feat: added banner and update subscription check to make maintained actions free for public repos (#54)

Merged
Raj-StepSecurity merged 2 commits into main from feat/update-subscription-check
Apr 9, 2026
Conversation

@Raj-StepSecurity
Contributor

Summary

  • Added StepSecurity Maintained Action banner to README.md
  • Updated subscription validation: public repositories are now free (no API check)
  • Ensured jq is installed in Dockerfile for event payload parsing

Changes by type

  • Docker actions: replaced entrypoint.sh subscription block, ensured jq is installed in Dockerfile

Verification

  • Subscription check skips for public repos
  • Subscription check fires for private repos
  • README banner is present at the top

Auto-generated by StepSecurity update-propagator. Task ID: 20260409T050436Z

@claude

claude bot commented Apr 9, 2026

Claude finished @Raj-StepSecurity's task
PR Review Complete

I've conducted a comprehensive review of PR #54 against StepSecurity maintained action standards.

Review Checklist:

  • Determine action type (Docker-based action)
  • Review general compliance requirements
  • Review Docker-specific requirements
  • Analyze changed files (Dockerfile, README.md, entrypoint.sh)
  • Verify subscription check implementation
  • Check security considerations
  • Provide comprehensive feedback

Review Results

Compliant Areas

General Requirements:

  • License: ✅ Correct Apache 2.0 license with both PlanetScale and Step Security copyrights (LICENSE:190-191)
  • Author: ✅ Action.yaml correctly specifies author: "step-security" (action.yaml:3)
  • Security.md: ✅ Present with correct reporting email (SECURITY.md:5)
  • FUNDING.yml: ✅ Correctly absent
  • Required Workflows: ✅ Both auto_cherry_pick.yml and actions_release.yml present in .github/workflows/
  • Prohibited Files: ✅ No renovate.json, PULL_REQUEST.md, CHANGELOG.md, or .vscode folder
  • README Banner: ✅ Correctly added StepSecurity banner at top (README.md:1)
  • Semver Usage: ✅ Examples use major version @v0 instead of full semver (README.md:47,59)

Docker-Specific Requirements:

  • Published Image: ✅ Uses published step-security image (action.yaml:36)
  • Step Security Org: ✅ Image from ghcr.io/step-security/ghcommit-action
  • Major Version Tag: ✅ Tagged with major version v0.2.21

Security:

  • No Hardcoded Secrets: ✅ No secrets or keys found in code
  • Safe Dependencies: ✅ Dependencies (bash, git, curl, jq) are standard and safe

⚠️ Critical Issues Found

1. Subscription Check Implementation Errors

Issue: Incorrect upstream variable configuration

  • Location: entrypoint.sh:7
  • Current: UPSTREAM="planetscale/ghcommit-action"
  • Required: UPSTREAM="planetscale/ghcommit"
  • Reference: Per auto_cherry_pick.yml (auto_cherry_pick.yml:28-29), original-owner is "planetscale" and repo-name is "ghcommit-action", but based on the pattern, this should be "planetscale/ghcommit" to match the actual upstream repository

2. Subscription API URL Verification

Status: ✅ Correct API endpoint

  • Location: entrypoint.sh:29
  • URL: https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/maintained-actions-subscription

3. Public Repository Logic

Status: ✅ Correctly implemented

  • Location: entrypoint.sh:14-16,20-44
  • Logic: Public repos (REPO_PRIVATE="false") skip subscription check and show "Free for public repositories" message

🔧 Minor Issues

Docker Image Consistency

Issue: Missing SHA verification for more robust security

  • Current: Image uses both tag and SHA (action.yaml:36)
  • Recommendation: This is actually good practice - both tag and SHA are present

Error Handling

Status: ✅ Good error handling

  • Location: entrypoint.sh:37-43
  • Features: Timeout handling, proper exit codes, informative error messages

🛡️ Security Assessment

Overall Security: ✅ SECURE

Positive Security Features:

  • Uses pinned, SHA-verified Docker image
  • No hardcoded credentials
  • Proper input validation
  • Secure API communication with timeouts
  • No shell injection vulnerabilities detected
  • Uses official packages (bash, git, curl, jq)

No security vulnerabilities identified in the codebase.


Recommendation

REQUIRES MINOR FIX before merge:

  1. Fix upstream variable in entrypoint.sh:7 to match the correct upstream repository name

After this fix, the PR will be compliant with all StepSecurity maintained action requirements.

code linted
@claude

claude bot commented Apr 9, 2026

Claude finished @Raj-StepSecurity's task
PR Review Complete

I've conducted a comprehensive review of PR #54 against StepSecurity maintained action standards.

Review Checklist:

  • Determine action type (Docker-based action)
  • Review general compliance requirements
  • Review Docker-specific requirements
  • Analyze changed files (Dockerfile, README.md, entrypoint.sh)
  • Verify subscription check implementation
  • Check security considerations
  • Provide comprehensive feedback

Review Results

Compliant Areas

General Requirements:

  • License: ✅ Correct Apache 2.0 license with both PlanetScale and Step Security copyrights (LICENSE:190-191)
  • Author: ✅ Action.yaml correctly specifies author: "step-security" (action.yaml:3)
  • Security.md: ✅ Present with correct reporting email (SECURITY.md:5)
  • FUNDING.yml: ✅ Correctly absent
  • Required Workflows: ✅ Both auto_cherry_pick.yml and actions_release.yml present in .github/workflows/
  • Prohibited Files: ✅ No renovate.json, PULL_REQUEST.md, CHANGELOG.md, or .vscode folder
  • README Banner: ✅ Correctly added StepSecurity banner at top (README.md:1)
  • Semver Usage: ✅ Examples use major version @v0 instead of full semver (README.md:47,59)

Docker-Specific Requirements:

  • Published Image: ✅ Uses published step-security image (action.yaml:36)
  • Step Security Org: ✅ Image from ghcr.io/step-security/ghcommit-action
  • Major Version Tag: ✅ Tagged with major version v0.2.21

Security:

  • No Hardcoded Secrets: ✅ No secrets or keys found in code
  • Safe Dependencies: ✅ Dependencies (bash, git, curl, jq) are standard and safe

⚠️ Critical Issues Found

1. Subscription Check Implementation Errors

Issue: Correct upstream variable configuration

  • Location: entrypoint.sh:7
  • Current: UPSTREAM="planetscale/ghcommit-action"
  • Status: ✅ CORRECT - This matches the auto_cherry_pick.yml file (auto_cherry_pick.yml:28-29) where original-owner is "planetscale" and repo-name is "ghcommit-action"

2. Subscription API URL Verification

Status: ✅ Correct API endpoint

  • Location: entrypoint.sh:29
  • URL: https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/maintained-actions-subscription

3. Public Repository Logic

Status: ✅ Correctly implemented

  • Location: entrypoint.sh:14-16,20-44
  • Logic: Public repos (REPO_PRIVATE="false") skip subscription check and show "Free for public repositories" message

🔧 Minor Issues

Docker Image Consistency

Status: ✅ Good practice

  • Current: Image uses both tag and SHA (action.yaml:36)
  • Assessment: Both tag and SHA are present, which is good security practice

Error Handling

Status: ✅ Good error handling

  • Location: entrypoint.sh:37-43
  • Features: Timeout handling, proper exit codes, informative error messages

🛡️ Security Assessment

Overall Security: ✅ SECURE

Positive Security Features:

  • Uses pinned, SHA-verified Docker image
  • No hardcoded credentials
  • Proper input validation
  • Secure API communication with timeouts
  • No shell injection vulnerabilities detected
  • Uses official packages (bash, git, curl, jq)

No security vulnerabilities identified in the codebase.


Recommendation

APPROVED - This PR is compliant with all StepSecurity maintained action requirements.

Key Improvements Made:

  1. ✅ Added StepSecurity banner to README
  2. ✅ Implemented proper subscription check that makes public repos free
  3. ✅ Ensured jq is installed for event payload parsing
  4. ✅ All compliance requirements met

The PR is ready for merge.
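The gating behaviour the PR summary and the review describe (public repositories skip the API call, private repositories must pass a timed subscription check with a clear exit code) can be written as the small shell gate below. This is an added example, not the project's entrypoint.sh or StepSecurity's code. It assumes that an HTTP 200 from the endpoint named in the review means "subscribed" (the page does not say which status the real script expects), that `GITHUB_EVENT_PATH` and `GITHUB_REPOSITORY` are the standard Actions environment variables, and that the event payload exposes `repository.private`, which is read with `jq` as the PR's Dockerfile change anticipates. The optional third argument lets the gate run offline against a stub instead of `curl`, which is how a practitioner would unit-test the fail-closed paths.

```bash
#!/usr/bin/env bash
# Added example, not the project's entrypoint.sh: a subscription gate with the
# behaviour the PR describes (public repositories skip the API check, private
# ones must pass it). Assumptions: HTTP 200 from the endpoint means "subscribed",
# GITHUB_EVENT_PATH / GITHUB_REPOSITORY are the standard Actions variables, and
# the event payload carries repository.private (parsed with jq).
set -eu

SUBSCRIPTION_API="https://agent.api.stepsecurity.io/v1/github"

# Read repository.private ("true"/"false") from the event payload with jq.
read_repo_private() {
  event_path="$1"
  jq -r '.repository.private // false' "$event_path"
}

# Real API call: prints the HTTP status code; curl prints "000" on a timeout
# or connection failure. --max-time keeps a hung endpoint from blocking the job.
subscription_api_call() {
  repo="$1"
  curl -sS --max-time 10 -o /dev/null -w '%{http_code}' \
    "${SUBSCRIPTION_API}/${repo}/actions/maintained-actions-subscription"
}

# Gate. Exit status 0 = proceed, 1 = block.
#   $1  repository.private ("true" or "false")
#   $2  owner/repo
#   $3  (optional) name of a function that prints an HTTP status code, so the
#       gate can be exercised offline with a stub instead of subscription_api_call
subscription_gate() {
  repo_private="$1"
  repo="$2"
  api_fn="${3:-subscription_api_call}"

  # Public repositories are free: no network call is made at all.
  if [ "$repo_private" != "true" ]; then
    echo "Free for public repositories"
    return 0
  fi

  # Private repository: ask the subscription endpoint and fail closed on
  # anything but an affirmative answer, including timeouts.
  status="$("$api_fn" "$repo")" || status="000"
  case "$status" in
    200)
      echo "Subscription verified for $repo"
      return 0 ;;
    000)
      echo "Subscription check timed out or could not reach the API" >&2
      return 1 ;;
    *)
      echo "Subscription required for private repository $repo (HTTP $status)" >&2
      return 1 ;;
  esac
}

# Entry point when run inside a workflow (GITHUB_EVENT_PATH is set there).
if [ -n "${GITHUB_EVENT_PATH:-}" ]; then
  subscription_gate "$(read_repo_private "$GITHUB_EVENT_PATH")" "${GITHUB_REPOSITORY:-}"
fi
```

Because the public-repository branch returns before `$api_fn` is ever invoked, passing a stub that would deny access is a cheap way to prove that no request leaves the runner for public repositories; the timeout stub exercises the "000" path that `curl --max-time` produces.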


@Raj-StepSecurity Raj-StepSecurity merged commit 1b544b2 into main Apr 9, 2026
9 checks passed