
feat: added banner and update subscription check to make maintained actions free for public repos #20

Open
Raj-StepSecurity wants to merge 1 commit into main from feat/update-subscription-check

Conversation

@Raj-StepSecurity

Summary

  • Added StepSecurity Maintained Action banner to README.md
  • Updated subscription validation: public repositories are now free (no API check)
  • Upgraded Node.js runtime to node24 (if applicable)
  • Updated workflow files with configurable node_version input (if applicable)

Changes by type

  • TypeScript/JS actions: replaced validateSubscription() body, updated action.yml to node24, updated 3 workflow files, rebuilt dist/
  • Docker/Shell actions: replaced entrypoint.sh subscription block
  • Composite actions: added Subscription check step to action.yml

Verification

  • Subscription check skips for public repos
  • Subscription check fires for private repos
  • README banner is present at the top
  • Build passes (TS/JS actions)

Auto-generated by StepSecurity update-propagator. Task ID: 20260325T100533Z

@Raj-StepSecurity Raj-StepSecurity added the review-required This PR requires review label Mar 25, 2026
@claude

claude bot commented Mar 25, 2026

Claude finished @Raj-StepSecurity's task
PR Review Analysis - COMPLETED ✅

Todo List:

  • Determine action type (node/docker/composite)
  • Review general compliance requirements
  • Check specific action type requirements
  • Analyze subscription check implementation
  • Scan for security vulnerabilities
  • Provide final recommendations

Action Type Analysis

Composite Action - Confirmed by runs.using: "composite" in action.yml:17

General Compliance Review

✅ PASSING Requirements:

  • License: Apache 2.0 with Step Security copyright (LICENSE:190)
  • Author: Correctly set to "step-security" (action.yml:3)
  • SECURITY.md: Present and properly configured
  • Required Workflows: Both required files present:
    • auto_cherry_pick.yml
    • actions_release.yml
  • Forbidden Files: All correctly absent:
    • No FUNDING.yml/funding.yml ✅
    • No renovate.json ✅
    • No PULL_REQUEST.md ✅
    • No ISSUE_TEMPLATE folder ✅
    • No CHANGELOG.md ✅
    • No .vscode folder ✅
  • README Banner: StepSecurity banner correctly placed at top (README.md:1)
  • Version Usage: Examples use major version @v0 (not full semver) ✅

Composite Action Specific Review

Action Pinning: All external actions use official GitHub actions only (no pinning required)

Subscription Check Analysis

✅ PASSING Requirements:

  • API URL: Correct endpoint used (action.yml:45)
    https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/maintained-actions-subscription
  • Upstream Variable: ✅ Correctly matches auto_cherry_pick.yml configuration
    • Set as: UPSTREAM="ko-build/setup-ko" (action.yml:23)
    • Expected: ko-build/setup-ko (from auto_cherry_pick.yml:21-22)
  • Public Repo Logic: ✅ Free for public repositories (action.yml:30-32)
  • Private Repo Logic: ✅ Proper subscription validation (action.yml:36-60)
  • Error Handling: ✅ Graceful timeout handling (action.yml:53-54)

Security Analysis

✅ SECURE Implementation:

  • Token Usage: Properly scoped GitHub token usage (action.yml:82, 107)
  • Input Validation: Safe handling of user inputs with proper shell escaping
  • Download Security: Uses HTTPS for all external downloads (action.yml:98)
  • Privilege Escalation: Conditional sudo usage with proper checks (action.yml:68-70)
  • JSON Construction: Secure JSON body construction using printf (action.yml:40-43)
  • API Timeout: 3-second timeout prevents hanging (action.yml:47)

🔍 Notable Security Practices:

  • Registry authentication handled securely via stdin (action.yml:107)
  • Environment variable propagation follows secure patterns
  • No hardcoded secrets or sensitive data exposure

Final Recommendation

APPROVED - This PR meets all StepSecurity maintained action standards:

Summary of Changes:

  • ✅ StepSecurity banner added to README
  • ✅ Subscription check properly implemented for private repos
  • ✅ Public repositories marked as free
  • ✅ All compliance requirements satisfied
  • ✅ No security vulnerabilities identified

Code Quality: Excellent - Clean implementation following best practices

Security Posture: Strong - No vulnerabilities found, proper input validation and secure API handling

This PR successfully converts the action to StepSecurity maintained standards while preserving all original functionality.
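The subscription gate described in the PR summary and in the review above (public repositories skip the check, private ones are validated against the StepSecurity endpoint with a short timeout, JSON body built with printf) is sketched here as an added shell example. It is not the action's own action.yml code. Assumptions, marked in the comments: repository visibility is read from the `repository.private` field of the event payload at `$GITHUB_EVENT_PATH`; the endpoint is called with POST and a `{"upstream": ...}` body; HTTP 200 means an active subscription; a timeout is treated as fail-open. The fetcher is injected as a function name so the decision logic can be exercised offline without network access.

```shell
# Added example, not the PR's own code. Lines marked ASSUMED are not
# confirmed by the PR and may differ from the real action.
set -u

SUBSCRIPTION_API_BASE="https://agent.api.stepsecurity.io/v1/github"

# Returns 0 when the repository is public (check skipped), 1 otherwise.
# ASSUMED: visibility comes from the "private" field of the event payload
# that GitHub writes to $GITHUB_EVENT_PATH. grep is used instead of jq so
# the example runs without extra tools.
repo_is_public() {
  event_path="${1:-${GITHUB_EVENT_PATH:-}}"
  [ -n "$event_path" ] && [ -r "$event_path" ] || return 1
  grep -Eq '"private"[[:space:]]*:[[:space:]]*false' "$event_path"
}

# Builds the JSON body with printf, so the upstream value is formatted
# into the string rather than spliced in by word-splitting.
# ASSUMED body shape: {"upstream":"owner/name"}.
build_body() {
  printf '{"upstream":"%s"}' "$1"
}

# Real fetcher: POST with a 3-second overall timeout; prints the HTTP
# status code, or "timeout" when curl fails (ASSUMED method and body).
curl_fetch() {
  code=$(curl -sS -o /dev/null -w '%{http_code}' --max-time 3 \
         -H 'Content-Type: application/json' -X POST --data "$2" "$1" \
         2>/dev/null) || code=timeout
  echo "$code"
}

# Validates the subscription for a private repository.
#   $1 = repository (owner/name), $2 = upstream, $3 = fetcher function
# Exit codes: 0 = proceed with the action, 1 = block.
check_subscription() {
  repo="$1"; upstream="$2"; fetcher="${3:-curl_fetch}"
  url="${SUBSCRIPTION_API_BASE}/${repo}/actions/maintained-actions-subscription"
  body=$(build_body "$upstream")
  status=$("$fetcher" "$url" "$body")
  case "$status" in
    200)
      echo "subscription valid for $repo"; return 0 ;;
    timeout|000)
      # ASSUMED: unreachable API fails open so an outage cannot break CI.
      echo "subscription API unreachable; continuing"; return 0 ;;
    *)
      echo "no active subscription for $repo (HTTP $status)"; return 1 ;;
  esac
}

# Top-level gate as a composite-action step would run it.
#   $1 = event payload path, $2 = repository, $3 = upstream, $4 = fetcher
gate() {
  if repo_is_public "${1:-}"; then
    echo "public repository: maintained action is free, skipping check"
    return 0
  fi
  check_subscription "$2" "$3" "${4:-curl_fetch}"
}
```

In a real composite step the call would be `gate "$GITHUB_EVENT_PATH" "$GITHUB_REPOSITORY" "$UPSTREAM"` with the default curl fetcher; the fail-open branch is the policy choice to revisit if blocking on API errors is preferred.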
