
feat: added banner and update subscription check to make maintained actions free for public repos #242

Open

Raj-StepSecurity wants to merge 1 commit into main from feat/update-subscription-check

Conversation

@Raj-StepSecurity (Contributor)

Summary

  • Added StepSecurity Maintained Action banner to README.md
  • Updated subscription validation: public repositories are now free (no API check)
  • Upgraded Node.js runtime to node24 (if applicable)
  • Updated workflow files with configurable node_version input (if applicable)

Changes by type

  • TypeScript/JS actions: replaced validateSubscription() body, updated action.yml to node24, updated 3 workflow files, rebuilt dist/
  • Docker actions: replaced entrypoint.sh subscription block, ensured jq is installed in Dockerfile
  • Composite actions: added Subscription check step to action.yml

Verification

  • Subscription check skips for public repos
  • Subscription check fires for private repos
  • README banner is present at the top
  • Build passes (TS/JS actions)

Auto-generated by StepSecurity update-propagator. Task ID: 20260410T064439Z

@claude (bot) commented Apr 10, 2026

Claude finished @Raj-StepSecurity's task


PR Review Completed

I've completed a comprehensive review of this PR based on StepSecurity's maintained action standards.

Todo List:

  • Determine action type and repository structure
  • Check general requirements (license, security.md, workflows, etc.)
  • Verify node-based action specific requirements
  • Review subscription check implementation
  • Check for security vulnerabilities
  • Verify README banner and usage examples
  • Provide final review feedback

Review Summary

This PR successfully implements the StepSecurity maintained action features for the paths-filter action. The implementation follows most of the required standards with only minor issues found.

Passing Requirements

General Requirements

  • License: ✅ Properly includes both StepSecurity and original author (Michal Dorner) copyright
  • SECURITY.md: ✅ Present with correct contact email
  • Required workflows: ✅ Both auto_cherry_pick.yml and actions_release.yaml exist with proper configuration
  • Prohibited files: ✅ No FUNDING.yml, renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE, CHANGELOG.md, or .vscode folders found
  • README banner: ✅ StepSecurity banner correctly added at the top of README.md
  • Usage examples: ✅ All examples use step-security/paths-filter@v3 (major version only)

Node-Specific Requirements

  • package.json author: ✅ Set to "step-security"
  • dist folder: ✅ Present and updated
  • Build script: ✅ npm run all script exists and is configured in workflows

Subscription Implementation

  • API URL: ✅ Correctly calls https://agent.api.stepsecurity.io/v1/github/${GITHUB_REPOSITORY}/actions/maintained-actions-subscription
  • Public repo exemption: ✅ Properly skips subscription check for public repositories (repoPrivate === false)
  • Error handling: ✅ Gracefully handles API timeouts and shows appropriate error messages for subscription failures
  • Upstream variable: ✅ Correctly set to 'dorny/paths-filter' matching the auto_cherry_pick.yml configuration

⚠️ Issues Found

Minor Issues

  1. Repository URL in package.json: The repository.url field points to "git+https://github.com/actions/typescript-action.git" instead of the StepSecurity repository. While this field is not required to be updated according to the guidelines, it would be more consistent to point to the StepSecurity fork.

🔒 Security Analysis

  • No security vulnerabilities detected: The subscription validation code is secure
  • No hardcoded secrets: All sensitive data is properly sourced from environment variables
  • Proper error handling: No information leakage in error messages
  • Input validation: Proper validation for all user inputs

📝 Code Quality

  • TypeScript compliance: Code follows proper TypeScript patterns
  • Dependencies: All dependencies appear to be used and necessary
  • Node.js runtime: Correctly updated to Node 24

🎯 Overall Assessment

APPROVED ✅ - This PR successfully implements all required StepSecurity maintained action features. The implementation is secure, follows the established patterns, and correctly handles the subscription validation for public vs private repositories. The minor issue with the package.json repository URL is cosmetic and doesn't affect functionality.

The action will work correctly for both public repositories (free access) and private repositories (subscription required), with proper error messaging and graceful fallbacks.
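The check that the PR description and the review above describe, as an added TypeScript example (it is not the project's validateSubscription() and not StepSecurity code): public repositories are exempt and make no API call, private ones are validated against the maintained-actions-subscription endpoint with a timeout, and every outcome is reported as a status plus a message rather than a thrown error. The repoPrivate input, the 3000 ms default, the status-code mapping (200 subscribed, 403 not subscribed), the fake fetch functions and the sample inputs are assumptions made for this example. One thing worth checking that the page does not spell out: GITHUB_REPOSITORY is interpolated into the URL path, so the example rejects anything that is not a plain owner/repo slug before it builds the request.

```typescript
// Added example, not the project's code. Shape of a maintained-action subscription check:
// public repos skip the network call, private repos are checked with a timeout.
// Names, the repoPrivate input and the HTTP status mapping are assumptions for this example.

type SubscriptionStatus = 'public-repo-exempt' | 'subscribed' | 'not-subscribed' | 'check-failed';

interface SubscriptionResult {
  status: SubscriptionStatus;
  message: string;
}

interface SubscriptionEnv {
  /** GITHUB_REPOSITORY as the runner sets it, e.g. "owner/repo". */
  GITHUB_REPOSITORY?: string;
  /** true for private repos; assumed here to be read from the event payload by the caller. */
  repoPrivate?: boolean;
}

/** Minimal fetch-like signature so the check can be exercised offline with a fake. */
type FetchLike = (url: string, init: { signal: AbortSignal }) => Promise<{ status: number }>;

const API_BASE = 'https://agent.api.stepsecurity.io/v1/github';

// The slug goes into the URL path: allow one "owner/repo" of safe characters only,
// so a malformed value cannot add path segments or a query string.
const REPO_SLUG = /^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+$/;

function isValidRepoSlug(repo: string | undefined): repo is string {
  if (typeof repo !== 'string' || !REPO_SLUG.test(repo)) return false;
  return repo.split('/').every((seg) => seg !== '.' && seg !== '..');
}

function subscriptionUrl(repo: string): string {
  return `${API_BASE}/${repo}/actions/maintained-actions-subscription`;
}

// Assumed mapping for this example; the endpoint's real contract is not on the page.
function classifyResponse(httpStatus: number): SubscriptionResult {
  if (httpStatus === 200) return { status: 'subscribed', message: 'Subscription active' };
  if (httpStatus === 403) {
    return { status: 'not-subscribed', message: 'No maintained-actions subscription for this repository' };
  }
  return { status: 'check-failed', message: `Unexpected response ${httpStatus} from subscription API` };
}

async function validateSubscription(
  env: SubscriptionEnv,
  fetchFn: FetchLike,
  timeoutMs = 3000,
): Promise<SubscriptionResult> {
  // Public repositories are free: decide before any network call is made.
  if (env.repoPrivate === false) {
    return { status: 'public-repo-exempt', message: 'Public repository: subscription check skipped' };
  }
  const repo = env.GITHUB_REPOSITORY;
  if (!isValidRepoSlug(repo)) {
    return { status: 'check-failed', message: 'GITHUB_REPOSITORY is missing or not an owner/repo slug' };
  }
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const res = await fetchFn(subscriptionUrl(repo), { signal: controller.signal });
    return classifyResponse(res.status);
  } catch (err) {
    // Report the failure class only; no error internals are echoed into the job log.
    const aborted = err instanceof Error && err.name === 'AbortError';
    return {
      status: 'check-failed',
      message: aborted
        ? `Subscription API did not answer within ${timeoutMs} ms`
        : 'Subscription API request failed',
    };
  } finally {
    clearTimeout(timer);
  }
}

// Constructed fakes so the check runs offline: one answers immediately with a fixed
// status, one never answers but honours the abort signal, as a real fetch does on timeout.
function fakeFetch(httpStatus: number): FetchLike {
  return async () => ({ status: httpStatus });
}

const hangingFetch: FetchLike = (_url, init) =>
  new Promise<{ status: number }>((_resolve, reject) => {
    init.signal.addEventListener('abort', () => {
      const e = new Error('The operation was aborted');
      e.name = 'AbortError';
      reject(e);
    });
  });

async function demo(): Promise<void> {
  const publicRepo: SubscriptionEnv = { GITHUB_REPOSITORY: 'step-security/paths-filter', repoPrivate: false };
  const privateRepo: SubscriptionEnv = { GITHUB_REPOSITORY: 'example-org/private-repo', repoPrivate: true };
  console.log(await validateSubscription(publicRepo, hangingFetch, 10)); // exempt, fetch never called
  console.log(await validateSubscription(privateRepo, fakeFetch(200)));  // subscribed
  console.log(await validateSubscription(privateRepo, hangingFetch, 10)); // check-failed (timeout)
}

void demo();
```

The caller decides what to do with a check-failed result (fail open or fail closed); the example deliberately returns the status instead of throwing, so that choice is made in one place and a slow API cannot turn into an unhandled rejection in the action. Passing the fetch function in is what lets the timeout path be tested without the network.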
