From f2ffcfa6af6f58c2d3f05476477568e887b5aa3a Mon Sep 17 00:00:00 2001
From: Anurag Rajawat
Date: Thu, 23 Apr 2026 15:57:25 +0530
Subject: [PATCH] feat: added banner and update subscription check to make maintained actions free for public repos
Signed-off-by: Anurag Rajawat
---
 .github/workflows/actions_release.yml | 7 +++-
 .github/workflows/audit_package.yml | 5 +++
 .github/workflows/test.yml | 2 +-
 README.md | 2 ++
 action.yml | 2 +-
 dist/index.js | 38 +++++++++++++++-----
 src/pr.ts | 50 ++++++++++++++++++++++-----
 tsconfig.json | 2 +-
 8 files changed, 88 insertions(+), 20 deletions(-)
diff --git a/.github/workflows/actions_release.yml b/.github/workflows/actions_release.yml
index b2c7eb2..9dd5dcd 100644
--- a/.github/workflows/actions_release.yml
+++ b/.github/workflows/actions_release.yml
@@ -6,6 +6,10 @@ on:
 tag:
 description: "Tag for the release"
 required: true
+ node_version:
+ description: "Specify Node.js version (e.g., '18', '20', 'lts/*')"
+ required: false
+ default: "24"
 permissions:
 contents: read
@@ -19,4 +23,5 @@ jobs:
 uses: step-security/reusable-workflows/.github/workflows/actions_release.yaml@v1
 with:
- tag: "${{ github.event.inputs.tag }}"
\ No newline at end of file
+ tag: "${{ github.event.inputs.tag }}"
+ node_version: "${{ github.event.inputs.node_version }}"
\ No newline at end of file
diff --git a/.github/workflows/audit_package.yml b/.github/workflows/audit_package.yml
index 2cc740e..4fa5ce9 100644
--- a/.github/workflows/audit_package.yml
+++ b/.github/workflows/audit_package.yml
@@ -11,6 +11,10 @@ on:
 description: "Specify a base branch"
 required: false
 default: "main"
+ node_version:
+ description: "Specify Node.js version (e.g., '18', '20', 'lts/*')"
+ required: false
+ default: "24"
 schedule:
 - cron: "0 0 * * 1"
@@ -20,6 +24,7 @@ jobs:
 with:
 force: ${{ inputs.force || false }}
 base_branch: ${{ inputs.base_branch || 'main' }}
+ node_version: "${{ inputs.node_version || '24' }}"
 permissions:
 contents: write
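Review bot: The new `node_version` input in actions_release.yml (and the identical one in audit_package.yml) is free text whose description still suggests '18' and '20', while this same commit moves action.yml to `using: 'node24'`. A dispatcher can therefore build or audit a release with a Node version older than the runtime the action declares; consider `type: choice` with an `options:` list limited to supported versions, and update the example text to match the default. The value is forwarded to the reusable workflow referenced as `@v1`, so how it is consumed there is not visible in this diff.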
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 3ad1d3f..19fe977 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -27,7 +27,7 @@ jobs:
 - name: Setup Node.js
 uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
- node-version: '20'
+ node-version: '24'
 cache: 'npm'
 - name: Install dependencies
diff --git a/README.md b/README.md
index a3cc8d8..9d8da0a 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,5 @@
+[![StepSecurity Maintained Action](https://raw.githubusercontent.com/step-security/maintained-actions-assets/main/assets/maintained-action-banner.png)](https://docs.stepsecurity.io/actions/stepsecurity-maintained-actions)
+
 # PR Description Updater
 A GitHub Action that updates pull request descriptions using regex patterns for content matching and replacement. This action allows you to dynamically update PR descriptions with content from files or direct text input, supporting various regex matching strategies.
diff --git a/action.yml b/action.yml
index af01e0c..e848fa3 100644
--- a/action.yml
+++ b/action.yml
@@ -35,7 +35,7 @@ inputs:
 required: true
 runs:
- using: 'node20'
+ using: 'node24'
 main: 'dist/index.js'
 branding:
diff --git a/dist/index.js b/dist/index.js
index c6440ee..600ddc2 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -67,23 +67,45 @@ var __importStar = (this && this.__importStar) || (function () { Object.defineProperty(exports, "__esModule", ({ value: true })); exports.updatePullRequestBody = updatePullRequestBody; const core_1 = __nccwpck_require__(7484); +const core = __importStar(__nccwpck_require__(7484)); const github_1 = __nccwpck_require__(3228); +const fs = __importStar(__nccwpck_require__(9896)); const fs_1 = __nccwpck_require__(9896); const config_1 = __nccwpck_require__(4054); const axios_1 = __importStar(__nccwpck_require__(7269)); async function validateSubscription() { - const API_URL = `https://agent.api.stepsecurity.io/v1/github/${process.env.GITHUB_REPOSITORY}/actions/subscription`; + const eventPath = process.env.GITHUB_EVENT_PATH; + let repoPrivate; + if (eventPath && fs.existsSync(eventPath)) { + const eventData = JSON.parse(fs.readFileSync(eventPath, 'utf8')); + repoPrivate = eventData?.repository?.private; + } + const upstream = 'step-security/update-pr-description'; + const action = process.env.GITHUB_ACTION_REPOSITORY; + const docsUrl = 'https://docs.stepsecurity.io/actions/stepsecurity-maintained-actions'; + core.info(''); + core.info('\u001b[1;36mStepSecurity Maintained Action\u001b[0m'); + core.info(`Secure drop-in replacement for ${upstream}`); + if (repoPrivate === false) + core.info('\u001b[32m\u2713 Free for public repositories\u001b[0m'); + core.info(`\u001b[36mLearn more:\u001b[0m ${docsUrl}`); + core.info(''); + if (repoPrivate === false) + return; + const serverUrl = process.env.GITHUB_SERVER_URL || 'https://github.com'; + const body = { action: action || '' }; + if (serverUrl !== 'https://github.com') + body.ghes_server = serverUrl; try { - await axios_1.default.get(API_URL, { timeout: 3000 }); + await axios_1.default.post(`https://agent.api.stepsecurity.io/v1/github/${process.env.GITHUB_REPOSITORY}/actions/maintained-actions-subscription`, body, { timeout: 3000 }); } - catch (e) { - if ((0, axios_1.isAxiosError)(e) && e.response?.status 
=== 403) { - (0, core_1.error)('Subscription is not valid. Reach out to support@stepsecurity.io'); + catch (error) { + if ((0, axios_1.isAxiosError)(error) && error.response?.status === 403) { + core.error(`\u001b[1;31mThis action requires a StepSecurity subscription for private repositories.\u001b[0m`); + core.error(`\u001b[31mLearn how to enable a subscription: ${docsUrl}\u001b[0m`); process.exit(1); } - else { - (0, core_1.info)('Timeout or API not reachable. Continuing to next step.'); - } + core.info('Timeout or API not reachable. Continuing to next step.'); } } async function updatePullRequestBody() { diff --git a/src/pr.ts b/src/pr.ts index ae435ba..bc3e1d6 100644 --- a/src/pr.ts +++ b/src/pr.ts 
@@ -1,21 +1,55 @@
 import { notice, setFailed, error, info } from '@actions/core';
+import * as core from '@actions/core';
 import { context, getOctokit } from '@actions/github';
+import * as fs from 'fs';
 import { readFileSync } from 'fs';
 import { config } from './config';
 import axios, { isAxiosError } from 'axios';
 async function validateSubscription(): Promise {
- const API_URL = `https://agent.api.stepsecurity.io/v1/github/${process.env.GITHUB_REPOSITORY}/actions/subscription`;
+ const eventPath = process.env.GITHUB_EVENT_PATH
+ let repoPrivate: boolean | undefined
+ if (eventPath && fs.existsSync(eventPath)) {
+ const eventData = JSON.parse(fs.readFileSync(eventPath, 'utf8'))
+ repoPrivate = eventData?.repository?.private
+ }
+
+ const upstream = 'step-security/update-pr-description'
+ const action = process.env.GITHUB_ACTION_REPOSITORY
+ const docsUrl =
+ 'https://docs.stepsecurity.io/actions/stepsecurity-maintained-actions'
+
+ core.info('')
+ core.info('\u001b[1;36mStepSecurity Maintained Action\u001b[0m')
+ core.info(`Secure drop-in replacement for ${upstream}`)
+ if (repoPrivate === false)
+ core.info('\u001b[32m\u2713 Free for public repositories\u001b[0m')
+ core.info(`\u001b[36mLearn more:\u001b[0m ${docsUrl}`)
+ core.info('')
+
+ if (repoPrivate === false) return
+
+ const serverUrl = process.env.GITHUB_SERVER_URL || 'https://github.com'
+ const body: Record = {action: action || ''}
+ if (serverUrl !== 'https://github.com') body.ghes_server = serverUrl
 try {
- await axios.get(API_URL, { timeout: 3000 });
- } catch (e) {
- if (isAxiosError(e) && e.response?.status === 403) {
- error('Subscription is not valid. Reach out to support@stepsecurity.io');
- process.exit(1);
- } else {
- info('Timeout or API not reachable. Continuing to next step.');
+ await axios.post(
+ `https://agent.api.stepsecurity.io/v1/github/${process.env.GITHUB_REPOSITORY}/actions/maintained-actions-subscription`,
+ body,
+ {timeout: 3000}
+ )
+ } catch (error) {
+ if (isAxiosError(error) && error.response?.status === 403) {
+ core.error(
+ `\u001b[1;31mThis action requires a StepSecurity subscription for private repositories.\u001b[0m`
+ )
+ core.error(
+ `\u001b[31mLearn how to enable a subscription: ${docsUrl}\u001b[0m`
+ )
+ process.exit(1)
 }
+ core.info('Timeout or API not reachable. Continuing to next step.')
 }
 }
diff --git a/tsconfig.json b/tsconfig.json
index 086520a..446bdef 100644
--- a/tsconfig.json
+++ b/tsconfig.json
@@ -1,6 +1,6 @@
 {
 "compilerOptions": {
- "target": "ES2020",
+ "target": "ES2024",
 "module": "commonjs",
 "strict": true,
 "esModuleInterop": true,
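Review bot: In `validateSubscription` (src/pr.ts hunk), the new `JSON.parse(fs.readFileSync(eventPath, 'utf8'))` runs before the `try`, so an unreadable or malformed event payload rejects the whole function instead of falling through the way the "Timeout or API not reachable" path does. The parsed value is also untyped, so `repoPrivate` can receive a non-boolean despite its `boolean | undefined` annotation; because that flag alone decides whether the subscription request is skipped, it should be narrowed with `typeof` and left undefined on any read or parse failure. As a style point, `catch (error)` shadows the `error` imported from '@actions/core' on the first line, and the module now imports both '@actions/core' and 'fs' in two forms; a differently named catch binding and one import style per module would keep it unambiguous. The same code is repeated in the generated dist/index.js hunk, which would need rebuilding after any change here.
```typescript
  const eventPath = process.env.GITHUB_EVENT_PATH
  let repoPrivate: boolean | undefined
  if (eventPath) {
    try {
      const eventData: unknown = JSON.parse(fs.readFileSync(eventPath, 'utf8'))
      const flag = (eventData as {repository?: {private?: unknown}} | null)
        ?.repository?.private
      // Only a real boolean may short-circuit the subscription check.
      if (typeof flag === 'boolean') repoPrivate = flag
    } catch {
      // Missing, unreadable or malformed payload: leave repoPrivate undefined
      // so the subscription request below still runs.
    }
  }
  // … unchanged: banner output, public-repository early return, subscription POST …
```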