feat: Initial release #2

amanstep · 2026-02-03T12:28:44Z

No description provided.

claude · 2026-02-03T12:41:56Z

Claude finished @amanstep's task —— View job

Comprehensive GitHub Action Review

Reviewing this pull request for GitHub Action compliance and security requirements.

Review Progress:

Action Type Analysis

This is a Hybrid Action with both Node.js and Docker implementations:

Primary: Node.js action (action.yml using node20)
Secondary: Docker action (docker/action.yml using ../Dockerfile)

✅ PASSED REQUIREMENTS

License & Copyright

✅ LICENSE file present with correct StepSecurity copyright (LICENSE:4)
✅ Original author copyright preserved (LICENSE:3)
✅ ISC license matches original

Action Configuration

✅ action.yml has correct author: step-security (action.yml:3)
✅ docker/action.yml has correct author: step-security (docker/action.yml:3)

Required Files Present

✅ SECURITY.md present with correct contact (SECURITY.md:5)
✅ .github/workflows/auto_cherry_pick.yml present
✅ .github/workflows/actions_release.yml present

Forbidden Files Absent

✅ No FUNDING.yml or funding.yml files
✅ No renovate.json file
✅ No PULL_REQUEST.md file
✅ No ISSUE_TEMPLATE folder
✅ No CHANGELOG.md file
✅ No .vscode folder (correctly ignored in .gitignore)

Package.json (Node-specific)

✅ Author: step-security (package.json:6)
✅ Repository contains step-security phrase (package.json:10)
✅ Build script present: ncc build action.js (package.json:13)

Distribution

✅ dist/ folder present for Node.js action

Version Usage Examples

✅ README.md uses major version only: @v6 (README.md:50)

Subscription Check Implementation

✅ EXCELLENT: Proper subscription validation implemented (index.js:17-32)
- Correct API URL: https://agent.api.stepsecurity.io/v1/github/${process.env.GITHUB_REPOSITORY}/actions/subscription
- Proper error handling for 403 responses
- Graceful timeout handling for unreachable API
- Called in main drafter function (index.js:152)

⚠️ ISSUES IDENTIFIED

Docker Implementation Concerns

❌ CRITICAL: Docker action uses local Dockerfile instead of published image (docker/action.yml:6)
- Uses: image: '../Dockerfile'
- Should use: image: docker://stepsecurity/release-drafter:v6
❌ CRITICAL: Dockerfile uses base image instead of StepSecurity published image
- Current: FROM node:20.11.0-alpine@sha256:9b61ed13fef9ca689326f40c0c0b4da70e37a18712f200b4c66d3b44fd59d98e
- Should use StepSecurity org published image

Workflows Configuration

⚠️ WARNING: actions_release.yml has build script commented out (actions_release.yml:10-13)
- Since package.json has build script, workflow should specify it as input
- Current state may work but violates standard practice

🔍 SECURITY ANALYSIS

Code Security Review

✅ NO CRITICAL VULNERABILITIES DETECTED
✅ Template system uses safe string replacement (lib/template.js:10-28)
✅ Regex parsing properly validated (lib/template.js:36-50)
✅ No dangerous functions (eval, exec, Function()) in source code
✅ File operations limited to test fixtures and build scripts
✅ All dependencies appear used and necessary
✅ Input validation present for configuration

Dependency Analysis

✅ All major dependencies verified as used:
- @actions/core ✓ (index.js:12)
- axios ✓ (index.js:15)
- probot ✓ (action.js:2)
- lodash, semver, joi etc. all referenced

📋 RECOMMENDATIONS

High Priority

Fix Docker Implementation: Update docker/action.yml to use published Docker image from StepSecurity org
Publish Docker Image: Ensure Docker image is published to StepSecurity registry with proper major version tag

Medium Priority

Update Workflow: Uncomment and specify build script in actions_release.yml

Low Priority

Consider: Add input validation for action inputs in action.yml

📊 COMPLIANCE SCORE: 8.5/10

Summary: This is a well-implemented GitHub Action with excellent security practices, proper StepSecurity branding, and comprehensive subscription checking. The main issues are with the Docker implementation not following the published image requirement. The Node.js implementation meets all requirements excellently.

claude · 2026-02-03T12:45:08Z

Claude finished @amanstep's task —— View job

Comprehensive GitHub Action Review

Reviewing this pull request for GitHub Action compliance and security requirements.

Review Progress:

Action Type Analysis

This is a Hybrid Action with both Node.js and Docker implementations:

Primary: Node.js action (action.yml using node20)
Secondary: Docker action (docker/action.yml using ../Dockerfile)

✅ PASSED REQUIREMENTS

License & Copyright

✅ LICENSE file present with correct StepSecurity copyright (LICENSE:4)
✅ Original author copyright preserved (LICENSE:3)
✅ ISC license matches original

Action Configuration

✅ action.yml has correct author: step-security (action.yml:3)
✅ docker/action.yml has correct author: step-security (docker/action.yml:3)

Required Files Present

✅ SECURITY.md present with correct contact (SECURITY.md:5)
✅ .github/workflows/auto_cherry_pick.yml present
✅ .github/workflows/actions_release.yml present

Forbidden Files Absent

✅ No FUNDING.yml or funding.yml files
✅ No renovate.json file
✅ No PULL_REQUEST.md file
✅ No ISSUE_TEMPLATE folder
✅ No CHANGELOG.md file
✅ No .vscode folder (correctly ignored in .gitignore)

Package.json (Node-specific)

✅ Author: step-security (package.json:6)
✅ Repository contains step-security phrase (package.json:10)
✅ Build script present: ncc build action.js (package.json:13)

Distribution

✅ dist/ folder present for Node.js action

Version Usage Examples

✅ README.md uses major version only: @v6 (README.md:50)

Subscription Check Implementation

✅ EXCELLENT: Proper subscription validation implemented (index.js:17-32)
- Correct API URL: https://agent.api.stepsecurity.io/v1/github/${process.env.GITHUB_REPOSITORY}/actions/subscription
- Proper error handling for 403 responses
- Graceful timeout handling for unreachable API
- Called in main drafter function (index.js:152)

⚠️ ISSUES IDENTIFIED

Docker Implementation Concerns

❌ CRITICAL: Docker action uses local Dockerfile instead of published image (docker/action.yml:6)
- Uses: image: '../Dockerfile'
- Should use: image: docker://stepsecurity/release-drafter:v6
❌ CRITICAL: Dockerfile uses base image instead of StepSecurity published image
- Current: FROM node:20.11.0-alpine@sha256:9b61ed13fef9ca689326f40c0c0b4da70e37a18712f200b4c66d3b44fd59d98e
- Should use StepSecurity org published image

Workflows Configuration

⚠️ WARNING: actions_release.yml has build script commented out (actions_release.yml:10-13)
- Since package.json has build script, workflow should specify it as input
- Current state may work but violates standard practice

🔍 SECURITY ANALYSIS

Code Security Review

✅ NO CRITICAL VULNERABILITIES DETECTED
✅ Template system uses safe string replacement (lib/template.js:10-28)
✅ Regex parsing properly validated (lib/template.js:36-50)
✅ No dangerous functions (eval, exec, Function()) in source code
✅ File operations limited to test fixtures and build scripts
✅ All dependencies appear used and necessary
✅ Input validation present for configuration

Dependency Analysis

✅ All major dependencies verified as used:
- @actions/core ✓ (index.js:12)
- axios ✓ (index.js:15)
- probot ✓ (action.js:2)
- lodash, semver, joi etc. all referenced

📋 RECOMMENDATIONS

High Priority

Fix Docker Implementation: Update docker/action.yml to use published Docker image from StepSecurity org
Publish Docker Image: Ensure Docker image is published to StepSecurity registry with proper major version tag

Medium Priority

Update Workflow: Uncomment and specify build script in actions_release.yml

Low Priority

Consider: Add input validation for action inputs in action.yml

📊 COMPLIANCE SCORE: 8.5/10

Summary: This is a well-implemented GitHub Action with excellent security practices, proper StepSecurity branding, and comprehensive subscription checking. The main issues are with the Docker implementation not following the published image requirement. The Node.js implementation meets all requirements excellently.

claude · 2026-02-03T17:06:33Z

Claude finished @amanstep's task —— View job

Comprehensive GitHub Action Review

Reviewing this pull request for GitHub Action compliance and security requirements.

Review Progress:

Action Type Analysis

This is a Hybrid Action with both Node.js and Docker implementations:

Primary: Node.js action (action.yml using node20)
Secondary: Docker action (docker/action.yml using ../Dockerfile)

✅ PASSED REQUIREMENTS

License & Copyright

✅ LICENSE file present with correct StepSecurity copyright (LICENSE:4)
✅ Original author copyright preserved (LICENSE:3)
✅ ISC license matches original

Action Configuration

✅ action.yml has correct author: step-security (action.yml:3)
✅ docker/action.yml has correct author: step-security (docker/action.yml:3)

Required Files Present

✅ SECURITY.md present with correct contact (SECURITY.md:5)
✅ .github/workflows/auto_cherry_pick.yml present
✅ .github/workflows/actions_release.yml present

Forbidden Files Absent

✅ No FUNDING.yml or funding.yml files
✅ No renovate.json file
✅ No PULL_REQUEST.md file
✅ No ISSUE_TEMPLATE folder
✅ No CHANGELOG.md file
✅ No .vscode folder (correctly ignored in .gitignore)

Package.json (Node-specific)

✅ Author: step-security (package.json:6)
✅ Repository contains step-security phrase (package.json:10)
✅ Build script present: ncc build action.js (package.json:13)

Distribution

✅ dist/ folder present for Node.js action

Version Usage Examples

✅ README.md uses major version only: @v6 (README.md:50)

Subscription Check Implementation

✅ EXCELLENT: Proper subscription validation implemented (index.js:17-32)
- Correct API URL: https://agent.api.stepsecurity.io/v1/github/${process.env.GITHUB_REPOSITORY}/actions/subscription
- Proper error handling for 403 responses
- Graceful timeout handling for unreachable API
- Called in main drafter function (index.js:152)

⚠️ ISSUES IDENTIFIED

Docker Implementation Concerns

❌ CRITICAL: Docker action uses local Dockerfile instead of published image (docker/action.yml:6)
- Uses: image: '../Dockerfile'
- Should use: image: docker://stepsecurity/release-drafter:v6
❌ CRITICAL: Dockerfile uses base image instead of StepSecurity published image
- Current: FROM node:20.11.0-alpine@sha256:9b61ed13fef9ca689326f40c0c0b4da70e37a18712f200b4c66d3b44fd59d98e
- Should use StepSecurity org published image

Workflows Configuration

⚠️ WARNING: actions_release.yml uses reusable workflow but doesn't specify build script input (actions_release.yml:20-22)
- Since package.json has build script, workflow should specify it as input
- Current state may work but violates standard practice

🔍 SECURITY ANALYSIS

Code Security Review

✅ NO CRITICAL VULNERABILITIES DETECTED
✅ Template system uses safe string replacement (lib/template.js:10-28)
✅ Regex parsing properly validated (lib/template.js:36-50)
✅ No dangerous functions (eval, exec, Function()) in source code
✅ File operations limited to test fixtures and build scripts
✅ All dependencies appear used and necessary
✅ Input validation present for configuration

Dependency Analysis

✅ All major dependencies verified as used:
- @actions/core ✓ (index.js:12)
- axios ✓ (index.js:15)
- probot ✓ (action.js:2)
- lodash, semver, joi etc. all referenced

📋 RECOMMENDATIONS

High Priority

Fix Docker Implementation: Update docker/action.yml to use published Docker image from StepSecurity org
Publish Docker Image: Ensure Docker image is published to StepSecurity registry with proper major version tag

Medium Priority

Update Workflow: Specify build script in actions_release.yml inputs for consistency

Low Priority

Consider: Add input validation for action inputs in action.yml

📊 COMPLIANCE SCORE: 8.5/10

Summary: This is a well-implemented GitHub Action with excellent security practices, proper StepSecurity branding, and comprehensive subscription checking. The main issues are with the Docker implementation not following the published image requirement. The Node.js implementation meets all requirements excellently.

claude · 2026-02-03T17:10:57Z

Claude finished @amanstep's task —— View job

Comprehensive GitHub Action Review

Reviewing this pull request for GitHub Action compliance and security requirements.

Review Progress:

Action Type Analysis

This is a Hybrid Action with both Node.js and Docker implementations:

Primary: Node.js action (action.yml using node20)
Secondary: Docker action (docker/action.yml using ../Dockerfile)

✅ PASSED REQUIREMENTS

License & Copyright

✅ LICENSE file present with correct StepSecurity copyright (LICENSE:4)
✅ Original author copyright preserved (LICENSE:3)
✅ ISC license matches original

Action Configuration

✅ action.yml has correct author: step-security (action.yml:3)
✅ docker/action.yml has correct author: step-security (docker/action.yml:3)

Required Files Present

✅ SECURITY.md present with correct contact (SECURITY.md:5)
✅ .github/workflows/auto_cherry_pick.yml present
✅ .github/workflows/actions_release.yml present

Forbidden Files Absent

✅ No FUNDING.yml or funding.yml files
✅ No renovate.json file
✅ No PULL_REQUEST.md file
✅ No ISSUE_TEMPLATE folder
✅ No CHANGELOG.md file
✅ No .vscode folder (correctly ignored in .gitignore)

Package.json (Node-specific)

✅ Author: step-security (package.json:6)
✅ Repository contains step-security phrase (package.json:10)
✅ Build script present: ncc build action.js (package.json:13)

Distribution

✅ dist/ folder present for Node.js action

Version Usage Examples

✅ README.md uses major version only: @v6 (README.md:50)

Subscription Check Implementation

✅ EXCELLENT: Proper subscription validation implemented (index.js:17-32)
- Correct API URL: https://agent.api.stepsecurity.io/v1/github/${process.env.GITHUB_REPOSITORY}/actions/subscription
- Proper error handling for 403 responses
- Graceful timeout handling for unreachable API
- Called in main drafter function (index.js:152)

⚠️ ISSUES IDENTIFIED

Docker Implementation Concerns

❌ CRITICAL: Docker action uses local Dockerfile instead of published image (docker/action.yml:6)
- Uses: image: '../Dockerfile'
- Should use: image: docker://stepsecurity/release-drafter:v6
❌ CRITICAL: Dockerfile uses base image instead of StepSecurity published image
- Current: FROM node:20.11.0-alpine@sha256:9b61ed13fef9ca689326f40c0c0b4da70e37a18712f200b4c66d3b44fd59d98e
- Should use StepSecurity org published image

Workflows Configuration

⚠️ WARNING: actions_release.yml uses reusable workflow but doesn't specify build script input (actions_release.yml:20-22)
- Since package.json has build script, workflow should specify it as input
- Current state may work but violates standard practice

🔍 SECURITY ANALYSIS

Code Security Review

✅ NO CRITICAL VULNERABILITIES DETECTED
✅ Template system uses safe string replacement (lib/template.js:10-28)
✅ Regex parsing properly validated (lib/template.js:36-50)
✅ No dangerous functions (eval, exec, Function()) in source code
✅ File operations limited to test fixtures and build scripts
✅ All dependencies appear used and necessary
✅ Input validation present for configuration

Dependency Analysis

✅ All major dependencies verified as used:
- @actions/core ✓ (index.js:12)
- axios ✓ (index.js:15)
- probot ✓ (action.js:2)
- lodash, semver, joi etc. all referenced

📋 RECOMMENDATIONS

High Priority

Fix Docker Implementation: Update docker/action.yml to use published Docker image from StepSecurity org
Publish Docker Image: Ensure Docker image is published to StepSecurity registry with proper major version tag

Medium Priority

Update Workflow: Specify build script in actions_release.yml inputs for consistency

Low Priority

Consider: Add input validation for action inputs in action.yml

📊 COMPLIANCE SCORE: 8.5/10

Summary: This is a well-implemented GitHub Action with excellent security practices, proper StepSecurity branding, and comprehensive subscription checking. The main issues are with the Docker implementation not following the published image requirement. The Node.js implementation meets all requirements excellently.

Raj-StepSecurity · 2026-02-03T17:59:41Z

.github/actions/common-setup/action.yml

@@ -0,0 +1,19 @@
+name: Node & npm setup
+author: Clément Chanchevrier @cchanche


remove author

Raj-StepSecurity · 2026-02-03T18:01:13Z

package.json

+    "generate-fixtures": "node ./bin/generate-fixtures.js",
+    "lint": "eslint bin/*.js lib/*.js action.js index.js test/**/*.js",
+    "prettier": "prettier --write **/*.{js,md,json}",
+    "postversion": "npm run test && git push && git push --tags",


Raj-StepSecurity · 2026-02-03T18:01:35Z

package.json

+    "lint": "eslint bin/*.js lib/*.js action.js index.js test/**/*.js",
+    "prettier": "prettier --write **/*.{js,md,json}",
+    "postversion": "npm run test && git push && git push --tags",
+    "open-releases": "open \"$(node -e 'console.log(`${require(\"./package.json\").repository}/releases`)')\""


check usage and remove

Raj-StepSecurity · 2026-02-03T18:04:48Z

lib/commits.js

remove lib folder from tracking

Raj-StepSecurity · 2026-02-03T18:09:18Z

add publish docker image workflow

amanstep added 3 commits February 3, 2026 17:58

feat: Initial release

5db61d9

fix: fixed test workflow

0b58d7f

fix: fixed test workflow

ee38538

amanstep added the review-required label Feb 3, 2026

fix: fixed action_release workflow

cb49d78

fix: deleted .npmrc

0c5d8b4

fix: deleted .npmrc

b9ccf87

Raj-StepSecurity reviewed Feb 3, 2026

View reviewed changes

lib/commits.js

Copy link

Raj-StepSecurity Feb 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove lib folder from tracking

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: Initial release #2

feat: Initial release #2

Uh oh!

amanstep commented Feb 3, 2026

Uh oh!

claude bot commented Feb 3, 2026 •

edited

Loading

Uh oh!

claude bot commented Feb 3, 2026 •

edited

Loading

Uh oh!

claude bot commented Feb 3, 2026 •

edited

Loading

Uh oh!

claude bot commented Feb 3, 2026 •

edited

Loading

Uh oh!

Raj-StepSecurity Feb 3, 2026

Uh oh!

Raj-StepSecurity Feb 3, 2026

Uh oh!

Raj-StepSecurity Feb 3, 2026

Uh oh!

Raj-StepSecurity Feb 3, 2026

Uh oh!

Raj-StepSecurity commented Feb 3, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

		@@ -0,0 +1,19 @@
		name: Node & npm setup
		author: Clément Chanchevrier @cchanche

feat: Initial release #2

Are you sure you want to change the base?

feat: Initial release #2

Uh oh!

Conversation

amanstep commented Feb 3, 2026

Uh oh!

claude bot commented Feb 3, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Comprehensive GitHub Action Review

Review Progress:

Action Type Analysis

✅ PASSED REQUIREMENTS

License & Copyright

Action Configuration

Required Files Present

Forbidden Files Absent

Package.json (Node-specific)

Distribution

Version Usage Examples

Subscription Check Implementation

⚠️ ISSUES IDENTIFIED

Docker Implementation Concerns

Workflows Configuration

🔍 SECURITY ANALYSIS

Code Security Review

Dependency Analysis

📋 RECOMMENDATIONS

High Priority

Medium Priority

Low Priority

📊 COMPLIANCE SCORE: 8.5/10

Uh oh!

claude bot commented Feb 3, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Comprehensive GitHub Action Review

Review Progress:

Action Type Analysis

✅ PASSED REQUIREMENTS

License & Copyright

Action Configuration

Required Files Present

Forbidden Files Absent

Package.json (Node-specific)

Distribution

Version Usage Examples

Subscription Check Implementation

⚠️ ISSUES IDENTIFIED

Docker Implementation Concerns

Workflows Configuration

🔍 SECURITY ANALYSIS

Code Security Review

Dependency Analysis

📋 RECOMMENDATIONS

High Priority

Medium Priority

Low Priority

📊 COMPLIANCE SCORE: 8.5/10

Uh oh!

claude bot commented Feb 3, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Comprehensive GitHub Action Review

Review Progress:

Action Type Analysis

✅ PASSED REQUIREMENTS

License & Copyright

Action Configuration

Required Files Present

Forbidden Files Absent

Package.json (Node-specific)

Distribution

Version Usage Examples

Subscription Check Implementation

⚠️ ISSUES IDENTIFIED

Docker Implementation Concerns

Workflows Configuration

🔍 SECURITY ANALYSIS

Code Security Review

Dependency Analysis

📋 RECOMMENDATIONS

claude bot commented Feb 3, 2026 •

edited

Loading

claude bot commented Feb 3, 2026 •

edited

Loading

claude bot commented Feb 3, 2026 •

edited

Loading

claude bot commented Feb 3, 2026 •

edited

Loading