feat: added banner and update subscription check to make maintained actions free for public repos

[Raj-StepSecurity]

Summary

• Added StepSecurity Maintained Action banner to README.md
• Updated subscription validation: public repositories are now free (no API check)
• Added REPO_PRIVATE env var to action.yml for Docker entrypoint

Changes by type

• Docker/Shell actions: replaced entrypoint.sh subscription block
• action.yml: added REPO_PRIVATE environment variable
• README.md: added StepSecurity banner

Verification

• Subscription check skips for public repos
• Subscription check fires for private repos
• README banner is present at the top

Auto-generated by StepSecurity update-propagator. Task ID: 20260408T054923Z

[claude]

Claude finished @Raj-StepSecurity's task —— View job

---

Pull Request Review ✅

Comprehensive review completed against StepSecurity maintained actions standards.

Todo List:

• Analyze changed files and determine action type
• Review general action requirements (license, security.md, workflows, etc.)
• Review Docker-specific requirements
• Analyze subscription check implementation
• Check for security vulnerabilities
• Provide final assessment and recommendations

Action Type Identified: Docker-based action (uses Dockerfile and entrypoint.sh)

---

✅ General Requirements Status:

• ✅ License present with both original and StepSecurity copyright (LICENSE:4)
• ✅ action.yml has step-security as author (action.yml:3)
• ✅ SECURITY.md file present
• ✅ Required workflow files present (.github/workflows/auto_cherry_pick.yml and actions_release.yml)
• ✅ No prohibited files found (FUNDING.yml, renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE, CHANGELOG.md, .vscode)
• ✅ README.md contains StepSecurity banner (README.md:1) and uses major version (v1) in usage example (README.md:26)

❌ Docker-Specific Requirements Status:

• ❌ CRITICAL: Action uses published Docker image but with specific SHA digest pinning instead of major version tag
  • Current: docker://ghcr.io/step-security/action-actionlint:v1.71.0@sha256:... (action.yml:54)
  • Required Fix: Should use major version tag like docker://ghcr.io/step-security/action-actionlint:v1
• ✅ Docker image published to step-security org (ghcr.io/step-security/)

✅ Subscription Check Implementation:

• ✅ Subscription check present and correctly implemented (entrypoint.sh:16-40)
• ✅ API URL matches required pattern: https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/maintained-actions-subscription (entrypoint.sh:25)
• ✅ Upstream variable correctly set: "reviewdog/action-actionlint" (entrypoint.sh:3) matches auto_cherry_pick.yml configuration (auto_cherry_pick.yml:29-30)
• ✅ NEW FEATURE: Public repositories now skip subscription check (REPO_PRIVATE=false logic) (entrypoint.sh:10-14)
• ✅ Private repositories still require subscription validation (entrypoint.sh:16-40)

✅ Security Analysis:

• ✅ No command injection vulnerabilities found
• ✅ HTTP requests properly secured with timeouts and error handling (entrypoint.sh:27-31)
• ✅ No unsafe eval, exec, or command substitution patterns detected in action code
• ✅ Git configuration safely scoped to workspace directory (entrypoint.sh:47)
• ✅ Input validation appropriate for shell script context
• ✅ Error outputs properly formatted for GitHub Actions (entrypoint.sh:36-37)

---

🎯 Summary and Recommendations:

This PR successfully implements the required StepSecurity banner and public repository subscription logic, but has one critical issue that must be addressed:

❌ BLOCKER: The Docker image reference in action.yml:54 uses SHA pinning instead of major version tagging, violating Docker-based action requirements.

🔧 Required Fix:

# Current (INCORRECT):
image: 'docker://ghcr.io/step-security/action-actionlint:v1.71.0@sha256:06ce34c2a9b5566d4998e5c86153628abe752ec2cada1779cb824af7d07f65f0'

# Required (CORRECT):
image: 'docker://ghcr.io/step-security/action-actionlint:v1'

✅ What this PR does well:

• Properly adds StepSecurity maintained action banner
• Correctly implements public repo subscription bypass
• Maintains all required security and compliance standards
• Preserves existing functionality for private repositories

[claude]

Claude finished @Raj-StepSecurity's task —— View job

---

Claude finished reviewing the pull request ✅

---

Pull Request Review

Comprehensive review completed against StepSecurity maintained actions standards.

Todo List:

• Analyze changed files and determine action type
• Review general action requirements (license, security.md, workflows, etc.)
• Review Docker-specific requirements
• Analyze subscription check implementation
• Check for security vulnerabilities
• Provide final assessment and recommendations

Action Type Identified: Docker-based action (uses Dockerfile and entrypoint.sh)

---

✅ General Requirements Status:

• ✅ License present with both original and StepSecurity copyright (LICENSE:4)
• ✅ action.yml has step-security as author (action.yml:3)
• ✅ SECURITY.md file present
• ✅ Required workflow files present (.github/workflows/auto_cherry_pick.yml and actions_release.yml)
• ✅ No prohibited files found (FUNDING.yml, renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE, CHANGELOG.md, .vscode)
• ✅ README.md contains StepSecurity banner (README.md:1) and uses major version (v1) in usage example (README.md:26)

❌ Docker-Specific Requirements Status:

• ❌ CRITICAL: Action uses published Docker image but with specific SHA digest pinning instead of major version tag
  • Current: docker://ghcr.io/step-security/action-actionlint:v1.71.0@sha256:... (action.yml:54)
  • Required Fix: Should use major version tag like docker://ghcr.io/step-security/action-actionlint:v1
• ✅ Docker image published to step-security org (ghcr.io/step-security/)

✅ Subscription Check Implementation:

• ✅ Subscription check present and correctly implemented (entrypoint.sh:16-40)
• ✅ API URL matches required pattern: https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/maintained-actions-subscription (entrypoint.sh:25)
• ✅ Upstream variable correctly set: "reviewdog/action-actionlint" (entrypoint.sh:3) matches auto_cherry_pick.yml configuration (auto_cherry_pick.yml:29-30)
• ✅ NEW FEATURE: Public repositories now skip subscription check (REPO_PRIVATE=false logic) (entrypoint.sh:10-14)
• ✅ Private repositories still require subscription validation (entrypoint.sh:16-40)

✅ Security Analysis:

• ✅ No command injection vulnerabilities found
• ✅ HTTP requests properly secured with timeouts and error handling (entrypoint.sh:27-31)
• ✅ No unsafe eval, exec, or command substitution patterns detected in action code
• ✅ Git configuration safely scoped to workspace directory (entrypoint.sh:47)
• ✅ Input validation appropriate for shell script context
• ✅ Error outputs properly formatted for GitHub Actions (entrypoint.sh:36-37)

---

🎯 Summary and Recommendations:

This PR successfully implements the required StepSecurity banner and public repository subscription logic, but has one critical issue that must be addressed:

❌ BLOCKER: The Docker image reference in action.yml:54 uses SHA pinning instead of major version tagging, violating Docker-based action requirements.

🔧 Required Fix:

# Current (INCORRECT):
image: 'docker://ghcr.io/step-security/action-actionlint:v1.71.0@sha256:06ce34c2a9b5566d4998e5c86153628abe752ec2cada1779cb824af7d07f65f0'

# Required (CORRECT):
image: 'docker://ghcr.io/step-security/action-actionlint:v1'

✅ What this PR does well:

• Properly adds StepSecurity maintained action banner
• Correctly implements public repo subscription bypass
• Maintains all required security and compliance standards
• Preserves existing functionality for private repositories