From 96cce8b5a2e03223b10a340320b91916fda1b798 Mon Sep 17 00:00:00 2001
From: Raj-StepSecurity
Date: Thu, 16 Apr 2026 14:13:56 +0530
Subject: [PATCH 1/5] feat: added banner and update subscription check to make maintained actions free for public repos
---
 Dockerfile | 2 +-
 README.md | 2 ++
 entrypoint.sh | 51 ++++++++++++++++++++++++++++++++++++---------------
 3 files changed, 39 insertions(+), 16 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index baaa0bc..de2057c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 FROM python:3.14-alpine3.23@sha256:faee120f7885a06fcc9677922331391fa690d911c020abb9e8025ff3d908e510
 
-RUN apk add --no-cache curl && apk upgrade --no-cache zlib
+RUN apk add --no-cache curl jq && apk upgrade --no-cache zlib
 
 COPY LICENSE \
 README.md \
diff --git a/README.md b/README.md
index eabcdc3..f72b4ff 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,5 @@
+[![StepSecurity Maintained Action](https://raw.githubusercontent.com/step-security/maintained-actions-assets/main/assets/maintained-action-banner.png)](https://docs.stepsecurity.io/actions/stepsecurity-maintained-actions)
+
 # Codespell with GitHub Actions -- including annotations for Pull Requests
 
 This GitHub Actions runs codespell over your code.
diff --git a/entrypoint.sh b/entrypoint.sh
index 71bfd43..939c656 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
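Review bot: `jq` is appended to the `apk add --no-cache curl jq` line without a version while the base image is pinned by digest, so the package set of the image now varies with whatever the Alpine 3.23 repository serves at build time. If reproducible builds matter for this action, pin it as `apk add --no-cache curl jq=<alpine-3.23-jq-version>` (constructed placeholder), or keep the unpinned form with a comment stating that package drift is accepted. The same remark applies to the pre-existing unpinned `curl`.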
@@ -1,22 +1,43 @@
 #!/bin/sh
 
-# Validate subscription status
-API_URL="https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/subscription"
+REPO_PRIVATE=$(jq -r '.repository.private | tostring' "$GITHUB_EVENT_PATH" 2>/dev/null || echo "")
+UPSTREAM="codespell-project/actions-codespell"
+ACTION_REPO="${GITHUB_ACTION_REPOSITORY:-}"
+DOCS_URL="https://docs.stepsecurity.io/actions/stepsecurity-maintained-actions"
 
-# Set a timeout for the curl command (3 seconds)
-RESPONSE=$(curl --max-time 3 -s -w "%{http_code}" "$API_URL" -o /dev/null) || true
-CURL_EXIT_CODE=${?}
+echo ""
+echo -e "\033[1;36mStepSecurity Maintained Action\033[0m"
+echo "Secure drop-in replacement for $UPSTREAM"
+if [ "$REPO_PRIVATE" = "false" ]; then
+ echo -e "\033[32m✓ Free for public repositories\033[0m"
+fi
+echo -e "\033[36mLearn more:\033[0m $DOCS_URL"
+echo ""
 
-# Decide based on curl exit code and HTTP status
-if [ $CURL_EXIT_CODE -ne 0 ]; then
- echo "Timeout or API not reachable. Continuing to next step."
-elif [ "$RESPONSE" = "200" ]; then
- :
-elif [ "$RESPONSE" = "403" ]; then
- echo "Subscription is not valid. Reach out to support@stepsecurity.io"
- exit 1
-else
- echo "Timeout or API not reachable. Continuing to next step."
+if [ "$REPO_PRIVATE" != "false" ]; then
+ SERVER_URL="${GITHUB_SERVER_URL:-https://github.com}"
+
+ if [ "$SERVER_URL" != "https://github.com" ]; then
+ BODY=$(printf '{"action":"%s","ghes_server":"%s"}' "$ACTION_REPO" "$SERVER_URL")
+ else
+ BODY=$(printf '{"action":"%s"}' "$ACTION_REPO")
+ fi
+
+ API_URL="https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/maintained-actions-subscription"
+
+ RESPONSE=$(curl --max-time 3 -s -w "%{http_code}" \
+ -X POST \
+ -H "Content-Type: application/json" \
+ -d "$BODY" \
+ "$API_URL" -o /dev/null) && CURL_EXIT_CODE=0 || CURL_EXIT_CODE=$?
+
+ if [ $CURL_EXIT_CODE -ne 0 ]; then
+ echo "Timeout or API not reachable. Continuing to next step."
+ elif [ "$RESPONSE" = "403" ]; then
+ echo -e "::error::\033[1;31mThis action requires a StepSecurity subscription for private repositories.\033[0m"
+ echo -e "::error::\033[31mLearn how to enable a subscription: $DOCS_URL\033[0m"
+ exit 1
+ fi
 fi
 
 # Copy the matcher to the host system; otherwise "add-matcher" can't find it.
From 6f333f01b77d339952033271a86136c0ca97fe3d Mon Sep 17 00:00:00 2001
From: amanstep
Date: Tue, 19 May 2026 12:51:22 +0530
Subject: [PATCH 2/5] fix: fix copy issue
---
 entrypoint.sh | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/entrypoint.sh b/entrypoint.sh
index 939c656..598d671 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -40,8 +40,10 @@ if [ "$REPO_PRIVATE" != "false" ]; then
 fi
 fi
 
-# Copy the matcher to the host system; otherwise "add-matcher" can't find it.
-cp /code/codespell-matcher.json /github/workflow/codespell-matcher.json
+# Copy the matcher directly to RUNNER_TEMP; the /github/workflow bind-mount is not reliable.
+CODE_DIR="${CODE_DIR:-/code}"
+mkdir -p "${RUNNER_TEMP}/_github_workflow"
+cp "${CODE_DIR}/codespell-matcher.json" "${RUNNER_TEMP}/_github_workflow/codespell-matcher.json"
 echo "::add-matcher::${RUNNER_TEMP}/_github_workflow/codespell-matcher.json"
 
 # Run codespell.
From d115905996d6716d74b6bee5765632d2842b35ff Mon Sep 17 00:00:00 2001
From: amanstep
Date: Tue, 19 May 2026 13:11:52 +0530
Subject: [PATCH 3/5] fix: fixed tests
---
 test/test.bats | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/test/test.bats b/test/test.bats
index 119bc5b..e92eca4 100644
--- a/test/test.bats
+++ b/test/test.bats
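Review bot: The request body is assembled by interpolating `$ACTION_REPO` and `$SERVER_URL` straight into a JSON string with printf, so a value containing a double quote or backslash yields malformed JSON that the API will reject or misparse; since jq is installed by the Dockerfile change in this same patch, build the body with it: `BODY=$(jq -cn --arg action "$ACTION_REPO" --arg ghes "$SERVER_URL" '{action:$action,ghes_server:$ghes}')` and `BODY=$(jq -cn --arg action "$ACTION_REPO" '{action:$action}')`. The banner and error lines rely on `echo -e` under `#!/bin/sh`, which POSIX does not define (dash prints the `-e` literally); the Alpine image's busybox sh accepts it, but `printf '%b\n' ...` is the portable form. The two `::error::` annotations also embed ANSI escape bytes inside the annotation text, which may surface as literal characters in the Actions UI, so keep the colour codes out of those two strings. Only a 403 stops the run now and every other non-success status falls through silently, whereas the old code distinguished 200; a one-line comment stating that fail-open on other statuses is intended would save the next reader from re-asking.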
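Review bot: `mkdir -p "${RUNNER_TEMP}/_github_workflow"` and the `cp` after it run without checking that `RUNNER_TEMP` is set; the script has no `set -u`, so an empty value silently creates `/_github_workflow` at the filesystem root, and a failed `cp` is not checked either, leaving the `::add-matcher::` line pointing at a file that may not exist. Add `: "${RUNNER_TEMP:?RUNNER_TEMP must be set}"` before the `mkdir` and make the copy fatal with `cp "${CODE_DIR}/codespell-matcher.json" "${RUNNER_TEMP}/_github_workflow/codespell-matcher.json" || exit 1`. `CODE_DIR` is now overridable from the environment, presumably for the bats tests; a short comment on that line saying why would help.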
@@ -29,6 +29,8 @@ function setup() {
 [ -d "/code/" ] || sudo mkdir -p /code/
 [ -f "/code/codespell-matcher.json" ] || sudo cp codespell-problem-matcher/codespell-matcher.json /code/
 #ls -alR /code/
+ # Create the _github_workflow dir that entrypoint.sh copies the matcher into
+ [ -d "${RUNNER_TEMP}/_github_workflow/" ] || sudo mkdir -p ${RUNNER_TEMP}/_github_workflow/ && sudo chmod 777 ${RUNNER_TEMP}/_github_workflow/
 # Add a random place BATS tries to put it
 [ -d "/github/workflow/" ] || sudo mkdir -p /github/workflow/ && sudo chmod 777 /github/workflow/
 #ls -alR /github/workflow/
From 3d0f3f62f6631d8fca21a50eb61aaf460e669308 Mon Sep 17 00:00:00 2001
From: amanstep
Date: Tue, 19 May 2026 13:26:27 +0530
Subject: [PATCH 4/5] fix: fixed tests
---
 test/test.bats | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/test/test.bats b/test/test.bats
index e92eca4..65cf995 100644
--- a/test/test.bats
+++ b/test/test.bats
@@ -35,6 +35,12 @@ function setup() {
 [ -d "/github/workflow/" ] || sudo mkdir -p /github/workflow/ && sudo chmod 777 /github/workflow/
 #ls -alR /github/workflow/
 
+ # Set GITHUB_EVENT_PATH to a fake public-repo event so REPO_PRIVATE=false,
+ # which skips the subscription check and keeps banner output deterministic.
+ local event_file="/tmp/test-event.json"
+ printf '{"repository":{"private":false}}' > "${event_file}"
+ export GITHUB_EVENT_PATH="${event_file}"
+
 # Set default input values
 export INPUT_CHECK_FILENAMES=""
 export INPUT_CHECK_HIDDEN=""
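Review bot: The new directory line expands `${RUNNER_TEMP}` unquoted in both the `mkdir` and the `chmod`, and because `a || b && c` groups as `(a || b) && c`, an unset `RUNNER_TEMP` creates `/_github_workflow/` at the filesystem root and makes it world-writable. Quote the expansions: `[ -d "${RUNNER_TEMP}/_github_workflow/" ] || sudo mkdir -p "${RUNNER_TEMP}/_github_workflow/" && sudo chmod 777 "${RUNNER_TEMP}/_github_workflow/"`, and consider a `: "${RUNNER_TEMP:?RUNNER_TEMP must be set}"` guard at the top of setup(). setup() begins outside the hunk.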
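Review bot: The fake event is written to the fixed path `/tmp/test-event.json`, which is shared between concurrent test runs and, because `>` does not create exclusively, follows whatever file or symlink already sits at that path. Use a per-run temporary file instead: `local event_file; event_file=$(mktemp) || return 1`, keeping the `printf` and `export` lines as they are. setup() begins outside the hunk, so the matching removal in teardown is not visible here; the file should be deleted there.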
@@ -55,10 +61,10 @@ function setup() {
 run "./entrypoint.sh"
 [ $status -eq $expectedExitStatus ]
 
- # Check output
- [ "${lines[0]}" == "::add-matcher::${RUNNER_TEMP}/_github_workflow/codespell-matcher.json" ]
+ # Check output (lines 0-5 are the banner; add-matcher starts at line 6)
+ [ "${lines[6]}" == "::add-matcher::${RUNNER_TEMP}/_github_workflow/codespell-matcher.json" ]
 outputRegex="^Running codespell on '${INPUT_PATH}'"
- [[ "${lines[1]}" =~ $outputRegex ]]
+ [[ "${lines[7]}" =~ $outputRegex ]]
 [ "${lines[-4 - $errorCount]}" == "$errorCount" ]
 [ "${lines[-3]}" == "Codespell found one or more problems" ]
 [ "${lines[-2]}" == "::remove-matcher owner=codespell-matcher-default::" ]
From 353d7903079b8dbe2c805c40b71795694e3cbe63 Mon Sep 17 00:00:00 2001
From: amanstep
Date: Tue, 19 May 2026 14:43:22 +0530
Subject: [PATCH 5/5] fix: tests fixed
---
 test/test.bats | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/test/test.bats b/test/test.bats
index 65cf995..560a756 100644
--- a/test/test.bats
+++ b/test/test.bats
@@ -61,10 +61,10 @@ function setup() {
 run "./entrypoint.sh"
 [ $status -eq $expectedExitStatus ]
 
- # Check output (lines 0-5 are the banner; add-matcher starts at line 6)
- [ "${lines[6]}" == "::add-matcher::${RUNNER_TEMP}/_github_workflow/codespell-matcher.json" ]
- outputRegex="^Running codespell on '${INPUT_PATH}'"
- [[ "${lines[7]}" =~ $outputRegex ]]
+ # Check output
+ [[ "${output}" == *"::add-matcher::${RUNNER_TEMP}/_github_workflow/codespell-matcher.json"* ]]
+ outputRegex="Running codespell on '${INPUT_PATH}'"
+ [[ "${output}" =~ $outputRegex ]]
 [ "${lines[-4 - $errorCount]}" == "$errorCount" ]
 [ "${lines[-3]}" == "Codespell found one or more problems" ]
 [ "${lines[-2]}" == "::remove-matcher owner=codespell-matcher-default::" ]
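Review bot: `outputRegex="Running codespell on '${INPUT_PATH}'"` places `${INPUT_PATH}` inside an extended regex, so `.` in a path matches any character and `+`, `(` or `[` alter or break the pattern; dropping the `^` anchor additionally turns this into an anywhere-match over the whole `${output}`. The line above already uses a glob test against `${output}`, so use the same form and drop the regex variable: `[[ "${output}" == *"Running codespell on '${INPUT_PATH}'"* ]]`. The enclosing function starts outside the hunk.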