
feat: added banner and update subscription check to make maintained actions free for public repos #60

Merged
Raj-StepSecurity merged 1 commit into main from feat/update-subscription-check
Apr 20, 2026

Conversation

@Raj-StepSecurity
Collaborator

Summary

  • Added StepSecurity Maintained Action banner to README.md
  • Updated subscription validation: public repositories are now free (no API check)
  • Upgraded Node.js runtime to node24 (if applicable)
  • Updated workflow files with configurable node_version input (if applicable)

Changes by type

  • TypeScript/JS actions: replaced validateSubscription() body, updated action.yml to node24, updated 3 workflow files, rebuilt dist/
  • Docker actions: replaced entrypoint.sh subscription block, ensured jq is installed in Dockerfile
  • Composite actions: added Subscription check step to action.yml

Verification

  • Subscription check skips for public repos
  • Subscription check fires for private repos
  • README banner is present at the top
  • Build passes (TS/JS actions)

Auto-generated by StepSecurity update-propagator. Task ID: 20260420T092552Z

claude Bot commented Apr 20, 2026

Claude finished @Raj-StepSecurity's task


PR Review for StepSecurity Maintained Action ✅

Review Checklist:

  • Determine action type (node/docker/composite)
  • Check file structure and required files
  • Validate license and authorship
  • Review README banner implementation
  • Analyze subscription check logic
  • Verify security requirements
  • Check workflow configurations
  • Validate package.json (if node-based)
  • Review for security vulnerabilities
  • Provide final recommendations

Review Results

Action Type Identified: Node-based Action

This is a Node.js based GitHub Action using node24 runtime with TypeScript source.

File Structure Compliance

PASSED:

  • LICENSE present with both StepSecurity and original author (CrazyMax) copyright
  • action.yml present with author set to 'step-security'
  • SECURITY.md present
  • .github/workflows/ contains auto_cherry_pick.yml and actions_release.yml
  • dist/ folder present with compiled assets
  • ✅ No prohibited files found (FUNDING.yml, renovate.json, PULL_REQUEST.md, CHANGELOG.md, .vscode, ISSUE_TEMPLATE)

README Banner Implementation

PASSED: The StepSecurity maintained action banner is correctly placed at the top of README.md:

[![](https://raw.githubusercontent.com/step-security/maintained-actions-assets/main/assets/maintained-action-banner.png)](https://docs.stepsecurity.io/actions/stepsecurity-maintained-actions)

⚠️ Subscription Check Analysis

MOSTLY PASSED with 1 Issue:

Correct Implementation:

  • Subscription check correctly calls https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/maintained-actions-subscription
  • Public repositories are now free (correctly skips API check when repoPrivate === false)
  • Proper error handling for 403 responses with informative messages
  • Timeout handling implemented (3000ms)

CRITICAL ISSUE: The upstream variable in src/main.ts:15 is correct:

const upstream = 'crazy-max/ghaction-github-runtime';

This correctly matches the original-owner/repo-name from auto_cherry_pick.yml:46-47.

Package.json Compliance (Node-based)

PASSED:

  • ✅ Author set to "step-security"
  • ✅ Repository URL contains "step-security"
  • ✅ Build script present ("build": "ncc build src/main.ts --source-map --minify --license licenses.txt")
  • ✅ All dependencies appear to be used (@actions/core, axios)

Workflow Configuration

PASSED:

  • ✅ Node version correctly set to "24" in workflows
  • ✅ Script inputs properly configured
  • ✅ Package manager set to "yarn"

Security Analysis

PASSED: No security vulnerabilities identified:

  • ✅ No hardcoded secrets or sensitive information
  • ✅ Proper timeout on external API calls
  • ✅ Input validation and error handling
  • ✅ Use of established, secure libraries

Usage Example Compliance

PASSED: README usage example correctly uses major version tag (@v3) rather than full semver.

📋 Summary

This PR successfully implements all required StepSecurity standards for a maintained action. The key changes include:

  1. Banner Addition: Correctly added StepSecurity banner to README
  2. Subscription Logic: Updated to make public repositories free
  3. Node Runtime: Upgraded to node24
  4. Security: No vulnerabilities identified
  5. Compliance: Meets all file structure and authorship requirements

🎯 Recommendation: APPROVE

This PR is compliant with all StepSecurity maintained action standards. The implementation correctly handles the subscription model change for public repositories while maintaining proper security practices.
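
Added example, not code from the PR or from the crazy-max/ghaction-github-runtime action: a TypeScript sketch of the subscription gate that the PR description and the review above describe (public repositories skip the API call, private ones are checked against the StepSecurity endpoint, a 403 fails with a message, the request is bounded by a 3000 ms timeout). The RepoContext shape, reading visibility from the event payload, and failing open on timeout are assumptions of this example.

```typescript
// Added example, not the PR's own code: the public-repo gate and 403 handling the PR
// description and review describe, with the HTTP call kept apart from the decision.
// Assumed (not on the page): the RepoContext shape, visibility read from the event
// payload, fail-open on timeout/network error, and Node 18+ global fetch.
export type SubscriptionOutcome =
  | { kind: 'skip'; reason: string }    // public repository: free, no API call made
  | { kind: 'allow'; reason: string }   // private repository, subscription accepted
  | { kind: 'deny'; message: string };  // private repository, API answered 403
export interface RepoContext {
  repository: string;   // "owner/repo", the value of $GITHUB_REPOSITORY
  repoPrivate: boolean; // github.event.repository.private (assumed source)
}
export const TIMEOUT_MS = 3000;
export function subscriptionUrl(repository: string): string {
  return `https://agent.api.stepsecurity.io/v1/github/${repository}/actions/maintained-actions-subscription`;
}
// Pure decision over (visibility, HTTP status). `null` means no answer (timeout or
// network error); allowing then is an assumption, not something the page states.
export function decideSubscription(ctx: RepoContext, status: number | null): SubscriptionOutcome {
  if (!ctx.repoPrivate) {
    return { kind: 'skip', reason: `${ctx.repository} is public; subscription check skipped` };
  }
  if (status === 403) {
    return {
      kind: 'deny',
      message: `Subscription is not valid for ${ctx.repository}. ` +
        'Maintained actions require an active StepSecurity subscription for private repositories.',
    };
  }
  if (status === null) {
    return { kind: 'allow', reason: `no response within ${TIMEOUT_MS}ms; not blocking the job` };
  }
  return { kind: 'allow', reason: `API returned HTTP ${status}` };
}
type Fetcher = (url: string) => Promise<{ status: number }>;
// Runtime wrapper: no request at all for public repos; otherwise the request is raced
// against the 3000 ms timer. `fetchImpl` is injectable so tests need no network.
export async function validateSubscription(ctx: RepoContext, fetchImpl?: Fetcher): Promise<SubscriptionOutcome> {
  if (!ctx.repoPrivate) return decideSubscription(ctx, null);
  const doFetch: Fetcher = fetchImpl ?? ((globalThis as any).fetch as Fetcher);
  let timer: ReturnType<typeof setTimeout> | undefined;
  const timeout = new Promise<null>((resolve) => { timer = setTimeout(() => resolve(null), TIMEOUT_MS); });
  const request = doFetch(subscriptionUrl(ctx.repository)).then((r) => r.status, () => null);
  try {
    return decideSubscription(ctx, await Promise.race([request, timeout]));
  } finally {
    if (timer !== undefined) clearTimeout(timer);
  }
}
```

In an action, `validateSubscription` would run before the main logic and a `deny` outcome would be surfaced with `core.setFailed(message)`; the split lets the decision table be tested without touching the network.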


Raj-StepSecurity merged commit 3ec2bea into main on Apr 20, 2026
18 checks passed