step-security · anurag-stepsecurity · May 6, 2026 · Apr 16, 2026
diff --git a/.github/workflows/actions_release.yml b/.github/workflows/actions_release.yml
@@ -6,6 +6,14 @@ on:
       tag:
         description: "Tag for the release"
         required: true
+      script:
+        required: true
+        type: string
+        default: 'npm run all'
+      node_version:
+        description: "Specify Node.js version (e.g., '18', '20', 'lts/*')"
+        required: false
+        default: "24"
 
 permissions:
   contents: read
@@ -18,4 +26,6 @@ jobs:
       contents: write
     uses: step-security/reusable-workflows/.github/workflows/actions_release.yaml@v1
     with:
-      tag: "${{ github.event.inputs.tag }}"
+      tag: "${{ github.event.inputs.tag }}"
+      script: "${{ github.event.inputs.script }}"
+      node_version: "${{ github.event.inputs.node_version }}"
diff --git a/.github/workflows/audit_package.yml b/.github/workflows/audit_package.yml
@@ -10,6 +10,10 @@ on:
         description: "Specify a base branch"
         required: false
         default: "main"
+      node_version:
+        description: "Specify Node.js version (e.g., '18', '20', 'lts/*')"
+        required: false
+        default: "24"
   schedule:
     - cron: "0 0 * * 1"
 
@@ -19,6 +23,7 @@ jobs:
     with:
       force: ${{ inputs.force || false }}
       base_branch: ${{ inputs.base_branch || 'main' }}
+      node_version: "${{ inputs.node_version || '24' }}"
 
 permissions:
   contents: write

diff --git a/.github/workflows/auto_cherry_pick.yml b/.github/workflows/auto_cherry_pick.yml
@@ -11,6 +11,10 @@ on:
         description: "Run mode: cherry-pick or verify"
         required: false
         default: "cherry-pick"
+      node_version:
+        description: "Specify Node.js version (e.g., '18', '20', 'lts/*')"
+        required: false
+        default: "24"
 
   pull_request:
     types: [labeled, opened, synchronize]
@@ -30,3 +34,4 @@ jobs:
       repo-name: "setup-zig"
       base_branch: ${{ inputs.base_branch }}
       mode: ${{ github.event_name == 'pull_request' && 'verify' || inputs.mode }}
+      node_version: "${{ inputs.node_version || '24' }}"
diff --git a/README.md b/README.md
@@ -1,3 +1,5 @@
+[![StepSecurity Maintained Action](https://raw.githubusercontent.com/step-security/maintained-actions-assets/main/assets/maintained-action-banner.png)](https://docs.stepsecurity.io/actions/stepsecurity-maintained-actions)
+
 # setup-zig
 
 Install the Zig compiler for use in an Actions workflow, and preserve the Zig cache across workflow runs.

diff --git a/action.yml b/action.yml
@@ -25,7 +25,7 @@ inputs:
     required: false
     default: ''
 runs:
-  using: "node20"
+  using: "node24"
   main: "dist/index.js"
   post: "dist/post/index.js"
   post-if: success()
diff --git a/dist/index.js b/dist/index.js
@@ -90088,6 +90088,7 @@ module.exports = /*#__PURE__*/JSON.parse('{"application/1d-interleaved-parityfec
 var __webpack_exports__ = {};
 const os = __nccwpck_require__(857);
 const path = __nccwpck_require__(6928);
+const fsSync = __nccwpck_require__(9896);
 const fs = (__nccwpck_require__(9896).promises);
 const core = __nccwpck_require__(7484);
 const tc = __nccwpck_require__(3472);
@@ -90211,19 +90212,48 @@ async function retrieveTarball(tarball_name, tarball_ext) {
 }
 
 async function validateSubscription() {
-  const API_URL = `https://agent.api.stepsecurity.io/v1/github/${process.env.GITHUB_REPOSITORY}/actions/subscription`;
-
+  let repoPrivate;
+  const eventPath = process.env.GITHUB_EVENT_PATH;
+  if (eventPath && fsSync.existsSync(eventPath)) {
+    const payload = JSON.parse(fsSync.readFileSync(eventPath, "utf8"));
+    repoPrivate = payload?.repository?.private;
+  }
+
+  const upstream = "mlugg/setup-zig";
+  const action = process.env.GITHUB_ACTION_REPOSITORY;
+  const docsUrl =
+    "https://docs.stepsecurity.io/actions/stepsecurity-maintained-actions";
+
+  core.info("");
+  core.info("\u001b[1;36mStepSecurity Maintained Action\u001b[0m");
+  core.info(`Secure drop-in replacement for ${upstream}`);
+  if (repoPrivate === false)
+    core.info("\u001b[32m\u2713 Free for public repositories\u001b[0m");
+  core.info(`\u001b[36mLearn more:\u001b[0m ${docsUrl}`);
+  core.info("");
+
+  if (repoPrivate === false) return;
+  const serverUrl = process.env.GITHUB_SERVER_URL || "https://github.com";
+  const body = { action: action || "" };
+
+  if (serverUrl !== "https://github.com") body.ghes_server = serverUrl;
   try {
-    await axios.get(API_URL, {timeout: 3000});
+    await axios.post(
+      `https://agent.api.stepsecurity.io/v1/github/${process.env.GITHUB_REPOSITORY}/actions/maintained-actions-subscription`,
+      body,
+      { timeout: 3000 },
+    );
   } catch (error) {
-    if (error.response && error.response.status === 403) {
-      console.error(
-        'Subscription is not valid. Reach out to support@stepsecurity.io'
+    if (axios.isAxiosError(error) && error.response?.status === 403) {
+      core.error(
+        `\u001b[1;31mThis action requires a StepSecurity subscription for private repositories.\u001b[0m`,
+      );
+      core.error(
+        `\u001b[31mLearn how to enable a subscription: ${docsUrl}\u001b[0m`,
       );
       process.exit(1);
-    } else {
-      core.info('Timeout or API not reachable. Continuing to next step.');
     }
+    core.info("Timeout or API not reachable. Continuing to next step.");
   }
 }
 

diff --git a/dist/index.js.map b/dist/index.js.map
diff --git a/main.js b/main.js
@@ -1,5 +1,6 @@
 const os = require('os');
 const path = require('path');
+const fsSync = require('fs');
 const fs = require('fs').promises;
 const core = require('@actions/core');
 const tc = require('@actions/tool-cache');
@@ -123,19 +124,48 @@ async function retrieveTarball(tarball_name, tarball_ext) {
 }
 
 async function validateSubscription() {
-  const API_URL = `https://agent.api.stepsecurity.io/v1/github/${process.env.GITHUB_REPOSITORY}/actions/subscription`;
+  let repoPrivate;
+  const eventPath = process.env.GITHUB_EVENT_PATH;
+  if (eventPath && fsSync.existsSync(eventPath)) {
+    const payload = JSON.parse(fsSync.readFileSync(eventPath, "utf8"));
+    repoPrivate = payload?.repository?.private;
+  }
+
+  const upstream = "mlugg/setup-zig";
+  const action = process.env.GITHUB_ACTION_REPOSITORY;
+  const docsUrl =
+    "https://docs.stepsecurity.io/actions/stepsecurity-maintained-actions";
+
+  core.info("");
+  core.info("\u001b[1;36mStepSecurity Maintained Action\u001b[0m");
+  core.info(`Secure drop-in replacement for ${upstream}`);
+  if (repoPrivate === false)
+    core.info("\u001b[32m\u2713 Free for public repositories\u001b[0m");
+  core.info(`\u001b[36mLearn more:\u001b[0m ${docsUrl}`);
+  core.info("");
 
+  if (repoPrivate === false) return;
+  const serverUrl = process.env.GITHUB_SERVER_URL || "https://github.com";
+  const body = { action: action || "" };
+
+  if (serverUrl !== "https://github.com") body.ghes_server = serverUrl;
   try {
-    await axios.get(API_URL, {timeout: 3000});
+    await axios.post(
+      `https://agent.api.stepsecurity.io/v1/github/${process.env.GITHUB_REPOSITORY}/actions/maintained-actions-subscription`,
+      body,
+      { timeout: 3000 },
+    );
   } catch (error) {
-    if (error.response && error.response.status === 403) {
-      console.error(
-        'Subscription is not valid. Reach out to support@stepsecurity.io'
+    if (axios.isAxiosError(error) && error.response?.status === 403) {
+      core.error(
+        `\u001b[1;31mThis action requires a StepSecurity subscription for private repositories.\u001b[0m`,
+      );
+      core.error(
+        `\u001b[31mLearn how to enable a subscription: ${docsUrl}\u001b[0m`,
       );
       process.exit(1);
-    } else {
-      core.info('Timeout or API not reachable. Continuing to next step.');
     }
+    core.info("Timeout or API not reachable. Continuing to next step.");
   }
 }