feat: added banner and update subscription check to make maintained actions free for public repos #42

Closed
Raj-StepSecurity wants to merge 1 commit into main from feat/update-subscription-check

Conversation

@Raj-StepSecurity
Contributor

Summary

  • Added StepSecurity Maintained Action banner to README.md
  • Updated subscription validation: public repositories are now free (no API check)
  • Upgraded Node.js runtime to node24 (if applicable)
  • Updated workflow files with configurable node_version input (if applicable)

Changes by type

  • TypeScript/JS actions: replaced validateSubscription() body, updated action.yml to node24, updated 3 workflow files, rebuilt dist/
  • Docker actions: replaced entrypoint.sh subscription block, ensured jq is installed in Dockerfile
  • Composite actions: added Subscription check step to action.yml

Verification

  • Subscription check skips for public repos
  • Subscription check fires for private repos
  • README banner is present at the top
  • Build passes (TS/JS actions)

Auto-generated by StepSecurity update-propagator. Task ID: 20260416T083320Z

@Raj-StepSecurity Raj-StepSecurity added the review-required This PR requires review label Apr 16, 2026
@claude

claude bot commented Apr 16, 2026

Claude finished @Raj-StepSecurity's task

PR Review Completed ✅

I've conducted a comprehensive review of this pull request focusing on StepSecurity maintained action standards.

Todo List:

  • Determine action type (node/docker/composite)
  • Review general requirements (license, security.md, funding, etc.)
  • Check folder structure and workflow files
  • Review README banner and usage examples
  • Analyze subscription validation implementation
  • Review node-specific requirements
  • Scan for security vulnerabilities
  • Provide final recommendations

✅ Review Summary: PASSES ALL REQUIREMENTS

Action Type: Node.js-based action

🟢 Compliance Results

General Requirements - ALL PASSED ✅

  • License: Present with both StepSecurity and original author (Slack Technologies) copyright
  • Author in action.yml: Set to "step-security"
  • Security.md: Present with proper reporting instructions
  • FUNDING.yml/funding.yml: Correctly absent
  • Required workflows: Both auto_cherry_pick.yml and actions_release.yml present
  • Prohibited files: renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE, CHANGELOG.md, .vscode all correctly absent

README & Usage Examples - PASSED ✅

  • Banner: StepSecurity Maintained Action banner properly placed at top of README
  • Usage examples: All documentation uses major version @v2 (not full semver), following best practices

Subscription Validation - PASSED ✅

  • API endpoint: Correctly calls https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/maintained-actions-subscription
  • Upstream value: Set to "slackapi/slack-github-action" which matches original-owner/repo-name from auto_cherry_pick.yml (lines 28-29)
  • Public repo handling: Correctly skips subscription check for public repositories (if (repoPrivate === false) return;)
  • Private repo handling: Properly validates subscription and exits with error code 1 on 403 responses
  • Error messaging: Clear user messaging for subscription requirements

Node-specific Requirements - PASSED ✅

  • Author in package.json: Set to "step-security"
  • Repository field: Contains "step-security" in URL
  • Dependencies: All dependencies appear to be used based on import analysis
  • Dist folder: Present with compiled files (index.js, sourcemap, licenses)
  • Build script: Present in package.json ("build": "ncc build src/index.js --license licenses.txt --source-map")
  • Node version: Updated to node24 in action.yml and workflow files

🔒 Security Analysis - NO ISSUES FOUND

  • No hardcoded secrets or credentials
  • Proper error handling without information leakage
  • Secure API calls with timeout protection
  • No shell injection vulnerabilities
  • Dependencies appear legitimate and properly scoped

📋 Notable Implementation Details

  1. Public Repository Optimization: The subscription check elegantly skips API calls for public repos, improving performance
  2. Proper Error Handling: 403 responses trigger appropriate user messaging while other errors allow graceful continuation
  3. Runtime Upgrade: Successfully upgraded from older Node.js to node24
  4. Maintained Action Banner: Properly displays branding and links to StepSecurity documentation

🏆 Final Recommendation: APPROVE

This PR successfully implements all required StepSecurity maintained action standards. The subscription validation is properly implemented, the banner is correctly placed, and all compliance requirements are met. The code is secure and follows best practices.
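The PR description and the review above describe the subscription check's decision logic without showing it: skip the API call when the repository is public, otherwise call `https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/maintained-actions-subscription` with a timeout, fail the job on a 403, and continue on any other outcome. The block below is an added example of that logic and is not the project's own `validateSubscription()` or its `dist/` build. The endpoint and the upstream value `slackapi/slack-github-action` are taken from the review comment; the helper names (`repoIsPublic`, `classifyResponse`, `shouldFailJob`, `fakeFetch`), the `X-Upstream` header, the treatment of non-403 statuses, and the constructed fake network are assumptions for illustration. `fetch` is injected so the example runs offline.

```javascript
// Added example (not the project's code): a StepSecurity-style maintained-action
// subscription check with an injectable fetch so it can run without network access.
// Helper names, the X-Upstream header and the fake network are assumptions.

const SUBSCRIPTION_API = "https://agent.api.stepsecurity.io/v1/github";
const UPSTREAM = "slackapi/slack-github-action"; // upstream value quoted in the review

// GitHub event payloads carry repository.private as a boolean. Only an explicit
// `false` counts as public (mirrors `if (repoPrivate === false) return;`), so an
// unreadable or missing payload still triggers the check instead of skipping it.
function repoIsPublic(eventPayload) {
  return eventPayload?.repository?.private === false;
}

// Status mapping described in the review: 403 is the only hard failure, a 2xx
// passes, and anything else (5xx, unexpected codes) lets the run continue.
function classifyResponse(status) {
  if (status === 403) return "denied";
  if (status >= 200 && status < 300) return "ok";
  return "unverified";
}

// Returns { status: "skipped" | "ok" | "denied" | "unverified", reason }.
async function validateSubscription({ repository, eventPayload, fetchImpl, timeoutMs = 3000 }) {
  if (repoIsPublic(eventPayload)) {
    return { status: "skipped", reason: "public repository" };
  }
  const url = `${SUBSCRIPTION_API}/${repository}/actions/maintained-actions-subscription`;
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs); // timeout protection
  try {
    const res = await fetchImpl(url, {
      signal: controller.signal,
      headers: { "X-Upstream": UPSTREAM }, // header name is an assumption
    });
    const status = classifyResponse(res.status);
    const reason = status === "denied"
      ? `Subscription required: ${repository} is private and has no StepSecurity maintained-actions subscription`
      : `HTTP ${res.status}`;
    return { status, reason };
  } catch (err) {
    // Network failure or timeout: not a 403, so the action continues (fail-open).
    const reason = err && err.name === "AbortError" ? "timeout" : String(err);
    return { status: "unverified", reason };
  } finally {
    clearTimeout(timer);
  }
}

// The entrypoint exits with code 1 only for "denied" (the 403 case).
function shouldFailJob(result) {
  return result.status === "denied";
}

// Constructed stand-in for fetch(): maps "owner/repo" -> HTTP status, or "hang"
// for a server that never answers, which exercises the timeout path.
function fakeFetch(statusByRepo) {
  return (url, { signal } = {}) =>
    new Promise((resolve, reject) => {
      const repo = url.slice(SUBSCRIPTION_API.length + 1).split("/actions/")[0];
      const spec = statusByRepo[repo];
      if (spec === "hang") {
        signal.addEventListener("abort", () => {
          const e = new Error("The operation was aborted");
          e.name = "AbortError";
          reject(e);
        });
        return;
      }
      resolve({ status: spec, ok: spec >= 200 && spec < 300 });
    });
}

// Stand-alone demo against the constructed fake; a real entrypoint passes globalThis.fetch
// and the parsed GITHUB_EVENT_PATH payload, then calls process.exit(1) when shouldFailJob().
(async () => {
  const fetchImpl = fakeFetch({ "acme/private-nosub": 403 });
  const r = await validateSubscription({
    repository: "acme/private-nosub",
    eventPayload: { repository: { private: true } },
    fetchImpl,
  });
  console.log(r.status, shouldFailJob(r)); // denied true
})();
```

Two properties worth keeping in mind when reviewing the real implementation: because the skip condition is a strict `=== false`, a repository whose visibility cannot be read is checked rather than waved through; and because only a 403 fails the job, a timeout or a 5xx from the subscription API lets the run continue, so the gate is fail-open for outages, which is the "graceful continuation" the review describes.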

