feat: added banner and update subscription check to make maintained actions free for public repos #56

Merged
Raj-StepSecurity merged 2 commits into main from feat/update-subscription-check
Apr 21, 2026

@Raj-StepSecurity
Contributor

Summary

  • Added StepSecurity Maintained Action banner to README.md
  • Updated subscription validation: public repositories are now free (no API check)
  • Upgraded Node.js runtime to node24 (if applicable)
  • Updated workflow files with configurable node_version input (if applicable)

Changes by type

  • TypeScript/JS actions: replaced validateSubscription() body, updated action.yml to node24, updated 3 workflow files, rebuilt dist/
  • Docker actions: replaced entrypoint.sh subscription block, ensured jq is installed in Dockerfile
  • Composite actions: added Subscription check step to action.yml

Verification

  • Subscription check skips for public repos
  • Subscription check fires for private repos
  • README banner is present at the top
  • Build passes (TS/JS actions)

Auto-generated by StepSecurity update-propagator. Task ID: 20260420T164334Z

@claude

claude Bot commented Apr 20, 2026

Claude finished @Raj-StepSecurity's task


Comprehensive PR Review for StepSecurity Maintained Action

Todo List:

  • Analyze action type and structure
  • Check general compliance requirements (license, security.md, funding, etc.)
  • Verify README banner implementation
  • Review subscription check implementation
  • Check Node.js specific requirements
  • Security vulnerability scan
  • Provide comprehensive feedback summary

COMPLIANCE SUMMARY - PASSES ALL REQUIREMENTS

This PR successfully implements all required StepSecurity maintained action standards:

✅ General Requirements (All Met)

  • License: ✅ MIT license with both webfactory and StepSecurity copyright
  • SECURITY.md: ✅ Present with StepSecurity contact
  • Author: ✅ action.yml has step-security as name field
  • FUNDING files: ✅ None present (requirement met)
  • Required workflows: ✅ Both auto_cherry_pick.yml and actions_release.yml present
  • Unwanted files: ✅ None found (renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE, CHANGELOG.md, .vscode)

✅ README Requirements (All Met)

  • Banner: ✅ StepSecurity banner correctly placed at top
  • Version usage: ✅ Examples use @v0 (major version only, not full semver)

✅ Subscription Check Implementation (Correct)

  • API endpoint: ✅ Calls correct URL: https://agent.api.stepsecurity.io/v1/github/.../maintained-actions-subscription
  • Upstream value: ✅ Set to "webfactory/ssh-agent" matching original-owner/repo-name from workflows
  • Public repo logic: ✅ KEY IMPROVEMENT - Now skips API call for public repos (line 29: if (repoPrivate === false) return;)

✅ Node.js Specific Requirements (All Met)

  • Package.json author: ✅ Set to "step-security"
  • Repository field: ✅ Points to step-security/ssh-agent
  • Dependencies: ✅ All used - @actions/core, @vercel/ncc, axios
  • Dist folder: ✅ Present with compiled files
  • Build script: ✅ Present in package.json, workflow has configurable script input

✅ Security Analysis (No Issues Found)

  • Code follows secure practices
  • No hardcoded secrets or credentials
  • Proper input validation
  • Safe file operations with appropriate permissions
  • Dependencies are legitimate and actively maintained

🎯 Key Improvements in This PR

  1. Public Repository Optimization: Subscription check now bypasses API call for public repos, making them truly free
  2. Node.js 24 Upgrade: Updated runtime to latest stable version
  3. Enhanced User Experience: Clear messaging about free public repo usage
  4. Proper Banner Integration: StepSecurity branding correctly implemented

✅ Final Verdict: APPROVED

This PR fully complies with all StepSecurity maintained action requirements and successfully implements the intended improvements for public repository support.


@Raj-StepSecurity Raj-StepSecurity merged commit 0400492 into main Apr 21, 2026
6 checks passed
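
The guard cited in the review (`if (repoPrivate === false) return;`) skips the check only on an explicit boolean `false`, so a missing or malformed visibility flag still goes through the subscription check. The following is an added example, not code from this repository; it assumes the flag is read from `repository.private` in the workflow event payload, and the function names and sample payloads are constructed for illustration.

```javascript
// Added example; not code from the repository under review.
// Assumption: the visibility flag comes from `repository.private` in the
// workflow event payload (the JSON file named by GITHUB_EVENT_PATH).

// Returns true/false only when the payload carries a real boolean;
// anything else (bad JSON, missing field, wrong type) becomes undefined.
function readRepoPrivate(eventJson) {
  let payload;
  try {
    payload = JSON.parse(eventJson);
  } catch {
    return undefined;
  }
  const flag = payload && payload.repository ? payload.repository.private : undefined;
  return typeof flag === "boolean" ? flag : undefined;
}

// Same shape as the reviewed guard: skip only on an explicit `false`.
function needsSubscriptionCheck(eventJson) {
  const repoPrivate = readRepoPrivate(eventJson);
  if (repoPrivate === false) return false; // public repo: no API call
  return true; // private or unknown: run the check
}

// Contrast (hypothetical): a truthiness test treats "unknown" as public.
function needsSubscriptionCheckLoose(eventJson) {
  let payload = null;
  try { payload = JSON.parse(eventJson); } catch { /* unreadable payload */ }
  return Boolean(payload && payload.repository && payload.repository.private);
}

// Constructed sample payloads, not captured from a real run.
const SAMPLES = {
  public: '{"repository":{"private":false}}',
  private: '{"repository":{"private":true}}',
  noRepository: '{"action":"opened"}',
  stringFlag: '{"repository":{"private":"false"}}',
  truncated: '{"repository":',
};

function compareGuards() {
  return Object.entries(SAMPLES).map(([name, json]) => ({
    name,
    strict: needsSubscriptionCheck(json),
    loose: needsSubscriptionCheckLoose(json),
  }));
}

console.table(compareGuards());
```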