
feat: added banner and update subscription check to make maintained actions free for public repos#136

Open
Raj-StepSecurity wants to merge 1 commit into main from feat/update-subscription-check

Conversation

@Raj-StepSecurity
Contributor

Summary

  • Added StepSecurity Maintained Action banner to README.md
  • Updated subscription validation: public repositories are now free (no API check)
  • Upgraded Node.js runtime to node24 (if applicable)
  • Updated workflow files with configurable node_version input (if applicable)

Changes by type

  • TypeScript/JS actions: replaced validateSubscription() body, updated action.yml to node24, updated 3 workflow files, rebuilt dist/
  • Docker actions: replaced entrypoint.sh subscription block, ensured jq is installed in Dockerfile
  • Composite actions: added Subscription check step to action.yml

Verification

  • Subscription check skips for public repos
  • Subscription check fires for private repos
  • README banner is present at the top
  • Build passes (TS/JS actions)

Auto-generated by StepSecurity update-propagator. Task ID: 20260423T045229Z

@claude

claude Bot commented Apr 23, 2026

Claude finished @Raj-StepSecurity's task


StepSecurity Action Review

Review Checklist

  • Determine action type (Node.js/Docker/Composite)
  • Check license and copyright
  • Verify action.yml file and author
  • Check for required files (SECURITY.md, workflows)
  • Verify unwanted files are absent
  • Review README.md banner and usage examples
  • Analyze subscription check implementation
  • Check for security vulnerabilities
  • Node.js specific checks (package.json, dependencies, dist folder)
  • Review changed files for code quality

Review Results

Compliance - PASSED

This PR successfully implements the StepSecurity maintained action requirements. All critical compliance checks pass.

Action Type

Node.js based action - Correctly configured with action.yml using node24 runtime

Required Files & Structure

✅ All required files are present:

  • LICENSE with proper StepSecurity and original author copyright
  • SECURITY.md with proper security reporting instructions
  • action.yml with author: step-security (line 3)
  • .github/workflows/auto-cherry-pick.yml and actions_release.yml

✅ Unwanted files are correctly absent:

  • No renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE/, CHANGELOG.md, .vscode/, or FUNDING.yml

README.md

StepSecurity banner present (line 1): Correctly displays maintained action banner
⚠️ Usage examples: Examples correctly use major version tags (@v2) instead of full semver

Subscription Check Implementation

Proper API endpoint: Uses correct URL https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/maintained-actions-subscription (line 54)
Upstream variable: upstream = 'oven-sh/setup-bun' matches the original-owner/repo-name pattern from auto-cherry-pick.yml (lines 33-34)
Public repo handling: Correctly bypasses subscription check for public repositories (line 47: if (repoPrivate === false) return)
Error handling: Proper 403 status handling with clear error messages

Node.js Specific Checks

package.json: Author correctly set to step-security (line 17)
Repository field: Correctly points to step-security/setup-bun (line 15)
Dependencies: All dependencies are used in the codebase
dist/ folder: Present with compiled output
Build script: Present in package.json (line 20)

Security Analysis

No security vulnerabilities detected:

  • Proper input validation in subscription check
  • No hardcoded secrets or sensitive information
  • Secure file operations with proper error handling
  • Network requests use reasonable timeouts (3 seconds)

Code Quality - PR Changes

src/action.ts changes:

  • Added proper TypeScript typing (Promise<void>)
  • Consistent code style improvements (single quotes, semicolon removal)
  • Improved imports organization
  • Early return for public repositories maintains efficiency

tsconfig.json: Updated target to ES2024 (appropriate for node24 runtime)

dist/setup/index.js: Properly rebuilt with latest changes

Minor Observations

  • The subscription check implementation is robust with proper error handling
  • Code style is consistent and follows modern TypeScript practices
  • All dependencies are actively used and properly declared
  • The action correctly implements the StepSecurity maintained action pattern

Final Assessment: ✅ APPROVED

This PR successfully transforms the setup-bun action into a compliant StepSecurity maintained action. All requirements are met, including:

  1. Free public repository support - Subscription check properly skips for public repos
  2. Proper branding and attribution - Banner, copyright, and authorship correctly set
  3. Security compliance - No vulnerabilities, proper error handling
  4. Code quality - Clean implementation with appropriate typing and style

The implementation follows best practices and maintains backward compatibility while adding the required StepSecurity functionality.
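For readers who want to see the shape of the subscription check that the PR summary and the review above describe (early return for public repositories, one GET to the maintained-actions-subscription endpoint with a 3 second timeout, 403 treated as "not subscribed"), here is an added example. It is not code from step-security/setup-bun or from this PR. The event-payload parser, the injectable `fetchFn`, the `SubscriptionResult` type and the message texts are this example's own assumptions; the endpoint URL pattern and the timeout value are the ones the review cites.

```typescript
// Added example (not code from step-security/setup-bun or the PR): a
// subscription check with the behaviour the PR and review describe: skip
// for public repos, otherwise GET the endpoint with a 3 s timeout and treat
// 403 as "not subscribed". The payload parser, the fetch injection, the
// result type and the messages are this example's own assumptions.

export type FetchLike = (
  url: string,
  init: { signal: AbortSignal },
) => Promise<{ status: number }>;

export interface SubscriptionCheckOptions {
  repository: string;               // $GITHUB_REPOSITORY, "owner/repo"
  repoPrivate: boolean | undefined; // repository visibility, if known
  endpoint?: string;                // API base; default is the URL cited in the review
  timeoutMs?: number;               // default 3000, the timeout the review cites
  fetchFn?: FetchLike;              // injectable so tests run offline
}

export type SubscriptionResult =
  | { status: 'skipped-public' }
  | { status: 'subscribed' }
  | { status: 'not-subscribed'; message: string }
  | { status: 'unknown'; message: string };

export const DEFAULT_ENDPOINT = 'https://agent.api.stepsecurity.io/v1/github';

// Visibility from the webhook event payload (GitHub writes it to the file
// named by $GITHUB_EVENT_PATH; the caller reads that file). A missing or
// non-boolean `repository.private` yields undefined, so the check still
// runs: "unknown" must never be mistaken for "public".
export function repoPrivateFromEventPayload(payloadJson: string): boolean | undefined {
  try {
    const payload = JSON.parse(payloadJson);
    const priv = payload?.repository?.private;
    return typeof priv === 'boolean' ? priv : undefined;
  } catch {
    return undefined;
  }
}

export function subscriptionUrl(repository: string, endpoint: string = DEFAULT_ENDPOINT): string {
  return `${endpoint}/${repository}/actions/maintained-actions-subscription`;
}

// 403 is the one status the review names as "no subscription"; any other
// non-2xx code is reported as unknown rather than as a failed check.
export function classifyStatus(repository: string, status: number): SubscriptionResult {
  if (status === 403) {
    return {
      status: 'not-subscribed',
      message: `Subscription check returned 403 for ${repository}: no active maintained-actions subscription`,
    };
  }
  if (status >= 200 && status < 300) return { status: 'subscribed' };
  return { status: 'unknown', message: `Subscription check returned HTTP ${status} for ${repository}` };
}

export async function validateSubscription(opts: SubscriptionCheckOptions): Promise<SubscriptionResult> {
  // Public repositories are free: return before any network call.
  if (opts.repoPrivate === false) return { status: 'skipped-public' };

  const fetchFn: FetchLike = opts.fetchFn ?? ((globalThis as any).fetch as FetchLike);
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), opts.timeoutMs ?? 3000);
  try {
    const res = await fetchFn(subscriptionUrl(opts.repository, opts.endpoint), { signal: controller.signal });
    return classifyStatus(opts.repository, res.status);
  } catch (err) {
    // Timeout or network failure: reported separately so the caller can
    // decide whether to fail open (warn and continue) or fail the step.
    const reason = controller.signal.aborted ? 'timed out' : `failed: ${String(err)}`;
    return { status: 'unknown', message: `Subscription check for ${opts.repository} ${reason}` };
  } finally {
    clearTimeout(timer);
  }
}
```

In an action, the wiring is: read the file named by `GITHUB_EVENT_PATH`, pass its contents to `repoPrivateFromEventPayload`, call `validateSubscription` with `GITHUB_REPOSITORY`, and fail the step on `not-subscribed`. Keeping the visibility lookup separate from the HTTP call is what makes the "public repos never hit the network" property testable without a live endpoint.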
