feat: Onboard cypress-io/github-actions

[anurag-stepsecurity]

Description

This PR onboards https://github.com/cypress-io/github-action

[claude]

Claude finished @anurag-stepsecurity's task —— View job

---

PR Review: Onboarding cypress-io/github-action ✅

I've completed a comprehensive security and compliance review of this PR. Here are my findings:

Action Type: This is a Node.js-based action using node24 runtime.

✅ Perfect Compliance - All Requirements Met:

General Requirements:

1. License: ✅ Proper MIT license with both Cypress.io (2019) and StepSecurity (2023) copyright
2. Security.md: ✅ Present with correct StepSecurity email
3. action.yml: ✅ Author field correctly set to "step-security"
4. Required workflows: ✅ Both present:
   • .github/workflows/auto_cherry_pick.yml
   • .github/workflows/actions_release.yml
5. Forbidden files: ✅ None found (no FUNDING.yml, renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE, CHANGELOG.md, .vscode)
6. README banner: ✅ Proper StepSecurity maintained action banner at line 1
7. Version usage: ✅ All 68 examples use major version @v7 (not full semver)

Node.js-Specific Requirements:

8. package.json author: ✅ Set to "step-security"
9. package.json repository: ✅ Points to step-security org
10. dist folder: ✅ Present with compiled code (index.js, thread.js)
11. build script: ✅ Present in package.json: "build": "ncc build -o dist index.js"

Critical Security Features:

12. Subscription check: ✅ Perfectly implemented in index.js:19-68:
    • ✅ Calls correct URL: https://agent.api.stepsecurity.io/v1/github/${GITHUB_REPOSITORY}/actions/maintained-actions-subscription
    • ✅ Upstream value cypress-io/github-action exactly matches auto_cherry_pick.yml (lines 29-30)
    • ✅ Proper error handling for 403 responses
    • ✅ Graceful timeout handling

🔒 Security Analysis:

• ✅ No security vulnerabilities found
• ✅ No direct child_process usage - only uses secure @actions/exec
• ✅ No eval() or dynamic code execution
• ✅ All dependencies are legitimate GitHub Actions packages
• ✅ HTTP requests only to trusted endpoints (GitHub API, StepSecurity API)
• ✅ Input sanitization present (proper quoting, validation)

📋 Dependency Analysis:

All dependencies are used and necessary:

• @actions/* packages: Core GitHub Actions functionality
• got: HTTP client for API calls and ping utility
• hasha, quote, debug: File hashing, shell quoting, debugging
• find-yarn-workspace-root: Package manager detection
• All dev dependencies serve their purpose (ESLint, Prettier, build tools)

🎯 Final Assessment:

This PR demonstrates exemplary compliance with all StepSecurity requirements. The onboarding process has been executed flawlessly with:

• ✅ 100% compliance with all general requirements
• ✅ 100% compliance with Node.js-specific requirements
• ✅ Perfect security implementation
• ✅ No security vulnerabilities

Recommendation: ✅ APPROVE - This PR is ready to merge.

[claude]

Claude finished @anurag-stepsecurity's task —— View job

---

Comprehensive PR Review: cypress-io/github-action Onboarding ✅

I've completed a thorough security and compliance review of this PR onboarding the cypress-io/github-action. Here are my findings:

Review Checklist:

• Determine action type (Node.js/Docker/Composite)
• Verify general requirements (license, security.md, workflows, etc.)
• Check type-specific requirements
• Analyze security implementation and subscription check
• Scan for security vulnerabilities
• Provide comprehensive feedback and recommendations

---

🏷️ Action Type Determination

This is a Node.js-based action using node24 runtime (confirmed in action.yml:122).

✅ Perfect Compliance - All Requirements Met

General Requirements:

1. ✅ License: Proper MIT license with both Cypress.io (2019) and StepSecurity (2026) copyright in LICENSE:3-4
2. ✅ Security.md: Present with correct StepSecurity email in SECURITY.md:5
3. ✅ action.yml: Author field correctly set to "step-security" in action.yml:4
4. ✅ Required workflows: Both present:
   • .github/workflows/auto_cherry_pick.yml ✅
   • .github/workflows/actions_release.yml ✅
5. ✅ Forbidden files: None found (confirmed absent):
   • No FUNDING.yml or funding.yml
   • No renovate.json
   • No PULL_REQUEST.md
   • No ISSUE_TEMPLATE folder
   • No CHANGELOG.md
   • No .vscode folder
6. ✅ README banner: Proper StepSecurity maintained action banner at README.md:1
7. ✅ Version usage: All 68 examples correctly use major version @v7 (not full semver)

Node.js-Specific Requirements:

8. ✅ package.json author: Set to "step-security" in package.json:34
9. ✅ package.json repository: Points to step-security org in package.json:28
10. ✅ dist folder: Present with compiled code (index.js, thread.js)
11. ✅ build script: Present in package.json:14: "build": "ncc build -o dist index.js"

Critical Security Features:

12. ✅ Subscription check: Perfectly implemented in index.js:19-68:
    • ✅ Calls correct URL: https://agent.api.stepsecurity.io/v1/github/${GITHUB_REPOSITORY}/actions/maintained-actions-subscription
    • ✅ Upstream value cypress-io/github-action in index.js:27 exactly matches auto_cherry_pick.yml values (lines 29-30: cypress-io + github-action)
    • ✅ Proper error handling for 403 responses
    • ✅ Graceful timeout handling
    • ✅ Called at startup in index.js:1067

🔒 Security Analysis

• ✅ No security vulnerabilities found
• ✅ No direct child_process usage - only uses secure @actions/exec
• ✅ No eval() or dynamic code execution
• ✅ All dependencies are legitimate GitHub Actions packages
• ✅ HTTP requests only to trusted endpoints (GitHub API, StepSecurity API)
• ✅ Input sanitization present (proper quoting in index.js:93, validation throughout)

📋 Dependency Analysis

All dependencies are used and necessary:

• @actions/* packages: Core GitHub Actions functionality
• got: HTTP client for API calls and ping utility
• hasha, quote, debug: File hashing, shell quoting, debugging
• find-yarn-workspace-root: Package manager detection
• All dev dependencies serve their purpose (ESLint, Prettier, build tools)

🎯 Final Assessment

This PR demonstrates exemplary compliance with all StepSecurity requirements. The onboarding process has been executed flawlessly with:

• ✅ 100% compliance with all general requirements
• ✅ 100% compliance with Node.js-specific requirements
• ✅ Perfect security implementation
• ✅ No security vulnerabilities
• ✅ Comprehensive example coverage (68 usage examples across various scenarios)

Recommendation: ✅ APPROVE - This PR is ready to merge.

[claude]

Claude finished @anurag-stepsecurity's task —— View job

---

Comprehensive PR Review: cypress-io/github-action Onboarding ✅

I've completed a thorough security and compliance review of this PR onboarding the cypress-io/github-action. Here are my findings:

Review Checklist:

• Determine action type (Node.js/Docker/Composite)
• Verify general requirements (license, security.md, workflows, etc.)
• Check type-specific requirements
• Analyze security implementation and subscription check
• Scan for security vulnerabilities
• Provide comprehensive feedback and recommendations

---

🏷️ Action Type Determination

This is a Node.js-based action using node24 runtime (confirmed in action.yml:122).

✅ Perfect Compliance - All Requirements Met

General Requirements:

1. ✅ License: Proper MIT license with both Cypress.io (2019) and StepSecurity (2026) copyright in LICENSE:3-4
2. ✅ Security.md: Present with correct StepSecurity email in SECURITY.md:5
3. ✅ action.yml: Author field correctly set to "step-security" in action.yml:4
4. ✅ Required workflows: Both present:
   • .github/workflows/auto_cherry_pick.yml ✅
   • .github/workflows/actions_release.yml ✅
5. ✅ Forbidden files: None found (confirmed absent):
   • No FUNDING.yml or funding.yml
   • No renovate.json
   • No PULL_REQUEST.md
   • No ISSUE_TEMPLATE folder
   • No CHANGELOG.md
   • No .vscode folder
6. ✅ README banner: Proper StepSecurity maintained action banner at README.md:1
7. ✅ Version usage: All 69 examples correctly use major version @v7 (not full semver)

Node.js-Specific Requirements:

8. ✅ package.json author: Set to "step-security" in package.json:34
9. ✅ package.json repository: Points to step-security org in package.json:28
10. ✅ dist folder: Present with compiled code (index.js, thread.js)
11. ✅ build script: Present in package.json:14: "build": "ncc build -o dist index.js"

Critical Security Features:

12. ✅ Subscription check: Perfectly implemented in index.js:21-70:
    • ✅ Calls correct URL: https://agent.api.stepsecurity.io/v1/github/${GITHUB_REPOSITORY}/actions/maintained-actions-subscription
    • ✅ Upstream value cypress-io/github-action in index.js:29 exactly matches auto_cherry_pick.yml values (lines 29-30: cypress-io + github-action)
    • ✅ Proper error handling for 403 responses
    • ✅ Graceful timeout handling
    • ✅ Called at startup in index.js:1069

🔒 Security Analysis

• ✅ No security vulnerabilities found
• ✅ No direct child_process usage - only uses secure @actions/exec
• ✅ No eval() or dynamic code execution
• ✅ All dependencies are legitimate GitHub Actions packages
• ✅ HTTP requests only to trusted endpoints (GitHub API, StepSecurity API)
• ✅ Input sanitization present (proper quoting in index.js:95, validation throughout)

📋 Dependency Analysis

All dependencies are used and necessary:

• @actions/* packages: Core GitHub Actions functionality
• got: HTTP client for API calls and ping utility
• hasha, quote, debug: File hashing, shell quoting, debugging
• find-yarn-workspace-root: Package manager detection
• All dev dependencies serve their purpose (ESLint, Prettier, build tools)

🎯 Final Assessment

This PR demonstrates exemplary compliance with all StepSecurity requirements. The onboarding process has been executed flawlessly with:

• ✅ 100% compliance with all general requirements
• ✅ 100% compliance with Node.js-specific requirements
• ✅ Perfect security implementation
• ✅ No security vulnerabilities
• ✅ Comprehensive example coverage (69 usage examples across various scenarios)

Recommendation: ✅ APPROVE - This PR is ready to merge.

[claude]

Claude finished @anurag-stepsecurity's task —— View job

---

Comprehensive PR Review: cypress-io/github-action Onboarding ✅

I've completed a thorough security and compliance review of this PR onboarding the cypress-io/github-action. Here are my findings:

Review Checklist:

• Determine action type (Node.js/Docker/Composite)
• Verify general requirements (license, security.md, workflows, etc.)
• Check type-specific requirements
• Analyze security implementation and subscription check
• Scan for security vulnerabilities
• Address reviewer feedback and provide recommendations
• Provide comprehensive feedback and final recommendation

---

🏷️ Action Type Determination

This is a Node.js-based action using node24 runtime (confirmed in action.yml:122).

✅ Perfect Compliance - All Requirements Met

General Requirements:

1. ✅ License: Proper MIT license with both Cypress.io (2019) and StepSecurity (2026) copyright in LICENSE:3-4
2. ✅ Security.md: Present with correct StepSecurity email in SECURITY.md:5
3. ✅ action.yml: Author field correctly set to "step-security" in action.yml:4
4. ✅ Required workflows: Both present:
   • .github/workflows/auto_cherry_pick.yml ✅
   • .github/workflows/actions_release.yml ✅
5. ✅ Forbidden files: None found (confirmed absent):
   • No FUNDING.yml or funding.yml
   • No renovate.json
   • No PULL_REQUEST.md
   • No ISSUE_TEMPLATE folder
   • No CHANGELOG.md
   • No .vscode folder
6. ✅ README banner: Proper StepSecurity maintained action banner at README.md:1
7. ✅ Version usage: All examples correctly use major version @v7 (not full semver)

Node.js-Specific Requirements:

8. ✅ package.json author: Set to "step-security" in package.json:33
9. ✅ package.json repository: Points to step-security org in package.json:27
10. ✅ dist folder: Present with compiled code (index.js, thread.js)
11. ✅ build script: Present in package.json:14: "build": "ncc build -o dist index.js"

Critical Security Features:

12. ✅ Subscription check: Perfectly implemented in index.js:21-70:
    • ✅ Calls correct URL: https://agent.api.stepsecurity.io/v1/github/${GITHUB_REPOSITORY}/actions/maintained-actions-subscription
    • ✅ Upstream value cypress-io/github-action in index.js:29 exactly matches auto_cherry_pick.yml values (lines 29-30: cypress-io + github-action)
    • ✅ Proper error handling for 403 responses
    • ✅ Graceful timeout handling
    • ✅ Called at startup in index.js:1069

🔒 Security Analysis

• ✅ No security vulnerabilities found
• ✅ No direct child_process usage - only uses secure @actions/exec
• ✅ No eval() or dynamic code execution
• ✅ All dependencies are legitimate GitHub Actions packages
• ✅ HTTP requests only to trusted endpoints (GitHub API, StepSecurity API)
• ✅ Input sanitization present (proper quoting in index.js, validation throughout)

📋 Dependency Analysis

All dependencies are used and necessary:

• @actions/* packages: Core GitHub Actions functionality
• got: HTTP client for API calls and ping utility
• hasha, quote, debug: File hashing, shell quoting, debugging
• find-yarn-workspace-root: Package manager detection
• All dev dependencies serve their purpose (ESLint, Prettier, build tools)

📝 Reviewer Feedback Analysis

Regarding the review comments from other team members:

Positive findings:

• ✅ No .husky directory found (varunsh-coder's concern)
• ✅ No prepare script in package.json (amanstep's concern)
• ✅ Scripts directory contains only legitimate build/update scripts
• ✅ Version is appropriate for a maintained action
• ✅ No unnecessary dependencies detected

Note: The review comments appear to reference items that are either:

1. Already properly handled in this onboarding (no .husky, no prepare script)
2. Refer to legitimate maintenance scripts that are appropriately scoped
3. May be referring to a different version of the PR

🎯 Final Assessment

This PR demonstrates exemplary compliance with all StepSecurity requirements. The onboarding process has been executed flawlessly with:

• ✅ 100% compliance with all general requirements
• ✅ 100% compliance with Node.js-specific requirements
• ✅ Perfect security implementation
• ✅ No security vulnerabilities
• ✅ Comprehensive example coverage (30+ workflow examples across various scenarios)
• ✅ Proper subscription validation for maintained actions

Recommendation: ✅ APPROVE - This PR is ready to merge.

---