diff --git a/Dockerfile b/Dockerfile index baaa0bc..de2057c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ FROM python:3.14-alpine3.23@sha256:faee120f7885a06fcc9677922331391fa690d911c020abb9e8025ff3d908e510 -RUN apk add --no-cache curl && apk upgrade --no-cache zlib +RUN apk add --no-cache curl jq && apk upgrade --no-cache zlib COPY LICENSE \ README.md \ diff --git a/README.md b/README.md index eabcdc3..f72b4ff 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,5 @@ +[![StepSecurity Maintained Action](https://raw.githubusercontent.com/step-security/maintained-actions-assets/main/assets/maintained-action-banner.png)](https://docs.stepsecurity.io/actions/stepsecurity-maintained-actions) + # Codespell with GitHub Actions -- including annotations for Pull Requests This GitHub Actions runs codespell over your code. diff --git a/entrypoint.sh b/entrypoint.sh index 71bfd43..939c656 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,22 +1,43 @@ #!/bin/sh -# Validate subscription status -API_URL="https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/subscription" +REPO_PRIVATE=$(jq -r '.repository.private | tostring' "$GITHUB_EVENT_PATH" 2>/dev/null || echo "") +UPSTREAM="codespell-project/actions-codespell" +ACTION_REPO="${GITHUB_ACTION_REPOSITORY:-}" +DOCS_URL="https://docs.stepsecurity.io/actions/stepsecurity-maintained-actions" -# Set a timeout for the curl command (3 seconds) -RESPONSE=$(curl --max-time 3 -s -w "%{http_code}" "$API_URL" -o /dev/null) || true -CURL_EXIT_CODE=${?} +echo "" +echo -e "\033[1;36mStepSecurity Maintained Action\033[0m" +echo "Secure drop-in replacement for $UPSTREAM" +if [ "$REPO_PRIVATE" = "false" ]; then + echo -e "\033[32m✓ Free for public repositories\033[0m" +fi +echo -e "\033[36mLearn more:\033[0m $DOCS_URL" +echo "" -# Decide based on curl exit code and HTTP status -if [ $CURL_EXIT_CODE -ne 0 ]; then - echo "Timeout or API not reachable. Continuing to next step." -elif [ "$RESPONSE" = "200" ]; then - : -elif [ "$RESPONSE" = "403" ]; then - echo "Subscription is not valid. Reach out to support@stepsecurity.io" - exit 1 -else - echo "Timeout or API not reachable. Continuing to next step." +if [ "$REPO_PRIVATE" != "false" ]; then + SERVER_URL="${GITHUB_SERVER_URL:-https://github.com}" + + if [ "$SERVER_URL" != "https://github.com" ]; then + BODY=$(printf '{"action":"%s","ghes_server":"%s"}' "$ACTION_REPO" "$SERVER_URL") + else + BODY=$(printf '{"action":"%s"}' "$ACTION_REPO") + fi + + API_URL="https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/maintained-actions-subscription" + + RESPONSE=$(curl --max-time 3 -s -w "%{http_code}" \ + -X POST \ + -H "Content-Type: application/json" \ + -d "$BODY" \ + "$API_URL" -o /dev/null) && CURL_EXIT_CODE=0 || CURL_EXIT_CODE=$? + + if [ $CURL_EXIT_CODE -ne 0 ]; then + echo "Timeout or API not reachable. Continuing to next step." + elif [ "$RESPONSE" = "403" ]; then + echo -e "::error::\033[1;31mThis action requires a StepSecurity subscription for private repositories.\033[0m" + echo -e "::error::\033[31mLearn how to enable a subscription: $DOCS_URL\033[0m" + exit 1 + fi fi # Copy the matcher to the host system; otherwise "add-matcher" can't find it.