chore: added banner and new subscription check code #33

Open
amanstep wants to merge 2 commits into main from fix/banner

Conversation

@amanstep
Collaborator

No description provided.

@claude

claude bot commented Mar 25, 2026

Claude finished @amanstep's task.

Comprehensive PR Review Complete ✅

This PR adds banner and subscription check functionality to the Node.js-based GitHub Action. Here's my detailed review:

Compliance Check Results:

Required Files & Structure:

  • ✅ LICENSE with StepSecurity copyright
  • ✅ SECURITY.md present
  • ✅ action.yml with step-security author
  • ✅ No FUNDING.yml/funding.yml files
  • ✅ No renovate.json file
  • ✅ No PULL_REQUEST.md file
  • ✅ No ISSUE_TEMPLATE folder
  • ✅ No CHANGELOG.md file
  • ✅ No .vscode folder
  • ✅ dist/ folder present

Node.js Specific Requirements:

  • ✅ package.json author: step-security
  • ✅ package.json repository contains step-security
  • ✅ package.json has build script
  • ✅ Dependencies appear to be used

README & Banner:

  • ✅ StepSecurity banner correctly implemented
  • ✅ Semver usage correct (using @v1, not full version)

⚠️ Issues Found:

Critical Issues:

  1. Missing auto_cherry_pick.yml workflow

    • Required workflow file .github/workflows/auto_cherry_pick.yml is missing
    • This file should contain original-owner and repo-name properties
    • Without this file, cannot verify upstream configuration
  2. Missing fs import in src/run.js

    • Line 14: fs.existsSync(eventPath) and line 15: fs.readFileSync(eventPath, "utf8")
    • File uses fs but doesn't import it
    • This will cause runtime errors

Subscription Check Analysis:

  • ✅ Subscription check implemented correctly
  • ✅ Calls correct API endpoint: https://agent.api.stepsecurity.io/v1/github/.../actions/maintained-actions-subscription
  • ⚠️ Cannot verify upstream value: Line 19 hardcodes upstream = "ericnordelo/setup-class-hash" but this should match the original-owner/repo-name from auto_cherry_pick.yml (which is missing)

Minor Issues:

  1. Mixed import styles in src/run.js ⚠️
    • Uses ES6 imports for most modules but CommonJS require() for axios (line 9)
    • Should be consistent: import axios from "axios"

🔍 Security Analysis:

  • ✅ No hardcoded secrets or credentials found
  • ✅ Subscription check properly handles errors
  • ✅ API calls have proper timeout (3000ms)
  • ✅ No obvious security vulnerabilities detected
  • ✅ External dependencies are standard and well-maintained

📋 Recommendations:

  1. Add missing auto_cherry_pick.yml workflow
  2. Fix fs import in src/run.js: Add import fs from "fs"
  3. Standardize imports: Convert axios to ES6 import
  4. Verify upstream value once auto_cherry_pick.yml is added
  5. Rebuild dist/index.js after source changes

Action Type: Node.js-based GitHub Action ✅