feat: added banner and update subscription check to make maintained actions free for public repos #160

Open
Raj-StepSecurity wants to merge 1 commit into main from feat/update-subscription-check

Conversation

@Raj-StepSecurity (Contributor)

Summary

  • Added StepSecurity Maintained Action banner to README.md
  • Updated subscription validation: public repositories are now free (no API check)
  • Upgraded Node.js runtime to node24 (if applicable)
  • Updated workflow files with configurable node_version input (if applicable)

Changes by type

  • TypeScript/JS actions: replaced validateSubscription() body, updated action.yml to node24, updated 3 workflow files, rebuilt dist/
  • Docker actions: replaced entrypoint.sh subscription block, ensured jq is installed in Dockerfile
  • Composite actions: added Subscription check step to action.yml

Verification

  • Subscription check skips for public repos
  • Subscription check fires for private repos
  • README banner is present at the top
  • Build passes (TS/JS actions)

Auto-generated by StepSecurity update-propagator. Task ID: 20260409T074908Z

claude bot commented Apr 9, 2026

Claude finished @Raj-StepSecurity's task.

StepSecurity Maintained Action PR Review

✅ Node.js-based Action - Uses node24 runtime with dist/ folder and build scripts

🔍 Compliance Review Results

✅ General Requirements - PASSED

  • License: ✅ MIT license with StepSecurity copyright (LICENSE:4)
  • Security.md: ✅ Present in repository
  • README Banner: ✅ StepSecurity maintained action banner present (README.md:1)
  • Workflows: ✅ Required workflows present:
    • .github/workflows/auto_cherry_pick.yml
    • .github/workflows/actions_release.yml
  • Prohibited Files: ✅ None found (renovate.json, FUNDING.yml, PULL_REQUEST.md, ISSUE_TEMPLATE/, CHANGELOG.md, .vscode/)
  • Usage Examples: ✅ Major version pinning used (@v6) in README examples

✅ Node.js Specific Requirements - PASSED

  • package.json author: ✅ No author field (ignored as specified)
  • Repository field: ✅ Points to step-security org (package.json:14)
  • dist/ folder: ✅ Present with compiled assets
  • Build script: ✅ Present in package.json:10 ("build": "rollup -c")

✅ Subscription Check Implementation - PASSED

  • URL Correct: ✅ Uses required API endpoint (src/index.js:205)
  • Public Repo Logic: ✅ Skips check for public repos (src/index.js:198)
  • Upstream Variable: ✅ Correctly set to "amannn/action-semantic-pull-request" matching auto_cherry_pick.yml:39-40
  • Error Handling: ✅ Proper 403 handling and timeout logic

⚠️ Security Analysis - MINOR CONCERNS

  • Dependencies: ✅ No unused dependencies detected
  • Secrets Handling: ✅ No hardcoded secrets found
  • Input Validation: ⚠️ Minor: No explicit input sanitization, but GitHub Actions context should be safe

📊 Overall Assessment: APPROVED

This PR successfully implements the StepSecurity maintained actions requirements. The subscription check correctly identifies public repositories and skips validation, while private repositories get proper subscription verification.

Key Changes Validated:

  • ✅ Banner added to README
  • ✅ Subscription validation updated for public repos
  • ✅ Node.js runtime upgraded to node24
  • ✅ Proper upstream reference maintained

Recommendation: This PR is ready for merge. All compliance requirements are met.
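The gating behaviour the PR summary describes (public repositories skip the API call, private ones are checked, with 403 handling and a timeout, as the review above also notes) can be sketched in a small piece of action code. The block below is an added example written for this page; it is not the project's `validateSubscription()` nor code from the PR. It assumes a placeholder endpoint URL (the real one is not on the page), a `repository` query parameter, that the event payload has the webhook `repository.private` shape that `github.context.payload` exposes inside an action, and a fail-open policy for inconclusive results (timeouts, network errors, unexpected statuses). The sample payloads are constructed.

```javascript
// Added example, not the project's code. Demonstrates: skip the subscription
// API call for public repositories, call it for private ones, treat HTTP 403
// as a denial, and bound the call with a timeout.

// ASSUMPTION: placeholder for the subscription endpoint; the real URL is not on the page.
const SUBSCRIPTION_API_URL = "https://subscription-api.example.invalid/check";

// Constructed sample event payloads (the shape GitHub writes to GITHUB_EVENT_PATH
// and that @actions/github exposes as github.context.payload).
const PUBLIC_EVENT = { repository: { full_name: "example-org/public-repo", private: false } };
const PRIVATE_EVENT = { repository: { full_name: "example-org/private-repo", private: true } };

// Public repositories are free: the check is skipped unless the payload
// explicitly marks the repository as private.
function isPrivateRepo(eventPayload) {
  const repo = eventPayload && eventPayload.repository;
  return Boolean(repo && repo.private === true);
}

// Map an HTTP status to an outcome. Only an explicit 403 denies; any other
// non-2xx status is inconclusive (assumed policy, not stated on the page).
function classifyStatus(httpStatus) {
  if (httpStatus === 403) return "denied";
  if (httpStatus >= 200 && httpStatus < 300) return "ok";
  return "inconclusive";
}

// Perform the check. fetchImpl is injectable so the logic can be exercised
// offline; timeoutMs bounds how long a private-repo run waits on the API.
async function validateSubscription({ eventPayload, repository, fetchImpl = globalThis.fetch, timeoutMs = 3000 }) {
  if (!isPrivateRepo(eventPayload)) {
    return { outcome: "skipped", reason: "public repository" };
  }
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    // ASSUMPTION: the endpoint takes the repository as a query parameter.
    const url = `${SUBSCRIPTION_API_URL}?repository=${encodeURIComponent(repository)}`;
    const res = await fetchImpl(url, { method: "GET", signal: controller.signal });
    const outcome = classifyStatus(res.status);
    return { outcome, reason: outcome === "ok" ? "active subscription" : `HTTP ${res.status}` };
  } catch (err) {
    const isTimeout = err && err.name === "AbortError";
    return { outcome: "inconclusive", reason: isTimeout ? `timeout after ${timeoutMs} ms` : String(err && err.message) };
  } finally {
    clearTimeout(timer);
  }
}

// Only a definite denial fails the workflow; inconclusive results are logged
// and the run continues (fail-open is an assumption of this example).
function shouldFailWorkflow(result) {
  return result.outcome === "denied";
}

// Offline demo: a public repo never touches the network, a private repo that
// the API rejects with 403 fails the workflow.
async function demo() {
  const neverCalled = () => { throw new Error("fetch must not be called for a public repository"); };
  const denying = async () => ({ status: 403 });
  const pub = await validateSubscription({ eventPayload: PUBLIC_EVENT, repository: "example-org/public-repo", fetchImpl: neverCalled });
  const priv = await validateSubscription({ eventPayload: PRIVATE_EVENT, repository: "example-org/private-repo", fetchImpl: denying });
  return { publicOutcome: pub.outcome, privateOutcome: priv.outcome, privateFails: shouldFailWorkflow(priv) };
}
```

The only input the gate trusts is the event payload, which the runner writes from the triggering webhook; a missing or malformed `repository` object is treated as public, so a practitioner who wants the check to be conservative should invert that default in `isPrivateRepo` rather than rely on the API call.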
