
feat: added banner and update subscription check to make maintained actions free for public repos#147

Merged
Raj-StepSecurity merged 2 commits into main from feat/update-subscription-check on May 13, 2026

Conversation

@anurag-stepsecurity
Contributor

Summary

  • Added StepSecurity Maintained Action banner to README.md
  • Updated subscription validation: public repositories are now free (no API check)
  • Upgraded Node.js runtime to node24 (if applicable)
  • Updated workflow files with configurable node_version input (if applicable)

Changes by type

  • TypeScript/JS actions: replaced validateSubscription() body, updated action.yml to node24, updated 3 workflow files, rebuilt dist/
  • Docker actions: replaced entrypoint.sh subscription block, ensured jq is installed in Dockerfile
  • Composite actions: added Subscription check step to action.yml

Verification

  • Subscription check skips for public repos
  • Subscription check fires for private repos
  • README banner is present at the top
  • Build passes (TS/JS actions)

Auto-generated by StepSecurity update-propagator. Task ID: 20260423T092801Z

…ctions free for public repos

Signed-off-by: Anurag Rajawat <anurag@stepsecurity.io>
@claude

claude Bot commented Apr 23, 2026

Claude finished @anurag-stepsecurity's task


StepSecurity Action PR Review Complete ✅

I've completed a comprehensive review of this pull request against StepSecurity action requirements. Below is my detailed analysis:

Todo List

  • Analyze repository structure and file requirements
  • Determine action type (Node.js/Docker/Composite)
  • Review licensing and author information
  • Check security and subscription implementation
  • Verify workflow files and configuration
  • Review README banner and usage examples
  • Check for security vulnerabilities
  • Provide comprehensive feedback

📋 Review Summary

Action Type: Node.js-based action ✅
Overall Assessment: COMPLIANT with StepSecurity requirements ✅

✅ Requirements Met

General Requirements

  • License: ✅ Both Apache and MIT licenses present with proper StepSecurity copyright (LICENSE-MIT:1 shows Copyright (c) 2023 StepSecurity)
  • Author: ✅ Package.json has @step-security/foundry-toolchain name (line 2)
  • SECURITY.md: ✅ Present and points to security@stepsecurity.io
  • Forbidden files: ✅ None found (no FUNDING.yml, renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE, CHANGELOG.md, .vscode)
  • Required workflows: ✅ Both auto_cherry_pick.yml and actions_release.yml present

Node.js Action Requirements

  • dist/ folder: ✅ Present with compiled code
  • Build script: ✅ Package.json has build script in line 17
  • Dependencies: ✅ All appear to be used (checked against imports in src/index.ts)

StepSecurity Branding & Subscription

  • README Banner: ✅ Correct StepSecurity banner added at top (README.md:1)
  • Subscription Check: ✅ Properly implemented with correct URL and logic
  • Upstream Reference: ✅ Matches auto_cherry_pick.yml config (foundry-rs/foundry-toolchain)

Workflow Configuration

  • Required workflows: ✅ Both workflows present and updated with node_version input
  • Node.js version: ✅ Upgraded to node24 in action.yml:48

Security Analysis

  • Subscription validation: ✅ Properly handles public vs private repos
  • API URL: ✅ Uses correct maintained-actions-subscription endpoint
  • Error handling: ✅ Proper timeout handling and graceful degradation
  • No security vulnerabilities identified in the code changes

📝 Code Review Details

Subscription Implementation (src/index.ts:86-131)

The subscription check implementation is excellent:

  • ✅ Correctly detects repo privacy status via GITHUB_EVENT_PATH
  • ✅ Properly skips check for public repos (line 108)
  • ✅ Uses correct API endpoint for maintained actions
  • ✅ Includes proper error messages and branding
  • ✅ Upstream variable correctly set to foundry-rs/foundry-toolchain (line 95)

Workflow Updates

All three workflow files properly updated:

  • node_version input added with default "24"
  • ✅ Input properly passed to reusable workflows

README Changes

  • ✅ StepSecurity banner correctly placed at top
  • ✅ Usage examples correctly show major version (@v1) instead of full semver

🔍 Minor Observations

  • Package.json doesn't have explicit "author" field, but this is acceptable per requirements
  • Action.yml doesn't have "author" field, but this is also acceptable per requirements
  • No repository field in package.json, but this is acceptable per requirements

🚀 Verification Status

Based on the PR description checklist:

  • Subscription check skips for public repos: Implemented correctly
  • Subscription check fires for private repos: Implemented correctly
  • README banner present: Added at top of README
  • Build requirements: dist/ folder updated, Node.js upgraded to 24

🎯 Conclusion

This pull request fully complies with all StepSecurity action requirements. The implementation is clean, secure, and follows all specified guidelines. The subscription validation logic properly handles both public and private repositories, and all required branding and configuration updates are present.

Recommendation: ✅ APPROVE - Ready for merge

@claude

claude Bot commented May 13, 2026

Claude finished @anurag-stepsecurity's task


StepSecurity Action PR Review Complete ✅

I've completed a comprehensive review of this pull request against StepSecurity action requirements. Below is my detailed analysis:

Todo List

  • Analyze repository structure and file requirements
  • Determine action type (Node.js/Docker/Composite)
  • Review licensing and author information
  • Check security and subscription implementation
  • Verify workflow files and configuration
  • Review README banner and usage examples
  • Check for security vulnerabilities
  • Provide comprehensive feedback

📋 Review Summary

Action Type: Node.js-based action ✅
Overall Assessment: COMPLIANT with StepSecurity requirements ✅

✅ Requirements Met

General Requirements

  • License: ✅ Both Apache and MIT licenses present with proper StepSecurity copyright (LICENSE-MIT:1 shows Copyright (c) 2023 StepSecurity)
  • Author: ✅ Package.json has @step-security/foundry-toolchain name (line 2)
  • SECURITY.md: ✅ Present and points to security@stepsecurity.io
  • Forbidden files: ✅ None found (no FUNDING.yml, renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE, CHANGELOG.md, .vscode)
  • Required workflows: ✅ Both auto_cherry_pick.yml and actions_release.yml present

Node.js Action Requirements

  • dist/ folder: ✅ Present with compiled code
  • Build script: ✅ Package.json has build script in line 17
  • Dependencies: ✅ All appear to be used (checked against imports in src/index.ts)

StepSecurity Branding & Subscription

  • README Banner: ✅ Correct StepSecurity banner added at top (README.md:1)
  • Subscription Check: ✅ Properly implemented with correct URL and logic
  • Upstream Reference: ✅ Matches auto_cherry_pick.yml config (foundry-rs/foundry-toolchain)

Workflow Configuration

  • Required workflows: ✅ Both workflows present and updated with node_version input
  • Node.js version: ✅ Upgraded to node24 in action.yml:48

Security Analysis

  • Subscription validation: ✅ Properly handles public vs private repos
  • API URL: ✅ Uses correct maintained-actions-subscription endpoint
  • Error handling: ✅ Proper timeout handling and graceful degradation
  • No security vulnerabilities identified in the code changes

📝 Code Review Details

Subscription Implementation (src/index.ts:86-131)

The subscription check implementation is excellent:

  • ✅ Correctly detects repo privacy status via GITHUB_EVENT_PATH
  • ✅ Properly skips check for public repos (line 108)
  • ✅ Uses correct API endpoint for maintained actions
  • ✅ Includes proper error messages and branding
  • ✅ Upstream variable correctly set to foundry-rs/foundry-toolchain (line 95)

Workflow Updates

All three workflow files properly updated:

  • node_version input added with default "24"
  • ✅ Input properly passed to reusable workflows

README Changes

  • ✅ StepSecurity banner correctly placed at top
  • ✅ Usage examples correctly show major version (@v1) instead of full semver

🔍 Minor Observations

  • Package.json doesn't have explicit "author" field, but this is acceptable per requirements
  • Action.yml doesn't have "author" field, but this is also acceptable per requirements
  • No repository field in package.json, but this is acceptable per requirements

🚀 Verification Status

Based on the PR description checklist:

  • Subscription check skips for public repos: Implemented correctly
  • Subscription check fires for private repos: Implemented correctly
  • README banner present: Added at top of README
  • Build requirements: dist/ folder updated, Node.js upgraded to 24

🎯 Conclusion

This pull request fully complies with all StepSecurity action requirements. The implementation is clean, secure, and follows all specified guidelines. The subscription validation logic properly handles both public and private repositories, and all required branding and configuration updates are present.

Recommendation: ✅ APPROVE - Ready for merge


Raj-StepSecurity merged commit 52c5ff6 into main on May 13, 2026
8 checks passed
anurag-stepsecurity deleted the feat/update-subscription-check branch on May 18, 2026 at 20:11