
feat: added banner and update subscription check to make maintained actions free for public repos#47

Merged

Raj-StepSecurity merged 2 commits into main from feat/update-subscription-check on Apr 8, 2026

Conversation

@Raj-StepSecurity

Contributor

Summary

  • Added StepSecurity Maintained Action banner to README.md
  • Updated subscription validation: public repositories are now free (no API check)
  • Added REPO_PRIVATE env var to action.yml for Docker entrypoint

Changes by type

  • Docker/Shell actions: replaced entrypoint.sh subscription block
  • action.yml: added REPO_PRIVATE environment variable
  • README.md: added StepSecurity banner

Verification

  • Subscription check skips for public repos
  • Subscription check fires for private repos
  • README banner is present at the top

Auto-generated by StepSecurity update-propagator. Task ID: 20260408T054923Z

@claude

claude Bot commented Apr 8, 2026


Claude finished @Raj-StepSecurity's task


Pull Request Review ✅

Comprehensive review completed against StepSecurity maintained actions standards.

Todo List:

  • Analyze changed files and determine action type
  • Review general action requirements (license, security.md, workflows, etc.)
  • Review Docker-specific requirements
  • Analyze subscription check implementation
  • Check for security vulnerabilities
  • Provide final assessment and recommendations

Action Type Identified: Docker-based action (uses Dockerfile and entrypoint.sh)


✅ General Requirements Status:

  • ✅ License present with both original and StepSecurity copyright (LICENSE:4)
  • ✅ action.yml has step-security as author (action.yml:3)
  • ✅ SECURITY.md file present
  • ✅ Required workflow files present (.github/workflows/auto_cherry_pick.yml and actions_release.yml)
  • ✅ No prohibited files found (FUNDING.yml, renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE, CHANGELOG.md, .vscode)
  • ✅ README.md contains StepSecurity banner (README.md:1) and uses major version (v1) in usage example (README.md:26)

❌ Docker-Specific Requirements Status:

  • CRITICAL: Action uses published Docker image but with specific SHA digest pinning instead of major version tag
    • Current: docker://ghcr.io/step-security/action-actionlint:v1.71.0@sha256:... (action.yml:54)
    • Required Fix: Should use major version tag like docker://ghcr.io/step-security/action-actionlint:v1
  • ✅ Docker image published to step-security org (ghcr.io/step-security/)

✅ Subscription Check Implementation:

  • ✅ Subscription check present and correctly implemented (entrypoint.sh:16-40)
  • ✅ API URL matches required pattern: https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/maintained-actions-subscription (entrypoint.sh:25)
  • ✅ Upstream variable correctly set: "reviewdog/action-actionlint" (entrypoint.sh:3) matches auto_cherry_pick.yml configuration (auto_cherry_pick.yml:29-30)
  • NEW FEATURE: Public repositories now skip subscription check (REPO_PRIVATE=false logic) (entrypoint.sh:10-14)
  • ✅ Private repositories still require subscription validation (entrypoint.sh:16-40)

✅ Security Analysis:

  • ✅ No command injection vulnerabilities found
  • ✅ HTTP requests properly secured with timeouts and error handling (entrypoint.sh:27-31)
  • ✅ No unsafe eval, exec, or command substitution patterns detected in action code
  • ✅ Git configuration safely scoped to workspace directory (entrypoint.sh:47)
  • ✅ Input validation appropriate for shell script context
  • ✅ Error outputs properly formatted for GitHub Actions (entrypoint.sh:36-37)

🎯 Summary and Recommendations:

This PR successfully implements the required StepSecurity banner and public repository subscription logic, but has one critical issue that must be addressed:

❌ BLOCKER: The Docker image reference in action.yml:54 uses SHA pinning instead of major version tagging, violating Docker-based action requirements.

🔧 Required Fix:

# Current (INCORRECT):
image: 'docker://ghcr.io/step-security/action-actionlint:v1.71.0@sha256:06ce34c2a9b5566d4998e5c86153628abe752ec2cada1779cb824af7d07f65f0'

# Required (CORRECT):
image: 'docker://ghcr.io/step-security/action-actionlint:v1'

✅ What this PR does well:

  • Properly adds StepSecurity maintained action banner
  • Correctly implements public repo subscription bypass
  • Maintains all required security and compliance standards
  • Preserves existing functionality for private repositories
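As an added illustration (not the project's entrypoint.sh, and not code from the reviewer or the PR author), the gate described in the PR summary and in the review above can be written as a small POSIX shell script: an explicit REPO_PRIVATE=false skips the check, anything else calls the subscription API URL quoted in the review with bounded timeouts, and a non-200 or unreachable response becomes a GitHub Actions ::error:: annotation and a non-zero exit. The function names, the fail-closed treatment of an unset or malformed REPO_PRIVATE, the owner/repo slug validation and the curl flags are my assumptions; the page does not show them. The REPO_PRIVATE value is assumed to be passed from action.yml as "REPO_PRIVATE: ${{ github.event.repository.private }}", which the page also does not show.

```shell
#!/bin/sh
# Added example (assumption-labelled), not the project's entrypoint.sh.
# Demonstrates: public repositories skip the subscription check, private
# repositories (or an unknown state) must pass a bounded HTTP check, and
# failures are reported as GitHub Actions ::error:: annotations.

# subscription_required VALUE
#   Returns 0 (check must run) unless VALUE is an explicit "false".
#   Unset, empty or malformed values fall through to the check, so a workflow
#   that forgets to pass REPO_PRIVATE cannot silently obtain the bypass.
subscription_required() {
  case "$1" in
    false|False|FALSE) return 1 ;;
    *) return 0 ;;
  esac
}

# valid_repo_slug SLUG
#   Accepts exactly "owner/repo" built from [A-Za-z0-9_.-]; rejects anything
#   else so that only a well-formed slug is interpolated into the URL.
valid_repo_slug() {
  case "$1" in
    ''|*[!A-Za-z0-9_./-]*|*/*/*|/*|*/) return 1 ;;
    */*) return 0 ;;
    *) return 1 ;;
  esac
}

# subscription_url SLUG
#   Builds the API URL pattern quoted in the review for the given slug.
subscription_url() {
  printf '%s' "https://agent.api.stepsecurity.io/v1/github/$1/actions/maintained-actions-subscription"
}

# check_subscription REPO_PRIVATE GITHUB_REPOSITORY
#   Runs the gate end to end. Returns 0 when the check passes or is skipped,
#   1 when it fails; failures print a ::error:: line for the Actions log.
#   curl: -o /dev/null discards the body, -w prints only the HTTP status,
#   --connect-timeout/--max-time keep a slow or silent API from hanging the job.
check_subscription() {
  repo_private="$1"
  repo_slug="$2"

  if ! subscription_required "$repo_private"; then
    echo "Public repository: subscription check skipped."
    return 0
  fi

  if ! valid_repo_slug "$repo_slug"; then
    echo "::error::GITHUB_REPOSITORY is not in owner/repo form"
    return 1
  fi

  url="$(subscription_url "$repo_slug")"
  # A transport failure (DNS, TLS, timeout) leaves status empty; map it to 000.
  status="$(curl -sS -o /dev/null -w '%{http_code}' \
              --connect-timeout 5 --max-time 15 "$url" 2>/dev/null)" || status="000"

  case "$status" in
    200) echo "Subscription verified for $repo_slug."; return 0 ;;
    000|'') echo "::error::Subscription check could not reach the StepSecurity API"; return 1 ;;
    *) echo "::error::Subscription check failed (HTTP $status) for $repo_slug"; return 1 ;;
  esac
}

# Stand-alone use: read the two values from the environment the runner sets
# (REPO_PRIVATE assumed to come from action.yml, GITHUB_REPOSITORY from GitHub).
if [ "${SUBSCRIPTION_CHECK_MAIN:-0}" = "1" ]; then
  check_subscription "${REPO_PRIVATE:-}" "${GITHUB_REPOSITORY:-}"
fi
```

Two design choices are worth noting. The skip is granted only for a literal "false", so a missing or mistyped REPO_PRIVATE still runs the check; a bypass that triggered on "anything but true" would turn a configuration slip into a silent grant. The HTTP status is read explicitly instead of relying on curl's -f flag, so the log distinguishes "API unreachable" from "subscription rejected", which is the first thing an operator wants to know when a job fails.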

@Raj-StepSecurity Raj-StepSecurity merged commit ad8da1c into main Apr 8, 2026
14 checks passed