    • typed-rest-client: Used in installer.ts ✅
  • Dist/ folder present with compiled code

README Usage Examples: ✅ PASS

  • All examples use major version only (@v3) not full semver tags
  • Follows recommended pinning practices

Security Analysis: ✅ PASS

  • No use of dangerous functions like eval, exec, Function constructor
  • Only safe use of process.env for GitHub Actions environment variables
  • No dynamic imports or requires
  • Proper error handling in subscription validation
  • Secure API timeout (3000ms) implemented

Summary

This PR successfully implements all requirements for StepSecurity maintained actions. The subscription check correctly provides free access to public repositories while requiring subscriptions for private ones. The Node.js upgrade to v24 and banner addition are properly implemented. All compliance checks pass.

Recommendation: ✅ APPROVE


…ctions free for public repos

Signed-off-by: Anurag Rajawat <anurag@stepsecurity.io>
anurag-stepsecurity force-pushed the feat/update-subscription-check branch from b0ebf94 to 2da5d13 on May 6, 2026 12:49

claude Bot commented May 6, 2026

Claude finished @anurag-stepsecurity's task.



amanstep merged commit 77d7565 into main on May 7, 2026
52 checks passed