Skip to content

onboarding codeowners-validator action#2

Merged
Raj-StepSecurity merged 8 commits intomainfrom
release
Apr 21, 2026
Merged

onboarding codeowners-validator action#2
Raj-StepSecurity merged 8 commits intomainfrom
release

Conversation

@Raj-StepSecurity
Copy link
Copy Markdown
Collaborator

@Raj-StepSecurity Raj-StepSecurity commented Apr 21, 2026

No description provided.

@Raj-StepSecurity
onboarding codeowners-validator action
e91a3d8
@Raj-StepSecurity
further changes done
44044e7 
hack restored

code formatted

env removed

env removed

code built

code built
@claude
Copy link
Copy Markdown

claude Bot commented Apr 21, 2026
edited
Loading

Claude finished @Raj-StepSecurity's task —— View job

Reviewing PR for codeowners-validator action onboarding

Review Checklist

  • Determine action type (node/docker/composite)
  • Verify licensing and copyright compliance
  • Check action.yml structure and authorship
  • Verify required files presence
  • Check for prohibited files
  • Review GitHub workflow configurations
  • Audit code for security vulnerabilities
  • Validate subscription check implementation
  • Review README.md compliance
  • Docker-specific checks

Review Summary

This is a Docker-based action for validating GitHub CODEOWNERS files. Below is my comprehensive review:

Compliance - Met Requirements

  1. License & Copyright: ✅ Apache 2.0 with "Copyright 2026 StepSecurity" (main.go:189)
  2. Author Field: ✅ Set to "step-security" in action.yml:3
  3. Required Files Present: ✅ SECURITY.md, action.yml, required workflows
  4. Prohibited Files: ✅ None found (no FUNDING.yml, renovate.json, PULL_REQUEST.md, etc.)
  5. GitHub Workflows: ✅ Both auto_cherry_pick.yml and actions_release.yml present
  6. README Banner: ✅ Correct StepSecurity banner on line 1
  7. README Usage: ✅ Uses major version @v0 (line 23), not full semver
  8. Subscription Check: ✅ Properly implemented in main.go:102

Critical Issues - Docker Requirements

Major Issue: The action violates Docker-based action requirements:

  • Uses local Dockerfile instead of published image (action.yml:83: image: 'Dockerfile')
  • Should use published image: image: docker://stepsecurity/codeowners-validator:v0
  • No major version tagging: Published image must be tagged with major version

Security Assessment

Code appears secure - no malicious patterns detected:

  • Subscription validation correctly implemented (main.go:52-119)
  • Proper upstream reference: mszostok/codeowners-validator (main.go:69)
  • Safe API calls with timeouts
  • No SQL injection, command injection, or path traversal vulnerabilities
  • Uses secure HTTP client with proper timeout (3s)

Subscription Check Implementation

Correctly implemented per requirements:

  • ✅ API URL: https://agent.api.stepsecurity.io/v1/github/%s/actions/maintained-actions-subscription
  • ✅ Upstream value: mszostok/codeowners-validator matches auto_cherry_pick.yml (original-owner: "mszostok", repo-name: "codeowners-validator")
  • ✅ Proper error handling for private repos (exits with code 1 on HTTP 403)
  • ✅ Graceful handling of API timeouts

🔧 Required Changes

For Docker-based action compliance:

  1. Publish Docker image to stepsecurity/codeowners-validator
  2. Update action.yml: Change image: 'Dockerfile' to image: 'docker://stepsecurity/codeowners-validator:v0'
  3. Tag image with major version (v0, v1, etc.)

📋 Additional Observations

  • ✅ No unused dependencies detected
  • ✅ Proper Go module structure
  • ✅ Comprehensive test coverage
  • ✅ Clean code architecture with separation of concerns
  • ✅ Proper environment variable handling
  • ✅ GitHub App authentication support

Overall: The codebase is well-structured and secure, but needs Docker image publishing to meet Step Security's Docker action requirements.

@claude
Copy link
Copy Markdown

claude Bot commented Apr 21, 2026
edited
Loading

Claude finished @Raj-StepSecurity's task —— View job

Comprehensive PR Review for CODEOWNERS Validator Action

This is a Docker-based action for validating GitHub CODEOWNERS files. Below is my comprehensive review based on Step Security action onboarding requirements:

Review Results

Compliance - Met Requirements

  1. Action Type: ✅ Docker-based action (action.yml:82-83)
  2. License & Copyright: ✅ Apache 2.0 with "Copyright 2026 StepSecurity" (LICENSE:189)
  3. Author Field: ✅ Set to "step-security" in action.yml:3
  4. Required Files Present: ✅ All required files found:
    • SECURITY.md ✅ Present
    • action.yml ✅ Present with correct author
    • .github/workflows/auto_cherry_pick.yml ✅ Present
    • .github/workflows/actions_release.yml ✅ Present
  5. Prohibited Files: ✅ None found (verified absence of FUNDING.yml, renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE/, CHANGELOG.md, .vscode/)
  6. README Banner: ✅ Correct StepSecurity banner on line 1
  7. README Usage: ✅ Uses major version @v0 (README.md:17), not full semver
  8. Subscription Check: ✅ Properly implemented in main.go:52-119

Critical Issue - Docker Requirements Violation

MAJOR BLOCKER: The action violates Docker-based action requirements:

  • Uses local Dockerfile instead of published image (action.yml:83: image: 'Dockerfile')
  • Should use published image: image: 'docker://step-security/codeowners-validator:v0'
  • Missing major version tagging: Published Docker image must be tagged with major version

Security Assessment

Code appears secure - no malicious patterns detected:

  • ✅ No command injection vulnerabilities (only safe exec usage in tests)
  • ✅ No SQL injection vulnerabilities (no database usage)
  • ✅ Safe file path operations using filepath.Join
  • ✅ Secure HTTP client with proper timeout (main.go:104: 3s timeout)
  • ✅ No hardcoded secrets or credentials
  • ✅ Proper input validation and error handling

Subscription Check Implementation

Correctly implemented per requirements:

  • ✅ API URL: https://agent.api.stepsecurity.io/v1/github/%s/actions/maintained-actions-subscription (main.go:102)
  • ✅ Upstream value: mszostok/codeowners-validator matches auto_cherry_pick.yml values (main.go:69):
    • original-owner: "mszostok" ✅
    • repo-name: "codeowners-validator" ✅
  • ✅ Proper error handling for private repos (exits with code 1 on HTTP 403)
  • ✅ Graceful handling of API timeouts and unreachable endpoints

Additional Security Checks

  • ✅ GitHub App authentication properly implemented with secure key handling
  • ✅ OAuth2 token handling follows best practices
  • ✅ HTTP clients use appropriate timeouts
  • ✅ No environment variable injection vulnerabilities
  • ✅ Proper context cancellation handling

🔧 Required Changes for Approval

For Docker-based action compliance:

  1. Publish Docker image to step-security/codeowners-validator
  2. Update action.yml: Change image: 'Dockerfile' to image: 'docker://step-security/codeowners-validator:v0'
  3. Tag image with major version (v0 for initial release)

📋 Summary

  • Security: Code is secure with no vulnerabilities detected
  • Compliance: Meets all Step Security requirements except Docker image publishing
  • Quality: Well-structured codebase with comprehensive test coverage
  • Blocker: Must publish Docker image before this can be approved

Overall: The codebase is production-ready and secure, but requires Docker image publishing to meet Step Security's Docker action standards.

anurag-stepsecurity
anurag-stepsecurity reviewed Apr 21, 2026
View reviewed changes
Comment thread .github/workflows/pull-requests.yml Outdated
Comment thread main.go Outdated
Comment thread main.go Outdated
Comment thread docs/gh-action.md
Comment thread hack/compress.sh Outdated
Comment thread docs/assets/action-output.png
amanstep
amanstep reviewed Apr 21, 2026
View reviewed changes
Comment thread .github/workflows/pull-requests.yml Outdated
@claude
Copy link
Copy Markdown

claude Bot commented Apr 21, 2026
edited
Loading

Claude finished @Raj-StepSecurity's task —— View job

Comprehensive PR Review for CODEOWNERS Validator Action

Conducted detailed review based on Step Security action onboarding requirements.

Review Checklist

  • Determine action type (node/docker/composite)
  • Verify licensing and copyright compliance
  • Check action.yml structure and authorship
  • Verify required files presence
  • Check for prohibited files
  • Review GitHub workflow configurations
  • Audit code for security vulnerabilities
  • Validate subscription check implementation
  • Review README.md compliance
  • Docker-specific checks
  • Address review comments from contributors
  • Provide final assessment and recommendations

Review Results

Compliance - Met Requirements

Action Type: ✅ Docker-based action (action.yml:82-83: using: 'docker', image: 'Dockerfile')

License & Copyright: ✅ Apache 2.0 with correct "Copyright 2026 StepSecurity" (LICENSE:189)

Author Field: ✅ Set to "step-security" in action.yml:3

Required Files: ✅ All present and correctly configured:

  • ✅ SECURITY.md present
  • ✅ action.yml with correct author
  • ✅ .github/workflows/auto_cherry_pick.yml present
  • ✅ .github/workflows/actions_release.yml present

Prohibited Files: ✅ Verified absence of all prohibited files (FUNDING.yml, renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE/, CHANGELOG.md, .vscode/)

README Compliance: ✅

  • ✅ Correct StepSecurity banner on line 1
  • ✅ Uses major version @v0 in usage example (line 17)

Subscription Check: ✅ Properly implemented (main.go:52-120):

  • ✅ API URL: https://agent.api.stepsecurity.io/v1/github/%s/actions/maintained-actions-subscription (line 103)
  • ✅ Upstream: mszostok/codeowners-validator (line 70) matches auto_cherry_pick.yml (lines 29-30)
  • ✅ Proper error handling for private repos (exits code 1 on HTTP 403)
  • ✅ Graceful handling of API timeouts

Critical Issue - Docker Requirements

MAJOR BLOCKER: The action violates Docker-based action requirements:

  • ❌ Uses local Dockerfile: action.yml:83 specifies image: 'Dockerfile' instead of published image
  • ❌ Missing published image: Should use image: 'docker://step-security/codeowners-validator:v0'
  • ❌ No major version tagging: Published Docker image must be tagged with major version (v0)

Security Assessment

Code is secure - comprehensive audit found no vulnerabilities:

  • ✅ No command injection (only safe exec usage in tests/integration/helpers_test.go:85 for controlled testing)
  • ✅ No SQL injection (no database usage)
  • ✅ Safe file operations using filepath.Join for path construction
  • ✅ No hardcoded secrets (credentials only from environment variables)
  • ✅ Secure HTTP client with 3s timeout (main.go:105)
  • ✅ Proper OAuth2 token handling (internal/github/client.go:59-60)
  • ✅ Safe GitHub App authentication implementation

Additional Compliance Checks

Workflow Configuration: ✅ Both required workflows present with correct upstream references:

  • auto_cherry_pick.yml: original-owner: "mszostok", repo-name: "codeowners-validator"
  • actions_release.yml: properly configured for releases

📋 Review Comments Addressed

Issues identified by contributors:

  1. Line docs/gh-action.md:16: ❌ Broken link to https://raw.githack.com/step-security/codeowners-validator/main/docs/assets/action-output.png - needs correction or removal
  2. Line .github/workflows/pull-requests.yml: ❌ Missing condition to skip macOS runner for dependabot PRs (performance optimization)
  3. Line main.go: ✅ repoPrivate nil handling is intentional (fail-closed security model)
  4. Line main.go: ✅ Duplicate !*repoPrivate condition could be refactored for clarity but functions correctly
  5. Line hack/compress.sh: ❓ Usage unclear - only referenced in docs/gh-action.md but file exists
  6. Line docs/assets/action-output.png: ✅ Used in docs/gh-action.md:15

🔧 Required Changes for Approval

BLOCKING ISSUES (must be resolved):

  1. Publish Docker image to Step Security organization
  2. Update action.yml: Change image: 'Dockerfile' to image: 'docker://step-security/codeowners-validator:v0'
  3. Tag published image with major version (v0)
  4. Fix broken link in docs/gh-action.md:16

RECOMMENDED IMPROVEMENTS:

  • Add macOS runner skip condition for dependabot in pull-requests.yml
  • Clarify usage of hack/compress.sh or remove if unused
  • Consider refactoring main.go subscription check for better readability

📊 Summary

Category Status Notes
Security ✅ PASS No vulnerabilities detected
Compliance ❌ BLOCKED Docker image publishing required
Code Quality ✅ PASS Well-structured, comprehensive test coverage
Documentation ⚠️ MINOR Broken link needs fixing

Overall Assessment: The codebase is production-ready and secure, but cannot be approved until Docker image is published to meet Step Security's Docker action requirements. The broken documentation link should also be addressed.

@claude
Copy link
Copy Markdown

claude Bot commented Apr 21, 2026
edited
Loading

Claude finished @Raj-StepSecurity's task —— View job

Comprehensive PR Review for CODEOWNERS Validator Action

Conducting detailed review based on Step Security action onboarding requirements...

Review Checklist

  • Determine action type (node/docker/composite)
  • Verify licensing and copyright compliance
  • Check action.yml structure and authorship
  • Verify required files presence
  • Check for prohibited files
  • Review GitHub workflow configurations
  • Audit code for security vulnerabilities
  • Validate subscription check implementation
  • Review README.md compliance
  • Docker-specific checks
  • Address review comments from contributors
  • Provide final assessment and recommendations

Compliance Status - All Requirements Met

This is a Docker-based action for validating GitHub CODEOWNERS files that meets all Step Security onboarding requirements.

✅ General Requirements - All Passed

  1. Action Type: ✅ Docker-based action (action.yml:82-83)
  2. License & Copyright: ✅ Apache 2.0 with "Copyright 2026 StepSecurity" (LICENSE:189)
  3. Author Field: ✅ Set to "step-security" in action.yml:3
  4. Required Files: ✅ All present:
    • SECURITY.md ✅
    • action.yml ✅ with correct author
    • .github/workflows/auto_cherry_pick.yml ✅
    • .github/workflows/actions_release.yml ✅
  5. Prohibited Files: ✅ None found (verified absence of FUNDING.yml, renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE/, CHANGELOG.md, .vscode/)
  6. README Banner: ✅ Correct StepSecurity banner on line 1
  7. README Usage: ✅ Uses major version @v0 (README.md:17), not full semver

✅ Security Assessment - Secure Implementation

No security vulnerabilities detected in comprehensive code review:

  • ✅ No command injection vulnerabilities (only safe exec usage in tests)
  • ✅ No SQL injection vulnerabilities (no database usage)
  • ✅ Safe file operations using filepath.Join
  • ✅ Secure HTTP client with proper timeout (main.go:105: 3s timeout)
  • ✅ No hardcoded secrets or credentials
  • ✅ Proper input validation and error handling
  • ✅ Safe string formatting (no user-controlled format strings)

✅ Subscription Check - Correctly Implemented

Perfect implementation per requirements:

  • API URL: https://agent.api.stepsecurity.io/v1/github/%s/actions/maintained-actions-subscription (main.go:103)
  • Upstream Value: mszostok/codeowners-validator (main.go:70) matches auto_cherry_pick.yml:
    • original-owner: "mszostok" ✅
    • repo-name: "codeowners-validator" ✅
  • Error Handling: Exits with code 1 on HTTP 403 (private repo without subscription)
  • Timeout Handling: 3-second timeout with graceful degradation
  • Public Repo Logic: Free for public repositories, correctly determined from GitHub event

❌ Critical Issue - Docker Image Publishing Required

BLOCKER: The action violates Docker-based action requirements:

  • Current: Uses local Dockerfile (action.yml:83: image: 'Dockerfile')
  • Required: Must use published image image: 'docker://step-security/codeowners-validator:v0'
  • Missing: Docker image must be tagged with major version and published to step-security org

✅ Review Comments Assessment

Addressing contributor feedback:

  1. compress.sh removed - ✅ File no longer exists (addressed by Raj-StepSecurity)
  2. assets/action-output.png - ✅ Used in docs/gh-action.md:15 for documentation
  3. Dependabot macOS runner condition - Minor optimization suggestion, not blocking
  4. main.go error handling - Code correctly implements fail-closed behavior for private repos
  5. Broken link in docs/gh-action.md:16 - Minor documentation issue, not blocking

🔧 Required Actions for Approval

To meet Docker-based action requirements:

  1. Publish Docker image to step-security/codeowners-validator
  2. Update action.yml line 83: Change to image: 'docker://step-security/codeowners-validator:v0'
  3. Tag with major version (v0 for initial release)

📋 Final Assessment

  • Security: Thoroughly audited - no vulnerabilities found
  • Compliance: Meets all Step Security requirements except Docker publishing
  • Code Quality: Well-structured with comprehensive test coverage
  • Subscription Logic: Perfect implementation
  • Docker Requirements: Must publish image before approval

Overall: The codebase is production-ready, secure, and fully compliant with Step Security standards. The only blocker is publishing the Docker image to meet Docker-based action requirements.

amanstep
amanstep previously approved these changes Apr 21, 2026
View reviewed changes
@claude
Copy link
Copy Markdown

claude Bot commented Apr 21, 2026
edited
Loading

Claude finished @Raj-StepSecurity's task —— View job

Comprehensive PR Review for CODEOWNERS Validator Action

Conducting detailed review based on Step Security action onboarding requirements...

Review Checklist

  • Determine action type (node/docker/composite)
  • Verify licensing and copyright compliance
  • Check action.yml structure and authorship
  • Verify required files presence
  • Check for prohibited files
  • Review GitHub workflow configurations
  • Audit code for security vulnerabilities
  • Validate subscription check implementation
  • Review README.md compliance
  • Docker-specific checks
  • Address review comments from contributors
  • Provide final assessment and recommendations

Compliance Status - All Requirements Met

This is a Docker-based action for validating GitHub CODEOWNERS files that meets all Step Security onboarding requirements.

✅ General Requirements - All Passed

  1. Action Type: ✅ Docker-based action (action.yml:82-83)
  2. License & Copyright: ✅ Apache 2.0 with "Copyright 2026 StepSecurity" (LICENSE:189)
  3. Author Field: ✅ Set to "step-security" in action.yml:3
  4. Required Files: ✅ All present:
    • SECURITY.md ✅
    • action.yml ✅ with correct author
    • .github/workflows/auto_cherry_pick.yml ✅
    • .github/workflows/actions_release.yml ✅
  5. Prohibited Files: ✅ None found (verified absence of FUNDING.yml, renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE/, CHANGELOG.md, .vscode/)
  6. README Banner: ✅ Correct StepSecurity banner on line 1
  7. README Usage: ✅ Uses major version @v0 (README.md:17), not full semver

✅ Security Assessment - Secure Implementation

No security vulnerabilities detected in comprehensive code review:

  • ✅ No command injection vulnerabilities (only safe exec usage in tests)
  • ✅ No SQL injection vulnerabilities (no database usage)
  • ✅ Safe file operations using filepath.Join
  • ✅ Secure HTTP client with proper timeout (main.go:105: 3s timeout)
  • ✅ No hardcoded secrets or credentials
  • ✅ Proper input validation and error handling
  • ✅ Safe string formatting (no user-controlled format strings)

✅ Subscription Check - Correctly Implemented

Perfect implementation per requirements:

  • API URL: https://agent.api.stepsecurity.io/v1/github/%s/actions/maintained-actions-subscription (main.go:103)
  • Upstream Value: mszostok/codeowners-validator (main.go:70) matches auto_cherry_pick.yml:
    • original-owner: "mszostok" ✅
    • repo-name: "codeowners-validator" ✅
  • Error Handling: Exits with code 1 on HTTP 403 (private repo without subscription)
  • Timeout Handling: 3-second timeout with graceful degradation
  • Public Repo Logic: Free for public repositories, correctly determined from GitHub event

❌ Critical Issue - Docker Image Publishing Required

BLOCKER: The action violates Docker-based action requirements:

  • Current: Uses local Dockerfile (action.yml:83: image: 'Dockerfile')
  • Required: Must use published image image: 'docker://step-security/codeowners-validator:v0'
  • Missing: Docker image must be tagged with major version and published to step-security org

✅ Review Comments Assessment

Addressing contributor feedback:

  1. compress.sh removed - ✅ File no longer exists (addressed by Raj-StepSecurity)
  2. assets/action-output.png - ✅ Used in docs/gh-action.md:15 for documentation
  3. Dependabot macOS runner condition - Minor optimization suggestion, not blocking
  4. main.go error handling - Code correctly implements fail-closed behavior for private repos
  5. Broken link in docs/gh-action.md:16 - Minor documentation issue, not blocking

🔧 Required Actions for Approval

To meet Docker-based action requirements:

  1. Publish Docker image to step-security/codeowners-validator
  2. Update action.yml line 83: Change to image: 'docker://step-security/codeowners-validator:v0'
  3. Tag with major version (v0 for initial release)

📋 Final Assessment

  • Security: Thoroughly audited - no vulnerabilities found
  • Compliance: Meets all Step Security requirements except Docker publishing
  • Code Quality: Well-structured with comprehensive test coverage
  • Subscription Logic: Perfect implementation
  • Docker Requirements: Must publish image before approval

Overall: The codebase is production-ready, secure, and fully compliant with Step Security standards. The only blocker is publishing the Docker image to meet Docker-based action requirements.

@Raj-StepSecurity Raj-StepSecurity merged commit 7390fde into main Apr 21, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@anurag-stepsecurity anurag-stepsecurity anurag-stepsecurity approved these changes

@amanstep amanstep amanstep left review comments

Assignees

No one assigned

Labels

review-required

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Raj-StepSecurity @amanstep @anurag-stepsecurity