
feat: added banner and update subscription check to make maintained actions free for public repos#34

Merged
amanstep merged 1 commit into main from feat/update-subscription-check on May 4, 2026

Conversation

@anurag-stepsecurity
Contributor

Summary

  • Added StepSecurity Maintained Action banner to README.md
  • Updated subscription validation: public repositories are now free (no API check)
  • For the Docker/Clojure action: updated validate-subscription! in src/release_on_push_action/core.clj with new logic that reads GITHUB_EVENT_PATH to skip the check for public repos and POSTs to the new maintained-actions-subscription endpoint for private repos

Changes by type

  • Docker action (Clojure): replaced validate-subscription! body, added banner print, public-repo skip, and new endpoint with body payload (action + optional ghes_server)

Verification

  • Subscription check skips for public repos
  • Subscription check fires for private repos
  • README banner is present at the top

Auto-generated by StepSecurity update-propagator. Task ID: 20260423T092801Z

…ctions free for public repos

Signed-off-by: Anurag Rajawat <anurag@stepsecurity.io>
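An added Python illustration (not the project's Clojure code) of the decision logic the PR describes: read repository.private from GITHUB_EVENT_PATH, skip the check entirely for public repos, and POST a body of action plus optional ghes_server to the endpoint named in the review for private ones. The repo slug, action name, injected `post` function and constructed event files are assumptions; treating an unreadable event file as not exempt is a design choice of this example, not something the PR states.

```python
import json
import os
import tempfile
from typing import Callable, Dict, Optional

# Endpoint quoted in the PR review; {repo} is the "owner/name" slug from GITHUB_REPOSITORY.
ENDPOINT = ("https://agent.api.stepsecurity.io/v1/github/{repo}"
            "/actions/maintained-actions-subscription")

def repo_is_private(event_path: Optional[str]) -> Optional[bool]:
    """Read repository.private from the GitHub event payload; None if missing/malformed."""
    if not event_path or not os.path.isfile(event_path):
        return None
    try:
        with open(event_path, encoding="utf-8") as fh:
            flag = json.load(fh).get("repository", {}).get("private")
    except (OSError, ValueError, AttributeError):
        return None
    return flag if isinstance(flag, bool) else None

def build_payload(action: str, ghes_server: Optional[str] = None) -> Dict[str, str]:
    """Request body for private repos: the action name plus ghes_server only when set."""
    payload = {"action": action}
    if ghes_server:
        payload["ghes_server"] = ghes_server
    return payload

def validate_subscription(repo: str, action: str, event_path: Optional[str],
                          ghes_server: Optional[str],
                          post: Callable[[str, Dict[str, str]], int]) -> str:
    """Return "skipped" (public repo), "valid", "invalid" or "unreachable".

    `post` is an injected HTTP function returning the status code, so the
    decision logic can be exercised offline. Assumption: an unknown visibility
    (unreadable event file) is NOT exempted; the check still runs."""
    if repo_is_private(event_path) is False:
        return "skipped"  # public repo: no API call at all
    try:
        status = post(ENDPOINT.format(repo=repo), build_payload(action, ghes_server))
    except OSError:
        return "unreachable"  # what to do here is a policy choice for the caller
    return "valid" if status == 200 else "invalid"

def write_constructed_event(private: bool) -> str:
    """Write a minimal, constructed GITHUB_EVENT_PATH file for offline testing."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump({"repository": {"private": private}}, fh)
    return path
```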
@anurag-stepsecurity anurag-stepsecurity added the review-required This PR requires review label Apr 23, 2026
claude Bot commented Apr 23, 2026



Pull Request Review

Comprehensive review of this StepSecurity maintained action PR completed.

Todo List:

  • Determine action type and analyze structure
  • Review changed files (README.md and core.clj)
  • Check repository compliance (license, security.md, workflows, etc.)
  • Verify action.yml configuration
  • Review subscription check implementation
  • Analyze Docker configuration and requirements
  • Security vulnerability assessment
  • Provide comprehensive feedback

Review Summary

Action Type: ✅ Docker-based action (Clojure implementation with published Docker image)

Compliance Analysis

Passes Requirements

General Compliance:

  • ✅ License present with StepSecurity copyright (LICENSE:4)
  • ✅ Author in action.yml is "step-security" (action.yml:4)
  • ✅ SECURITY.md file present
  • ✅ Required workflow files present (.github/workflows/auto_cherry_pick.yml, actions_release.yml)
  • ✅ Forbidden files absent (renovate.json, PULL_REQUEST.md, CHANGELOG.md, FUNDING.yml, ISSUE_TEMPLATE/, .vscode/)
  • ✅ StepSecurity banner correctly implemented in README.md (line 1)
  • ✅ Usage examples use major version (@v0) instead of full semver tags (README.md:41, 113, 143, etc.)

Docker-Specific Compliance:

  • ✅ Uses published Docker image from StepSecurity org: ghcr.io/step-security/release-on-push-action
  • ✅ Image tagged with major version: v0.28.5
  • ✅ Image properly pinned with SHA256 digest for security

Subscription Check Implementation:

  • ✅ Correct API endpoint: https://agent.api.stepsecurity.io/v1/github/{repo}/actions/maintained-actions-subscription (core.clj:195-197)
  • ✅ Upstream variable correctly matches auto_cherry_pick.yml: rymndhng/release-on-push-action (core.clj:181, auto_cherry_pick.yml:21-22)
  • ✅ Public repo exemption correctly implemented: reads GITHUB_EVENT_PATH to check repository.private flag (core.clj:175-180)
  • ✅ Proper banner display with colored output and documentation links (core.clj:184-190)
  • ✅ GHES server support included in API payload (core.clj:192-194)

🔍 Security Analysis

Dockerfile Security:

  • ✅ Uses specific Alpine base image with SHA256 pinning
  • ✅ No privilege escalation or unnecessary permissions
  • ✅ Minimal attack surface with only required dependencies

Code Security:

  • ✅ No hardcoded secrets or credentials
  • ✅ Proper error handling for API timeouts/failures (core.clj:202-211)
  • ✅ Input validation for bump version schemes (core.clj:23-26)
  • ✅ Safe file operations with temporary files and proper cleanup (core.clj:137-138)
  • ✅ No code injection vulnerabilities identified

API Security:

  • ✅ HTTPS-only endpoint usage
  • ✅ Proper JSON body construction without user input injection
  • ✅ Timeout handling prevents hanging processes
  • ✅ Graceful degradation when API is unreachable

📋 Code Quality Observations

Positive Implementation Details:

  • Clean separation of public/private repo logic
  • Comprehensive error handling and user feedback
  • Proper integration with GitHub Actions environment variables
  • Well-structured banner output with visual indicators
  • Maintains backward compatibility while adding new functionality

Changes in This PR:

  1. README.md: Added StepSecurity banner at top of file ✅
  2. core.clj: Completely updated validate-subscription! function with:
    • Public repository detection and exemption logic
    • Enhanced banner output with colored text
    • New API endpoint usage
    • GHES server support
    • Improved error handling

Overall Assessment

✅ APPROVED - This PR successfully implements all required StepSecurity maintained action standards. The subscription check logic correctly exempts public repositories while enforcing subscription requirements for private repositories. The implementation follows security best practices and maintains the action's core functionality.

The changes are well-implemented, secure, and fully compliant with StepSecurity requirements.


@amanstep amanstep merged commit fb95bf8 into main May 4, 2026
6 checks passed
@anurag-stepsecurity anurag-stepsecurity deleted the feat/update-subscription-check branch May 6, 2026 12:34