feat: onboarding swift-doc action

[Raj-StepSecurity]

No description provided.

[claude]

Claude finished @Raj-StepSecurity's task —— View job

---

PR Review: swift-doc Action Onboarding

I've completed a comprehensive security and compliance review of this PR according to your requirements.

Review Progress

• Analyze action type and structure
• Review licensing and copyright compliance
• Check required file presence and structure
• Review security implementation and subscription checking
• Analyze code for security vulnerabilities
• Review GitHub workflows and configuration
• Provide final recommendations

Action Type Analysis

Mixed Action Type: This is primarily a Docker-based action with Node.js build tooling for CSS processing.

🔴 Critical Issues Found

CRITICAL SECURITY & COMPLIANCE FAILURES:

1. ❌ Missing Author Field in action.yml (action.yml:1-51)

   • Required: author: step-security field missing from action.yml
   • Impact: Fails StepSecurity branding requirements

2. ❌ Docker Compliance Violation (action.yml:30-31)

   • Issue: Uses local Dockerfile instead of published Docker image
   • Required: Must use published Docker image from step-security org with major version tag
   • Current: image: "Dockerfile"
   • Required Format: image: "ghcr.io/step-security/swift-doc:v1"

3. ❌ Incorrect Subscription API Endpoint (Sources/swift-doc/Helpers/SubscriptionCheck.swift:37)

   • Issue: Using wrong API endpoint for subscription validation
   • Current: https://agent.api.stepsecurity.io/v1/github/\(repo)/actions/maintained-actions-subscription
   • Required: https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/subscription

🟡 Security Analysis Results

Potential Security Concerns:

4. ⚠️ Environment Variable Dependencies (Sources/swift-doc/Helpers/SubscriptionCheck.swift:9-36)

   • Code relies heavily on GitHub environment variables (GITHUB_EVENT_PATH, GITHUB_REPOSITORY, etc.)
   • Generally safe within GitHub Actions context but should validate inputs

5. ⚠️ Network Timeout Handling (Sources/swift-doc/Helpers/SubscriptionCheck.swift:41-55)

   • 3-second timeout for subscription API call is reasonable
   • Graceful fallback on timeout (continues execution) - acceptable for this use case

6. ⚠️ Process Execution in Tests (Tests/EndToEndTests/Helpers/Process+Extensions.swift:6-22)

   • Test code executes external processes using Process.run()
   • Limited to test context, poses minimal risk in production

✅ Compliance Successes

Requirements Met:

• ✅ MIT License present with proper copyright (StepSecurity + original author)
• ✅ SECURITY.md file present with correct contact email
• ✅ Required GitHub workflows present:
  • auto_cherry_pick.yml - Correctly configured with StepSecurity reusable workflows
  • actions_release.yml - Proper release workflow setup
• ✅ No prohibited files found (FUNDING.yml, renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE/, CHANGELOG.md, .vscode/)
• ✅ README.md uses major version reference (@master) not full semver
• ✅ Subscription validation properly implemented and called in main.swift:30
• ✅ Docker workflow includes security hardening with harden-runner

📋 Additional Notes

Node.js Components (.node/ directory):

• Contains build tooling for CSS processing only
• No security issues identified in Node.js dependencies
• Package.json correctly excludes prohibited fields (author field not present, which is acceptable)

Code Quality:

• Swift code follows good security practices
• No shell command injections or unsafe file operations detected
• Proper error handling in subscription validation

🔧 Required Actions

Must Fix Before Merge:

1. Add author: step-security to action.yml
2. Replace local Dockerfile with published Docker image reference
3. Update subscription API endpoint URL to correct format
4. Ensure Docker image is published to step-security org with proper versioning

Recommended:

• Consider adding input validation for environment variables in SubscriptionCheck.swift
• Add error handling for malformed GitHub event JSON parsing

[claude]

Claude finished @Raj-StepSecurity's task —— View job

---

PR Review: swift-doc Action Onboarding

I've completed a comprehensive security and compliance review of this PR according to your StepSecurity requirements.

Review Progress

• Read and analyze action.yml structure and author field
• Check Docker-based action compliance requirements
• Verify licensing and copyright compliance
• Review required GitHub workflows and file structure
• Analyze subscription checking implementation
• Scan code for security vulnerabilities
• Review README.md for proper version referencing
• Address reviewer feedback on .gitattributes and README.md
• Provide comprehensive findings and recommendations

Action Type: Docker-based action using local Dockerfile

---

🔴 CRITICAL COMPLIANCE VIOLATIONS

1. MISSING AUTHOR FIELD IN ACTION.YML ❌

• File: action.yml:1-51
• Issue: No author: "step-security" field specified
• Impact: Critical compliance violation per StepSecurity requirements
• Required Fix: Add author: "step-security" to action.yml

2. DOCKER COMPLIANCE VIOLATION ❌

• File: action.yml:30-31
• Issue: Still using local Dockerfile instead of published Docker image from step-security org
• Current: image: "Dockerfile"
• Required: Must use published image format like image: "docker://ghcr.io/step-security/swift-doc:v1"
• Impact: Violates Docker-based action requirements for published images with major version tags

3. INCORRECT SUBSCRIPTION API ENDPOINT ❌

• File: Sources/swift-doc/Helpers/SubscriptionCheck.swift:37
• Issue: Wrong endpoint URL for subscription validation
• Current: https://agent.api.stepsecurity.io/v1/github/\(repo)/actions/maintained-actions-subscription
• Required: https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/subscription

4. README VERSION REFERENCE ISSUE ⚠️

• File: README.md:55
• Issue: Uses @v1 instead of major version without "v" prefix (addresses reviewer feedback)
• Current: uses: step-security/swift-doc@v1
• Recommended: Either @v1 or @1 (clarification needed on preferred format)

---

✅ COMPLIANCE SUCCESSES

Requirements Met:

• ✅ MIT License present with proper copyright (StepSecurity + original author)
• ✅ SECURITY.md file present with correct contact email
• ✅ Required GitHub workflows present:
  • auto_cherry_pick.yml - Correctly configured with StepSecurity reusable workflows
  • actions_release.yml - Proper release workflow setup
• ✅ No prohibited files found (FUNDING.yml, renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE/, CHANGELOG.md, .vscode/)
• ✅ Subscription validation properly implemented and called in main.swift:30
• ✅ No .gitattributes file present (addresses reviewer feedback - no file to delete)

---

🔒 SECURITY ANALYSIS RESULTS

No Critical Security Vulnerabilities Found:

• ✅ No hardcoded secrets or API keys detected
• ✅ No dangerous command execution patterns in Swift code
• ✅ Subscription validation with proper timeout handling (3 seconds)
• ✅ Environment variable usage follows GitHub Actions security practices
• ✅ Process execution limited to test context only (Tests/EndToEndTests/Helpers/Process+Extensions.swift:6-22)
• ✅ Docker build follows secure patterns
• ✅ Node.js build tooling for CSS processing poses minimal risk

Minor Security Observations:

• ⚠️ Code relies on GitHub environment variables (GITHUB_EVENT_PATH, GITHUB_REPOSITORY) - acceptable within Actions context
• ⚠️ Network timeout of 3 seconds with graceful fallback is reasonable

---

🔧 REQUIRED ACTIONS BEFORE MERGE

Priority: 🔴 CRITICAL - These must be resolved:

1. Add author field to action.yml:

   author: "step-security"

2. Replace local Dockerfile with published Docker image:

   runs:
     using: "docker" 
     image: "docker://ghcr.io/step-security/swift-doc:v1"  # Use published image

3. Fix subscription URL in SubscriptionCheck.swift:

   let url = URL(string: "https://agent.api.stepsecurity.io/v1/github/\(repo)/actions/subscription")!

Additional Notes:

• Docker image must be published to step-security organization before changing action.yml
• Docker image must be tagged with major version (v1, v2, etc.)
• README.md needs clarification on preferred version reference format
• All other StepSecurity compliance requirements are properly met

---

Status: ❌ NOT READY FOR MERGE - Critical compliance violations must be resolved first.

[claude]

Claude finished @Raj-StepSecurity's task —— View job

---

PR Review: swift-doc Action Onboarding

I've completed a comprehensive security and compliance review of this PR according to your StepSecurity requirements.

Review Progress

• Read and analyze action.yml structure and author field
• Check Docker-based action compliance requirements
• Verify licensing and copyright compliance
• Review required GitHub workflows and file structure
• Analyze subscription checking implementation
• Scan code for security vulnerabilities
• Review README.md for proper version referencing
• Address reviewer feedback on .gitattributes and README.md
• Provide comprehensive findings and recommendations

Action Type: Docker-based action using local Dockerfile

---

🔴 CRITICAL COMPLIANCE VIOLATIONS

1. MISSING AUTHOR FIELD IN ACTION.YML ❌

• File: action.yml:1-51
• Issue: No author: "step-security" field specified
• Impact: Critical compliance violation per StepSecurity requirements

2. DOCKER COMPLIANCE VIOLATION ❌

• File: action.yml:30-31
• Issue: Still using local Dockerfile instead of published Docker image from step-security org
• Current: image: "Dockerfile"
• Required: Must use published image format like image: "docker://ghcr.io/step-security/swift-doc:v1"

3. INCORRECT SUBSCRIPTION API ENDPOINT ❌

• File: Sources/swift-doc/Helpers/SubscriptionCheck.swift:37
• Issue: Wrong endpoint URL for subscription validation
• Current: https://agent.api.stepsecurity.io/v1/github/\(repo)/actions/maintained-actions-subscription
• Required: https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/subscription

---

✅ COMPLIANCE SUCCESSES

Requirements Met:

• ✅ MIT License present with proper copyright (StepSecurity + original author)
• ✅ SECURITY.md file present with correct contact email
• ✅ Required GitHub workflows present:
  • auto_cherry_pick.yml - Correctly configured
  • actions_release.yml - Proper release workflow setup
• ✅ No prohibited files found (FUNDING.yml, renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE/, CHANGELOG.md, .vscode/)
• ✅ Subscription validation properly implemented and called in main.swift:30
• ✅ .gitattributes file already absent (addresses reviewer feedback)
• ✅ README.md uses major version @v1 instead of full semver (line 55)

---

🔒 SECURITY ANALYSIS

No Critical Security Vulnerabilities Detected:

• ✅ No hardcoded secrets or API keys found
• ✅ Process execution limited to test context only (Tests/EndToEndTests/Helpers/Process+Extensions.swift:6-32)
• ✅ Subscription validation properly configured with timeouts
• ✅ Input validation present in Swift code
• ✅ Docker build process follows secure practices
• ✅ Network requests properly configured with 3-second timeout

---

📋 REVIEWER FEEDBACK STATUS

Addressing @amanstep's comments:

• ✅ .gitattributes file: Already absent from the repository
• ⚠️ README.md link: Line reference unclear - please specify which link needs to be added
• ✅ README.md version: Already uses major version @v1 not @master (line 55)

---

🔧 REQUIRED ACTIONS

Must Fix Before Merge:

1. Add author field to action.yml:

   author: "step-security"

2. Replace local Dockerfile with published image:

   runs:
     using: "docker" 
     image: "docker://ghcr.io/step-security/swift-doc:v1"

3. Fix subscription URL in SubscriptionCheck.swift:

   let url = URL(string: "https://agent.api.stepsecurity.io/v1/github/\(repo)/actions/subscription")!

Priority: 🔴 CRITICAL - These issues must be resolved before merge as they violate core StepSecurity compliance requirements.

---

[claude]

Claude finished @Raj-StepSecurity's task —— View job

---

PR Review: swift-doc Action Onboarding

I've completed a comprehensive security and compliance review of this PR according to Step Security requirements.

Review Progress

• Determine action type and structure
• Check action.yml author field compliance
• Verify Docker image compliance requirements
• Review subscription checking implementation
• Analyze required and prohibited files
• Scan code for security vulnerabilities
• Review GitHub workflows
• Provide final recommendations

Action Type: Docker-based action using local Dockerfile

---

🔴 CRITICAL COMPLIANCE VIOLATIONS

1. MISSING AUTHOR FIELD IN ACTION.YML ❌

• File: action.yml:1-51
• Issue: No author: "step-security" field specified
• Impact: Critical compliance violation per Step Security requirements
• Required Fix: Add author: "step-security" to action.yml

2. DOCKER COMPLIANCE VIOLATION ❌

• File: action.yml:30-31
• Issue: Using local Dockerfile instead of published Docker image from step-security org
• Current: image: "Dockerfile"
• Required: Must use published image format like image: "docker://ghcr.io/step-security/swift-doc:v1"
• Impact: Violates Docker-based action requirements for published images with major version tags

3. INCORRECT SUBSCRIPTION API ENDPOINT ❌

• File: Sources/swift-doc/Helpers/SubscriptionCheck.swift:37
• Issue: Wrong endpoint URL for subscription validation
• Current: https://agent.api.stepsecurity.io/v1/github/\(repo)/actions/maintained-actions-subscription
• Required: https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/subscription

---

✅ COMPLIANCE SUCCESSES

Requirements Met:

• ✅ MIT License present with proper copyright (StepSecurity + original author)
• ✅ SECURITY.md file present with correct contact email
• ✅ Required GitHub workflows present:
  • auto_cherry_pick.yml - Correctly configured with StepSecurity reusable workflows
  • actions_release.yml - Proper release workflow setup
• ✅ No prohibited files found (FUNDING.yml, renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE/, CHANGELOG.md, .vscode/)
• ✅ Subscription validation properly implemented and called in main.swift:30
• ✅ README.md uses major version @v1 not full semver (line 55)

---

🔒 SECURITY ANALYSIS RESULTS

No Critical Security Vulnerabilities Detected:

• ✅ No hardcoded secrets or API keys found
• ✅ Process execution limited to test context only (Tests/EndToEndTests/Helpers/Process+Extensions.swift:6-34)
• ✅ Subscription validation properly configured with 3-second timeout and graceful fallback
• ✅ Environment variable usage follows GitHub Actions security practices
• ✅ Docker build process follows secure patterns
• ✅ Node.js build tooling (.node/ directory) for CSS processing poses minimal risk

Minor Security Observations:

• ⚠️ Code relies on GitHub environment variables (GITHUB_EVENT_PATH, GITHUB_REPOSITORY) - acceptable within Actions context
• ⚠️ Network timeout of 3 seconds with graceful fallback is reasonable for subscription checking

---

🔧 REQUIRED ACTIONS BEFORE MERGE

Priority: 🔴 CRITICAL - These must be resolved:

1. Add author field to action.yml:

   author: "step-security"

2. Replace local Dockerfile with published Docker image:

   runs:
     using: "docker" 
     image: "docker://ghcr.io/step-security/swift-doc:v1"  # Use published image

3. Fix subscription URL in SubscriptionCheck.swift:

   let url = URL(string: "https://agent.api.stepsecurity.io/v1/github/\(repo)/actions/subscription")!

Additional Notes:

• Docker image must be published to step-security organization before changing action.yml
• Docker image must be tagged with major version (v1, v2, etc.)
• All other Step Security compliance requirements are properly met

---

Status: ❌ NOT READY FOR MERGE - Critical compliance violations must be resolved first.