
feat: added banner and update subscription check to make maintained actions free for public repos #48

Open
anurag-stepsecurity wants to merge 1 commit into main from feat/update-subscription-check

Conversation

@anurag-stepsecurity
Contributor

Summary

  • Added StepSecurity Maintained Action banner to README.md
  • Updated subscription validation: public repositories are now free (no API check)
  • Upgraded Node.js runtime to node24 (if applicable)
  • Updated workflow files with configurable node_version input (if applicable)

Changes by type

  • TypeScript/JS actions: replaced validateSubscription() body, updated action.yml to node24, updated 3 workflow files, rebuilt dist/
  • Docker actions: replaced entrypoint.sh subscription block, ensured jq is installed in Dockerfile
  • Composite actions: added Subscription check step to action.yml

Verification

  • Subscription check skips for public repos
  • Subscription check fires for private repos
  • README banner is present at the top
  • Build passes (TS/JS actions)

Auto-generated by StepSecurity update-propagator. Task ID: 20260423T092801Z

…ctions free for public repos

Signed-off-by: Anurag Rajawat <[email protected]>
anurag-stepsecurity added the review-required label Apr 23, 2026
@claude

claude Bot commented Apr 23, 2026

Claude finished @anurag-stepsecurity's task


Pull Request Review ✅

I've completed a comprehensive review of this PR according to your requirements. Here are my findings:

Review Summary

  • Determine action type (node-based, docker-based, composite, or mixed)
  • Check general requirements for all actions
  • Check specific requirements based on action type
  • Analyze subscription check implementation
  • Review security aspects
  • Provide comprehensive feedback

Action Type Identified

This is a Node-based TypeScript/JavaScript action using Node 24 runtime.


📋 General Requirements Review

PASSED:

  • License: Present with both StepSecurity and original author (Jean-Francis Bastien) copyright
  • action.yml: Present with author: "step-security"
  • SECURITY.md: Present and properly configured
  • Required workflows: Both auto_cherry_pick.yml and actions_release.yml are present
  • README banner: StepSecurity Maintained Action banner is correctly placed at top
  • Subscription check: Properly implemented with correct API endpoint
  • Versioning in README: Uses major version only (@v3) ✅

CONFIRMED ABSENT (As Required):

  • No FUNDING.yml or funding.yml files
  • No renovate.json file
  • No PULL_REQUEST.md file
  • No ISSUE_TEMPLATE folder
  • No CHANGELOG.md file
  • No .vscode folder

🔧 Node-based Action Requirements

PASSED:

  • package.json author: Set to "step-security"
  • Repository field: Not present (acceptable)
  • dist folder: Present and included in PR
  • Build script: Present in package.json ("build": "ncc build index.js --license licenses.txt")

⚠️ DEPENDENCIES ANALYSIS:

All dependencies appear to be used:

  • @actions/core: Used for GitHub Actions inputs/outputs
  • confluence-api: Used for Confluence API integration
  • marked: Used for markdown parsing (in markdownToHtml.js)
  • node-html-parser: Used for HTML manipulation
  • axios: Used in subscription validation

🔒 Subscription Check Implementation

CORRECTLY IMPLEMENTED:

  • API Endpoint: Uses correct URL: https://agent.api.stepsecurity.io/v1/github/${process.env.GITHUB_REPOSITORY}/actions/maintained-actions-subscription
  • Upstream Variable: Set to "Bhacaz/docs-as-code-confluence" which matches original-owner/repo-name from auto_cherry_pick.yml (Bhacaz/docs-as-code-confluence)
  • Public Repo Logic: Correctly skips API call for public repositories (if (repoPrivate === false) return;)
  • Private Repo Logic: Makes subscription check for private repositories
  • Error Handling: Proper 403 error handling with clear messaging

Code location: index.js:75-119 and mirrored in dist/index.js


🔍 Security Analysis

NO SECURITY VULNERABILITIES FOUND:

  1. Input Validation: All required inputs are properly validated using @actions/core
  2. Secret Handling: Passwords/tokens are handled securely through GitHub Actions inputs
  3. External API Calls:
    • Subscription API call has proper timeout (3000ms) and error handling
    • Confluence API uses official confluence-api library
  4. File Operations: File operations are scoped to the specified folder input
  5. Dependencies: All dependencies are legitimate and commonly used in GitHub Actions

🔒 SECURITY BEST PRACTICES FOLLOWED:

  • No hardcoded secrets or credentials
  • Proper error handling prevents information leakage
  • Timeout on external API calls prevents hanging
  • Input validation on all required parameters

🚀 Runtime Upgrade

Node.js Runtime: Successfully upgraded to node24 in action.yml and workflow files


📊 Overall Assessment

🟢 EXCELLENT IMPLEMENTATION - This PR successfully implements all required changes and follows StepSecurity maintained action standards perfectly.

Key Achievements:

  1. ✅ Proper subscription validation with public repo exemption
  2. ✅ All required files and workflows present
  3. ✅ Security best practices followed
  4. ✅ Node 24 runtime upgrade completed
  5. ✅ StepSecurity branding and banner added
  6. ✅ No security vulnerabilities identified

Recommendations:

  • APPROVE - This PR is ready for merge
  • All requirements have been met comprehensively
  • Implementation follows security and quality standards
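A reconstruction of the subscription-check flow the review describes (public repository skipped without an API call, private repository queried at the maintained-actions-subscription endpoint with a 3000 ms timeout, 403 meaning no subscription). This is an added example, not the project's own validateSubscription(); the function names, the injected axios-like `client`, and the fail-open handling of non-403 outcomes are assumptions.

```javascript
// Added example (not the project's code): the subscription-check flow described in the review.
// Names, the injected `client` (axios-like: rejects on non-2xx with err.response.status)
// and the fail-open handling of non-403 outcomes are assumptions.
const SUBSCRIPTION_API = 'https://agent.api.stepsecurity.io/v1/github';
const CHECK_TIMEOUT_MS = 3000;

// Step 1: decide whether a network call is needed. Public repos are free, so the
// check returns early without touching the API; an unparsable repository slug is an error.
function subscriptionPlan(repository, repoPrivate) {
  if (repoPrivate === false) {
    return { skip: true, reason: 'public repository: maintained actions are free' };
  }
  if (typeof repository !== 'string' || !/^[\w.-]+\/[\w.-]+$/.test(repository)) {
    throw new Error(`invalid GITHUB_REPOSITORY value: ${repository}`);
  }
  return {
    skip: false,
    url: `${SUBSCRIPTION_API}/${repository}/actions/maintained-actions-subscription`,
    timeout: CHECK_TIMEOUT_MS,
  };
}

// Step 2: turn the HTTP outcome into a verdict. 403 is the only "no subscription" signal;
// a timeout or other failure is surfaced but does not block the job (assumption).
function interpretSubscriptionResponse(outcome) {
  if (outcome.status === 403) {
    return { ok: false, message: 'Subscription check failed (403): no active maintained-actions subscription for this repository' };
  }
  if (outcome.status === 200) {
    return { ok: true, message: 'subscription valid' };
  }
  return { ok: true, message: `subscription check inconclusive (${outcome.error ?? outcome.status})` };
}

// Glue: what a validateSubscription() would do, with the HTTP client injected
// so the flow can be exercised offline against a fake client.
async function validateSubscription(client, env, repoPrivate) {
  const plan = subscriptionPlan(env.GITHUB_REPOSITORY, repoPrivate);
  if (plan.skip) return { ok: true, message: plan.reason };
  let outcome;
  try {
    const res = await client.get(plan.url, { timeout: plan.timeout });
    outcome = { status: res.status };
  } catch (err) {
    outcome = { status: err.response?.status, error: err.code ?? err.message };
  }
  return interpretSubscriptionResponse(outcome);
}
```

In the real action `repoPrivate` would come from the workflow event payload and `client` would be axios; here both are parameters so the decision logic can be tested without network access.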
