comments addressed

Author: Raj-StepSecurity

.github/workflows/docker.yml

@@ -0,0 +1,55 @@
+name: Publish docker image
+
+on:
+  workflow_dispatch:
+    inputs:
+      release_tag:
+        description: 'Tag to release'
+        required: true
+        type: string
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+    build:
+        runs-on: ubuntu-latest
+        if: startsWith(github.event.inputs.release_tag, 'v')
+        steps:
+        - name: Harden the runner (Audit all outbound calls)
+          uses: step-security/harden-runner@0v2
+          with:
+            egress-policy: audit
+
+        - name: Checkout
+          uses: actions/checkout@v6
+        - name: Validate tag format
+          run: |
+            TAG=${{ github.event.inputs.release_tag }}
+            if ! echo "$TAG" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
+              echo "❌ Invalid tag format: $TAG"
+              exit 1
+            fi
+            echo "✅ Valid semver tag: $TAG"
+        - name: Log in to GitHub Container Registry
+          uses: step-security/docker-login-action@v4
+          with:
+            registry: ghcr.io
+            username: ${{ github.actor }}
+            password: ${{ secrets.GITHUB_TOKEN }}
+
+        - name: Set up QEMU for ARM builds
+          uses: step-security/setup-qemu-action@v4
+
+        - name: Set up Docker Buildx
+          uses: step-security/setup-buildx-action@v4
+
+        - name: Build and push Docker image
+          uses: step-security/docker-build-push-action@v7
+          with:
+            context: .
+            push: true
+            platforms: linux/amd64,linux/arm64
+            tags: |
+              ghcr.io/${{ github.repository }}:${{ github.event.inputs.release_tag }}

.github/workflows/pull-requests.yml

@@ -21,12 +21,12 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ ubuntu-latest, macos-latest ]
+        os: ${{ github.actor == 'dependabot[bot]' && fromJSON('["ubuntu-latest"]') || fromJSON('["ubuntu-latest", "macos-latest"]') }}
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v6
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version-file: 'go.mod'
           cache: true
@@ -39,7 +39,7 @@ jobs:
     steps:
       - uses: actions/checkout@v6
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version-file: 'go.mod'
           cache: true

main.go

@@ -50,18 +50,19 @@ func exitOnError(err error) {
 }
 
 func validateSubscription() {
-	eventPath := os.Getenv("GITHUB_EVENT_PATH")
-	var repoPrivate *bool
+	isPublic := false
 
-	if eventPath != "" {
+	if eventPath := os.Getenv("GITHUB_EVENT_PATH"); eventPath != "" {
 		if eventData, err := os.ReadFile(eventPath); err == nil {
 			var event struct {
 				Repository struct {
 					Private *bool `json:"private"`
 				} `json:"repository"`
 			}
 			if err := json.Unmarshal(eventData, &event); err == nil {
-				repoPrivate = event.Repository.Private
+				if event.Repository.Private != nil {
+					isPublic = !*event.Repository.Private
+				}
 			}
 		}
 	}
@@ -73,13 +74,13 @@ func validateSubscription() {
 	fmt.Println()
 	fmt.Println("\x1b[1;36mStepSecurity Maintained Action\x1b[0m")
 	fmt.Printf("Secure drop-in replacement for %s\n", upstream)
-	if repoPrivate != nil && !*repoPrivate {
+	if isPublic {
 		fmt.Println("\x1b[32m\u2713 Free for public repositories\x1b[0m")
 	}
 	fmt.Printf("\x1b[36mLearn more:\x1b[0m %s\n", docsURL)
 	fmt.Println()
 
-	if repoPrivate != nil && !*repoPrivate {
+	if isPublic {
 		return
 	}