feat: added banner and update subscription check to make maintained actions free for public repos (#23)

Merged: amanstep merged 1 commit into main from feat/update-subscription-check on May 21, 2026

Conversation

@anurag-stepsecurity (Contributor)

Summary

  • Added StepSecurity Maintained Action banner to README.md
  • Updated subscription validation: public repositories are now free (no API check)
  • Adapted the Docker subscription-check pattern into the .NET entrypoint (this action has no shell entrypoint.sh)

Changes by type

  • .NET Docker action: replaced validateSubscription block inside src/EditRelease/Program.cs — now reads GITHUB_EVENT_PATH for repo privacy, prints the maintained-action banner, and only calls maintained-actions-subscription (POST) for private repositories with proper GHES server detection.

Verification

  • Subscription check skips for public repos
  • Subscription check fires for private repos
  • README banner is present at the top

Auto-generated by StepSecurity update-propagator. Task ID: 20260423T092801Z

@claude (Bot) commented Apr 23, 2026

Claude finished @anurag-stepsecurity's task.

Pull Request Review - Complete ✅

Comprehensive review of PR #23 against StepSecurity maintained action criteria has been completed.

🔍 Action Type Analysis

Docker-based action - Uses docker://ghcr.io/step-security/edit-release:v1.2.0 image

✅ Compliance Assessment

General Requirements - COMPLIANT

  • License: MIT license present with both StepSecurity and original author (Irongut, Taranis Software) copyright
  • action.yml: Present with author: step-security field
  • SECURITY.md: Present with proper security contact (security@stepsecurity.io)
  • Workflow files: Both required files present:
    • .github/workflows/auto_cherry_pick.yml
    • .github/workflows/actions_release.yml
  • Unwanted files: None found (FUNDING.yml, renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE, CHANGELOG.md, .vscode)
  • README banner: StepSecurity maintained action banner correctly implemented at line 1
  • Usage examples: Correctly use major version only (@v1) instead of full semver

Subscription Check Implementation - COMPLIANT

  • API endpoint: Correctly calls https://agent.api.stepsecurity.io/v1/github/{repo}/actions/maintained-actions-subscription
  • Upstream variable: upstream = "irongut/EditRelease" matches auto_cherry_pick.yml values (original-owner: "irongut", repo-name: "EditRelease")
  • Public repo logic: ✨ NEW FEATURE - Now skips subscription check for public repositories (repoPrivate != false)
  • GHES detection: Includes proper GitHub Enterprise Server detection

Docker-specific Requirements - COMPLIANT

  • Published image: Uses ghcr.io/step-security/edit-release:v1.2.0 (StepSecurity org)
  • Image tagging: Tagged with major version (v1.2.0)
  • SHA pinning: Image includes SHA256 digest for security

🎯 Key Improvements in This PR

1. Public Repository Support

  • Before: All repositories required subscription validation
  • After: Public repositories get free access (no API call made)
  • Implementation: Reads GITHUB_EVENT_PATH to detect repository privacy

2. Enhanced User Experience

  • Added colorized console output with "Free for public repositories" message
  • Clearer messaging about StepSecurity maintained actions

3. Robust Error Handling

  • Graceful handling of malformed event payloads
  • Proper timeout handling for API calls (3 seconds)

🔒 Security Analysis - SECURE

  • No sensitive information exposure detected
  • Proper error handling prevents information leakage
  • API calls use HTTPS with appropriate timeouts
  • No hardcoded secrets or credentials found

📋 Minor Observations

  • Code follows .NET best practices with proper async/await patterns
  • Subscription logic is well-structured and maintainable
  • Console output provides good user feedback

✅ Final Verdict: APPROVED

This PR successfully implements the required subscription model changes while maintaining full compliance with StepSecurity maintained action standards. The implementation correctly makes maintained actions free for public repositories while preserving subscription requirements for private repositories.

…ctions free for public repos

Signed-off-by: Anurag Rajawat <anurag@stepsecurity.io>
@anurag-stepsecurity force-pushed the feat/update-subscription-check branch from 77d1f9f to cbb09db on May 20, 2026 12:05
@claude (Bot) commented May 20, 2026

Claude finished @anurag-stepsecurity's task.

Pull Request Review - Complete ✅

Comprehensive review of PR #23 against StepSecurity maintained action criteria has been completed.

🔍 Action Type Analysis

Docker-based action - Uses docker://ghcr.io/step-security/edit-release:v1.2.0 image

✅ Compliance Assessment

General Requirements - COMPLIANT

  • License: MIT license present with both StepSecurity and original author (Irongut, Taranis Software) copyright
  • action.yml: Present with author: step-security field
  • SECURITY.md: Present with proper security contact (security@stepsecurity.io)
  • Workflow files: Both required files present:
    • .github/workflows/auto_cherry_pick.yml
    • .github/workflows/actions_release.yml
  • Unwanted files: None found (FUNDING.yml, renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE, CHANGELOG.md, .vscode)
  • README banner: StepSecurity maintained action banner correctly implemented at line 1
  • Usage examples: Correctly use major version only (@v1) instead of full semver

Subscription Check Implementation - COMPLIANT

  • API endpoint: Correctly calls https://agent.api.stepsecurity.io/v1/github/{repo}/actions/maintained-actions-subscription
  • Upstream variable: upstream = "irongut/EditRelease" matches auto_cherry_pick.yml values (original-owner: "irongut", repo-name: "EditRelease")
  • Public repo logic: ✨ NEW FEATURE - Now skips subscription check for public repositories (repoPrivate != false)
  • GHES detection: Includes proper GitHub Enterprise Server detection

Docker-specific Requirements - COMPLIANT

  • Published image: Uses ghcr.io/step-security/edit-release:v1.2.0 (StepSecurity org)
  • Image tagging: Tagged with major version (v1.2.0)
  • SHA pinning: Image includes SHA256 digest for security

🎯 Key Improvements in This PR

1. Public Repository Support

  • Before: All repositories required subscription validation
  • After: Public repositories get free access (no API call made)
  • Implementation: Reads GITHUB_EVENT_PATH to detect repository privacy

2. Enhanced User Experience

  • Added colorized console output with "Free for public repositories" message
  • Clearer messaging about StepSecurity maintained actions

3. Robust Error Handling

  • Graceful handling of malformed event payloads
  • Proper timeout handling for API calls (3 seconds)

🔒 Security Analysis - SECURE

  • No sensitive information exposure detected
  • Proper error handling prevents information leakage
  • API calls use HTTPS with appropriate timeouts
  • No hardcoded secrets or credentials found

📋 Minor Observations

  • Code follows .NET best practices with proper async/await patterns
  • Subscription logic is well-structured and maintainable
  • Console output provides good user feedback

✅ Final Verdict: APPROVED

This PR successfully implements the required subscription model changes while maintaining full compliance with StepSecurity maintained action standards. The implementation correctly makes maintained actions free for public repositories while preserving subscription requirements for private repositories.
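The subscription gate that the PR summary and both review comments describe (read the payload at GITHUB_EVENT_PATH, print the maintained-action banner, skip the check entirely for public repositories, POST to the maintained-actions-subscription endpoint only for private ones, detect GHES, use a 3-second timeout, and tolerate malformed payloads), written out as an added C# example. This is not the project's src/EditRelease/Program.cs. Everything the page does not state is an assumption and is marked as such in the code: GHES is detected by comparing GITHUB_SERVER_URL with https://github.com, a 2xx reply is taken to mean an active subscription, a payload that cannot be read is treated like a private repository so it cannot bypass the check, a transport failure or timeout returns `Skipped` for the caller to decide on, and the `SubscriptionGate` enum, the `StubHandler` transport and the sample event payloads in `Main` are constructed here.

```csharp
// Added example (not the project's own Program.cs): a self-contained .NET gate that
// follows the flow described in the PR summary. Assumptions are marked below.
using System;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;

public enum SubscriptionGate { PublicRepoFree, PrivateRepoSubscribed, PrivateRepoUnsubscribed, Skipped }

public static class SubscriptionCheck
{
    // Upstream name, endpoint, POST method and 3 s timeout are the values the PR review lists.
    const string Upstream = "irongut/EditRelease";

    // Reads the event payload the runner points GITHUB_EVENT_PATH at; null when absent.
    public static string? LoadEventPayload()
    {
        var path = Environment.GetEnvironmentVariable("GITHUB_EVENT_PATH");
        return path is not null && File.Exists(path) ? File.ReadAllText(path) : null;
    }

    // Returns repository.private, or null when the payload is missing, malformed or lacks
    // the field, so a bad event never throws out of the gate.
    public static bool? ReadRepoPrivate(string? eventJson)
    {
        if (string.IsNullOrWhiteSpace(eventJson)) return null;
        try
        {
            using var doc = JsonDocument.Parse(eventJson);
            if (doc.RootElement.ValueKind == JsonValueKind.Object
                && doc.RootElement.TryGetProperty("repository", out var repo)
                && repo.ValueKind == JsonValueKind.Object
                && repo.TryGetProperty("private", out var priv)
                && (priv.ValueKind == JsonValueKind.True || priv.ValueKind == JsonValueKind.False))
            {
                return priv.GetBoolean();
            }
        }
        catch (JsonException) { /* malformed payload: privacy unknown */ }
        return null;
    }

    // Assumption (the page only says GHES is detected): any GITHUB_SERVER_URL other than
    // https://github.com is treated as a GitHub Enterprise Server host.
    public static bool IsGhes(string? serverUrl) =>
        !string.IsNullOrEmpty(serverUrl)
        && !serverUrl.TrimEnd('/').Equals("https://github.com", StringComparison.OrdinalIgnoreCase);

    // The gate itself. `handler` lets a caller substitute a stub transport (used in Main).
    public static async Task<SubscriptionGate> RunAsync(string? eventJson, string? serverUrl,
                                                        HttpMessageHandler? handler = null)
    {
        Console.WriteLine("\u001b[36mStepSecurity maintained action: free for public repositories\u001b[0m");

        bool? isPrivate = ReadRepoPrivate(eventJson);
        if (isPrivate == false)
            return SubscriptionGate.PublicRepoFree;      // public repo: no API call at all
        if (IsGhes(serverUrl))
            return SubscriptionGate.Skipped;             // assumption: the SaaS check does not apply on GHES

        // Unknown privacy (null) is handled like private, so a malformed payload cannot bypass
        // the check. Assumption: a 2xx reply means an active subscription.
        var url = $"https://agent.api.stepsecurity.io/v1/github/{Upstream}/actions/maintained-actions-subscription";
        using var client = handler is null ? new HttpClient() : new HttpClient(handler);
        client.Timeout = TimeSpan.FromSeconds(3);
        try
        {
            using var resp = await client.PostAsync(url, content: null);
            return resp.IsSuccessStatusCode
                ? SubscriptionGate.PrivateRepoSubscribed
                : SubscriptionGate.PrivateRepoUnsubscribed;
        }
        catch (Exception ex) when (ex is HttpRequestException or TaskCanceledException)
        {
            // Timeout or transport failure: report it and leave the decision to the caller (assumption).
            Console.WriteLine($"Subscription check did not complete: {ex.Message}");
            return SubscriptionGate.Skipped;
        }
    }

    // Stub transport so the demonstration below runs offline (constructed for this example).
    sealed class StubHandler : HttpMessageHandler
    {
        readonly HttpStatusCode _status;
        public StubHandler(HttpStatusCode status) => _status = status;
        protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage req, CancellationToken ct)
            => Task.FromResult(new HttpResponseMessage(_status));
    }

    public static async Task Main()
    {
        // Constructed sample payloads: only the "repository" object of a GitHub event is modelled.
        const string publicEvent  = "{\"repository\":{\"full_name\":\"octo/demo\",\"private\":false}}";
        const string privateEvent = "{\"repository\":{\"full_name\":\"octo/demo\",\"private\":true}}";
        const string brokenEvent  = "{\"repository\":";

        Console.WriteLine(await RunAsync(publicEvent,  "https://github.com"));                                           // public repo
        Console.WriteLine(await RunAsync(privateEvent, "https://github.com", new StubHandler(HttpStatusCode.OK)));              // private, stub says subscribed
        Console.WriteLine(await RunAsync(brokenEvent,  "https://github.com", new StubHandler(HttpStatusCode.PaymentRequired))); // malformed payload
        Console.WriteLine(await RunAsync(privateEvent, "https://ghe.example.internal"));                                   // GHES host
    }
}
```

In a real action `Main` would pass `LoadEventPayload()` and `Environment.GetEnvironmentVariable("GITHUB_SERVER_URL")` instead of the constructed strings; the stub transport exists only so the private-repository paths can be exercised without network access. The ordering matters for the security property the PR claims: the public-repository exit happens before any network call, while an unreadable payload falls through to the check rather than being treated as public.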

@amanstep amanstep merged commit d588e13 into main May 21, 2026
10 checks passed