feat: added banner and update subscription check to make maintained actions free for public repos#93

Closed
anurag-stepsecurity wants to merge 1 commit into main from feat/update-subscription-check

Conversation

@anurag-stepsecurity (Contributor)

Summary

  • Added StepSecurity Maintained Action banner to README.md
  • Updated subscription validation: public repositories are now free (no API check)
  • Upgraded Node.js runtime to node24 (if applicable)
  • Updated workflow files with configurable node_version input (if applicable)

Changes by type

  • TypeScript/JS actions: replaced validateSubscription() body, updated action.yml to node24, updated 3 workflow files, rebuilt dist/
  • Docker actions: replaced entrypoint.sh subscription block, ensured jq is installed in Dockerfile
  • Composite actions: added Subscription check step to action.yml

Verification

  • Subscription check skips for public repos
  • Subscription check fires for private repos
  • README banner is present at the top
  • Build passes (TS/JS actions)

Auto-generated by StepSecurity update-propagator. Task ID: 20260423T092801Z
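The control flow this PR describes (public repositories skip the API call; private repositories are checked against the StepSecurity endpoint with a timeout), written out as an added TypeScript example. This is not the PR's own `validateSubscription()` body or any StepSecurity code. It assumes, as labelled in the comments, that repository visibility is read from the workflow event payload's `repository.private` field and that an unreachable API is treated as a soft failure; the network call is behind a small injectable interface so the logic runs offline against a constructed fake.

```typescript
// Added example, not the PR's code. Assumptions (not stated in the PR):
//  - visibility comes from the event payload's `repository.private` field;
//  - an unreachable/timed-out API logs and continues rather than failing the job.
export type SubscriptionOutcome = "skipped-public" | "valid" | "invalid" | "unreachable";

export interface EventPayload {
  repository?: { private?: boolean; full_name?: string };
}

// Minimal HTTP abstraction: resolves to the status code, or null when the
// request timed out or could not connect. A real implementation would wrap
// fetch() with an AbortSignal timeout; here it is injected so tests run offline.
export type StatusFetcher = (url: string, timeoutMs: number) => Promise<number | null>;

// Endpoint named in the review comments on this PR.
export const SUBSCRIPTION_API = "https://agent.api.stepsecurity.io/v1/github";

export function subscriptionUrl(repository: string): string {
  return `${SUBSCRIPTION_API}/${repository}/actions/maintained-actions-subscription`;
}

// Public repos are free, so only an explicit `private: false` skips the check.
// A missing or malformed field is treated as private: a payload that lacks the
// flag must not be able to bypass the subscription check.
export function isPublicRepository(payload: EventPayload): boolean {
  return payload.repository?.private === false;
}

// 2xx means the subscription is valid; any other response means it is not;
// no response at all (timeout / connection failure) is reported separately.
export function classifyStatus(status: number | null): SubscriptionOutcome {
  if (status === null) return "unreachable";
  return status >= 200 && status < 300 ? "valid" : "invalid";
}

export async function validateSubscription(
  repository: string,
  payload: EventPayload,
  fetchStatus: StatusFetcher,
  timeoutMs = 3000,
): Promise<SubscriptionOutcome> {
  if (isPublicRepository(payload)) {
    return "skipped-public"; // no API call at all for public repos
  }
  const status = await fetchStatus(subscriptionUrl(repository), timeoutMs);
  const outcome = classifyStatus(status);
  if (outcome === "invalid") {
    console.error("Subscription is not valid for private repository " + repository);
  } else if (outcome === "unreachable") {
    console.warn("Subscription API unreachable; continuing (assumed soft-fail)");
  }
  return outcome;
}

// Constructed stand-in for the network: maps URLs to canned status codes.
// URLs not in the table behave like a timeout (null).
export function fakeFetcher(table: Record<string, number | null>): StatusFetcher {
  return async (url) => {
    const status = table[url];
    return status === undefined ? null : status;
  };
}
```

The caller decides what to do with `invalid` (the PR's TS actions exit non-zero there); keeping that decision outside `validateSubscription` is what makes the function itself testable without `process.exit`.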

claude Bot commented Apr 23, 2026

Claude finished @anurag-stepsecurity's task.

StepSecurity Maintained Action Review

Comprehensive review of PR #93 for StepSecurity maintained action compliance completed.

Todo List:

  • Determine action type (node-based, docker-based, composite, or mixed)
  • Check general compliance requirements
  • Review license and copyright
  • Verify action.yml structure and author
  • Check for required files (Security.md)
  • Verify absence of prohibited files
  • Review workflow files structure
  • Analyze README banner implementation
  • Review subscription validation logic
  • Check upstream variable configuration
  • Perform security vulnerability scan
  • Review type-specific requirements
  • Provide final recommendations

Review Summary

Action Type: Node.js-based action ✅

COMPLIANCE PASSED

General Requirements:

  • License: MIT license present with both original author (Kevin Stillhammer) and StepSecurity copyrights
  • action.yml: Present with correct author "step-security"
  • SECURITY.md: Present and properly configured
  • Prohibited files: None found (no FUNDING.yml, renovate.json, PULL_REQUEST.md, CHANGELOG.md, ISSUE_TEMPLATE, .vscode)
  • Workflow files: Required workflows present (auto_cherry_pick.yml, actions_release.yml)
  • README banner: Correctly implemented at top of README
  • README examples: Using major version tags only (@v7)

Subscription Validation:

  • Implementation: Properly implemented in src/utils/subscription.ts:34
  • API endpoint: Correct URL https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/maintained-actions-subscription
  • Upstream variable: Correctly set to "astral-sh/setup-uv" (matches auto_cherry_pick.yml:38-39)
  • Public repo handling: Free for public repositories (skips API check on line 27)
  • Integration: Called in main entry points (setup-uv.ts, save-cache.ts, update-known-checksums.ts)

Node.js Specific Requirements:

  • package.json author: "step-security"
  • package.json repository: Contains "step-security" in URL
  • dist folder: Present with compiled outputs
  • Build script: Available in package.json ("build": "tsc")
  • Dependencies: All dependencies appear to be used (verified imports)

Security Analysis:

  • File operations: Safe file reading operations, no arbitrary file access
  • Process execution: Uses @actions/exec properly, no shell injection risks
  • Environment variables: Proper access patterns, no credential exposure
  • Network requests: Only to trusted StepSecurity API endpoint with timeout
  • Input validation: Proper handling throughout codebase

RECOMMENDATION: APPROVE ✅

This PR successfully implements all required StepSecurity maintained action standards. The subscription validation logic properly handles both public (free) and private (subscription-required) repositories, the banner is correctly placed, and all compliance requirements are met.

Key Highlights:

  • Subscription check correctly skips for public repos while maintaining security for private repos
  • All required workflows and files are properly configured
  • License maintains both original and StepSecurity copyrights
  • No security vulnerabilities detected
  • Node.js runtime upgraded to node24 as intended

…ctions free for public repos

Signed-off-by: Anurag Rajawat <anurag@stepsecurity.io>
@anurag-stepsecurity anurag-stepsecurity force-pushed the feat/update-subscription-check branch from 6e9ca11 to 6a655b2 Compare May 6, 2026 12:14
claude Bot commented May 6, 2026

Claude finished @anurag-stepsecurity's task.

StepSecurity Maintained Action Compliance Review

Comprehensive review of PR #93 for StepSecurity maintained action compliance.

Todo List:

  • Determine action type (node-based, docker-based, composite, or mixed)
  • Check general compliance requirements
  • Review license and copyright
  • Verify action.yml structure and author
  • Check for required files (Security.md)
  • Verify absence of prohibited files
  • Review workflow files structure
  • Analyze README banner implementation
  • Review subscription validation logic
  • Check upstream variable configuration
  • Perform security vulnerability scan
  • Review type-specific requirements
  • Provide final recommendations

Review Summary

Action Type: Node.js-based action ✅

COMPLIANCE PASSED

General Requirements:

  • License: MIT license present with both original author (Kevin Stillhammer) and StepSecurity copyrights
  • action.yml: Present with correct author "step-security"
  • SECURITY.md: Present and properly configured
  • Prohibited files: None found (no FUNDING.yml, renovate.json, PULL_REQUEST.md, CHANGELOG.md, ISSUE_TEMPLATE, .vscode)
  • Workflow files: Required workflows present (auto_cherry_pick.yml, actions_release.yml)
  • README banner: Correctly implemented at top of README
  • README examples: Using major version tags only (@v7)

Subscription Validation:

  • Implementation: Properly implemented in src/utils/subscription.ts:34
  • API endpoint: Correct URL https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/maintained-actions-subscription
  • Upstream variable: Correctly set to "astral-sh/setup-uv" (matches auto_cherry_pick.yml:38-39)
  • Public repo handling: Free for public repositories (skips API check on line 27)
  • Integration: Called in main entry points (setup-uv.ts, save-cache.ts, update-known-checksums.ts)

Node.js Specific Requirements:

  • package.json author: "step-security"
  • package.json repository: Contains "step-security" in URL
  • dist folder: Present with compiled outputs
  • Build script: Available in package.json ("build": "tsc")
  • Dependencies: All dependencies appear to be used (verified imports)

Security Analysis:

  • File operations: Safe file reading operations, no arbitrary file access
  • Process execution: Uses @actions/exec properly, no shell injection risks
  • Environment variables: Proper access patterns, no credential exposure
  • Network requests: Only to trusted StepSecurity API endpoint with timeout
  • Input validation: Proper handling throughout codebase

RECOMMENDATION: APPROVE ✅

This PR successfully implements all required StepSecurity maintained action standards. The subscription validation logic properly handles both public (free) and private (subscription-required) repositories, the banner is correctly placed, and all compliance requirements are met.

Key Highlights:

  • Subscription check correctly skips for public repos while maintaining security for private repos
  • All required workflows and files are properly configured
  • License maintains both original and StepSecurity copyrights
  • No security vulnerabilities detected
  • Node.js runtime upgraded to node24 as intended

@Raj-StepSecurity Raj-StepSecurity deleted the feat/update-subscription-check branch May 19, 2026 10:22