feat: added banner and update subscription check to make maintained actions free for public repos

[Raj-StepSecurity]

Summary

• Added StepSecurity Maintained Action banner to README.md
• Updated subscription validation: public repositories are now free (no API check)
• Updated Dockerfile to install jq for event payload parsing

Changes by type

• Docker actions: replaced entrypoint.sh subscription block, ensured jq is installed in Dockerfile

Verification

• Subscription check skips for public repos
• Subscription check fires for private repos
• README banner is present at the top

Auto-generated by StepSecurity update-propagator. Task ID: 20260416T083320Z

[claude]

Claude finished @Raj-StepSecurity's task —— View job

---

PR Review Completed ✅

Comprehensive review of PR #72 according to StepSecurity standards:

Todo List:

• Determine action type (node/docker/composite)
• Check general requirements (license, action.yml, security.md, etc.)
• Verify banner implementation in README.md
• Analyze subscription check implementation
• Check Docker-specific requirements
• Review changed files for security vulnerabilities
• Verify upstream variable configuration
• Check for unwanted files/folders

---

✅ OVERALL ASSESSMENT: COMPLIANT

This PR successfully implements StepSecurity standards for a Docker-based action. All critical requirements are met.

📋 Detailed Review

Action Type: Docker-based ✅

• Uses Docker image: ghcr.io/step-security/actions-codespell/stable:v2.1.5
• Published to StepSecurity organization
• Tagged with major version (v2)

General Requirements ✅

• ✅ License: Present with StepSecurity copyright (LICENSE:4)
• ✅ action.yml: Present with author as step-security (action.yml:2)
• ✅ SECURITY.md: Present
• ✅ Required workflows: auto_cherry_pick.yml and actions_release.yml exist
• ✅ Banner: Correctly implemented in README (README.md:1)
• ✅ Version usage: Examples use major version @v2 (not full semver)

Prohibited Files/Folders ✅

• ✅ No FUNDING.yml/funding.yml files
• ✅ No renovate.json
• ✅ No PULL_REQUEST.md
• ✅ No ISSUE_TEMPLATE folder
• ✅ No CHANGELOG.md
• ✅ No .vscode folder

Subscription Check Implementation ✅

• ✅ API URL: Correct (entrypoint.sh:26)
• ✅ Public repo logic: Properly skips check when REPO_PRIVATE=false (entrypoint.sh:17)
• ✅ Private repo validation: Makes API call for private repos
• ✅ Error handling: Proper timeout and 403 response handling
• ✅ Event parsing: Uses jq to parse repository privacy (entrypoint.sh:3)

Upstream Variable Configuration ✅

• ✅ Upstream value: codespell-project/actions-codespell (entrypoint.sh:4)
• ✅ Matches auto_cherry_pick.yml: original-owner: codespell-project + repo-name: actions-codespell

Docker-specific Requirements ✅

• ✅ Published image: Uses ghcr.io/step-security/actions-codespell/stable:v2.1.5
• ✅ StepSecurity org: Published to step-security organization
• ✅ Major version tag: Tagged with v2
• ✅ Dependencies: Dockerfile installs jq for event parsing (Dockerfile:3)

Security Analysis ✅

• ✅ No secrets/keys: No sensitive information exposed
• ✅ Secure practices: Uses timeout for API calls
• ✅ Input validation: Proper handling of environment variables
• ✅ Banner display: Provides clear indication of StepSecurity maintenance

Test Updates ✅

• ✅ Test compatibility: Tests properly mock public repository event (test.bats:38-42)
• ✅ Banner testing: Tests account for new banner output

🔍 Key Changes Verified

1. Banner addition: Correctly placed at top of README with proper formatting
2. Subscription logic: Public repositories now bypass API check entirely
3. Docker updates: Added jq dependency for JSON parsing
4. Test updates: Mocked repository events to maintain test determinism

✅ Recommendation: APPROVE

This PR meets all StepSecurity requirements for maintained actions. The implementation correctly:

• Provides free usage for public repositories
• Maintains subscription validation for private repositories
• Displays appropriate StepSecurity branding
• Follows Docker action best practices