
feat: added banner and update subscription check to make maintained actions free for public repos #47

Merged
Raj-StepSecurity merged 1 commit into main from feat/update-subscription-check
Apr 10, 2026

Conversation

@Raj-StepSecurity (Collaborator)

Summary

  • Added StepSecurity Maintained Action banner to README.md
  • Updated subscription validation: public repositories are now free (no API check)
  • Upgraded Node.js runtime to node24 (if applicable)
  • Updated workflow files with configurable node_version input (if applicable)

Changes by type

  • TypeScript/JS actions: replaced validateSubscription() body, updated action.yml to node24, updated 3 workflow files, rebuilt dist/
  • Docker/Shell actions: replaced entrypoint.sh subscription block
  • Composite actions: added Subscription check step to action.yml

Verification

  • Subscription check skips for public repos
  • Subscription check fires for private repos
  • README banner is present at the top
  • Build passes (TS/JS actions)

Auto-generated by StepSecurity update-propagator. Task ID: 20260326T064354Z

@claude (Bot) commented Mar 26, 2026

Claude finished @Raj-StepSecurity's task


Comprehensive PR Review Complete ✅

This pull request successfully implements StepSecurity maintained action standards with proper subscription validation for public repositories.

Review Checklist

  • Determine action type (node-based, docker-based, composite, or mixed)
  • Check general compliance requirements (license, security files, etc.)
  • Analyze node-specific requirements (package.json, dependencies, dist folder)
  • Review subscription check implementation and URL validation
  • Verify banner implementation in README
  • Check workflow configurations and cherry pick setup
  • Scan for security vulnerabilities
  • Provide comprehensive feedback summary

✅ Compliance Summary

Action Type: Node-based TypeScript action (confirmed by action.yml with using: 'node24', package.json, and dist/ folder)

General Requirements - All Passed ✅

  • License: Correct MIT license with both original and StepSecurity copyright
  • Security.md: Present and properly configured
  • action.yml: Present (author field not required per specs)
  • Prohibited files: None found (no FUNDING.yml, renovate.json, PULL_REQUEST.md, etc.)
  • Required workflows: Both auto_cherry_pick.yml and actions_release.yml present
  • README banner: Correct StepSecurity maintained action banner implemented
  • Usage examples: Properly use major version tags (@v2)

Node-Specific Requirements - All Passed ✅

  • package.json author: Correctly set to "step-security"
  • package.json repository: Correctly points to step-security organization
  • dist folder: Present with properly built JavaScript files
  • Build process: Package.json contains "build" script and uses npm

Subscription Check Implementation - All Passed ✅

  • Implementation present: Comprehensive implementation in src/index.ts:17-62
  • Correct API URL: Uses required https://agent.api.stepsecurity.io/v1/github/${GITHUB_REPOSITORY}/actions/maintained-actions-subscription
  • Public repo handling: Key feature - Correctly skips subscription check for public repositories (if (repoPrivate === false) return)
  • Upstream variable: Correctly matches upstream lasith-kg/dispatch-workflow with cherry-pick config
  • Error handling: Proper 403 status handling and timeout management
  • User experience: Clear messaging with colored output for public repo status

Security Analysis - No Issues Found ✅

  • Code review: No dangerous functions (eval, exec, shell commands) in user-facing code
  • Token handling: Tokens properly handled through GitHub Actions core, no logging of sensitive data
  • Dependencies: Standard GitHub Actions dependencies, no suspicious packages
  • Process exit: Only used appropriately in subscription validation failure case
  • API calls: Proper timeout and error handling for external API calls

Key Changes Successfully Implemented ✅

  1. Public repository exemption - Main feature working correctly
  2. StepSecurity banner - Properly added to README
  3. Node 24 runtime - Updated in action.yml
  4. Workflow configurations - Updated with configurable node_version input
  5. Subscription validation - Robust implementation with proper error handling

Recommendations

  • All requirements met - This PR fully complies with StepSecurity maintained action standards
  • Security posture - Good security practices throughout the codebase
  • User experience - Clear messaging and proper handling of public vs private repositories
  • Testing - Consider running the verification checklist from the PR description

Final Assessment: ✅ APPROVED

This pull request successfully transforms the action to meet all StepSecurity maintained action requirements while properly implementing the key feature of making maintained actions free for public repositories.


Raj-StepSecurity force-pushed the feat/update-subscription-check branch from 3ac5906 to fb8bab3 on April 9, 2026 07:53

@claude (Bot) commented Apr 9, 2026

Claude finished @Raj-StepSecurity's task


Comprehensive PR Review Complete ✅

This pull request successfully implements StepSecurity maintained action standards with proper subscription validation for public repositories.

Review Checklist

  • Determine action type (node-based, docker-based, composite, or mixed)
  • Check general compliance requirements (license, security files, etc.)
  • Analyze node-specific requirements (package.json, dependencies, dist folder)
  • Review subscription check implementation and URL validation
  • Verify banner implementation in README
  • Check workflow configurations and cherry pick setup
  • Scan for security vulnerabilities
  • Provide comprehensive feedback summary

✅ Compliance Summary

Action Type: Node-based TypeScript action (confirmed by action.yml with using: 'node24', package.json, and dist/ folder)

General Requirements - All Passed ✅

  • License: Correct MIT license with both original and StepSecurity copyright
  • Security.md: Present and properly configured
  • action.yml: Present (author field not required per specs)
  • Prohibited files: None found (no FUNDING.yml, renovate.json, PULL_REQUEST.md, etc.)
  • Required workflows: Both auto_cherry_pick.yml and actions_release.yml present
  • README banner: Correct StepSecurity maintained action banner implemented
  • Usage examples: Properly use major version tags (@v2)

Node-Specific Requirements - All Passed ✅

  • package.json author: Correctly set to "step-security"
  • package.json repository: Correctly points to step-security organization
  • dist folder: Present with properly built JavaScript files
  • Build process: Package.json contains "build" script and uses npm

Subscription Check Implementation - All Passed ✅

  • Implementation present: Comprehensive implementation in src/index.ts:17-62
  • Correct API URL: Uses required https://agent.api.stepsecurity.io/v1/github/${GITHUB_REPOSITORY}/actions/maintained-actions-subscription
  • Public repo handling: Key feature - Correctly skips subscription check for public repositories (if (repoPrivate === false) return)
  • Upstream variable: Correctly matches upstream lasith-kg/dispatch-workflow with cherry-pick config
  • Error handling: Proper 403 status handling and timeout management
  • User experience: Clear messaging with colored output for public repo status

Security Analysis - No Issues Found ✅

  • Code review: No dangerous functions (eval, exec, shell commands) in user-facing code
  • Token handling: Tokens properly handled through GitHub Actions core, no logging of sensitive data
  • Dependencies: Standard GitHub Actions dependencies, no suspicious packages
  • Process exit: Only used appropriately in subscription validation failure case
  • API calls: Proper timeout and error handling for external API calls

Key Changes Successfully Implemented ✅

  1. Public repository exemption - Main feature working correctly
  2. StepSecurity banner - Properly added to README
  3. Node 24 runtime - Updated in action.yml
  4. Workflow configurations - Updated with configurable node_version input
  5. Subscription validation - Robust implementation with proper error handling

Recommendations

  • All requirements met - This PR fully complies with StepSecurity maintained action standards
  • Security posture - Good security practices throughout the codebase
  • User experience - Clear messaging and proper handling of public vs private repositories
  • Testing - Consider running the verification checklist from the PR description

Final Assessment: ✅ APPROVED

This pull request successfully transforms the action to meet all StepSecurity maintained action requirements while properly implementing the key feature of making maintained actions free for public repositories.


Raj-StepSecurity merged commit 66f1d28 into main on Apr 10, 2026
10 of 11 checks passed