
feat: added banner and update subscription check to make maintained actions free for public repos #72

Merged
Raj-StepSecurity merged 2 commits into main from feat/update-subscription-check on May 6, 2026

Conversation

@anurag-stepsecurity (Contributor)

Summary

  • Added StepSecurity Maintained Action banner to README.md
  • Updated subscription validation: public repositories are now free (no API check)
  • Upgraded Node.js runtime to node24
  • Updated workflow files with configurable node_version input

Changes

  • Replaced validateSubscription() body in src/main.ts
  • Updated action.yml to node24
  • Updated actions_release.yml and audit_package.yml workflows (auto_cherry_pick.yml not present)
  • Rebuilt dist/index.js
  • Updated tsconfig.json target

Verification

  • Subscription check skips for public repos
  • Subscription check fires for private repos
  • README banner is present at the top
  • Build passes

Auto-generated by StepSecurity update-propagator. Task ID: 20260423T092801Z

…ctions free for public repos

Signed-off-by: Anurag Rajawat <anurag@stepsecurity.io>
anurag-stepsecurity added the review-required label (This PR requires review) Apr 23, 2026
claude Bot commented Apr 23, 2026

Claude finished @anurag-stepsecurity's task


Comprehensive PR Review Results

Review Checklist:

  • Determine action type (node/docker/composite)
  • Check license and copyright compliance
  • Verify action.yml structure and author
  • Check for required files (SECURITY.md, workflows)
  • Verify absence of prohibited files
  • Validate README banner and usage examples
  • Review subscription check implementation
  • Check for security vulnerabilities
  • Validate Node.js specific requirements
  • Provide final recommendations

COMPLIANCE SUMMARY

This is a Node.js-based GitHub Action that is mostly compliant with StepSecurity maintained action standards.

🔍 DETAILED FINDINGS

Compliant Items:

  • Action Type: Node.js-based action using node24 runtime ✓
  • License: MIT license with StepSecurity copyright ✓
  • action.yml: Proper author field set to step-security
  • package.json: Author field correctly set to step-security
  • package.json: Repository URL contains step-security
  • SECURITY.md: Present with proper contact ✓
  • README Banner: StepSecurity maintained action banner present ✓
  • README Usage: Uses major version @v1 (not semver) ✓
  • Subscription Check: Correctly implemented in src/main.ts:5-50
  • API Endpoint: Uses correct subscription API URL ✓
  • Public Repo Handling: Free access for public repos implemented ✓
  • Dependencies: All used dependencies are necessary (@actions/core, axios) ✓
  • dist/ folder: Present with built JavaScript ✓
  • Build scripts: npm build script present ✓
  • Node version: Configurable in workflow files ✓

NON-COMPLIANT Items:

  1. CRITICAL: Missing auto_cherry_pick.yml workflow

    • File /home/runner/work/split-strings/split-strings/.github/workflows/auto_cherry_pick.yml not found
    • This is required for upstream tracking and subscription validation
  2. CRITICAL: Invalid upstream value in subscription check

    • Current upstream: 'jungwinter/split' (src/main.ts:14)
    • Issue: Without auto_cherry_pick.yml, cannot verify if this matches the original-owner/repo-name pattern
    • Required: The upstream value must match the format from auto_cherry_pick.yml

SECURITY ANALYSIS:

  • No security vulnerabilities detected
  • Proper input validation for limit parameter
  • Safe use of axios with timeout
  • Proper error handling for API calls
  • No secrets or keys exposed

PROHIBITED FILES CHECK:

  • No FUNDING.yml/funding.yml ✓
  • No renovate.json ✓
  • No PULL_REQUEST.md ✓
  • No ISSUE_TEMPLATE folder ✓
  • No CHANGELOG.md ✓
  • No .vscode folder ✓

🚨 REQUIRED ACTIONS:

  1. Add missing auto_cherry_pick.yml workflow - This is critical for upstream tracking
  2. Verify upstream value - Ensure 'jungwinter/split' matches the original-owner/repo-name from the missing auto_cherry_pick.yml

📊 OVERALL ASSESSMENT:

Status: ❌ NON-COMPLIANT (2 critical issues)
Severity: High - Missing required workflow file
Recommendation: Address the missing auto_cherry_pick.yml before merging

claude Bot commented May 6, 2026

Claude finished @anurag-stepsecurity's task


Comprehensive PR Review Results

Review Checklist:

  • Determine action type (node/docker/composite)
  • Check license and copyright compliance
  • Verify action.yml structure and author
  • Check for required files (SECURITY.md, workflows)
  • Verify absence of prohibited files
  • Validate README banner and usage examples
  • Review subscription check implementation
  • Check for security vulnerabilities
  • Validate Node.js specific requirements
  • Provide final recommendations

COMPLIANCE SUMMARY

This is a Node.js-based GitHub Action that is mostly compliant with StepSecurity maintained action standards.

🔍 DETAILED FINDINGS

Compliant Items:

  • Action Type: Node.js-based action using node24 runtime ✓
  • License: MIT license with StepSecurity copyright ✓
  • action.yml: Proper author field set to step-security
  • package.json: Author field correctly set to step-security
  • package.json: Repository URL contains step-security
  • SECURITY.md: Present with proper contact ✓
  • README Banner: StepSecurity maintained action banner present ✓
  • README Usage: Uses major version @v1 (not semver) ✓
  • Subscription Check: Correctly implemented in src/main.ts:5-50
  • API Endpoint: Uses correct subscription API URL ✓
  • Public Repo Handling: Free access for public repos implemented ✓
  • Dependencies: All used dependencies are necessary (@actions/core, axios) ✓
  • dist/ folder: Present with built JavaScript ✓
  • Build scripts: npm build script present ✓
  • Node version: Configurable in workflow files ✓

NON-COMPLIANT Items:

  1. CRITICAL: Missing auto_cherry_pick.yml workflow

    • File /home/runner/work/split-strings/split-strings/.github/workflows/auto_cherry_pick.yml not found
    • This is required for upstream tracking and subscription validation
  2. CRITICAL: Invalid upstream value in subscription check

    • Current upstream: 'xom9ikk/split' (src/main.ts:14)
    • Issue: Without auto_cherry_pick.yml, cannot verify if this matches the original-owner/repo-name pattern
    • Required: The upstream value must match the format from auto_cherry_pick.yml

SECURITY ANALYSIS:

  • No security vulnerabilities detected
  • Proper input validation for limit parameter
  • Safe use of axios with timeout
  • Proper error handling for API calls
  • No secrets or keys exposed

PROHIBITED FILES CHECK:

  • No FUNDING.yml/funding.yml ✓
  • No renovate.json ✓
  • No PULL_REQUEST.md ✓
  • No ISSUE_TEMPLATE folder ✓
  • No CHANGELOG.md ✓
  • No .vscode folder ✓

🚨 REQUIRED ACTIONS:

  1. Add missing auto_cherry_pick.yml workflow - This is critical for upstream tracking
  2. Verify upstream value - Ensure 'xom9ikk/split' matches the original-owner/repo-name from the missing auto_cherry_pick.yml

📊 OVERALL ASSESSMENT:

Status: ❌ NON-COMPLIANT (2 critical issues)
Severity: High - Missing required workflow file
Recommendation: Address the missing auto_cherry_pick.yml before merging

Raj-StepSecurity merged commit ee8a75d into main May 6, 2026
6 checks passed

Labels

review-required This PR requires review