
feat: added banner and update subscription check to make maintained actions free for public repos#134

Merged
anurag-stepsecurity merged 1 commit into main from feat/update-subscription-check
May 6, 2026

Conversation

@Raj-StepSecurity (Contributor)

Summary

  • Added StepSecurity Maintained Action banner to README.md
  • Updated subscription validation: public repositories are now free (no API check)
  • Upgraded Node.js runtime to node24 (if applicable)
  • Updated workflow files with configurable node_version input (if applicable)

Changes by type

  • TypeScript/JS actions: replaced validateSubscription() body, updated action.yml to node24, updated 3 workflow files, rebuilt dist/
  • Docker actions: replaced entrypoint.sh subscription block, ensured jq is installed in Dockerfile
  • Composite actions: added Subscription check step to action.yml

Verification

  • Subscription check skips for public repos
  • Subscription check fires for private repos
  • README banner is present at the top
  • Build passes (TS/JS actions)

Auto-generated by StepSecurity update-propagator. Task ID: 20260416T083320Z


claude Bot commented Apr 16, 2026

Claude finished @Raj-StepSecurity's task

Pull Request Review - Complete ✅

I've completed a comprehensive review of this StepSecurity maintained action PR. Here's my detailed analysis:

Review Summary:

  • Determine action type (node/docker/composite) - Node-based action
  • Check license and copyright compliance - ✅ Both authors present
  • Verify action.yml structure and author - ⚠️ Missing author field
  • Check required files (SECURITY.md, workflows) - ✅ All present
  • Verify forbidden files are not present - ✅ Clean
  • Review README banner and usage examples - ✅ Banner present, examples use major version
  • Analyze subscription check implementation - ✅ Correctly implemented
  • Review security vulnerabilities - ✅ No issues found
  • Check node-specific requirements - ⚠️ Some issues found
  • Provide final recommendations

COMPLIANT ITEMS

General Requirements:

  • License: Both original author (Matthew Lugg) and StepSecurity copyrights present
  • SECURITY.md: Present with proper StepSecurity contact
  • Required workflows: auto_cherry_pick.yml and actions_release.yml present
  • Forbidden files: No FUNDING.yml, renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE/, CHANGELOG.md, or .vscode/ found
  • README banner: StepSecurity maintained action banner properly placed at top
  • Usage examples: Use major version @v2 instead of complete semver

Subscription Check:

  • Implementation: validateSubscription() function present in main.js:126
  • API endpoint: Correctly calls https://agent.api.stepsecurity.io/v1/github/${process.env.GITHUB_REPOSITORY}/actions/maintained-actions-subscription
  • Public repo handling: Skips subscription check for public repositories (repoPrivate === false)
  • Upstream reference: upstream = "mlugg/setup-zig" matches auto_cherry_pick.yml values (original-owner: "mlugg", repo-name: "setup-zig")

Node-specific Requirements:

  • Runtime: Updated to node24 in action.yml:28
  • Dist folder: Present and updated
  • Build script: npm run build defined in package.json:7
  • Dependencies: All declared dependencies appear to be used

⚠️ ISSUES FOUND

Minor Issues:

  1. Missing author in action.yml (action.yml:1-32)

    • The action.yml file doesn't have an author field
    • While the requirement says "ignore if not present," StepSecurity maintained actions typically include this field
  2. Missing author in package.json (package.json:11)

    • The author field is empty
    • Should be set to "step-security"
  3. Missing repository field (package.json)

    • No repository field in package.json
    • Should contain reference to step-security organization

🔒 SECURITY ANALYSIS

No security vulnerabilities identified:

  • ✅ Subscription check properly validates public vs private repos
  • ✅ No hardcoded secrets or API keys
  • ✅ Minisign signature verification implemented for downloads
  • ✅ Tarball filename verification prevents malicious substitution
  • ✅ Mirror validation prevents official ziglang.org abuse
  • ✅ Error handling doesn't expose sensitive information

📝 RECOMMENDATIONS

High Priority:

  1. Add author: step-security to action.yml
  2. Set author: "step-security" in package.json
  3. Add repository field to package.json: "repository": "step-security/setup-zig"

Low Priority:

  • Consider running the build process in CI to verify dist/ files are properly updated

OVERALL ASSESSMENT

This PR successfully implements the StepSecurity maintained action standards with only minor metadata issues. The subscription check is correctly implemented, security practices are sound, and all critical requirements are met. The issues identified are cosmetic and don't affect functionality.

Recommendation: APPROVE with minor fixes

anurag-stepsecurity force-pushed the feat/update-subscription-check branch from 7165bfa to fef04e6 on May 6, 2026 12:09

claude Bot commented May 6, 2026

Claude finished @Raj-StepSecurity's task

Pull Request Review - Complete ✅

I've completed a comprehensive review of this StepSecurity maintained action PR. Here's my detailed analysis:

Review Summary:

  • Determine action type (node/docker/composite) - Node-based action
  • Check license and copyright compliance - ✅ Both authors present
  • Verify action.yml structure and author - ⚠️ Missing author field
  • Check required files (SECURITY.md, workflows) - ✅ All present
  • Verify forbidden files are not present - ✅ Clean
  • Review README banner and usage examples - ✅ Banner present, examples use major version
  • Analyze subscription check implementation - ✅ Correctly implemented
  • Review security vulnerabilities - ✅ No issues found
  • Check node-specific requirements - ⚠️ Some issues found
  • Provide final recommendations

COMPLIANT ITEMS

General Requirements:

  • License: Both original author (Matthew Lugg) and StepSecurity copyrights present
  • SECURITY.md: Present with proper StepSecurity contact
  • Required workflows: auto_cherry_pick.yml and actions_release.yml present
  • Forbidden files: No FUNDING.yml, renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE/, CHANGELOG.md, or .vscode/ found
  • README banner: StepSecurity maintained action banner properly placed at top
  • Usage examples: Use major version @v2 instead of complete semver

Subscription Check:

  • Implementation: validateSubscription() function present in main.js:126
  • API endpoint: Correctly calls https://agent.api.stepsecurity.io/v1/github/${process.env.GITHUB_REPOSITORY}/actions/maintained-actions-subscription
  • Public repo handling: Skips subscription check for public repositories (repoPrivate === false)
  • Upstream reference: upstream = "mlugg/setup-zig" matches auto_cherry_pick.yml values (original-owner: "mlugg", repo-name: "setup-zig")

Node-specific Requirements:

  • Runtime: Updated to node24 in action.yml:28
  • Dist folder: Present and updated
  • Build script: npm run build defined in package.json:7
  • Dependencies: All declared dependencies appear to be used

⚠️ ISSUES FOUND

Minor Issues:

  1. Missing author in action.yml (action.yml:1-32)

    • The action.yml file doesn't have an author field
    • While the requirement says "ignore if not present," StepSecurity maintained actions typically include this field
  2. Missing author in package.json (package.json:11)

    • The author field is empty
    • Should be set to "step-security"
  3. Missing repository field (package.json)

    • No repository field in package.json
    • Should contain reference to step-security organization

🔒 SECURITY ANALYSIS

No security vulnerabilities identified:

  • ✅ Subscription check properly validates public vs private repos
  • ✅ No hardcoded secrets or API keys
  • ✅ Minisign signature verification implemented for downloads
  • ✅ Tarball filename verification prevents malicious substitution
  • ✅ Mirror validation prevents official ziglang.org abuse
  • ✅ Error handling doesn't expose sensitive information

📝 RECOMMENDATIONS

High Priority:

  1. Add author: step-security to action.yml
  2. Set author: "step-security" in package.json
  3. Add repository field to package.json: "repository": "step-security/setup-zig"

Low Priority:

  • Consider running the build process in CI to verify dist/ files are properly updated

OVERALL ASSESSMENT

This PR successfully implements the StepSecurity maintained action standards with only minor metadata issues. The subscription check is correctly implemented, security practices are sound, and all critical requirements are met. The issues identified are cosmetic and don't affect functionality.

Recommendation: APPROVE with minor fixes

anurag-stepsecurity merged commit 5c5aa6f into main on May 6, 2026
8 checks passed
anurag-stepsecurity deleted the feat/update-subscription-check branch on May 6, 2026 13:01