
feat: added banner and update subscription check to make maintained actions free for public repos #61

Merged: Raj-StepSecurity merged 2 commits into main from feat/update-subscription-check on Apr 10, 2026

Conversation

@Raj-StepSecurity (Contributor)

Summary

  • Added StepSecurity Maintained Action banner to README.md
  • Updated subscription validation: public repositories are now free (no API check)
  • Updated LICENSE copyright year to 2026
  • Added jq to Dockerfile for event payload parsing

Changes by type

  • Docker actions: replaced entrypoint.sh subscription block, ensured jq is installed in Dockerfile

Verification

  • Subscription check skips for public repos
  • Subscription check fires for private repos
  • README banner is present at the top

Auto-generated by StepSecurity update-propagator. Task ID: 20260409T074908Z

@Raj-StepSecurity Raj-StepSecurity added the review-required This PR requires review label Apr 9, 2026
@claude Bot commented Apr 10, 2026

Claude finished @Raj-StepSecurity's task.

Pull Request Review

I've completed a comprehensive review of this Docker-based action PR against the specified criteria.

Review Summary

PASSED - General Action Requirements:

  • License: Properly configured with StepSecurity copyright (2026) and original Decathlon copyright
  • action.yml: Present, uses Docker runner, no author field (acceptable)
  • SECURITY.md: Present and properly configured
  • Required workflows: Both auto_cherry_pick.yml and actions_release.yml are present
  • Prohibited files: None found (no FUNDING.yml, renovate.json, PULL_REQUEST.md, CHANGELOG.md, ISSUE_TEMPLATE, .vscode)
  • README banner: ✅ StepSecurity Maintained Action banner correctly added at the top
  • Usage examples: ✅ All examples use major version @v3 instead of full semver

PASSED - Docker-Specific Requirements:

  • Published image: ✅ Uses ghcr.io/step-security/release-notes-generator-action:v3.2.2 from StepSecurity org
  • Major version tagging: ✅ Image tagged with major version v3
  • SHA pinning: ✅ Image properly pinned with SHA256 hash

PASSED - Subscription Check Implementation:

  • API endpoint: ✅ Correctly calls https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/maintained-actions-subscription
  • UPSTREAM variable: ✅ Set to "Decathlon/release-notes-generator-action" which matches the original-owner/repo-name format from auto_cherry_pick.yml (Decathlon/release-notes-generator-action)
  • Public repo logic: ✅ KEY IMPROVEMENT - Public repositories now skip subscription check entirely (if [ "$REPO_PRIVATE" != "false" ])
  • Private repo handling: ✅ Proper API call with timeout and error handling for private repositories

PASSED - Security Analysis:

  • No credential exposure: GITHUB_TOKEN properly handled, not logged or echoed
  • Input sanitization: Event data parsed using proper JSON parsing with /JSON.sh
  • Command injection protection: No eval, backticks, or unsafe variable substitution
  • File operations: Safe mkdir operations with proper variable handling
  • Error handling: Proper exit codes and error messages

PASSED - Changes Analysis:

The PR correctly implements the intended changes:

  1. README banner: Added StepSecurity maintained action banner
  2. Public repo subscription: Properly skips API check for public repositories
  3. License update: Updated copyright to 2026
  4. Dockerfile: Added jq dependency for JSON parsing
  5. Enhanced messaging: Clear output indicating free usage for public repos

Recommendations

Minor Improvements:

  1. Consider adding input validation for milestone IDs to prevent potential issues with malformed event data
  2. The timeout of 3 seconds for the API call is reasonable but could be documented

Final Verdict: ✅ APPROVED

This PR successfully implements the subscription model changes while maintaining security best practices. All requirements from the review checklist are satisfied, and the implementation correctly makes maintained actions free for public repositories while preserving subscription checks for private repositories.
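The public/private gate that the PR summary and the review above describe (read the repository visibility from the event payload with jq, skip the subscription check for public repositories, call the subscription API with a 3 second timeout for private ones) is reimplemented below as an added example. It is not the action's own entrypoint.sh and was not taken from this PR. Assumptions that are not on this page: the payload is read from the file GitHub supplies at `$GITHUB_EVENT_PATH`, the token is sent as a bearer token, HTTP 200 means "subscribed", and `SUBSCRIPTION_API_BASE` is a hypothetical override that exists only so the script can be exercised offline; the sample payloads are constructed.

```shell
#!/usr/bin/env bash
# Added example, not the action's entrypoint.sh. Reimplements the gate the PR
# describes: parse the event payload with jq, skip the subscription check for
# public repositories, call the subscription API (3 s timeout) for private ones.
# Assumptions not taken from the PR page: payload at $GITHUB_EVENT_PATH, bearer
# token auth, HTTP 200 == subscribed, SUBSCRIPTION_API_BASE is a hypothetical
# override used only for offline testing.
set -u

# Exit status: 0 = private, 1 = public, 2 = visibility unknown (field missing or
# payload unparsable). An unreadable payload is never treated as public.
# Note: jq's "//" default operator treats false like null, so
# '.repository.private // "missing"' would turn private:false into "missing";
# tostring keeps true/false/null distinguishable.
repo_is_private() {
  local event_file="$1" private
  private=$(jq -r '.repository.private | tostring' "$event_file" 2>/dev/null) || return 2
  case "$private" in
    true)  return 0 ;;
    false) return 1 ;;
    *)     return 2 ;;
  esac
}

# Exit status: 0 = HTTP 200 (subscribed), 1 = any other HTTP status,
# 2 = endpoint not reachable within the timeout (or curl missing).
# The token is passed only in the header; nothing here prints it.
check_subscription() {
  local repo="$1" token="$2" status
  local base="${SUBSCRIPTION_API_BASE:-https://agent.api.stepsecurity.io}"
  status=$(curl -sS --max-time 3 -o /dev/null -w '%{http_code}' \
    -H "Authorization: Bearer ${token}" \
    "${base}/v1/github/${repo}/actions/maintained-actions-subscription" 2>/dev/null) || return 2
  [ "$status" = "200" ]
}

# Combined gate. 0 = allowed, 1 = private repo without subscription,
# 2 = undecidable (bad payload or API unreachable). This example treats 2 as a
# failure rather than a free pass; the action's own policy is not stated on the page.
subscription_gate() {
  local event_file="$1" repo="$2" token="$3" rc=0
  repo_is_private "$event_file" || rc=$?
  case "$rc" in
    1) echo "Public repository ${repo}: maintained action is free, skipping subscription check"; return 0 ;;
    2) echo "Cannot read repository visibility from ${event_file}; refusing to assume public" >&2; return 2 ;;
  esac
  rc=0
  check_subscription "$repo" "$token" || rc=$?
  case "$rc" in
    0) echo "Subscription verified for private repository ${repo}"; return 0 ;;
    1) echo "No active maintained-actions subscription for private repository ${repo}" >&2; return 1 ;;
    *) echo "Subscription API unreachable within 3s for ${repo}" >&2; return 2 ;;
  esac
}

# Write a constructed sample event payload (only the fields used here, shaped
# like the "repository" object of a GitHub event) to the given path.
write_sample_event() {
  local path="$1" is_private="$2" full_name="$3"
  printf '{"repository":{"full_name":"%s","private":%s}}\n' "$full_name" "$is_private" > "$path"
}

# Usage: ./subscription_gate.sh --demo
# Runs the gate against a constructed public payload; no network is needed.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  write_sample_event "$tmp/event.json" false "example-org/public-repo"
  subscription_gate "$tmp/event.json" "example-org/public-repo" "${GITHUB_TOKEN:-}"
  rm -rf "$tmp"
fi
```

In the real action the first argument would be `"$GITHUB_EVENT_PATH"` and the second `"$GITHUB_REPOSITORY"`. The three-way status of `repo_is_private` is the part worth keeping: a check that only tests `!= "false"` is correct for a well-formed payload, but a missing field or a jq default written with `//` can silently flip the decision, so the parser should report "unknown" separately from "public".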


@Raj-StepSecurity Raj-StepSecurity merged commit db8b4ec into main Apr 10, 2026
4 checks passed