feat: onboarding github-action-matrix-outputs-write

[Raj-StepSecurity]

No description provided.

[github-actions]

PR Review

Action Type

Node-based action — uses node24 runtime (declared in action.yml), compiled with @vercel/ncc into dist/index.js.

Passed Checks

• action.yml is present with author: 'step-security'
• SECURITY.md is present
• No FUNDING.yml or funding.yml present
• .github/workflows/auto_cherry_pick.yml is present
• .github/workflows/actions_release.yml is present
• No renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE folder, CHANGELOG.md, or .vscode folder present
• README contains the StepSecurity Maintained Action banner
• README usage examples use major version only (e.g. @v1)
• Subscription check calls the correct URL (https://agent.api.stepsecurity.io/v1/github/.../actions/maintained-actions-subscription)
• upstream value (gocodealone/github-action-matrix-outputs-write) correctly matches original-owner/repo-name from auto_cherry_pick.yml
• package.json author is "step-security", repository URL contains step-security
• dist/ folder is present; package.json has a "build" script using npm

Failed Checks

• LICENSE missing original author copyright: Only Copyright 2026 StepSecurity is present. The original author (gocodealone) must also be credited per Apache 2.0 attribution requirements.
• YAML syntax error in test-non-matrix.yml: The on: block uses 1-space indent for pull_request but 2-space for workflow_dispatch — invalid YAML, workflow will not parse. See inline comment.
• YAML syntax error in test-positive.yml: Same inconsistent indentation in the on: block. See inline comment.
• Missing await on artifactClient.uploadArtifact (index.js:128): Promise is not awaited; the process exits before the upload completes, silently losing the artifact. See inline comment.
• Implicit global variable message (index.js:82): Assigned without let/const/var; will throw ReferenceError in strict mode. See inline comment.

Warnings

• Unpinned nick-fields/assert-action@v4 in all test workflow files (test-positive.yml, test-negative.yml, test-non-matrix.yml, test-reusable-workflow.yml, test-special-chars.yml, test-validation.yml): Uses a mutable tag instead of a full commit SHA. Pin to a SHA to guard against supply chain attacks.
• Missing trailing newline at end of setup-test.yml.

Security Findings

1. Path traversal via unsanitized user inputs (index.js:108): step_name and matrix_key come from workflow inputs and are concatenated directly into a file path with no sanitization. A malicious caller can pass ../../sensitive to write files outside the working directory. Sanitize with path.basename() on both values. See inline comment.
2. Unpinned third-party CI actions (nick-fields/assert-action@v4): Mutable tag references across multiple test workflows can be silently redirected to a malicious commit; pin all references to full SHAs.

Summary

The onboarding is structurally correct — subscription check, StepSecurity branding, and required workflow files are all in place. However, the PR must not merge until the LICENSE is updated to credit the original author, the two YAML syntax errors in test workflows are fixed, and the missing await and path traversal issues in index.js are addressed.

[github-actions]

PR Review

Action Type

Node-based — uses node24 runtime as declared in action.yml.

---

✅ Passed Checks

• SECURITY.md is present with a vulnerability reporting contact.
• action.yml is present with author: 'step-security'.
• FUNDING.yml / funding.yml is not present.
• .github/workflows/auto_cherry_pick.yml is present.
• .github/workflows/actions_release.yml is present.
• renovate.json is not present.
• PULL_REQUEST.md is not present.
• ISSUE_TEMPLATE folder is not present.
• CHANGELOG.md is not present.
• .vscode folder is not present.
• README.md banner is present: the StepSecurity Maintained Action image/link is included at the top.
• README.md usage examples use major-version tags only (e.g. @v1, @v3, @v4) — no complete semver tags.
• Subscription check URL is correct: https://agent.api.stepsecurity.io/v1/github/${GITHUB_REPOSITORY}/actions/maintained-actions-subscription.
• upstream variable in index.js is gocodealone/github-action-matrix-outputs-write, which correctly matches original-owner: "gocodealone" and repo-name: "github-action-matrix-outputs-write" in auto_cherry_pick.yml.
• package.json author is "step-security".
• package.json repository URL references step-security.
• All declared dependencies are used (@actions/artifact, @actions/core, axios, yaml).
• dist/ folder is present with the built artifact.
• build script is present in package.json (ncc build index.js -o dist).

---

❌ Failed Checks

• LICENSE is missing the original author's copyright. The file only carries Copyright 2026 StepSecurity. Since this is a maintained fork of gocodealone/github-action-matrix-outputs-write, the original author's copyright notice must be preserved alongside StepSecurity's. Add the original copyright (e.g. Copyright <year> gocodealone or whatever the upstream LICENSE states) above the StepSecurity copyright line.

---

⚠️ Warnings

• Implicit global variable in index.js line 82: message = \...`is assigned withoutconst/let/var. In sloppy mode this silently creates a global; in strict mode it would throw a ReferenceError. Change to const message = `...``.
• README usage examples reference potentially non-existent action versions: actions/checkout@v7 and cloudposse/github-action-docker-build-push@v3 are used in examples. While the major-version-only format is correct per policy, verifying these tags actually exist avoids misleading users.

---

🔒 Security Findings

Path traversal vulnerability in index.js (line 108): The filename used for artifact upload is constructed by directly concatenating user-supplied action inputs:

const filename = "./" + step_name + "-" + matrix_key

If either matrix-step-name or matrix-key contains ../ sequences, the fs.writeFileSync call on line 110 can write files outside the intended working directory on the runner. While the runner is ephemeral, a crafted path could overwrite sensitive runner-local files or embed unexpected content in uploaded artifacts. Fix: sanitize both inputs before constructing the filename, e.g.:

const safeStepName = path.basename(step_name);
const safeKey = path.basename(matrix_key);
const filename = "./" + safeStepName + "-" + safeKey;

---

Summary

The onboarding is largely complete and well-structured. One compliance blocker must be resolved before merging: the LICENSE file must include the original author's copyright notice alongside StepSecurity's. Additionally, the path-traversal issue in filename construction should be patched to close a low-severity but real security risk.