
feat: added banner and update subscription check to make maintained actions free for public repos #55

Merged
Raj-StepSecurity merged 3 commits into main from feat/update-subscription-check on May 18, 2026

Conversation

@anurag-stepsecurity


Summary

  • Added StepSecurity Maintained Action banner to README.md
  • Updated subscription validation: public repositories are now free (no API check)
  • Docker action: replaced entrypoint.sh subscription block with new format that skips public repos and posts action + ghes_server metadata for private repos

Verification

  • Subscription check skips for public repos
  • Subscription check fires for private repos
  • README banner is present at the top

Auto-generated by StepSecurity update-propagator. Task ID: 20260423T092801Z

…ctions free for public repos

Signed-off-by: Anurag Rajawat <anurag@stepsecurity.io>
@anurag-stepsecurity anurag-stepsecurity added the review-required This PR requires review label Apr 23, 2026
@claude

claude Bot commented May 18, 2026


Claude finished @anurag-stepsecurity's task


Comprehensive PR Review

I've completed a thorough review of this PR against StepSecurity maintained actions standards.

Tasks:

  • Determine action type (Docker/Node/Composite)
  • Review changed files (README.md, entrypoint.sh)
  • Check action.yml structure and metadata
  • Verify license and copyright requirements
  • Check required/forbidden files and folders
  • Review subscription check implementation
  • Scan for security vulnerabilities
  • Verify banner implementation
  • Check Docker-specific requirements (if applicable)
  • Provide comprehensive feedback

Review Results

Action Type: Composite Action using Docker containers


🔴 Critical Issues

  1. Missing auto_cherry_pick.yml
    • Required workflow .github/workflows/auto_cherry_pick.yml is not present
    • This file should contain original-owner and repo-name properties
    • Cannot verify if upstream variable UPSTREAM="rtCamp/action-slack-notify" (entrypoint.sh:4) matches the required format

✅ Compliant Items

File Structure & Requirements:

  • License: Present with both original (rtCamp) and StepSecurity copyright
  • action.yml: Author correctly set to "step-security"
  • SECURITY.md: Present and correctly formatted
  • actions_release.yml: Required workflow present
  • No forbidden files: FUNDING.yml, renovate.json, PULL_REQUEST.md, CHANGELOG.md, .vscode, ISSUE_TEMPLATE folders absent

Banner Implementation:

  • StepSecurity banner: Correctly added to README.md:1 with proper URL and format
  • README examples: Use major version tags (@v2) instead of full semver

Subscription Check Implementation:

  • API URL: Correctly uses https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/maintained-actions-subscription
  • Public repo logic: Properly skips subscription check for public repositories (REPO_PRIVATE != "false")
  • Private repo enforcement: Correctly exits with error for private repos without subscription

Composite Action Specific:

  • Action pinning: All non-GitHub actions are properly pinned to commit SHA:
    • step-security/slackify-markdown-action@c73f0df37907842e2074609d65096efde9a7e8e2

Docker Specific:

  • Published images: Uses published docker images from StepSecurity org
  • Image tagging: Uses major version tags (v2.3.5) with SHA pinning
  • Proper format: docker://ghcr.io/step-security/action-slack-notify:v2.3.5@sha256:...

Security:

  • No security vulnerabilities found in the modified code
  • Safe scripting: No unsafe eval, exec, or system calls in user code
  • Proper input validation: Environment variables are properly validated

📋 Summary

This PR is mostly compliant with StepSecurity maintained action standards. The main blocker is the missing auto_cherry_pick.yml workflow file, which is required to:

  1. Meet the structural requirements
  2. Validate that the upstream variable matches the expected format

Recommendation: Add the missing .github/workflows/auto_cherry_pick.yml file with proper original-owner: rtCamp and repo-name: action-slack-notify properties to complete compliance.

@claude

claude Bot commented May 18, 2026


Claude finished @anurag-stepsecurity's task


Comprehensive PR Review

I've completed a thorough review of this PR against StepSecurity maintained actions standards.

Tasks:

  • Determine action type (Docker/Node/Composite)
  • Review changed files (README.md, entrypoint.sh)
  • Check action.yml structure and metadata
  • Verify license and copyright requirements
  • Check required/forbidden files and folders
  • Review subscription check implementation
  • Scan for security vulnerabilities
  • Verify banner implementation
  • Check Docker-specific requirements (if applicable)
  • Provide comprehensive feedback

Review Results

Action Type: Composite Action using Docker containers


✅ Fully Compliant

This PR meets all StepSecurity maintained actions standards. Here's what was verified:

File Structure & Requirements:

  • License: Present with both original (rtCamp) and StepSecurity copyright
  • action.yml: Author correctly set to "step-security"
  • SECURITY.md: Present and correctly formatted
  • actions_release.yml: Required workflow present
  • auto_cherry_pick.yml: Present with correct original-owner and repo-name properties
  • No forbidden files: FUNDING.yml, renovate.json, PULL_REQUEST.md, CHANGELOG.md, .vscode, ISSUE_TEMPLATE folders absent

Banner Implementation:

  • StepSecurity banner: Correctly added to README.md:1 with proper URL and format
  • README examples: Use major version tags (@v2) instead of full semver

Subscription Check Implementation:

  • API URL: Correctly uses https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/maintained-actions-subscription
  • Public repo logic: Properly skips subscription check for public repositories (REPO_PRIVATE != "false")
  • Private repo enforcement: Correctly exits with error for private repos without subscription
  • Upstream variable: UPSTREAM="rtCamp/action-slack-notify" (entrypoint.sh:4) correctly matches original-owner: "rtCamp" + repo-name: "action-slack-notify" from auto_cherry_pick.yml:29-30

Composite Action Specific:

  • Action pinning: All non-GitHub actions are properly pinned to commit SHA:
    • step-security/slackify-markdown-action@c73f0df37907842e2074609d65096efde9a7e8e2

Docker Specific:

  • Published images: Uses published docker images from StepSecurity org
  • Image tagging: Uses major version tags (v2.3.5) with SHA pinning
  • Proper format: docker://ghcr.io/step-security/action-slack-notify:v2.3.5@sha256:...

Security:

  • No security vulnerabilities found in the modified code
  • Safe scripting: No unsafe eval, exec, or system calls in user code
  • Proper input validation: Environment variables are properly validated

📋 Summary

This PR is fully compliant with all StepSecurity maintained action standards and is ready for merge.

Key Changes Reviewed:

  1. Banner Addition: Proper StepSecurity maintained action banner added to README.md
  2. Subscription Logic: Updated entrypoint.sh with correct subscription check that skips public repos and validates private repos
  3. Metadata Handling: Proper action and GHES server metadata posting for private repositories

Recommendation: ✅ APPROVE - All compliance requirements met.
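The subscription gate that the PR summary and the review above describe (public repositories skip the check, private ones are posted to the subscription endpoint and the action exits on failure), as an added shell example. This is not the PR's entrypoint.sh: only the endpoint URL and the `REPO_PRIVATE != "false"` rule come from the page; the request body fields, treating an HTTP 200 as "subscribed", deriving visibility from the event payload, and the function names are assumptions made here.

```shell
#!/usr/bin/env bash
# Added example: fail-closed subscription gate for a maintained action.
# Not the project's entrypoint.sh; request/response shape is assumed.

SUBSCRIPTION_API_BASE="${SUBSCRIPTION_API_BASE:-https://agent.api.stepsecurity.io/v1/github}"

# Derive repository visibility (assumption: read "private" from the event
# payload with a dependency-free grep). Anything that is not the literal
# "false" is reported as private, so an unreadable payload fails closed.
resolve_repo_private() {
  local payload="${1:-${GITHUB_EVENT_PATH:-}}"
  if [ -n "$payload" ] && [ -f "$payload" ] \
     && grep -q '"private"[[:space:]]*:[[:space:]]*false' "$payload"; then
    echo false
  else
    echo true
  fi
}

# HTTP call, isolated so it can be swapped out in tests. Posts the action and
# GHES server metadata (field names assumed) and prints only the status code.
subscription_api_call() {
  local repo="$1" action="$2" ghes="$3"
  curl -sS -o /dev/null -w '%{http_code}' -X POST \
    -H 'Content-Type: application/json' \
    -d "{\"action\":\"$action\",\"ghes_server\":\"$ghes\"}" \
    "$SUBSCRIPTION_API_BASE/$repo/actions/maintained-actions-subscription"
}

# Gate: returns 0 when the action may run, 1 when it must stop.
#   $1 REPO_PRIVATE value ("true", "false", or empty)
#   $2 repository slug (owner/name)
#   $3 action name, $4 GHES server URL (empty on github.com)
check_subscription() {
  local repo_private="$1" repo="$2" action="${3:-action-slack-notify}" ghes="${4:-}"

  # Only the exact string "false" means public; unset or "true" is private.
  if [ "$repo_private" = "false" ]; then
    echo "Public repository: maintained action is free, skipping subscription check" >&2
    return 0
  fi

  local status
  status="$(subscription_api_call "$repo" "$action" "$ghes")" || status="000"
  if [ "$status" = "200" ]; then
    return 0
  fi
  # Private repo without a subscription (or the API unreachable): stop the job.
  echo "::error::Subscription check failed for private repository $repo (HTTP $status)" >&2
  return 1
}
```

Usage inside an entrypoint would be `check_subscription "$(resolve_repo_private)" "$GITHUB_REPOSITORY" action-slack-notify "$GITHUB_SERVER_URL" || exit 1`. The design point worth keeping is the direction of the comparison: testing for the literal `"false"` rather than for `"true"` means a missing or malformed visibility value is treated as private, so a broken lookup cannot silently turn the check off.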

@Raj-StepSecurity Raj-StepSecurity merged commit 3dd7c5e into main May 18, 2026
8 checks passed
@anurag-stepsecurity anurag-stepsecurity deleted the feat/update-subscription-check branch May 18, 2026 17:24
