
feat: added banner and update subscription check to make maintained actions free for public repos#27

Merged
Raj-StepSecurity merged 2 commits into main from feat/update-subscription-check
Apr 14, 2026

Conversation

@Raj-StepSecurity (Collaborator)

Summary

  • Added StepSecurity Maintained Action banner to README.md
  • Updated subscription validation: public repositories are now free (no API check)
  • Upgraded Node.js runtime to node24 (if applicable)
  • Updated workflow files with configurable node_version input (if applicable)

Changes by type

  • TypeScript/JS actions: replaced validateSubscription() body, updated action.yml to node24, updated 3 workflow files, rebuilt dist/
  • Docker actions: replaced entrypoint.sh subscription block, ensured jq is installed in Dockerfile
  • Composite actions: added Subscription check step to action.yml

Verification

  • Subscription check skips for public repos
  • Subscription check fires for private repos
  • README banner is present at the top
  • Build passes (TS/JS actions)

Auto-generated by StepSecurity update-propagator. Task ID: 20260413T045616Z


claude Bot commented Apr 13, 2026

Claude finished @Raj-StepSecurity's task


Pull Request Review ✅

Reviewed PR #27 for StepSecurity maintained action compliance and security best practices.

Review Summary

Action Type: Node.js-based action (using node24 runtime)

Compliance - PASSED

Required Files & Structure

  • License: Present with both original author (Maxim Lobanov) and StepSecurity copyright
  • SECURITY.md: Present with correct StepSecurity contact
  • action.yml: Author field correctly set to "step-security"
  • Required workflows: Both auto_cherry_pick.yml and actions_release.yml present
  • Forbidden files: No renovate.json, PULL_REQUEST.md, CHANGELOG.md, FUNDING.yml, .vscode, or ISSUE_TEMPLATE found

Node.js Specific Requirements

  • package.json author: Correctly set to "step-security"
  • Repository field: Contains "step-security" organization
  • Dependencies: All dependencies are used across the source files:
    • @actions/core: Used in all source files
    • axios: Used for subscription API calls in setup-xcode.ts:3
    • plist: Used in xcode-utils.ts:4 for parsing Xcode plist files
    • semver: Used in xcode-selector.ts:4 and xcode-utils.ts:5
  • dist folder: Present with compiled index.js
  • Build script: package.json contains build script using tsc && ncc build

README.md Usage Examples

  • Version pinning: All examples correctly use major version @v1 instead of full semver
  • StepSecurity banner: Added at the top of README

🔧 Subscription Check Implementation

ISSUE IDENTIFIED: The subscription check URL is incorrect.

Current Implementation (setup-xcode.ts:35)

await axios.post(
  `https://agent.api.stepsecurity.io/v1/github/${process.env.GITHUB_REPOSITORY}/actions/maintained-actions-subscription`,
  // ...
)

Expected URL (per requirements)

https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/subscription

Required Fix: Change the endpoint from /maintained-actions-subscription to /subscription

Subscription Logic ✅

  • Correctly skips API check for public repositories (repoPrivate === false)
  • Shows appropriate messaging for free public repos
  • Properly handles private repository validation
  • Good error handling with 403 status check and timeout handling

🔒 Security Analysis - SECURE

No security vulnerabilities identified:

  • No hardcoded secrets or credentials
  • Proper input validation using @actions/core
  • Safe file operations with existence checks
  • Secure subprocess execution using child.spawnSync with proper arguments
  • Network requests use proper timeout (3000ms)
  • Environment variables handled safely

📋 Additional Observations

Positive Changes

  • Updated to Node.js 24 runtime
  • Improved error messaging with colored output
  • Good separation of concerns across multiple TypeScript files
  • Comprehensive test coverage structure

Minor Recommendations

  1. The workflow files have been updated with configurable node_version input (good practice)
  2. The dist folder has been properly rebuilt after TypeScript changes

🎯 Final Recommendation

APPROVE with one required fix: Update the subscription check URL endpoint from /maintained-actions-subscription to /subscription to match StepSecurity API requirements.

All other compliance requirements are met successfully.



claude Bot commented Apr 13, 2026

Claude finished @Raj-StepSecurity's task


Pull Request Review ✅

Reviewed PR #27 for StepSecurity maintained action compliance and security best practices.

Review Summary

Action Type: Node.js-based action (using node24 runtime)

Compliance - PASSED

Required Files & Structure

  • License: Present with both original author (Maxim Lobanov) and StepSecurity copyright
  • SECURITY.md: Present with correct StepSecurity contact
  • action.yml: Author field correctly set to "step-security"
  • Required workflows: Both auto_cherry_pick.yml and actions_release.yml present
  • Forbidden files: No renovate.json, PULL_REQUEST.md, CHANGELOG.md, FUNDING.yml, .vscode, or ISSUE_TEMPLATE found

Node.js Specific Requirements

  • package.json author: Correctly set to "step-security"
  • Repository field: Contains "step-security" organization
  • Dependencies: All dependencies are used across the source files:
    • @actions/core: Used in all source files
    • axios: Used for subscription API calls in setup-xcode.ts:3
    • plist: Used in xcode-utils.ts:4 for parsing Xcode plist files
    • semver: Used in xcode-selector.ts:4 and xcode-utils.ts:5
  • dist folder: Present with compiled index.js
  • Build script: package.json contains build script using tsc && ncc build

README.md Usage Examples

  • Version pinning: All examples correctly use major version @v1 instead of full semver
  • StepSecurity banner: Added at the top of README

🚨 Subscription Check Implementation

ISSUE IDENTIFIED: The subscription check URL is incorrect.

Current Implementation (setup-xcode.ts:33)

await axios.post(
  `https://agent.api.stepsecurity.io/v1/github/${process.env.GITHUB_REPOSITORY}/actions/maintained-actions-subscription`,
  // ...
)

Expected URL (per requirements)

https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/subscription

Required Fix: Change the endpoint from /maintained-actions-subscription to /subscription

Subscription Logic ✅

  • Correctly skips API check for public repositories (repoPrivate === false)
  • Shows appropriate messaging for free public repos
  • Properly handles private repository validation
  • Good error handling with 403 status check and timeout handling

🔒 Security Analysis - SECURE

No security vulnerabilities identified:

  • No hardcoded secrets or credentials
  • Proper input validation using @actions/core
  • Safe file operations with existence checks
  • Secure subprocess execution using child.spawnSync with proper arguments
  • Network requests use proper timeout (3000ms)
  • Environment variables handled safely

📋 Additional Observations

Positive Changes

  • Updated to Node.js 24 runtime
  • Improved error messaging with colored output
  • Good separation of concerns across multiple TypeScript files
  • Comprehensive test coverage structure

Minor Recommendations

  1. The workflow files have been updated with configurable node_version input (good practice)
  2. The dist folder has been properly rebuilt after TypeScript changes

🎯 Final Recommendation

APPROVE with one required fix: Update the subscription check URL endpoint from /maintained-actions-subscription to /subscription to match StepSecurity API requirements.

All other compliance requirements are met successfully.

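The subscription gate that both bot reviews describe (skip the API call for public repositories, call the StepSecurity endpoint for private ones with a 3000 ms timeout, treat HTTP 403 as "no subscription"), written out as an added TypeScript example. This is not the action's own validateSubscription() and does not use axios or @actions/core: the HTTP call is an injected function and the outcome is a plain return value so the logic runs offline, and the event payloads and fake client below are constructed for the example. Three things are assumptions rather than facts from the page: repository visibility is read from the repository.private field of the workflow event payload (the file at $GITHUB_EVENT_PATH), a timeout or network error lets the job continue (fail open), and any non-403 response counts as subscribed. The URL is the /actions/subscription endpoint the review asks for, not the /maintained-actions-subscription one it flags.

```typescript
// Added example: subscription gate for a StepSecurity maintained action.
// Not the project's code; axios and @actions/core are replaced by an injected
// HTTP call and plain return values so the decision logic runs offline.

export const SUBSCRIPTION_TIMEOUT_MS = 3000;

export type Visibility = "public" | "private" | "unknown";
export type Outcome = "skipped-public" | "subscribed" | "unsubscribed" | "unreachable";

// Minimal view of the HTTP response; a call that throws is "unreachable".
export interface HttpResponse { status: number }
export type Poster = (url: string, timeoutMs: number) => Promise<HttpResponse>;

// Endpoint required by the review: .../actions/subscription, not
// .../actions/maintained-actions-subscription.
export function subscriptionUrl(repository: string): string {
  return `https://agent.api.stepsecurity.io/v1/github/${repository}/actions/subscription`;
}

// Assumption: visibility comes from repository.private in the event payload
// (the JSON GitHub writes to $GITHUB_EVENT_PATH). Anything else is "unknown".
export function visibilityFromEventPayload(eventJson: string): Visibility {
  try {
    const priv = JSON.parse(eventJson)?.repository?.private;
    if (priv === true) return "private";
    if (priv === false) return "public";
  } catch {
    // malformed payload: fall through to "unknown"
  }
  return "unknown";
}

// Pure decision table, kept separate so it can be asserted on directly.
// "unknown" visibility is treated like private: the check still runs.
export function decide(visibility: Visibility, response: HttpResponse | null): Outcome {
  if (visibility === "public") return "skipped-public"; // free tier, no API call
  if (response === null) return "unreachable";          // timeout or network error
  return response.status === 403 ? "unsubscribed" : "subscribed";
}

// Performs the call only when needed and maps every failure mode to an Outcome.
export async function checkSubscription(
  visibility: Visibility,
  repository: string,
  post: Poster,
): Promise<Outcome> {
  if (visibility === "public") return decide(visibility, null);
  let response: HttpResponse | null = null;
  try {
    response = await post(subscriptionUrl(repository), SUBSCRIPTION_TIMEOUT_MS);
  } catch {
    response = null; // assumption: fail open when the API cannot be reached
  }
  return decide(visibility, response);
}

// What the action would log, and whether it should fail the job.
const GATE: Record<Outcome, { fail: boolean; message: string }> = {
  "skipped-public": { fail: false, message: "Public repository: StepSecurity maintained actions are free, skipping subscription check." },
  "subscribed":     { fail: false, message: "Subscription verified." },
  "unsubscribed":   { fail: true,  message: "Subscription is not valid (HTTP 403). Reach out to StepSecurity support." },
  "unreachable":    { fail: false, message: "Subscription API timed out or is unreachable; continuing." },
};
export function gateMessage(outcome: Outcome): { fail: boolean; message: string } {
  return GATE[outcome];
}

// Constructed fake client: 403 for one repo, a timeout for another, 200 otherwise.
export const fakePoster: Poster = async (url) => {
  if (url.includes("/acme/no-plan/")) return { status: 403 };
  if (url.includes("/acme/slow/")) throw new Error("timeout of 3000ms exceeded");
  return { status: 200 };
};

// Constructed event payloads in the shape GitHub writes to $GITHUB_EVENT_PATH.
export const PUBLIC_EVENT = JSON.stringify({ repository: { full_name: "acme/site", private: false } });
export const PRIVATE_EVENT = JSON.stringify({ repository: { full_name: "acme/no-plan", private: true } });
```

In the real action the poster would be the axios call with its timeout option, and gateMessage() would feed core.info() or core.setFailed(); keeping decide() pure is what makes the public-skip and 403 paths the review lists testable without network access.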

Raj-StepSecurity merged commit 7920c62 into main Apr 14, 2026
21 checks passed
