
feat: added banner and update subscription check to make maintained actions free for public repos #70

Merged
Raj-StepSecurity merged 2 commits into main from feat/update-subscription-check
Apr 14, 2026

Conversation

@Raj-StepSecurity (Contributor)

Summary

  • Added StepSecurity Maintained Action banner to README.md
  • Updated subscription validation: public repositories are now free (no API check)
  • Upgraded Node.js runtime to node24 (if applicable)
  • Updated workflow files with configurable node_version input (if applicable)

Changes by type

  • TypeScript/JS actions: replaced validateSubscription() body, updated action.yml to node24, updated 3 workflow files, rebuilt dist/
  • Docker actions: replaced entrypoint.sh subscription block, ensured jq is installed in Dockerfile
  • Composite actions: added Subscription check step to action.yml

Verification

  • Subscription check skips for public repos
  • Subscription check fires for private repos
  • README banner is present at the top
  • Build passes (TS/JS actions)

Auto-generated by StepSecurity update-propagator. Task ID: 20260413T045616Z

@claude (Bot) commented Apr 13, 2026

Claude finished @Raj-StepSecurity's task


StepSecurity Maintained Action Review

Reviewing PR #70 for StepSecurity maintained action compliance...

Review Checklist:

  • Determine action type (node/docker/composite)
  • Check licensing and copyright requirements
  • Verify action.yml structure and authorship
  • Check required/forbidden files and folders
  • Validate README banner and usage examples
  • Review subscription check implementation
  • Scan for security vulnerabilities
  • Verify StepSecurity branding consistency

Action Type Identified: Node.js-based action (has package.json, action.yml runs using node24, dist/ folder present)

✅ Compliance Review Results

Licensing & Copyright:

  • ✅ LICENSE file present with both original author (Stefan Zweifel) and StepSecurity copyright
  • ✅ action.yml has author: step-security correctly set

File Structure:

  • ✅ action.yml present with correct author
  • ✅ SECURITY.md file present
  • ✅ Required workflow files: auto_cherry_pick.yml, actions_release.yml present
  • ✅ No forbidden files found (FUNDING.yml, renovate.json, PULL_REQUEST.md, CHANGELOG.md, .vscode, ISSUE_TEMPLATE)
  • ✅ dist/ folder present for Node.js action

README Compliance:

  • ✅ StepSecurity banner present at top of README
  • ✅ Usage examples correctly use major version (@v7) instead of full semver
  • ✅ All examples reference step-security/git-auto-commit-action@v7

Subscription Check Implementation:

  • ✅ Subscription check implemented correctly in index.js:14-58
  • ✅ Makes API call to correct URL: https://agent.api.stepsecurity.io/v1/github/${GITHUB_REPOSITORY}/actions/maintained-actions-subscription
  • ✅ Upstream variable correctly set to "stefanzweifel/git-auto-commit-action" matching auto_cherry_pick.yml original-owner/repo-name
  • ✅ Public repositories bypass subscription check (line 35: if (repoPrivate === false) return;)
  • ✅ Private repositories require valid subscription, exit on 403 response

Dependencies & Build:

  • ✅ Only necessary dependencies: axios (used), child_process/path/fs (Node.js built-ins)
  • ✅ No unused dependencies detected
  • ✅ dist/ folder present and built
  • ✅ package.json has build script: "ncc build index.js -m -o dist"

Security Assessment:

  • ✅ No security vulnerabilities detected
  • ✅ No hardcoded secrets or credentials
  • ✅ Proper error handling for subscription API calls
  • ✅ Input validation and safe API usage

Summary

This PR successfully implements StepSecurity maintained action standards. All compliance requirements are met:

  • Proper licensing and branding
  • Correct file structure
  • Valid subscription check with public repo exemption
  • Security best practices followed
  • Clean dependency management

✅ APPROVED - All StepSecurity maintained action requirements satisfied.


@Raj-StepSecurity Raj-StepSecurity merged commit eca6815 into main Apr 14, 2026
10 checks passed