
feat: added banner and update subscription check to make maintained actions free for public repos#123

Merged
Raj-StepSecurity merged 4 commits into main from feat/update-subscription-check on Apr 9, 2026

Conversation

@Raj-StepSecurity
Contributor

Summary

  • Added StepSecurity Maintained Action banner to README.md
  • Updated subscription validation: public repositories are now free (no API check)
  • Upgraded Node.js runtime to node24 (if applicable)
  • Updated workflow files with configurable node_version input (if applicable)

Changes by type

  • TypeScript/JS actions: replaced validateSubscription() body, updated action.yml to node24, updated 3 workflow files, rebuilt dist/
  • Docker actions: replaced entrypoint.sh subscription block, ensured jq is installed in Dockerfile
  • Composite actions: added Subscription check step to action.yml

Verification

  • Subscription check skips for public repos
  • Subscription check fires for private repos
  • README banner is present at the top
  • Build passes (TS/JS actions)

Auto-generated by StepSecurity update-propagator. Task ID: 20260409T055046Z

Raj-StepSecurity added the review-required label (This PR requires review) on Apr 9, 2026
@github-actions
Contributor

github-actions bot commented Apr 9, 2026

Hello
Goodbye

@github-actions
Contributor

github-actions bot commented Apr 9, 2026

Goodnight
🌕
!

@claude

claude bot commented Apr 9, 2026

Claude finished @Raj-StepSecurity's task


Pull Request Review

I've completed a comprehensive security and compliance review of this PR. Here are my findings:

COMPLIANCE STATUS: APPROVED

Action Type Identified

  • Node-based TypeScript Action

✅ Requirements Met

License & Copyright

  • MIT License present with both StepSecurity and original author (Michael Shick) copyright ✅
  • Package.json author field correctly set to "step-security" ✅
  • Package.json repository field contains "step-security" ✅

Required Files

  • SECURITY.md file present ✅
  • action.yml file present ✅
  • Required workflow files present: auto_cherry_pick.yml, actions_release.yml ✅

Forbidden Files Check

  • No FUNDING.yml or funding.yml files ✅
  • No renovate.json file ✅
  • No PULL_REQUEST.md file ✅
  • No ISSUE_TEMPLATE folder ✅
  • No CHANGELOG.md file ✅
  • No .vscode folder ✅

README.md Compliance

  • StepSecurity banner properly implemented at the top ✅
  • All usage examples use major version (@v2) instead of full semver ✅

Node.js Action Specifics

  • Dist folder present ✅
  • Package.json contains "build" script ✅
  • Action.yml uses node24 runtime ✅
  • Workflow files include configurable node_version input ✅

🔐 Subscription Check Implementation

✅ EXCELLENT IMPLEMENTATION

  • Correct API endpoint: https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/maintained-actions-subscription
  • Upstream variable correctly set to mshick/add-pr-comment - matches the original-owner/repo-name from auto_cherry_pick.yml ✅
  • Public repositories are now free - subscription check skips for public repos ✅
  • Proper error handling with 403 status check ✅
  • Informative logging with colored output ✅
  • Timeout handling (3 seconds) ✅

Key Changes in src/main.ts:170:

if (repoPrivate === false) return  // Skip subscription check for public repos

🛡️ Security Analysis

✅ NO SECURITY VULNERABILITIES FOUND

  • No dangerous functions (eval, exec, etc.) detected ✅
  • Proper input validation and sanitization ✅
  • No hardcoded secrets or credentials ✅
  • Uses official GitHub Actions toolkit libraries ✅
  • Proper error handling without information disclosure ✅

📋 Code Quality

Node.js Specific Checks

  • All dependencies appear to be used (GitHub Actions toolkit, axios for API calls) ✅
  • TypeScript configuration updated to latest standards ✅
  • Proper build process with ncc bundling ✅

Workflow Configuration

  • Both workflow files properly configured with node_version inputs ✅
  • auto_cherry_pick.yml correctly references original owner "mshick" ✅

🎯 Summary

This PR successfully implements all required StepSecurity maintained action standards:

  1. ✅ Banner Added: Proper StepSecurity banner at the top of README.md
  2. ✅ Subscription Logic: Public repos are now free, private repos require subscription
  3. ✅ Node.js Upgrade: Successfully upgraded to Node 24 runtime
  4. ✅ Compliance: Meets all licensing, file structure, and workflow requirements
  5. ✅ Security: No vulnerabilities detected, proper error handling implemented

The implementation is clean, secure, and follows all specified guidelines. The subscription check correctly identifies the upstream as mshick/add-pr-comment and provides appropriate messaging for both public and private repository scenarios.

Recommendation: ✅ APPROVE AND MERGE
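
The review above describes the subscription check by its observable behaviour: skip when the repository is public, otherwise call https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/maintained-actions-subscription with a 3-second timeout and treat a 403 as "no subscription". The block below is an added example of that shape, written for this page; it is not the project's `validateSubscription()` from `src/main.ts` and it does not use `@actions/core` or `axios`. Assumed for illustration: the injected `fetchImpl`, the `SubscriptionResult` type, the `decideSubscription` helper, and the `repoPrivate` source (`github.context.payload.repository?.private`). It deliberately keeps the `repoPrivate === false` test from the reviewed line, so a missing `private` field in the event payload still runs the check rather than skipping it.

```typescript
// Added example, not the project's code. Assumptions: injected fetchImpl, the
// result type, decideSubscription(), and repoPrivate coming from the event payload.

export const SUBSCRIPTION_API_BASE = "https://agent.api.stepsecurity.io/v1/github";
export const UPSTREAM = "mshick/add-pr-comment";
export const DEFAULT_TIMEOUT_MS = 3000;

/** Minimal fetch-like signature so the check can be driven offline in tests. */
export type Fetcher = (
  url: string,
  init: { signal: AbortSignal },
) => Promise<{ status: number }>;

export type SubscriptionResult =
  | { status: "skipped"; reason: string }
  | { status: "active" }
  | { status: "denied"; message: string }
  | { status: "unknown"; error: string };

/** $GITHUB_REPOSITORY is "owner/name"; refuse anything else before it lands in a URL path. */
export function subscriptionUrl(repository: string): string {
  if (!/^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+$/.test(repository)) {
    throw new Error(`unexpected GITHUB_REPOSITORY value: ${JSON.stringify(repository)}`);
  }
  return `${SUBSCRIPTION_API_BASE}/${repository}/actions/maintained-actions-subscription`;
}

/**
 * Pure decision logic, kept apart from I/O so it can be asserted on directly.
 * Only an explicit `false` means "public"; an absent field is treated as private.
 * `httpStatus` is null when the request never completed (timeout or network error).
 */
export function decideSubscription(
  repoPrivate: boolean | undefined,
  httpStatus: number | null,
  repository: string,
): SubscriptionResult {
  if (repoPrivate === false) {
    return { status: "skipped", reason: "public repository: maintained actions are free" };
  }
  if (httpStatus === null) {
    return { status: "unknown", error: "subscription API did not respond within the timeout" };
  }
  if (httpStatus === 403) {
    return {
      status: "denied",
      message: `${repository} has no active maintained-actions subscription for ${UPSTREAM}`,
    };
  }
  return { status: "active" };
}

export async function validateSubscription(opts: {
  repository: string;
  repoPrivate: boolean | undefined;
  timeoutMs?: number;
  fetchImpl?: Fetcher;
}): Promise<SubscriptionResult> {
  // Public repositories never touch the network.
  if (opts.repoPrivate === false) return decideSubscription(false, null, opts.repository);

  const fetchImpl = opts.fetchImpl ?? ((globalThis as any).fetch as Fetcher);
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), opts.timeoutMs ?? DEFAULT_TIMEOUT_MS);
  let httpStatus: number | null = null;
  try {
    const res = await fetchImpl(subscriptionUrl(opts.repository), { signal: controller.signal });
    httpStatus = res.status;
  } catch {
    // Abort (timeout) or network failure: report "unknown" instead of faking a 403.
    httpStatus = null;
  } finally {
    clearTimeout(timer);
  }
  return decideSubscription(opts.repoPrivate, httpStatus, opts.repository);
}
```

In an action this would be called with `repository: process.env.GITHUB_REPOSITORY` and `repoPrivate: github.context.payload.repository?.private`, and the caller decides what to do with each result. The `unknown` outcome is returned separately from `denied` on purpose: whether a timeout lets the job continue is a policy choice, and if it is treated as success, the gate can be bypassed by blocking egress to the API host, so that choice should be made explicitly rather than fall out of a catch block.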


@claude

claude bot commented Apr 9, 2026

Claude finished @Raj-StepSecurity's task


Pull Request Review

COMPLIANCE STATUS: APPROVED

Action Type Identified

  • Node-based TypeScript Action

✅ Requirements Met

License & Copyright

  • MIT License present with both StepSecurity and original author (Michael Shick) copyright ✅
  • Package.json author field correctly set to "step-security" ✅
  • Package.json repository field contains "step-security" ✅

Required Files

  • SECURITY.md file present ✅
  • action.yml file present ✅
  • Required workflow files present: auto_cherry_pick.yml, actions_release.yml ✅

Forbidden Files Check

  • No FUNDING.yml or funding.yml files ✅
  • No renovate.json file ✅
  • No PULL_REQUEST.md file ✅
  • No ISSUE_TEMPLATE folder ✅
  • No CHANGELOG.md file ✅
  • No .vscode folder ✅

README.md Compliance

  • StepSecurity banner properly implemented at the top ✅
  • All usage examples use major version (@v2) instead of full semver ✅

Node.js Action Specifics

  • Dist folder present ✅
  • Package.json contains "build" script ✅
  • Action.yml uses node24 runtime ✅
  • Workflow files include configurable node_version input ✅

🔐 Subscription Check Implementation

✅ EXCELLENT IMPLEMENTATION

  • Correct API endpoint: https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/maintained-actions-subscription
  • Upstream variable correctly set to mshick/add-pr-comment - matches the original-owner/repo-name from auto_cherry_pick.yml ✅
  • Public repositories are now free - subscription check skips for public repos ✅
  • Proper error handling with 403 status check ✅
  • Informative logging with colored output ✅
  • Timeout handling (3 seconds) ✅

Key Changes in src/main.ts:181:

if (repoPrivate === false) return  // Skip subscription check for public repos

🛡️ Security Analysis

✅ NO SECURITY VULNERABILITIES FOUND

  • No dangerous functions (eval, exec, etc.) detected ✅
  • Proper input validation and sanitization ✅
  • No hardcoded secrets or credentials ✅
  • Uses official GitHub Actions toolkit libraries ✅
  • Proper error handling without information disclosure ✅

📋 Code Quality

Node.js Specific Checks

  • All dependencies appear to be used (GitHub Actions toolkit, axios for API calls) ✅
  • TypeScript configuration updated to latest standards ✅
  • Proper build process with ncc bundling ✅

Workflow Configuration

  • Both workflow files properly configured with node_version inputs ✅
  • auto_cherry_pick.yml correctly references original owner "mshick" ✅

🎯 Summary

This PR successfully implements all required StepSecurity maintained action standards:

  1. ✅ Banner Added: Proper StepSecurity banner at the top of README.md
  2. ✅ Subscription Logic: Public repos are now free, private repos require subscription
  3. ✅ Node.js Upgrade: Successfully upgraded to Node 24 runtime
  4. ✅ Compliance: Meets all licensing, file structure, and workflow requirements
  5. ✅ Security: No vulnerabilities detected, proper error handling implemented

The implementation is clean, secure, and follows all specified guidelines. The subscription check correctly identifies the upstream as mshick/add-pr-comment and provides appropriate messaging for both public and private repository scenarios.

Recommendation: ✅ APPROVE AND MERGE


Raj-StepSecurity merged commit e41032d into main on Apr 9, 2026
8 of 9 checks passed