
feat: added banner and update subscription check to make maintained actions free for public repos#148

Merged
Raj-StepSecurity merged 1 commit into main from feat/update-subscription-check on Apr 21, 2026

Conversation

@Raj-StepSecurity
Contributor

Summary

  • Added StepSecurity Maintained Action banner to README.md
  • Updated subscription validation: public repositories are now free (no API check)
  • Upgraded Node.js runtime to node24 (if applicable)
  • Updated workflow files with configurable node_version input (if applicable)

Changes by type

  • TypeScript/JS actions: replaced validateSubscription() body, updated action.yml to node24, updated 3 workflow files, rebuilt dist/
  • Docker actions: replaced entrypoint.sh subscription block, ensured jq is installed in Dockerfile
  • Composite actions: added Subscription check step to action.yml

Verification

  • Subscription check skips for public repos
  • Subscription check fires for private repos
  • README banner is present at the top
  • Build passes (TS/JS actions)

Auto-generated by StepSecurity update-propagator. Task ID: 20260420T163520Z

…ctions free for public repos

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@claude

claude Bot commented Apr 20, 2026

Claude finished @Raj-StepSecurity's task


PR Review Complete ✅

I've completed a comprehensive review of this PR against the StepSecurity maintained action requirements.

Review Checklist:

  • Determine action type (node-based, docker-based, composite, or multiple)
  • Review repository structure and required files
  • Check license and copyright requirements
  • Verify action.yml file and author field
  • Check for Security.md file
  • Verify absence of prohibited files (FUNDING.yml, renovate.json, etc.)
  • Review .github/workflows folder contents
  • Check README.md banner and usage examples
  • Verify subscription check implementation
  • Review upstream variable configuration
  • Scan for security vulnerabilities
  • Review changed workflow files
  • Provide final assessment and recommendations

Action Type: Node-based action ✅

COMPLIANCE SUMMARY

All major requirements are met:

General Requirements:

  • License: MIT license present with both original author (Cypress.io) and StepSecurity copyright
  • action.yml: Author field correctly set to "step-security"
  • Security.md: Present
  • Prohibited files: None found (FUNDING.yml, renovate.json, CHANGELOG.md, .vscode/, PULL_REQUEST.md, ISSUE_TEMPLATE/ all absent)
  • Required workflows: Both auto_cherry_pick.yml and actions_release.yml are present

Node-specific Requirements:

  • package.json author: Set to "step-security"
  • package.json repository: Points to step-security organization
  • Dependencies: All dependencies appear to be used appropriately
  • dist/ folder: Present (required for Node-based actions)

README Requirements:

  • Banner: StepSecurity banner is correctly placed at the top
  • Usage examples: Use major version tags (@v7) instead of complete semver

Subscription Check Implementation:

  • Subscription check: Properly implemented in index.js:21-70
  • API endpoint: Uses correct URL https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/maintained-actions-subscription
  • Public repo exemption: ✨ NEW FEATURE - Public repositories are now free (no API check)
  • Upstream variable: Correctly set to cypress-io/github-action (matches auto_cherry_pick.yml configuration)

Security Assessment:

  • Command execution: Uses secure @actions/exec with proper argument handling
  • Input validation: Proper input sanitization and quoting
  • No hardcoded secrets: All sensitive data uses environment variables/GitHub secrets
  • No malicious patterns: No suspicious code patterns detected

📝 PR Changes Review

This PR adds configurable node_version input to three workflow files:

  • .github/workflows/actions_release.yml
  • .github/workflows/audit_package.yml
  • .github/workflows/auto_cherry_pick.yml

Impact: ✅ Low-risk infrastructure improvement for Node.js version flexibility.

🎯 Final Assessment: APPROVED

This is an excellent example of a properly maintained StepSecurity action that:

  1. ✅ Meets all compliance requirements
  2. ✅ Implements the new public repository free access feature
  3. ✅ Follows security best practices
  4. ✅ Maintains proper attribution and licensing
  5. ✅ Uses correct subscription check implementation

Recommendation: This PR can be safely merged. It successfully implements the StepSecurity maintained action standards and the new public repository free access policy.
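The subscription gate described in the PR summary ("public repositories are now free (no API check)") and in the bot's Subscription Check Implementation section can be sketched as follows. This is an added example, not StepSecurity's own validateSubscription() from index.js; the page only gives the endpoint URL and the public-repo exemption. The example assumes that repository visibility is read from the runner-written event payload (GITHUB_EVENT_PATH, field repository.private), that the endpoint answers 2xx when a subscription is active and a non-2xx status otherwise, and that a timeout or connection error should not block the job (fail open) while a definite negative answer should (fail closed). None of those three assumptions is stated on the page. The helper names subscriptionUrl, isPublicRepository, loadEventPayload and the fetchFn/readFile injection points are this example's own.

```javascript
// Example only (not StepSecurity's code). Assumptions: visibility comes from
// repository.private in the GitHub event payload; the API returns 2xx for an
// active subscription; unreachable API => fail open, non-2xx => fail closed.
const SUBSCRIPTION_API = 'https://agent.api.stepsecurity.io/v1/github';

// GITHUB_REPOSITORY is "owner/name". Encode each segment separately so the
// path separator survives but no other characters can alter the request path.
function subscriptionUrl(repository) {
  const parts = typeof repository === 'string' ? repository.split('/') : [];
  if (parts.length !== 2 || !parts[0] || !parts[1]) {
    throw new Error(`unexpected GITHUB_REPOSITORY value: ${JSON.stringify(repository)}`);
  }
  const [owner, name] = parts.map(encodeURIComponent);
  return `${SUBSCRIPTION_API}/${owner}/${name}/actions/maintained-actions-subscription`;
}

// Read the event payload the runner writes to GITHUB_EVENT_PATH. readFile is
// injectable so the function can be exercised without a real runner.
function loadEventPayload(env, readFile) {
  if (!env || !env.GITHUB_EVENT_PATH) return undefined;
  try {
    return JSON.parse(readFile(env.GITHUB_EVENT_PATH, 'utf8'));
  } catch {
    return undefined;
  }
}

// Anything ambiguous (no payload, no repository object, no visibility field)
// is treated as private, so the check still runs rather than being skipped.
function isPublicRepository(eventPayload) {
  const repo = eventPayload && eventPayload.repository;
  if (!repo) return false;
  if (typeof repo.private === 'boolean') return !repo.private;
  return repo.visibility === 'public';
}

async function validateSubscription({
  env = process.env,
  eventPayload = undefined,
  fetchFn = globalThis.fetch,
  timeoutMs = 3000,
} = {}) {
  const repository = env.GITHUB_REPOSITORY;
  if (!repository) {
    throw new Error('GITHUB_REPOSITORY is not set; is this running inside GitHub Actions?');
  }
  if (isPublicRepository(eventPayload)) {
    return { status: 'skipped', reason: 'public repository, no subscription required' };
  }
  if (typeof fetchFn !== 'function') {
    throw new Error('no fetch implementation available');
  }
  const url = subscriptionUrl(repository);
  let response;
  try {
    const signal =
      typeof AbortSignal !== 'undefined' && AbortSignal.timeout ? AbortSignal.timeout(timeoutMs) : undefined;
    response = await fetchFn(url, { method: 'GET', signal });
  } catch (err) {
    // Timeout, DNS or connection failure: fail open so an outage does not block CI.
    return { status: 'unverified', reason: `subscription API unreachable (${err.message}); continuing` };
  }
  if (response.ok) {
    return { status: 'valid', reason: `HTTP ${response.status}` };
  }
  // The API answered and said no: fail closed.
  throw new Error(`No active maintained-actions subscription for ${repository} (HTTP ${response.status})`);
}

if (typeof module !== 'undefined') {
  module.exports = { subscriptionUrl, loadEventPayload, isPublicRepository, validateSubscription };
}
```

In an action's entry point the call would be `await validateSubscription({ eventPayload: loadEventPayload(process.env, require('fs').readFileSync) })` before any other work. Two points worth being deliberate about when adopting this shape: the public-repo exemption trusts the event payload, which the runner itself writes, so a workflow cannot forge it; and the fail-open branch means a job whose egress to the API is blocked passes the gate silently, which is a reasonable trade for a licensing check but should be logged (the returned reason string is meant for exactly that) rather than indistinguishable from a verified subscription.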


Raj-StepSecurity merged commit 880468f into main Apr 21, 2026
90 checks passed
