
chore: Cherry-picked changes from upstream v1.5.47 #233

Open

anurag-stepsecurity wants to merge 3 commits into main from auto-cherry-pick

Conversation

@anurag-stepsecurity
Contributor

No description provided.

Signed-off-by: Anurag Rajawat <anurag@stepsecurity.io>
Signed-off-by: Anurag Rajawat <anurag@stepsecurity.io>
@anurag-stepsecurity
Contributor Author

📦 Target Release Version:v1.5.47
📋 Previous Release Version:v1.5.38

@claude

claude Bot commented Apr 28, 2026

Claude finished @anurag-stepsecurity's task


PR Review: Cherry-picked changes from upstream v1.5.47

I've completed a comprehensive review of this cherry-pick PR based on Step Security's action compliance requirements.

✅ Compliance Summary

Requirements Met (17/20):

  • ✅ License has both Step Security and original author copyright
  • ✅ Security.md file exists and correctly configured
  • ✅ No prohibited files (FUNDING.yml, renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE, CHANGELOG.md, .vscode)
  • ✅ Required .github workflows present (auto_cherry_pick.yml, actions_release.yml)
  • ✅ package.json author field correctly set to "step-security"
  • ✅ dist folder present with bundled code
  • ✅ Build scripts properly configured
  • ✅ Upstream variable construction matches auto_cherry_pick.yml pattern (jkroepke/setup-vals)
  • ✅ Usage example uses major version (@v1) instead of full semver
  • ✅ This is a Node.js based action (confirmed)
  • ✅ Dependencies appear reasonable for the functionality
  • ✅ OSV scanner configuration added for security
  • ✅ Subscription check is implemented
  • ✅ Code follows TypeScript/Node.js best practices
  • ✅ Error handling is appropriate
  • ✅ No obvious security vulnerabilities in source code
  • ✅ Binary downloading and caching logic is secure

❌ Critical Issues Found (3)

  1. 🚨 Incorrect Subscription Check URL

    • Current: https://agent.api.stepsecurity.io/v1/github/${process.env.GITHUB_REPOSITORY}/actions/subscription
    • Required: https://agent.api.stepsecurity.io/v1/github/${process.env.GITHUB_REPOSITORY}/actions/maintained-actions-subscription
    • Location: src/main.ts:19
    • Impact: Subscription validation will fail
  2. 🚨 Missing Step Security Banner in README.md

    • Required: [![](https://raw.githubusercontent.com/step-security/maintained-actions-assets/main/assets/maintained-action-banner.png)](https://docs.stepsecurity.io/actions/stepsecurity-maintained-actions)
    • Current: README.md lacks the mandatory Step Security banner
    • Impact: Branding compliance violation
  3. ⚠️ Missing Repository Field in package.json

    • Issue: package.json lacks repository field pointing to step-security organization
    • Recommended: Add repository field pointing to step-security/setup-vals
    • Impact: Metadata inconsistency

⚠️ Minor Issues

  • action.yml: Missing author field (acceptable if not originally present)
  • README.md: Contains references to original jkroepke repository in badges (should reference step-security)

🔒 Security Assessment

  • ✅ No malicious code detected
  • ✅ Proper input validation and error handling
  • ✅ Secure file permissions (0o777) for executables
  • ✅ Timeout configured for HTTP requests (3000ms)
  • ✅ Axios error handling prevents information leakage
  • ✅ Binary integrity via GitHub releases
  • ✅ Tool caching implemented securely
  • ✅ OSV scanner configuration added for vulnerability tracking

📋 Recommendation

❌ DO NOT MERGE until the critical subscription check URL is fixed. The current implementation will cause runtime failures for all users.

Required Fix: Update src/main.ts:19 to use the correct endpoint /maintained-actions-subscription

Optional Improvements: Add Step Security banner to README.md and update repository metadata.


@github-actions
Contributor

🔍 Cherry-Pick Verification Report

📦 Upstream Changes: v1.5.38...v1.5.47

📋 File-by-File Analysis:

.github/workflows/ci.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ❌ No
  • Status: 🔴 Missing - ❌ No PR patch available (+3 -3)

.github/workflows/pr.yaml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ❌ No
  • Status: 🔴 Missing - File missing in PR (upstream has 1 addition, 1 deletion)

.github/workflows/renovate-custom-hooks.yaml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ❌ No
  • Status: 🔴 Missing - File missing in PR (upstream has 2 additions, 2 deletions)

.node-version

  • Upstream has changes: ✅ Yes
  • File exists in PR: ❌ No
  • Status: 🔴 Missing - ❌ No PR patch available (+1 -1)

📊 Summary:

  • Total files changed upstream: 4
  • Files present in PR: 0/4
  • Files with matching changes: 0/4

Overall Status: 🔴 INCOMPLETE - Missing files or changes

Signed-off-by: Anurag Rajawat <anurag@stepsecurity.io>
@claude

claude Bot commented Apr 28, 2026

Claude finished @anurag-stepsecurity's task


PR Review: Cherry-picked changes from upstream v1.5.47

Conducted comprehensive review based on Step Security compliance requirements.

Review Checklist:

  • Read all changed files (.node-version, dist files, osv-scanner.toml, package files)
  • Check action type (Node.js/Docker/Composite)
  • Verify license compliance (Step Security + original author copyright)
  • Check action.yml author field
  • Verify Security.md file presence
  • Check prohibited files (FUNDING.yml, renovate.json, etc.)
  • Verify required .github workflows (auto_cherry_pick.yml, actions_release.yml)
  • Check package.json author field
  • Verify subscription check implementation and URL
  • Check upstream variable construction
  • Verify README.md Step Security banner
  • Check usage examples use major version only
  • Security vulnerability assessment
  • Assess cherry-pick completeness vs upstream changes
  • Final recommendation

✅ Compliance Summary

Action Type: Node.js based action (confirmed - uses node24 runtime)

Requirements Met (16/20):

  • License: Correctly includes both Step Security and original author (Jan-Otto Kröpke) copyright
  • Security.md: Present and properly configured
  • Prohibited files: No FUNDING.yml, renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE, CHANGELOG.md, or .vscode found
  • Required workflows: .github/workflows/auto_cherry_pick.yml and actions_release.yml both present
  • package.json author: Correctly set to "step-security"
  • dist folder: Present with bundled code (index.js, index.js.map)
  • Build scripts: Properly configured in package.json
  • Upstream variable: Correctly constructed as "jkroepke/setup-vals" matching auto_cherry_pick.yml pattern
  • Usage example: Uses major version (@v1) in README.md:20
  • Dependencies: All appear necessary and reasonable
  • OSV scanner: Configuration added for security scanning
  • Node.js runtime: Updated to node24 in action.yml:17
  • Node version: Updated to 24.15.0 in .node-version
  • Package versions: Dependencies updated appropriately
  • Code quality: Follows TypeScript/Node.js best practices
  • Error handling: Appropriate throughout the codebase

❌ Critical Issues Found (4)

🚨 1. Incorrect Subscription Check URL

  • Current: https://agent.api.stepsecurity.io/v1/github/${process.env.GITHUB_REPOSITORY}/actions/subscription
  • Required: https://agent.api.stepsecurity.io/v1/github/${process.env.GITHUB_REPOSITORY}/actions/maintained-actions-subscription
  • Location: src/main.ts:19
  • Impact: Subscription validation will fail for all users

🚨 2. Missing Step Security Banner in README.md

  • Required: [![](https://raw.githubusercontent.com/step-security/maintained-actions-assets/main/assets/maintained-action-banner.png)](https://docs.stepsecurity.io/actions/stepsecurity-maintained-actions)
  • Current: README.md completely lacks the mandatory Step Security banner
  • Impact: Critical branding compliance violation

🚨 3. Missing Author Field in action.yml

  • Current: No author field present in action.yml
  • Required: Should include author: 'step-security'
  • Impact: Metadata inconsistency with Step Security standards

❌ 4. Incomplete Cherry-Pick

Based on the GitHub Actions bot report, 4 upstream files were completely missed:

  • .github/workflows/ci.yml (3 additions, 3 deletions)
  • .github/workflows/pr.yaml (1 addition, 1 deletion)
  • .github/workflows/renovate-custom-hooks.yaml (2 additions, 2 deletions)
  • Additional .node-version changes (beyond what's in PR)

Status: 🔴 INCOMPLETE - Missing files and changes from upstream v1.5.38→v1.5.47

⚠️ Minor Issues

  • README.md badges: Still reference original jkroepke repository instead of step-security
  • package.json: Missing repository field pointing to step-security organization

🔒 Security Assessment

  • No malicious code detected
  • Input validation: Proper validation and sanitization
  • HTTP client: Secure axios configuration with 3000ms timeout
  • File permissions: Secure 0o777 for executables only
  • Binary integrity: Downloads from trusted GitHub releases
  • Tool caching: Implemented securely via @actions/tool-cache
  • Error handling: Prevents information leakage
  • Environment variables: Properly validated

📋 Final Recommendation

❌ DO NOT MERGE - Multiple critical issues require resolution:

  1. Critical Priority: Fix subscription check URL endpoint (will cause runtime failures)
  2. High Priority: Add required Step Security banner to README.md
  3. Medium Priority: Add author field to action.yml
  4. Cherry-pick incomplete: Missing 4 upstream files/changes

Required Actions:

  1. Update src/main.ts:19 to use /maintained-actions-subscription endpoint
  2. Add Step Security banner to top of README.md
  3. Add author: 'step-security' to action.yml
  4. Complete cherry-pick by including all missing upstream changes

Optional Improvements:

  • Update README.md badges to reference step-security organization
  • Add repository field to package.json

@github-actions
Contributor

🔍 Cherry-Pick Verification Report

📦 Upstream Changes: v1.5.38...v1.5.47

📋 File-by-File Analysis:

.github/workflows/ci.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ❌ No
  • Status: 🔴 Missing - ❌ No PR patch available (+3 -3)

.github/workflows/pr.yaml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ❌ No
  • Status: 🔴 Missing - File missing in PR (upstream has 1 addition, 1 deletion)

.github/workflows/renovate-custom-hooks.yaml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ❌ No
  • Status: 🔴 Missing - File missing in PR (upstream has 2 additions, 2 deletions)

.node-version

  • Upstream has changes: ✅ Yes
  • File exists in PR: ✅ Yes
  • Changes match: ✅ Yes
  • Status: 🟢 Perfect - ✅ All changes applied correctly (+1 -1)

📊 Summary:

  • Total files changed upstream: 4
  • Files present in PR: 1/4
  • Files with matching changes: 1/4

Overall Status: 🔴 INCOMPLETE - Missing files or changes
