
feat: added banner and update subscription check to make maintained actions free for public repos#29

Merged
amanstep merged 1 commit into main from feat/update-subscription-check on May 6, 2026

Conversation

@anurag-stepsecurity (Contributor)

Summary

  • Added StepSecurity Maintained Action banner to README.md
  • Updated subscription validation: public repositories are now free (no API check)
  • Upgraded Node.js runtime to node24
  • Updated workflow files with configurable node_version input

Changes by type

  • TypeScript/JS actions: replaced validateSubscription() body, updated action.yml to node24, updated 3 workflow files, rebuilt dist/

Verification

  • Subscription check skips for public repos
  • Subscription check fires for private repos
  • README banner is present at the top
  • Build passes (TS/JS actions)

Auto-generated by StepSecurity update-propagator. Task ID: 20260423T092801Z

…ctions free for public repos

Signed-off-by: Anurag Rajawat <anurag@stepsecurity.io>
@anurag-stepsecurity anurag-stepsecurity added the review-required This PR requires review label Apr 23, 2026
@claude (Bot) commented Apr 23, 2026

Claude finished @anurag-stepsecurity's task.


Pull Request Review

I've completed a comprehensive review of this PR based on the StepSecurity maintained action requirements.

Review Checklist

  • Determine action type (Node.js/Docker/Composite)
  • Check license and copyright requirements
  • Verify action.yml structure and author
  • Check for required files (Security.md, workflows)
  • Verify prohibited files are not present
  • Review README banner and usage examples
  • Analyze subscription check implementation
  • Check for security vulnerabilities
  • Review Node.js-specific requirements
  • Verify dependencies and build process

📊 Overall Assessment: APPROVED

This PR successfully implements the required StepSecurity maintained action standards with proper subscription validation for public repositories.


Compliant Areas

Action Structure

  • Type: Node.js-based action using node24 runtime ✅
  • License: MIT with StepSecurity copyright (2025) ✅
  • Author fields: step-security in both action.yml and package.json ✅

Required Files Present

  • action.yaml with correct author ✅
  • SECURITY.md
  • .github/workflows/auto_cherry_pick.yml
  • .github/workflows/actions_release.yml
  • dist/ folder present ✅

Prohibited Files Correctly Absent

  • No FUNDING.yml or funding.yml
  • No renovate.json
  • No PULL_REQUEST.md
  • No ISSUE_TEMPLATE folder ✅
  • No CHANGELOG.md
  • No .vscode folder ✅

README Requirements

  • StepSecurity banner present at top ✅
  • Usage examples use major version only (@v1) ✅
  • Repository field in package.json: step-security/setup-crate

Subscription Logic Implementation

  • URL: Correctly calls https://agent.api.stepsecurity.io/v1/github/${GITHUB_REPOSITORY}/actions/maintained-actions-subscription
  • Public repo handling: Properly skips API call for public repositories (repoPrivate === false) ✅
  • Upstream variable: Set to 'extractions/setup-crate' which matches the original-owner/repo-name from auto_cherry_pick.yml (extractions/setup-crate) ✅
  • Error handling: Proper 403 status handling with informative messages ✅

Node.js-Specific Requirements

  • Build script present in package.json ✅
  • Dependencies properly used: @actions/core, @step-security/setup-crate, axios
  • Node version upgraded to 24 in action.yml ✅
  • Workflow files updated with configurable node_version input ✅

Security Analysis

  • Environment variables used safely (standard GitHub context variables) ✅
  • No dynamic code execution or eval usage ✅
  • Axios used with proper timeout (3000ms) ✅
  • No hardcoded secrets or credentials ✅

🎯 Key Changes Validated

  1. Subscription Check Enhancement: src/index.ts:15,23-28
     • Public repositories now bypass subscription validation
     • Clear messaging: "✓ Free for public repositories"
  2. Node.js Runtime Upgrade: action.yaml:25
     • Successfully upgraded from previous version to node24
  3. README Banner: README.md:1
     • StepSecurity maintained action banner properly added
  4. Workflow Updates: All workflow files updated with node_version input

Final Verdict

This PR fully complies with all StepSecurity maintained action requirements. The implementation correctly makes public repositories free while maintaining subscription validation for private repositories. All security best practices are followed, and the codebase structure meets the required standards.

Recommendation: APPROVE AND MERGE 🚀
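The subscription gate the review describes (skip the API for public repos, call the maintained-actions-subscription endpoint for private ones with a 3000 ms timeout, treat 403 as "no subscription") can be sketched as a small TypeScript module. This is an added illustration, not the code in the PR's src/index.ts or any StepSecurity code. The endpoint URL, the 3000 ms timeout and the upstream slug extractions/setup-crate come from the page; everything else is assumed: the names validateSubscription, subscriptionUrl, isPublicRepository, decideSubscription, EventPayload and StatusFetcher are mine, visibility is taken from the event payload's repository.private field, and a timeout or non-403 failure is reported but does not block the run. The point worth noting for a maintainer is the strict `=== false` test: a missing or undefined visibility field is treated as unknown and still triggers the check, so the free path is only taken when the repository is positively public.

```typescript
// Added example (not the project's src/index.ts). Assumptions, all mine:
//  - repository visibility is read from the event payload's repository.private field;
//  - the subscription endpoint answers 403 when the repo has no subscription;
//  - a timeout or any non-403, non-2xx reply is reported but does not block the run.
// The endpoint URL and the 3000 ms timeout are the values stated in the review.

interface SubscriptionDecision {
  apiCalled: boolean; // true when the StepSecurity API was contacted
  allowed: boolean;   // false means the caller should fail the step
  message: string;
}

// The few event-payload fields the gate relies on.
interface EventPayload {
  repository?: { private?: boolean };
}

// Injected HTTP layer so the logic runs offline in tests; in the action this would
// wrap axios.get(url, { timeout: timeoutMs, validateStatus: () => true }) and return .status.
type StatusFetcher = (url: string, timeoutMs: number) => Promise<number>;

const SUBSCRIPTION_API_BASE = "https://agent.api.stepsecurity.io/v1/github";
const REQUEST_TIMEOUT_MS = 3000;
const UPSTREAM = "extractions/setup-crate";

// Build the endpoint URL; reject slugs that are not exactly owner/name so the
// value interpolated into the path cannot add or remove segments.
function subscriptionUrl(repository: string): string {
  if (!/^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+$/.test(repository)) {
    throw new Error(`unexpected GITHUB_REPOSITORY value: ${JSON.stringify(repository)}`);
  }
  return `${SUBSCRIPTION_API_BASE}/${repository}/actions/maintained-actions-subscription`;
}

// Only an explicit `private: false` counts as public. A missing field means the
// visibility is unknown, so the check still runs rather than being skipped.
function isPublicRepository(payload: EventPayload): boolean {
  return payload.repository?.private === false;
}

// Pure decision from visibility and HTTP status (undefined = request failed or timed out).
function decideSubscription(repoPrivate: boolean, status: number | undefined): SubscriptionDecision {
  if (!repoPrivate) {
    return { apiCalled: false, allowed: true, message: "✓ Free for public repositories" };
  }
  if (status === 403) {
    return {
      apiCalled: true,
      allowed: false,
      message: `Subscription is not valid: ${UPSTREAM} (maintained by StepSecurity) requires a subscription for private repositories.`,
    };
  }
  if (status !== undefined && status >= 200 && status < 300) {
    return { apiCalled: true, allowed: true, message: "Subscription check passed." };
  }
  // Assumed fail-open behaviour for timeouts and unexpected replies.
  return { apiCalled: true, allowed: true, message: `Could not verify subscription (status ${status ?? "none"}); continuing.` };
}

// Entry point shaped like a validateSubscription() routine: skip the API for
// public repos, otherwise query it with the timeout and map the outcome.
async function validateSubscription(
  repository: string,
  payload: EventPayload,
  fetchStatus: StatusFetcher,
): Promise<SubscriptionDecision> {
  if (isPublicRepository(payload)) {
    return decideSubscription(false, undefined);
  }
  const url = subscriptionUrl(repository); // throws on a malformed slug; deliberately not swallowed below
  let status: number | undefined;
  try {
    status = await fetchStatus(url, REQUEST_TIMEOUT_MS);
  } catch {
    status = undefined; // network error or timeout
  }
  return decideSubscription(true, status);
}

// Constructed stand-alone run: a private repository whose endpoint returns 403.
const fakeFetch: StatusFetcher = async (url) => (url.includes("/private-repo/") ? 403 : 200);
validateSubscription("example-org/private-repo", { repository: { private: true } }, fakeFetch)
  .then((d) => console.log(d.allowed ? d.message : `FAILED: ${d.message}`));
```

In the action itself the caller would pass the result to core.setFailed when allowed is false and to core.info otherwise; the HTTP layer is injected only so the decision logic can be exercised without network access. Whether a timeout should fail open (as assumed here) or fail closed is a product decision the PR does not state.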

@amanstep amanstep merged commit b2dbf06 into main May 6, 2026
24 checks passed
@anurag-stepsecurity anurag-stepsecurity deleted the feat/update-subscription-check branch May 6, 2026 12:25