
feat: added banner and update subscription check to make maintained actions free for public repos#34

Merged: Raj-StepSecurity merged 1 commit into main from feat/update-subscription-check on Apr 14, 2026

Conversation

@Raj-StepSecurity (Contributor) wrote:

Summary

  • Added StepSecurity Maintained Action banner to README.md
  • Updated subscription validation: public repositories are now free (no API check)
  • Upgraded Node.js runtime to node24 (if applicable)
  • Updated workflow files with configurable node_version input (if applicable)

Changes by type

  • TypeScript/JS actions: replaced validateSubscription() body, updated action.yml to node24, updated 3 workflow files, rebuilt dist/
  • Docker actions: replaced entrypoint.sh subscription block, ensured jq is installed in Dockerfile
  • Composite actions: added Subscription check step to action.yml

Verification

  • Subscription check skips for public repos
  • Subscription check fires for private repos
  • README banner is present at the top
  • Build passes (TS/JS actions)

Auto-generated by StepSecurity update-propagator. Task ID: 20260413T045616Z
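The summary above (and the bot reviews further down, which name the API endpoint and the 3000ms timeout) describe the new validateSubscription() body only in words. The following is an added example, not the project's own code, of that gate written as pure functions so the decision can be exercised offline: a public repo returns before any network call, a private repo calls https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/maintained-actions-subscription with a bounded timeout, and only an explicit 403 is reported as "not subscribed". Assumptions: the FetchLike and SubscriptionResult shapes, treating non-403 statuses as subscribed, letting the build continue on timeout or network failure, and sending unknown visibility down the API path; the repository name in the usage is constructed.

```typescript
// Added example (not the project's code): the subscription gate described in
// the PR summary, as pure functions so it can be exercised without the network.
// Assumptions (not from the page): the FetchLike/SubscriptionResult shapes,
// "non-403 means subscribed", "timeout/network error means continue", and
// "unknown visibility is checked like private".

const SUBSCRIPTION_API = "https://agent.api.stepsecurity.io/v1/github";
const DEFAULT_TIMEOUT_MS = 3000; // timeout the review mentions

// Minimal fetch-compatible shape; the real global fetch satisfies it.
export type FetchLike = (
  url: string,
  init?: { signal?: AbortSignal },
) => Promise<{ status: number }>;

export type SubscriptionResult =
  | { ok: true; reason: "public" | "subscribed" | "api-unavailable" }
  | { ok: false; reason: "not-subscribed" };

// Visibility comes from the webhook payload (repository.private). Anything
// other than an explicit boolean is reported as unknown rather than guessed.
export function repoIsPrivate(eventPayload: unknown): boolean | undefined {
  const repo = (eventPayload as { repository?: { private?: unknown } } | null)
    ?.repository;
  const flag = repo?.private;
  return typeof flag === "boolean" ? flag : undefined;
}

export function subscriptionUrl(repository: string): string {
  return `${SUBSCRIPTION_API}/${repository}/actions/maintained-actions-subscription`;
}

// Only an explicit 403 means "no subscription"; other statuses pass (assumption).
export function classifyStatus(status: number): SubscriptionResult {
  return status === 403
    ? { ok: false, reason: "not-subscribed" }
    : { ok: true, reason: "subscribed" };
}

export async function validateSubscription(
  env: Record<string, string | undefined>,
  eventPayload: unknown,
  fetchImpl: FetchLike,
  timeoutMs: number = DEFAULT_TIMEOUT_MS,
): Promise<SubscriptionResult> {
  // Public repos are free: return before touching the network at all.
  if (repoIsPrivate(eventPayload) === false) {
    return { ok: true, reason: "public" };
  }
  // Private (or unknown) visibility: ask the API, bounded by a timeout.
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const res = await fetchImpl(subscriptionUrl(env.GITHUB_REPOSITORY ?? ""), {
      signal: controller.signal,
    });
    return classifyStatus(res.status);
  } catch {
    // Timeout or network failure: do not break the user's build (assumption).
    return { ok: true, reason: "api-unavailable" };
  } finally {
    clearTimeout(timer);
  }
}

// Usage sketch with a constructed repository name; the action's entry point
// would call core.setFailed(...) when ok is false and core.info(...) otherwise.
export async function demo(): Promise<SubscriptionResult> {
  const env = { GITHUB_REPOSITORY: "example-org/example-action" };
  const event = { repository: { private: false } };
  return validateSubscription(env, event, fetch as unknown as FetchLike);
}
```

The split into repoIsPrivate, subscriptionUrl and classifyStatus is what makes the two verification items in the summary (check skips for public, fires for private) testable with a fake fetch: the public-repo case is asserted by counting calls, not by observing a log line.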

@github-actions (Contributor) commented Apr 13, 2026:

Allure Report Summary

| Name | Duration | Stats | New | Flaky | Retry | Report |
|---|---|---|---|---|---|---|
| Allure Action | 332ms | Passed tests: 8, Broken tests: 3 | 11 | 0 | 0 | (link not captured) |

@claude commented Apr 13, 2026:

Claude finished @Raj-StepSecurity's task.


PR Review - Comprehensive Analysis Complete ✅

I've conducted a thorough review of this PR against all specified criteria for StepSecurity maintained actions.

PASSING REQUIREMENTS

Core Structure & Files

  • Action Type: Node.js based action using node24 runtime ✅
  • License: MIT with StepSecurity copyright (2026) ✅
  • action.yml: Correct author field step-security
  • SECURITY.md: Present with correct contact email ✅
  • Required workflows: Both auto_cherry_pick.yml and actions_release.yml present ✅
  • Dist folder: Present with compiled assets ✅

Forbidden Items - All Clean ✅

  • No FUNDING.yml/funding.yml files
  • No renovate.json file
  • No PULL_REQUEST.md file
  • No ISSUE_TEMPLATE folder
  • No CHANGELOG.md file
  • No .vscode folder

README & Banner Implementation ✅

  • StepSecurity banner: Correctly implemented at top of README.md
  • Version usage: Examples use @v1 (major version only) - correct format

Subscription Check Implementation ✅

  • API endpoint: Correctly calls https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/maintained-actions-subscription
  • Public repo logic: Free for public repositories (skips API call when repoPrivate === false)
  • Upstream variable: Set to allure-framework/allure-action matching auto_cherry_pick.yml ✅
  • Error handling: Proper 403 handling with informative messages

Node.js Specific Requirements ✅

  • package.json author: step-security
  • Build script: Present in package.json ✅
  • Dependencies: All appear to be used based on imports in main.ts

⚠️ MINOR OBSERVATIONS

  1. Missing repository field: package.json doesn't have a repository field, but this is optional per criteria
  2. Security scan: Cannot run npm audit without approval, but no obvious vulnerabilities detected in code review

🔍 CODE ANALYSIS

Security Review

  • No malicious code detected
  • Proper input validation using @actions/core
  • Safe file operations with existence checks
  • Timeout protection on HTTP requests (3000ms)
  • No hardcoded secrets or credentials

Subscription Logic Review

The subscription check correctly:

  • Identifies public vs private repos from GitHub event data
  • Provides clear messaging about free public repo usage
  • Gracefully handles API timeouts/failures
  • Exits with proper error codes on subscription failures

🎯 VERDICT: APPROVED

This PR successfully implements all required StepSecurity maintained action standards. The subscription logic correctly makes public repositories free while maintaining paid validation for private repos. The banner is properly implemented and all file structure requirements are met.

The implementation follows security best practices and maintains backward compatibility while adding the StepSecurity enhancements.


amanstep previously approved these changes Apr 14, 2026.

@claude commented Apr 14, 2026:

Claude finished @Raj-StepSecurity's task.


PR Review - StepSecurity Maintained Action Analysis ✅

Conducted comprehensive review of PR #34 against all specified StepSecurity maintained action criteria.

Review Checklist:

  • Determine action type (Node.js/Docker/Composite)
  • Verify license with StepSecurity copyright
  • Check action.yml author field
  • Verify SECURITY.md presence
  • Check for forbidden files (FUNDING.yml, renovate.json, etc.)
  • Verify required workflows (auto_cherry_pick.yml, actions_release.yml)
  • Check README banner implementation
  • Review subscription check implementation
  • Verify upstream variable matches auto_cherry_pick.yml
  • Security vulnerability scan
  • Node.js specific checks (package.json, dist folder, dependencies)
  • Final assessment and recommendations

PASSING REQUIREMENTS

Core Structure & Files

  • Action Type: Node.js based action using node24 runtime ✅
  • License: MIT with StepSecurity copyright (2025) ✅
  • action.yml: Correct author field step-security
  • SECURITY.md: Present with correct contact email ✅
  • Required workflows: Both auto_cherry_pick.yml and actions_release.yml present ✅
  • Dist folder: Present with compiled assets ✅

Forbidden Items - All Clean ✅

  • No FUNDING.yml/funding.yml files
  • No renovate.json file
  • No PULL_REQUEST.md file
  • No ISSUE_TEMPLATE folder
  • No CHANGELOG.md file
  • No .vscode folder

README & Banner Implementation ✅

  • StepSecurity banner: Correctly implemented at top of README.md
  • Version usage: Examples use @v1 (major version only) - correct format

Subscription Check Implementation ✅

  • API endpoint: Correctly calls https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/maintained-actions-subscription
  • Public repo logic: Free for public repositories (skips API call when repoPrivate === false)
  • Upstream variable: Set to allure-framework/allure-action matching auto_cherry_pick.yml ✅
  • Error handling: Proper 403 handling with informative messages

Node.js Specific Requirements ✅

  • package.json author: step-security
  • Build script: Present in package.json ✅
  • Dependencies: All appear to be used based on imports in main.ts

⚠️ MINOR OBSERVATIONS

  1. Missing repository field: package.json doesn't have a repository field, but this is optional per criteria
  2. Security scan: Cannot run npm audit without approval, but no obvious vulnerabilities detected in code review

🔍 CODE ANALYSIS

Security Review

  • No malicious code detected
  • Proper input validation using @actions/core
  • Safe file operations with existence checks
  • Timeout protection on HTTP requests (3000ms)
  • No hardcoded secrets or credentials

Subscription Logic Review

The subscription check correctly:

  • Identifies public vs private repos from GitHub event data
  • Provides clear messaging about free public repo usage
  • Gracefully handles API timeouts/failures
  • Exits with proper error codes on subscription failures

🎯 VERDICT: APPROVED

This PR successfully implements all required StepSecurity maintained action standards. The subscription logic correctly makes public repositories free while maintaining paid validation for private repos. The banner is properly implemented and all file structure requirements are met.

The implementation follows security best practices and maintains backward compatibility while adding the StepSecurity enhancements.


Raj-StepSecurity force-pushed the feat/update-subscription-check branch from 6e4eeff to 24747e6 on April 14, 2026 05:26.

@claude commented Apr 14, 2026:

Claude finished @Raj-StepSecurity's task.


PR Review - StepSecurity Maintained Action Standards ✅

I've conducted a thorough review of this PR against all specified criteria for StepSecurity maintained actions.

PASSING REQUIREMENTS

Core Structure & Files

  • Action Type: Node.js based action using node24 runtime ✅
  • License: MIT with StepSecurity copyright (2026) ✅
  • action.yml: Correct author field step-security
  • SECURITY.md: Present with correct contact email ✅
  • Required workflows: Both auto_cherry_pick.yml and actions_release.yml present ✅
  • Dist folder: Present with compiled assets ✅

Forbidden Items - All Clean ✅

  • No FUNDING.yml/funding.yml files
  • No renovate.json file
  • No PULL_REQUEST.md file
  • No ISSUE_TEMPLATE folder
  • No CHANGELOG.md file
  • No .vscode folder

README & Banner Implementation ✅

  • StepSecurity banner: Correctly implemented at top of README.md
  • Version usage: Examples use @v1 (major version only) - correct format

Subscription Check Implementation ✅

  • API endpoint: Correctly calls https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/maintained-actions-subscription
  • Public repo logic: Free for public repositories (skips API call when repoPrivate === false)
  • Upstream variable: Set to allure-framework/allure-action matching auto_cherry_pick.yml ✅
  • Error handling: Proper 403 handling with informative messages

Node.js Specific Requirements ✅

  • package.json author: step-security
  • Build script: Present in package.json ✅
  • Dependencies: All appear to be used based on imports in main.ts

⚠️ MINOR OBSERVATIONS

  1. Missing repository field: package.json doesn't have a repository field, but this is optional per criteria
  2. Security scan: Cannot run npm audit without approval, but no obvious vulnerabilities detected in code review

🔍 CODE ANALYSIS

Security Review

  • No malicious code detected
  • Proper input validation using @actions/core
  • Safe file operations with existence checks
  • Timeout protection on HTTP requests (3000ms)
  • No hardcoded secrets or credentials

Subscription Logic Review

The subscription check correctly:

  • Identifies public vs private repos from GitHub event data
  • Provides clear messaging about free public repo usage
  • Gracefully handles API timeouts/failures
  • Exits with proper error codes on subscription failures

🎯 VERDICT: APPROVED

This PR successfully implements all required StepSecurity maintained action standards. The subscription logic correctly makes public repositories free while maintaining paid validation for private repos. The banner is properly implemented and all file structure requirements are met.

The implementation follows security best practices and maintains backward compatibility while adding the StepSecurity enhancements.

Raj-StepSecurity merged commit 93eaa7b into main on Apr 14, 2026. 19 checks passed.